Tax return and other tax-related identity theft is a growing problem that CPAs can help their clients with—both in taking preventive actions and in correcting problems after an identity thief has struck. Tax return identity theft occurs when someone uses a taxpayer’s personal information, such as name and Social Security number (SSN), without permission to commit fraud on tax returns to claim refunds or other credits to which a taxpayer is not entitled, or for other crimes.

Thieves normally file early in the tax-filing season, often before the IRS has received Forms W-2 or 1099, to thwart information matching and avoid receiving duplicate return notices from the IRS. Taxpayers sometimes discover they are victims of identity theft when they receive a notice from the IRS stating that “more than one tax return was filed with their information or that IRS records show wages from an employer the taxpayer has not worked for in the past” (FS-2012-7 (January 2012)).

In 2011, the IRS processed about 145 million returns. About 109 million were claims for refunds, with an average refund amount of almost $3,000. As of May 16, 2012, the IRS had pulled 2.6 million returns for possible identity theft, and that trend is on the increase. The IRS recently reported an inventory of more than 450,000 identity theft cases. For the 2011 filing season, the Treasury Inspector General for Tax Administration (TIGTA) estimated that identity-theft-related fraud accounted for approximately 1.5 million tax returns in excess of $5.2 billion.

CONSEQUENCES OF IDENTITY THEFT

Tax return identity theft delays legitimate taxpayer refunds because the return appears to be a duplicate return and may be a sign of other fraud or identity theft problems. IRS support to solve traditional and nonfraud problems may be delayed as well when IRS resources are diverted to combat identity theft. Other tax-related identity theft can cause problems for the taxpayer as well. If an individual fraudulently used a taxpayer’s SSN to get a job, the taxpayer may have extra W-2 wages erroneously reported (and perhaps also extra taxes withheld), leading to a correspondence matching audit. The National Taxpayer Advocate notes that time and money are spent to clear the individuals’ names, during which “victims may lose job opportunities, may be refused loans, education, housing or cars, or even get arrested for crimes they didn’t commit” (IRS Publication 4535, Identity Theft Prevention and Victim Assistance).

Further, until recently, the IRS would hold suspicious refunds while verifying the underlying W-2 information, for up to 11 weeks. With the increase in the number of cases and budget limitations, refunds may take longer. So, the IRS says, “[I]dentity theft can impose a significant burden on its victims, whose legitimate refund claims are blocked and who often must spend months or longer trying to convince the IRS that they are, in fact, victims and then working with the IRS to untangle their account problems” (IR-2012-66).

A typical identity theft starts when thieves have (illegally) bought or stolen information from individuals, employers, hospitals, or nursing homes or have used the public list of deaths with SSNs issued by the Social Security Administration. With a number or list of numbers, they file false tax returns for refunds. For example, investigators found a single address that was used to file 2,137 tax returns for $3.3 million in refunds (see TIGTA Rep’t No. 2012-42-80). Most thieves prefer to receive the refund using direct deposit or prepaid debit cards. In another example, 590 tax refunds totaling more than $900,000 were deposited into a single bank account. Although banks have strict rules to verify the identity of account holders, they don’t have the ability to monitor whether the direct deposit is for a legitimate refund.

Although the IRS planned to spend about $330 million in 2012 to combat identity theft, the IRS has limited resources and needs additional funding to combat this problem. Identity theft also happens to tax systems in other countries, but the extent of the problem is lessened in countries where the government can immediately (or in “real-time”) match income and withholding with the tax return. IRS Commissioner Douglas Shulman called for real-time matching in his prepared remarks at the AICPA Fall 2011 National Tax Conference for the purpose of reducing the number of taxpayer audits, but such a system should help reduce identity theft fraudulent tax returns as well (IR-2011-108).

IDENTITY THEFT IN THE MAKING: HOW ID IS STOLEN

Common ways to obtain personal information include email or telephone phishing and Dumpster diving. Thieves are looking for “discarded tax returns, bank records, credit card receipts or other records containing personal and financial information” (FS-2008-9 (January 2008)). For example, some taxpayers receive email messages allegedly from the IRS advising them that they are under investigation or have a refund pending. To get the victim to respond, the email may threaten a dire consequence (see Exhibit 1 for a typical phishing message). Often, the recipient is asked to click on a link to access what appears to be—but is not—the legitimate IRS website.

The IRS does not send unsolicited, tax-account related emails to taxpayers and never asks for personal and financial information, including PINs and passwords, via email. The IRS advises that “[s]ince the IRS rarely contacts taxpayers via e-mail, and never about their tax accounts, taxpayers should be cautious about any e-mails that claim to come from the IRS” (FS-2008-9). (People receiving a suspicious email from the IRS are encouraged to report the email by calling the IRS at 800-829-1040 or forwarding the email to phishing irs; note in Exhibit 1 how the email uses “irs.org” not “irs.gov.”)

