IRS sees increase in identity theft on business tax returns and data breaches at preparer offices
The Internal Revenue Service held a meeting of its Security Summit partners Tuesday in Dallas and reported on progress in battling identity theft tied to tax refund fraud, along with some setbacks.
The IRS said it has been seeing an increase in identity theft from business and partnership tax returns, fueled in part by cybercriminals training their focus on breaching tax professionals’ systems and stealing client data. In response, the Security Summit, in which the IRS partners with state tax authorities and the tax industry, has launched a 10-week awareness campaign called “Don’t Take the Bait,” which encourages tax professionals to ramp up their security measures to guard against phishing email schemes and other tactics.
IRS Commissioner John Koskinen pointed to signs of progress, particularly on individual tax returns. “I am pleased to be able to report that we are clearly making progress in this battle,” he said during a conference call with reporters Tuesday. “Our Summit partners have tightened their procedures, and the IRS and states have taken steps to strengthen our systems. Since 2015, we’ve had fewer fraudulent returns entering our systems, fewer bad refunds going out the door, and fewer tax-related identity theft victims than in previous years. In fact, the number of people victimized by identity theft declined from 698,700 in calendar year 2015 to 376,500 in 2016—a drop of nearly half.”
The IRS is now receiving some initial data for the 29017 filing season, indicating the number of victims is continuing to decline sharply. “In the first five months of 2017, about 107,400 taxpayers reported they were victims of identity theft, compared to the same period in 2016 when 204,000 filed victim reports,” said Koskinen. “That’s about 96,000 fewer victims—representing a drop of 47 percent. For comparison, we had nearly 297,000 identity theft victims during the first five months of 2015. So when you look at the last two years, the number of taxpayers reporting they are victims of tax-related identity theft has declined by about two-thirds. That’s an amazing statistic.”
Multifactor authentication techniques, such as sending PIN codes to taxpayers’ cell phones to verify their identities, have helped on the individual side. However, the IRS is seeing signs of trouble now with business tax returns. “But there is still more to be done,” said Koskinen. “In fact, we need to be prepared to fight on new fronts. For example, we’re seeing an increase in identity theft involving business-related tax returns. This shows that identity thieves are constantly working to come up with new ways to get around the barriers we’ve put up. That’s why we’re working to put more taxpayer protections in place for the 2018 filing season. We will be sharing more details on those this fall.”
So far through June 1 of this year, the IRS has identified approximately 10,000 business tax returns that had potential identity theft, compared to about 4,000 for calendar year 2016 and 350 for calendar year 2015. While the number of businesses affected was relatively low, the IRS acknowledged the potential dollar amounts were significant: $137 million for 2017, $268 million for 2016 and $122 million for 2015.
The affected returns included corporate returns filed on Forms 1120 and 1120S and estate and trust returns filed on Form 1041. The IRS also noticed an increase in identity theft related to Schedule K-1 filings from partnerships. It said tax preparers will start to see new “trusted customer” questions on these types of returns. For more information, see a new IRS document providing information about identity theft involving businesses, partnerships and estates and trusts.
“It’s the natural evolution of where criminals are going to go,” Koskinen said in response to a question from Accounting Today. “When this all started, we had sophisticated filters. We have a system now that we can adjust on the run. It used to be that we could adjust the filers once a year. It was fairly simple for even individual criminals, and people in jail, to file a false return. It used to be you could file a number of them and have them all sent to one address. As we’ve ratcheted that down, the first response of criminals is to get more sophisticated in trying to deal with individual returns. The next thing—and we knew this would happen—would be that they would start to masquerade as a company or try to take over a company’s account and file a false return with a refund. The advantage of doing it with a business is that you could ask for a bigger refund without necessarily triggering somebody’s filter. The average false refunds for individuals would always be in the $3,000 to $5,000 to $8,000 range. That would be appropriate for an individual, but for a company we’ve had a few indications—and fortunately there aren’t as many business returns, so our filters and our monitoring are much more straightforward. You’ve got 152 million individual returns, so monitoring is a challenge. But it’s the logical next place to go. If you can’t get volumes of individual returns, then if you can get a smaller number of business false returns, then you can do well. So we’ve seen people masquerading as mortgage companies, trying to come in to get individual accounts. Now we see people starting to create false companies, trying to file false business returns.”
