Tax identity theft has grown exponentially over the past several years. Identity theft has topped the Internal Revenue Service's "Dirty Dozen" annual list of tax scams for both 2012 and 2013, and also appeared on the list in 2011. According to the National Taxpayer Advocate Service, identity theft grew by more than 650 percent between fiscal years 2008 and 2012.

Unfortunately, the predictions are that this trend will continue, even in the face of growing safeguards that are currently being put into place by the IRS, tax practitioners and taxpayers themselves.

An audit report released in August 2012 by the Treasury Inspector General for Tax Administration estimated that during the next five years, the IRS could lose a projected $21 billion to fraudulently claimed tax refunds related to identity theft.

And this figure, according to TIGTA, takes into account the new fraud controls that the IRS has put in place that the agency touts as having saved $20 billion of fraudulent refunds on 2012 returns alone.



Generally, identity theft as encountered by the IRS typically involves a taxpayer's stolen Social Security number that is then used to file a tax return and claim a fraudulent refund. When the legitimate taxpayer then files their return, the IRS rejects it.

The taxpayer must correct the situation to obtain their refund, which in many cases can consume a considerable amount of time, effort and expense. In best-case scenarios, a six-month delay has been common.

Identity theft usually plays out differently when a business taxpayer's identity is stolen. Similar to return filings for individuals, the theft can occur in the form of a fraudulently claimed tax refund, but often involves more subtle schemes that remain undetected until the business receives a notice from a government agency related to unpaid employment taxes, erroneously claimed tax credits, unreported merchant payment card income, and similar business transaction-generated subterfuge.



Tax-information thieves employ a variety of techniques to glean information to defraud the IRS and unknowing taxpayers. They usually include one or more variations on the following:

  • Pilfering through trash (whether paper or electronic);
  • Phishing scams (including bogus "IRS" inquiries); or,
  • Deceit by familiar faces (such as a business associate, an ex-spouse or a particularly financially hard-pressed relative).

Certain basis steps may be taken by individuals to minimize the risk that they will be victims of tax ID theft. These precautions include:

  • Filing tax returns early (identity thieves generally file early in the season to ensure that the IRS will process their fraudulent returns and distribute the refunds before the legitimate taxpayer has the chance to file);
  • Protecting Social Security numbers;
  • Safeguarding Internet passwords;
  • Installing firewalls and antivirus protection;
  • Safeguarding mail;
  • Shredding important documents; and,
  • Checking credit reports regularly.


Businesses generally deal with larger transactions, have larger account balances and credit lines than do individual taxpayers, and organizations can set up and accept merchant credit card payments with numerous banks. Business information regarding tax identification numbers, profit margins and revenues, officers, and even officer salaries is often public and easily accessed. At the same time, remedies and enforcement tend to focus more on individual identity theft. Business identity theft itself tends to be more subtle and, consequently, more difficult to immediately detect. Thus, business identity theft can be more lucrative and arguably less dangerous for a thief to engage in than individual taxpayer identity theft.

Stealing an EIN and EFIN. Identity thieves can use a business' employer identification number to initiate merchant card payment schemes, file false tax returns, and even generate hundreds of fake Form W-2s in furtherance of individual taxpayer identity theft. Thieves targeting return preparer businesses can obtain electronic filing identification numbers just as easily. They, like EINs, are found on the taxpayer's copy of a tax return and on filing confirmations.

Payment settlement entities and Form 1099-K. When identity thieves steal a business' identity, they can also set up a business account with a payment settlement entity, which would be responsible for reporting all income from credit card transactions to the IRS. Typically, an identity thief provides a PSE with the information from the real business that only first realizes there is a problem when it receives Forms 1099-K or, even later, when it is audited because Form 1099-K income does not match income as reported on its tax return.

Other best practices. Certain basic steps may be taken by businesses to minimize the unique risks that they face in becoming a victim of tax ID theft. These precautions may include:

  • Account monitoring;
  • Safeguarding a dissolved business;
  • Bank protections;
  • Safeguarding documents and identification information; and,
  • Changing passwords.


Tax return preparers are also at risk of having their identities stolen and used in furtherance of fraudulent tax refund schemes. Return preparers in particular should safeguard their business files, for both their sakes and those of their clients.

Recommendations cited by the American Institute of CPAs in a written statement issued to the IRS Oversight Board listed several basic tasks that tax practitioners can perform to protect their clients' sensitive information. These include:

  • Locking desk drawers and file cabinets;
  • Using encrypted flash drives;
  • Using other encrypted procedures in electronically transferring a client's information to a third party;
  • Redacting or truncating SSNs, EINs, EFINs, and other personal information;
  • Using couriers and certified mail to ensure that the correct person receives their correspondence;
  • Training staff and notifying clients about the proper handling of client information and how to avoid Internet schemes; and,
  • Installing and requiring antivirus and other security software on all of the firm's computers.