IDENTITY THEFT DETECTION: HOW IDENTITY THEFT IS CAUGHT

The IRS has several filters that address different issues. These filters are designed to distinguish legitimate returns from fraudulent ones and to prevent the recurrence of identity theft. If a tax return is caught by a filter, it is manually reviewed to validate the taxpayer’s identity. If the IRS identifies a suspicious return, it corresponds with the taxpayer to verify the correct information. Alternatively, if a second, unauthorized person is using the taxpayer’s SSN, the taxpayer may receive a correspondence audit notice informing the taxpayer that he or she failed to report income from another (erroneous) employer.

When a taxpayer’s identity has been stolen, the legitimate taxpayer may be issued a confidential identity protection PIN (IP PIN) that identifies the taxpayer as the legitimate party using the SSN and other identifying information. The IRS issues these numbers to taxpayers who have reported that their identities have been stolen, verified their identities, and had an identity theft indicator applied to their accounts. Not all victims of identity theft will receive an IP PIN—the IRS says that taxpayers who submitted Form 14039, Identity Theft Affidavit, and proper documentation or taxpayers whom the IRS has itself identified as victims will receive them. During the 2012 filing season, the IRS issued 250,000 IP PINs, up from about 54,000 the year before. Once the IP PIN has been issued, it must be present and correct on the specific tax return for which it was issued. For the 2012 tax year, the six-digit IP PIN is inserted at the bottom of page 2 of Form 1040, to the right of the taxpayers’ signatures.

If two taxpayers are married filing jointly and each taxpayer receives an IP PIN, the couple should use the IP PIN of the SSN that appears first on the tax return. Tax preparation software is generally equipped to ask taxpayers if they received an IP PIN. If a taxpayer is filing a printed copy of the return, however, this number will not print, and should be handwritten in the space provided. A request for an extension or installment agreement using an IP PIN must be made on paper, but the tax return may still be filed electronically.

A new IP PIN is issued every subsequent year as long as the theft indicator remains on the legitimate taxpayer’s account. Returns with an IP PIN are processed more efficiently, in that they bypass the regular filtering system, and the IP PIN prevents fraudulent returns from being processed. The IRS began a pilot program in 2010 to mark the accounts of deceased taxpayers to prevent misuse by identity thieves.

IDENTITY THEFT CORRECTIVE ACTIONS: WHAT TO DO IF AN IDENTITY IS STOLEN

As trusted financial advisers, CPAs may be asked what to do if a client’s identity is stolen. The CPA should consider advising or helping the client with several steps:

1.For tax and nontax identity theft, report the theft to the Federal Trade Commission at 877-438-4338 or TTY 866-653-4261.

2.File a report with the local police.

3.Close any affected bank and credit card accounts.

4.Inform the credit bureaus and consider putting a credit freeze on the accounts. A credit freeze restricts access to credit reports, making it unlikely that thieves can open new accounts in the client’s name. Credit freeze laws vary from state to state.

5.If personal information is lost or stolen during the year, contact the IRS Identity Protection Specialized Unit at 800-908-4490, and complete Form 14039, if necessary. Expect to be patient, though. The National Taxpayer Advocate noted in her semiannual report that “this unit has been unable to answer about two out of every three calls it has received from taxpayers so far this year. At times during the filing season, it was answering only about one out of every nine calls it received—and those who managed to get through waited an average of over an hour to speak with an employee.”

6.Respond to all IRS notices immediately, using the name and number printed on the notice.

7.Tax preparers should ask their clients if they received an IP PIN.

IDENTITY THEFT PREVENTION TECHNIQUES

Since identity theft is so prevalent and growing, a CPA may consider providing general preventive advice through newsletters, websites, and other communications. This advice may include:

1.Have clients arrange for masked SSNs where possible, e.g., on insurance cards, so that client SSNs are closely protected and circulated as little as possible.

2.Watch credit reports from the three major credit bureaus; consider offering this as an off-season service or adding a timely reminder with contact information to the firm newsletter. (Contact details for the fraud departments of the three major credit bureaus are: Equifax – 800-525-6285; Experian – 888-397-3742; and TransUnion – 800-680-7289.)

3.Advise clients to forward all information appearing to be from the IRS promptly and to not click on links or open attachments from emails claiming to be from the IRS.

4.Advise clients to safeguard their Social Security cards, store them in a safe and secure location, and not discard any documents with an SSN on them.

5.Advise clients to resist giving businesses an SSN or other personal information just because they ask for it; often it is not required, and dissemination of SSN information is risky.

6.Advise clients to protect financial information by investing in and using a shredder before discarding documents.

7.A taxpayer should secure personal information in one’s own home. For example, copies of tax returns can be kept in a locked file cabinet or safe.

8.Taxpayers should protect personal computers by using firewalls and anti-spam or anti-virus software, updating security patches, and regularly changing passwords for internet accounts with sensitive information, such as online banking sites.

CPAs may be able to take additional preventive steps for tax returns, where the client is cooperative:

1.File clients’ returns early if possible.

2.E-file returns to be notified of duplicate return notices more quickly.

3.Consider truncating or masking SSNs on Forms 1098, 1099, and 5498 consistent with Notice 2011-38.

4.Communicate with the client to change client expectations: Refunds might take longer in future years as additional system security steps are taken.

5.Finally, CPAs with new online clients should be very careful to confirm the identity of those new clients, so that an identity thief cannot trade on an unwitting CPA’s credibility in filing false returns.

