IRS Still Plagued by Identity Theft This Tax Season

The Internal Revenue Service has been unable to get control of rampant identity theft this tax season, despite high-profile efforts to confront the problem with the help of private industry.

Yesterday the IRS warned it has seen a 400 percent increase in email phishing and malware incidents this tax season aimed at both taxpayers and tax professionals (see IRS Warns of Surge in Phishing and Malware Schemes Targeting Preparers and Taxpayers).

Admittedly, the IRS has been making efforts to get a better handle on the problem in recent years. According to a report in January by the Government Accountability Office, the IRS estimated that it prevented $24.2 billion in fraudulent identity theft tax refunds in filing season 2013. However, the IRS also estimated that it paid out $5.8 billion in fraudulent refunds to identity thieves. Last year, the IRS detected a breach in its online Get Transcript application affecting hundreds of thousands of taxpayers that it blamed on organized criminals abroad (see Extra 220,000 Hit by IRS ‘Get Transcript Breach’). The IRS needed to scale back the application and instead of letting taxpayers and tax preparers immediately view and print a transcript of a prior year’s tax return, they still can only use the application to order a copy to be sent to them by mail.

After tax season last year, the IRS convened a series of meetings it dubbed the “Security Summit,” partnering with state tax authorities, tax software companies, and major tax prep chains in an effort to collaborate on ways to better protect tax filings from identity thieves. They agreed on new standards for this tax season for logging onto all tax software products, including minimum password requirements, new security questions and standard lockout features. The software industry also agreed to provide more than 20 additional data elements from the tax return submission to the IRS and, in turn, to the states to help identity fraudulent returns. Plus, they agreed to information sharing on a weekly basis to help quickly identify and adjust to new and emerging tax-related fraud schemes, along with the launch of a new public awareness campaign aimed at reminding taxpayers to take steps to protect their own personal information.

However, the identity theft problem has continued to plague the IRS. This month, the IRS reported that it had detected and stopped an attack on another of its online services, the Electronic Filing PIN app, in which identity thieves tried to use hundreds of thousands of Social Security Numbers to access a personal identification number used by tax professionals to electronically file tax returns (see IRS Detects Attack on Electronic Filing PIN App). Based on its review, the IRS identified unauthorized attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN. Security vulnerabilities still continue to be found in the electronic filing PIN section of the IRS’s website (see IRS Urged to Close Security Vulnerability in IRS E-File PIN Page).

Tax software companies have also been experiencing problems. Both TaxAct and TaxSlayer have needed to alert thousands of their customers to suspicious activity (see TaxAct Detects Data Breach and Suspends Customer Accounts and TaxSlayer Experiences Identity Theft Attack).

Nationwide tax preparation chains have also found themselves running afoul of identity theft and tax fraud. Maryland and Michigan officials have shut down a number of Liberty Tax Service franchises after noticing questionable returns being filed from them (see Maryland Suspends Liberty Tax Service Franchises and Maryland Halts Returns from More Preparers).

A security expert who monitors the underground forums frequented by identity thieves recently told Accounting Today he has seen few signs of a reduction in chatter, despite the IRS’s new safeguards (see Fraudsters Undeterred by IRS’s New Security Measures).

“Since it’s tax season again, we’re noticing again that they are focusing on defrauding the IRS and more specifically defrauding U.S. taxpayers and the services that they use to process their tax returns in order to basically fill prepaid cards and cash them out with the returns before the actual person is able to,” said SecurityScorecard chief research officer Alex Heid. “They do that using a series of prepaid cards that are set up with fake identities. They use the same information from the fake identities to file a tax return before the actual person does, and it usually requires the coordination of several individuals.”

Taxpayers are increasingly finding themselves in the position of having to file their tax returns earlier in the season in order to minimize the chances that a thief will be able to claim their tax refund before they can. Waiting until the deadline before filing a tax return can mean the tax refund simply won’t be there. The IRS needs to improve security, as do taxpayers and the tax industry, but one step they can take that’s sure to be beneficial is to stop support for depositing tax refunds on prepaid debit cards. While the debit cards are useful for taxpayers who lack bank accounts, they’re all too useful for the identity thieves who victimize legitimate taxpayers.

Do you think the IRS needs to be doing more to prevent identity theft?