IRS-based Identity Theft – and Steps You Can Take to Prevent It

Stan Rose, Tax Director
March 2017

Introduction

More and more aspects of our lives are being recorded electronically, and with personal, highly confidential data increasingly stored electronically in multiple locations, it is not surprising that identity theft is on the rise. One of the most common means of identity theft involves filing a false tax return to steal a refund. Over the years this has resulted in billions of dollars in false claims, and lengthy hassles for the victims. Confirmed instances of fraudulent tax returns numbered 1.2 million during 2015, and 787,000 through most of the 2016 filing season. The purpose of this article is to discuss how this happens and point out ways you can reduce the odds of it happening to you or to those whose information is in your custody.

Let’s address this in reverse order, starting with the scammers’ interactions with the IRS, and then working backward to examine what enabled them to do it and how victims might have prevented it (or not).

How the IRS is duped

The typical IRS identity theft simply involves the thief filing a phony tax return that reports an overpayment, enabling the thief to collect the refund. To do this, the thief needs the victim’s name, address, and Social Security Number (SSN) – but nothing more. It is helpful, but not always necessary, for the thief to have actual financial information related to the victim.

    SSNs were not always used nationally as a personal identifier. They were established in 1936 solely to track earnings histories and compute benefit levels. In fact, as recently as 1973 the predecessor to the Department of Health and Human Services concluded that “the adoption of a national identifier was not desirable, and that the SSN was not suitable for such a purpose.” Increased use of computers in the years to follow led to the IRS and others using SSNs more broadly, to the point we are now accustomed to providing it even when paying cash for a blueberry muffin.

The IRS will not process what appears to be a fraudulent return, and will contact the legitimate taxpayer by mail if something seems amiss. This should occur whenever the phony return reports payments toward that year’s liability that vary from what the IRS has on record. However, two things appear to be working in a thief’s favor, in spite of the IRS matching efforts:

  1. As discussed below, hackers have become adept at gaining access to W-2s. That information greatly increases the odds that the IRS will view the return as legitimate.
  2. Based on the Taxpayer Advocate’s 2016 Annual Report to Congress, the IRS often processes refunds before fully reviewing all relevant records. It does so because the IRS balances prevention of refund fraud with the need to send refunds quickly, often to taxpayers who are in need of those funds. 70% of the 150 million returns the IRS receives show refunds. The average refund is $2,800, and the IRS is committed to providing 90% of those refunds within 21 days. You might think “wait – aren’t W-2s filed by employers in February or March… often electronically? Can’t that matching take place early in the filing season?” What many may not know is that W-2s are filed with the Social Security Administration – not the IRS. Anecdotally, we understand that the records may not be shared between the two branches of government until well after the April 15 filing deadline.

Enabling and preventing

One thing ID thieves absolutely need to steal your income tax refund is your SSN. It, above all things, must be protected. Think about all the parties who have your SSN. Examples may include:

  1. Your employer,
  2. Employer’s benefit plan administrator,
  3. Employer’s payroll tax administrator,
  4. Investment custodians (banker/broker/mutual funds),
  5. Health care providers,
  6. Insurers,
  7. Accountants/attorneys,
  8. Educational institutions,
  9. Credit card providers,
  10. Lenders, and
  11. The SSA and IRS

That is a lengthy list, but it is not complete, because some of these entities engage a number of third parties who handle administrative functions on their behalf, and those third parties may receive your SSN as well. Examples include those who prepare Forms 1099 for investments, and Forms 1098 for loan interest.

So how do thieves steal our SSNs?

  1. They piece together several facts that independently are pretty benign, but collectively are very powerful, eventually allowing them to access an account while posing as the victim. Once in, they often can gain more data directly, potentially including the SSN.
  2. They steal it from one of the parties listed above who does not protect the data like they should.
  3. Often – very often – they blatantly trick people into parting with it.

Let’s look at each of these three methods below, and discuss how to help prevent them.