CPAs can find additional information at:

• IRS website, and
• IRS resources including the Taxpayer Guide to Identity Theft page, or the Identity Protection page.

Additional resources for business accounting tips are available here.

The IRS has improved its identification of fraudulent tax returns that involve identity theft, but the agency needs to be more accurate in its identity theft estimates, according to a new report from the Treasury Inspector General for Tax Administration (TIGTA).

TIGTA performed an audit to determine how effective the IRS is at detecting and preventing identity theft. The watchdog also looked at how the IRS is measuring undetected identity theft and coordinating identity theft information with other agencies and tax industry partners.

TIGTA identified 568,329 undetected potentially bogus tax returns with refunds totaling more than $1.6 billion for tax year 2013. That’s a drop of more than $523 million from the prior year, the report states.

However, the false reporting of wages and withholding accounts for the largest amount of undetected potentially fraudulent refunds at $1.3 billion. TIGTA believes the new Jan. 31 deadline for employers to file their W-2 forms with the Social Security Administration will reduce this type of fraudulent return.

The new Jan. 31 filing deadline also applies to certain Forms 1099-MISC reporting nonemployee compensation, such as payments to independent contractors.

TIGTA also noted that using states’ lead data during tax return processing could improve detection of identity theft.

TIGTA also discovered that the accuracy of the Identity Theft Taxonomy quantification for both protected and unprotected revenue needs improvement. As an example, the IRS’s estimate of protected revenue was overstated by almost $2.4 billion as a result of the wrong calculation of refunds associated with rejected electronically filed tax returns.

The audit resulted in the following six recommendations, which the IRS agreed with:

1. Expand the use of identity theft models to include all accelerated W-2s to compare with tax returns for possible identity theft.
2. Develop criteria to identify and evaluate potential fraud in tax returns.
3. Develop a way to use state lead data to help evaluate tax returns for identity theft.
4. Use tax return data to find the refund amount associated with electronically filed tax returns that were rejected when computing revenues, leave out rejected returns that don’t claim a refund, and account for tax returns with multiple reasons for rejection.
5. Review revenues to ensure that duplicate tax returns are omitted.
6. Tax returns with mismatched income because of amended or duplicate income documents should not be considered for potential identity theft.

Additional resources for business accounting tips are available here

You may have heard of the CEO scam: that’s where spear-phishers impersonate a CEO to hit up a company for sensitive information.

That’s what happened to Snapchat, when an email came in to its payroll department, masked as an email from CEO Evan Spiegel and asking for employee payroll information.

Snapchat’s payroll department fell for it. Ouch.

Here’s a turn of that same type of screw: the Internal Revenue Service (IRS) last week sent out an urgent warning about a new tax season scam that wraps the CEO fraud in with a W-2 scam, then adds a dollop of wire fraud on top.

A W-2 is a US federal tax form, issued by employers, that has a wealth of personal financial information, including taxpayer ID and how much an employee was paid in a year.

This new and nasty dual-phishing scam has moved beyond the corporate world to target nonprofits such as school districts, healthcare organizations, chain restaurants, temporary staffing agencies and tribal organizations.

As with earlier CEO spoofing scams, the crooks are doctoring emails to make the messages look like they’re coming from an organization’s executive. Sending the phishing messages to employees in payroll or human resources departments, the criminals request a list of all employees and their W-2 forms.

The scam, sometimes referred to as business email compromise (BEC) or business email spoofing (BES), first appeared last year. This year, it’s not only being sent to a broader set of intended victims; it’s also being sent out earlier in the tax season than last year.

In a new twist, this year’s spam scamwich also features a followup email from that “executive”, sent to payroll or the comptroller, asking for a wire transfer to a certain account.

The wire transfer scam isn’t tax-related: it’s just hitching a ride on the tax-related W-2 scam. Some companies have been swindled twice: they’ve lost both employees’ W-2s and thousands of dollars sent out via the wire transfers.

The IRS is telling organizations that receive the W-2 scam emails to forward them to Phishing IRS, with the subject line of “W2 Scam”.

If your business has already fallen for the scam, it can file a complaint with the Internet Crime Complaint Center (IC3), operated by the FBI. Employees whose W-2 forms have been stolen should review the recommended actions by the Federal Trade Commission or the IRS identity theft.

The IRS says that employees should also file a Form 14039 Identity Theft Affidavit (PDF) if their own tax returns get rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

How to sidestep the scam

But before you even get to the sad state of having to file a report about getting ripped off, it’s better to avoid falling for the bait in the first place.

Unfortunately, that’s getting tougher as crooks get more and more cunning. Case in point: the carefully crafted, well-disguised attack that led to the hacking of Clinton campaign chair John Podesta’s Gmail account. The attack relied on a shortened Bitly link to mask nefarious HTML code.

Screenshots of the Bitly link used against Podesta show that even the longer links hiding behind rigged Bitly links can be made to look, to an untrained eye, like they’re legitimate.

One step that can protect against phishing attacks is to pick proper passwords. Even though strong passwords don’t help if you’re phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.

Use two-factor authentication whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.

Also, consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.