For 2018, the IRS will be asking tax professionals to gather more information on their business clients to help authenticate tax returns. Some of the new information people may be asked to provide when filing their business, trust or estate client returns include:
• The name and Social Security number of the company individual authorized to sign the business return. Is the person signing the return authorized to do so?
• Payment history – Were estimated tax payments made? If yes, when were they made, how were they made, and how much was paid?
• Parent company information – Is there a parent company? If yes who?
• Additional information based on deductions claimed.
• Filing history – Has the business filed Form(s) 940, 941 or other business related tax forms?
Tax professionals also should watch out for any potential business clients claiming they do not currently have an Employer Identification Number, the IRS warned.
Members of the Security Summit praised the way the group was working together to improve tax filing security. “No one person knows all the secrets in the room, and that’s important for protecting the tax system," said Larry Gray, government liaison with the National Association of Tax Professionals.
Mark Steber, chief tax officer of Jackson Hewitt, recommended tax professionals take a look at a recent report from the Electronic Tax Administration Advisory Committee. "In that ETAAC report, you’ll see that many of these initiatives that we’ve taken on—information sharing, authentication—are now taking form with some real specific recommendations," he said.
“It says other industries and government agencies can work together on similar types of threats that exist out there,” said CeCe Morken, executive vice president and general manager of Intuit's ProConnect Group. “I’m thinking of financial services. In addition to that, it also has brought the awareness up for everyone.”
"We all take this seriously because we all have a personal and financial stake in the integrity of the tax system," said John Ams, executive vice president of the National Society of Accountants.
Nina Tross, executive director of the National Society of Tax Professionals, agreed that she has seen improvement, but expressed frustration with some of the IRS’s new authentication requirements, which rely heavily on cell phones. Still, she acknowledged that the IRS is offering a paper-based method of authentication as well for taxpayers and tax professionals who don’t have mobile phones registered in their name. “There’s been a lot of improvement,” she said. “We’ve had some really good leadership in that area, but sometimes getting down into the weeds has been very frustrating. For my members, what’s frustrating is the whole cell phone issue, and I know that there has been some movement. I know you can now do it on paper, if there’s a cell phone number that’s not in your name, you can register it through a paper process.”
The IRS said tax professionals need to protect their data and systems against sophisticated, well-funded and technologically adept criminal syndicates around the world. Cybercriminals are showing further signs of savvy and tax expertise as they employ stolen information, sometimes from tax practitioners, to file business, partnership and trust returns for refunds. In some cases they are posting the stolen data for resale on the Dark Net so that other criminals can file fraudulent tax returns. In the first five months of this year, there were 177 reported data breaches at tax preparers’ offices. The IRS said it continues to receive reports of three to five data breaches each week.
"As we’ve made progress against identity theft in 2016 and 2017, we see the fraudsters changing their tactics," said Koskinen. "They are having more trouble getting past our security protections in our tax processing systems. So they are increasingly taking aim at the places where large amounts of taxpayer data reside. That means trying to access data belonging to tax return preparers and other tax professionals, as well as the payroll community, small employers and human resources departments."
The Security Summit is urging all tax professionals to take the following steps:
• Educate all employees about the dangers of phishing emails posing as familiar businesses, organizations or colleagues.
• Use the best security software to guard against malware, phishing sites and viruses; set it to update automatically.
• Use strong, unique passwords for all accounts and change them frequently; use a password manager if necessary. Better yet, use two-factor authentication whenever possible.
• Encrypt all sensitive data and routinely back it up to an external disk.
• Review Publication 4557, Safeguarding Taxpayer Data, to create a security plan.