How to Protect Yourself from Tax Identity Theft by Michael Alexander, CPA, PFS, MBA
Unfortunately, every year, we have one or two clients who become victims of identity fraud. One of the most frustrating parts of the experience is that often you never find out exactly how it happened. And of course, dealing with the issue after the fact can be time consuming. For those of you who are our clients, please know that we are very careful with your private data, shredding all paper, keeping and transmitting information securely in the cloud through an encrypted portal and discouraging clients from sharing their social security number whenever possible. For your information, the following article from The Wall Street Journal has additional ideas:
Protect Yourself From Tax Identity Theft
Here’s how to limit your risk of tax refund fraud—and the steps to take if you’re a victim
Photo: Tim Foley
Feb. 27, 2015 11:55 a.m. ET
Robert Scott Jack took precautions most people never dream of to prevent tax identity theft.
Mr. Jack, a retired federal cybersecurity expert in Alexandria, Va., who now works as a consultant, shunned online tax-preparation programs that store data on the Internet. He researched the security features of different software programs and opted for a packaged—not downloaded—product. He checked the package for signs of tampering before loading it into his secure home computer.
Yet soon after he tried to electronically file his federal tax return through TurboTax on Feb. 14, the company told him it been rejected because someone already had filed using his Social Security number.
“I was disappointed and frustrated,” Mr. Jack says. He knew that “sweeping up the broken glass” would take three days of scrambling to lock down financial accounts, plus many more months of waiting for resolution.
Plenty of other taxpayers are feeling the same frustration.
In early February, a surge of fraudulent state tax returns forced Intuit, the maker of TurboTax—by far the most popular tax-prep program—to suspend state e-filings for 24 hours.
Several states, including Utah, Kentucky, North Dakota and Minnesota, suspended processing returns for a few days. State officials were alarmed because many of the false filings included data apparently drawn from taxpayers’ 2013 tax returns.
Since then there have been many reports of fraudulent federal returns linked to TurboTax that also apparently used 2013 information.
Both the Federal Bureau of Investigation and the Internal Revenue Service’s criminal division are probing the issues at TurboTax, according to a person familiar with the matter, and Congress is looking into them as well. A spokeswoman for Intuit says the company isn’t the target of an FBI investigation, and Chief Executive Brad Smith says that the company hasn’t had a data breach.
Much remains unclear about this year’s rash of fraudulent filings—especially how they compare in size or success to others, or whether they affected a disproportionate number of TurboTax users.
While the IRS publishes little data on tax identity theft, information released by others points to a serious issue. According to Government Accountability Office reports, the IRS lost an estimated $5.8 billion to fraudulent refund claims in 2013, the most recent data available, while blocking about $24 billion in attempts. In 2013 there were almost 2 million suspected tax identity theft incidents, compared with about 440,000 in 2010, according to the Treasury Inspector General for Tax Administration.
Curbing this type of theft may require multiple efforts by businesses, the IRS and Congress, says Neal O’Farrell, a cybersecurity specialist at the Identity Theft Council, a nonprofit advocacy group in Walnut Creek, Calif. But there are steps people can take to help prevent tax identity theft—and to cope after it happens.
Ask for an IP PIN. The IRS issues victims of tax identity theft a six-digit Identity Protection PIN for use in filing returns once cases have been resolved. Returns can’t be filed without the number, and the taxpayer receives a new one every year.
But you don’t have to be a victim to obtain such a PIN. Starting this year, an IRS pilot program is giving PINs to people who filed federal returns as residents of Georgia, Florida and the District of Columbia last year. (These are the areas with the highest percentage rate of tax identity theft.) To get one, apply at www.irs.gov.
The IRS also recently sent letters offering PINs to about 1.7 million people who were selected because the agency had seen suspicious activity in their accounts.
In addition, people who are potential victims of identity theft—be it from a stolen purse or a data breach—can notify the IRS by filing Form 14039, “Identity Theft Affidavit,” and checking Box 2. The IRS may or may not grant a PIN, but filing the form could qualify taxpayers for other heightened security measures, according to an IRS spokeswoman.
Andy Mattson, a certified public accountant at Moss Adams in Campbell, Calif., hasn’t been a victim of identity theft. But he received a PIN from the IRS after a 2012 data breach of South Carolina’s tax system exposed the information of 3.8 million individuals, including his—because he prepares corporate tax returns filed there.
Mr. Mattson urges everyone who is at risk to file Form 14039. “It only takes a few minutes and could save many hours of your time or a professional’s,” he says.
Shun email links and attachments. Realistic-looking emails can harbor malware that could steal your information—a practice known as phishing. The massive South Carolina data breach, for example, occurred after state tax employees opened links in phishing emails, according to an official report.