Piecemeal

People routinely access many services electronically using passwords, user names and e-mail addresses. Lest we forget one of our dozens of passwords, we establish seemingly harmless “safety words” like pets’ names, mother’s maiden name, or school mascots. Then we (and our family members) lay a trail on Facebook that might allow any number of people to gather that information if they care to take the time. We hand out personal information like candy. Even the hardware store clerk who rang up that last snow shovel you bought may have asked for (and received) your phone number or zip code, because that’s what the cash register asked for. With enough pieces of the puzzle, hackers can often access one of our accounts, and once in, gain more personal information like an SSN. Security professionals advise that we use strong and varied passwords. We also should consider being more protective of our personal data by politely refusing to provide what is not truly necessary.

Theft of data

When multiple parties are in possession of your SSN, you are at the mercy of each and every one of their security systems – both electronic and physical. We know vulnerabilities exist there. Anthem’s well-known breach resulted in SSNs of around 80 million people being stolen – potentially anyone insured by them from 2004-2015. With information like this for sale on the “dark web,” a huge percentage of people in the U.S. are vulnerable to fraud for years to come. This applies not only to insured adults, but also to their children, many of whom are too young to be employed, so the IRS has no legitimate filing information to compare to suspected phony claims. In a lesser-known incident, ADP was compromised in 2016 when hackers took over online portal access and obtained thousands of W-2s belonging to more than a dozen of ADP’s customers. As this article is written, news is breaking of a hack at Kansas-based JobLink, which recently assumed job-matching services for the Maine Department of Labor. These incidents involved direct theft of SSNs, but many other well-known hacks have compromised other information that could lead to SSNs, such as those involving TJ Maxx, Hannaford, and Yahoo.

Even the IRS itself is represented. Just a few years ago in response to previous fraudulent refund claims, it established an Identity Theft PIN program to protect taxpayers. The program assigns a unique, annually-generated PIN to each taxpayer who the IRS believes or knows to be at risk of ID theft. In 2016, hackers hacked the IRS list of PINs, gaining access to 101,000 of the 464,000 PINs they attempted to steal. The IRS responded by notifying the affected taxpayers and applying an additional “mark” to their accounts. Their online “transcript of account” service was also hacked, and had to be temporarily shut down.

It is hard to advise how to prevent this kind of theft from a third party, because one user generally cannot impact the ways of a huge entity, and we cannot withhold our SSNs from a payroll company or our insurers. However, the employees and management of those third parties can protect those records as follows:

  1. Only exchange information using a safe method, such as a secure portal or encrypted e-mail. Take the additional step of password-protecting files that contain SSNs.
  2. Store information in a secure location. Examples for on-site storage could involve hard copies locked in a location only accessible by electronic key card, or on computers accessible only by user name and complex password. For off-site (cloud) storage, use a secure facility that uploads and downloads only via secure methods, and physically protects its servers.
  3. Limit access only to those who need the information.
  4. Flash drives can be especially vulnerable, and ports can be disabled to prevent malicious code (or anything else) from entering a computer via memory stick.
  5. Employ pervasive firewall protection and spam filters to limit intrusion from external sources.
  6. Finally, teach employees to be vigilant, and to be wary of any messages that seem out of the ordinary.

    Note: Many of these methods can bring with them a level of frustration for the users, including clients – especially those with limited computer skills, incompatible equipment, or those who simply are in a hurry. BNN employs methods described above, and our employees and clients accept these impediments as necessary in protecting highly confidential data – a job any accountant takes extremely seriously.

Trickery

The Anthem breach apparently was initiated with a scammer sending an e-mail to an Anthem employee, and tricking the employee into clicking on a link that launched malicious code. The e-mail was designed to appear as if it came from a coworker. In some cases, HR and payroll personnel have been duped into replying to such “phishing” schemes by sending W-2s to what they thought were company executives. When multiple parties have legitimate access to SSNs (payroll service providers, 401(k) administrators, accountants, etc.), HR and payroll personnel need to be trained and vigilant to avoid unintentionally handing this information over to a well-disguised imposter.

Conclusion

The level of success scammers have had with stealing tax refunds, and the ability of hackers in general to find a way to penetrate nearly any defense, leave victims, and potential victims, in the unfortunate position of just waiting for the next incident. But there are things we can all do to strengthen our defenses just a bit, perhaps staying one step ahead of the criminals most of the time. Hopefully the information above sheds some light on how these frauds occur and presents a few ways to avoid them. The alternative, I suppose, is for our entire economy to revert to a bartering system; however, this particular author has no interest in remuneration in the form of a stack of pelts.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.