Experts say it’s unfortunate that many legitimate offers from financial firms come with embedded links. “Marketers are looking for reactions they can measure, but as a result consumers become less cautious and fall prey to malicious emails that seem real,” says Mr. O’Farrell, who also advises consumer-credit firm Credit Sesame. Instead of clicking a link, he says, enter through the company’s website.
The IRS reminds taxpayers that it never initiates contact by email, text messages or social media.
Stay proactive. As of now, there is no way to find out if someone has already filed a tax return using your Social Security number until you send in your own. Filing early can beat thieves to the punch, but taxpayers with investments or complex returns often must wait for paperwork to arrive.
Meanwhile, practice cyber-hygiene—especially in the wake of data breaches such as the massive one at health insurer Anthem, which may have exposed the sensitive personal information of nearly 80 million people, according to the company.
“There’s so much stolen information out there now, and it’s all for sale,” says Mr. O’Farrell.
Experts advise using strong passwords and changing them frequently. Update computer applications, especially antivirus software, and make sure that Wi-Fi access is password-protected.
If you prepare your own taxes using a commercial product, make sure your personal information is accurate when you log into the account—especially the bank account number listed for direct deposit of a refund. Inaccurate information could be a telltale sign of a fraudster.
Be careful with paper mail, especially during tax season, when sensitive documents arrive. Guard against theft of such documents and be careful when disposing of them, as thieves can make use of partial information such as a date of birth or bank account number.
Think twice before paying for ID-protection services, experts say. Typically they don’t claim to prevent tax identity theft, which is the most common type of such theft, according to Federal Trade Commission statistics. Most services actually help more with recovery than prevention.
What about filing a paper tax return? That may not help either. If thieves can get your Social Security number and other information via another source, they can still file a false return. An e-filing rejection notice from the IRS is often the first sign of identity theft, Mr. Mattson says, so the extra time it takes to process a paper return delays the discovery and could compound the damage.
If you are a victim, act fast—and then plan to wait. The IRS has a list of steps for victims to take at www.irs.gov before calling the agency. They include filing a police report, an affidavit with the IRS and a complaint with the Federal Trade Commission; contacting one of the three major credit-reporting companies to place a 90-day fraud alert on your credit records; and closing any fraudulent accounts opened in your name.
Victims may want to impose a credit freeze with the credit-reporting firms, which can prevent extensions of credit using their identity. They should also file their tax returns on paper, the IRS says.
After taking these steps, Mr. Jack contacted the firms holding every financial account he and his wife had, including pension and 401(k) plans. He didn’t close the accounts, but the sponsors did issue fraud alerts and in some cases added an extra layer of security.
Victims say the mad dash to deal with tax identity theft typically takes two to three days, followed by a long wait while the IRS completes its investigation. How long? A spokeswoman for the agency say 120 days is the norm, but Mr. Jack and other recent victims say they have been told to expect resolution in 180 days.
In complex cases, the wait can be longer and the process more frustrating. National Taxpayer Advocate Nina Olson has chided the IRS because taxpayers in such cases don’t have a single contact person within the agency, among other issues. Taxpayers “shouldn’t have to navigate the maze of IRS operations, recounting their experience time and again,” she said.
In response, the IRS says that the current system allows taxpayers to get help when they need it and doesn’t depend on a particular employee’s availability.
Tax refunds aren’t paid until a case is closed, which is one more reason to minimize them by not having too much money withheld from paychecks.
Urge Congress to act. Top lawmakers in both the House and Senate are probing this year’s spate of tax identity thefts, and the Senate Finance Committee is expected to focus on them in a hearing on tax scams in March.
Experts say the fraudulent-filing epidemic is partly of the government’s own making, because easy e-filing and rapid refunds—both priorities in Washington—also offer myriad opportunities to criminals. The IRS often doesn’t get wage data until late spring, long after many tax refunds have been paid, so it is at a disadvantage.
Legislation is required, however, to change key elements of the current system, such as speeding up data delivery or allowing employers to mask a portion of an employee’s Social Security number on a W-2.
The IRS, which has had its budget cut by $1.2 billion over the past five years, recently estimated that $82 million more spent on identity theft prevention could save nearly $1 billion in revenue by 2018.
Keep perspective. Experts say tax identity theft can actually be one of the least harmful types of ID theft. Although the process is painful and slow, taxpayers can work out their problems with the IRS.
Far more difficult, Mr. O’Farrell says, is a rarer type of identity theft in which a criminal commits a violent crime in someone else’s name, say, or has a string of drunken-driving arrests. Then the victim “may have to hire lawyers and go to a state he has never visited to declare to a judge that someone has used his identity,” he says.
Still, tax identity theft is no picnic. Kim Ledbetter, who works at a Toyota dealership in Paris, Texas, received a letter from the IRS on Feb. 5 and then learned that someone had filed both a federal and a Missouri return in his name.
“At first I thought we were being audited,” he says, “but this is much worse.”