Individuals who have been victimized by taxpayer identity theft have a number of steps that they should consider taking. These might include:

  • Closing financial accounts;
  • Contacting Equifax, Experian and TransUnion;
  • Following up on fraudulent credit report information (including notifying all lenders);
  • Triggering fraud alerts (including notification of a taxpayer's banks and creditors);
  • Contacting the Social Security Administration;
  • Contacting the Federal Trade Commission (and its online FTC Identity Theft Report, also helpful to local law enforcement officials trying to complete a police report);
  • Filing a police report (to help establish a theft for a casualty loss deduction); and,
  • Filing IRS Form 14039, Identity Theft Affidavit.

Identity Theft Affidavit. Taxpayers should place a fraud alert on their accounts with the IRS as soon as they suspect that they have been victimized by identity theft, such as when they have received a notice from the IRS that their tax return has been rejected because one has already been filed with their SSN. To do this, taxpayers should fill out IRS Form 14039, Identity Theft Affidavit.

Taxpayers are allowed to file IRS Form 14039 even if no tax problem has yet occurred. However, although no penalty will attach to being wrong about a situation, filing Form 14039 will slow normal dealings with the IRS, as the service takes additional precautionary steps because of such notification.

When the IRS receives the affidavit, it will flag the taxpayer's account with a marker indicating that a tax return filed under the taxpayer's name could be fraudulent. In some cases the IRS will issue that taxpayer an identity protection personal identification number. This IP PIN must be included on the tax return for the tax year for which it was issued, or the tax return will be automatically rejected.

IRS Identity Protection Specialized Unit. A taxpayer that has previously been in contact with the IRS regarding tax-related identity theft and has not achieved a resolution may contact the IRS Identity Protection Specialized Unit at (800) 908-4490. The IRS established the unit in 2008 as a means to provide centralized assistance to victims of identity theft.

Taxpayer Advocate Service.Taxpayers may also contact the Taxpayer Advocate Service through the state/territory links, which has helped taxpayers attempting to resolve identity theft-related issues. The TAS itself handled nearly 55,000 identity theft cases in fiscal year 2012.



Businesses that have been victims of taxpayer identity theft (or identity theft in general), have fewer resources available to them. Most of the resources made available by government agencies have been designed for individuals.

Nevertheless, businesses might try to approach the crime in the same way as individuals, by checking their credit reports and placing a fraud alert on them, closing accounts that have been tampered with, and contacting the Federal Trade Commission as a resource.

Businesses might also try to avail themselves of IRS Form 14039. Before submitting it to the IRS, however, they should probably indicate at the top of the form that the crime concerned the theft of a business entity's information.

A victimized business might also consider changing its EIN. This, however, must be done at the end of the fiscal year, according to general IRS rules.

Business victims of merchant payment account schemes. If a business discovers from a Form 1099-K that it has an unusually large and unexpected amount of credit card payment income, it may be an indication that the business has become a victim of identity theft. If the IRS has sent such a business a notice relating to potentially unreported or under-reported Form 1099-K income, the IRS advises the business to:

  • Read the notice thoroughly and complete any attached worksheets;
  • Gather all tax records, including any Form 1099-Ks, received for the tax year in question;
  • Determine whether there has been a legitimate under-reporting of gross receipts;
  • Direct any questions to the contact information provided on the notice; and,
  • Consider consulting a tax professional.

Other initiatives. The Treasury and the IRS have recently taken certain measures to prevent identity theft, as well as to protect its past or potential victims. These measures include new fraud-detection filters placed on submitted tax returns during processing, issuance of unique identification numbers to potential identity theft victims, and closer control of the Social Security Death Master File.

The IRS is also using intra-functional and intra-governmental coordination to make identity theft detection more efficient and successful.



The IRS, the Treasury, the SSA, and other government agencies have become more aware of the growing problem of ID theft and have made resources available to victims. Taxpayers and their representatives should take advantage of these resources.

Once ID theft is discovered, clients generally must act quickly to prevent further damage. Having a checklist of action steps at hand in that event makes sense, especially given the ever-increasing odds of being a victim. Preventive steps to guard against ID theft also may be a smart move, even though it may require a review of certain accounts and files on a regular basis.

Dealing with identity theft is, unfortunately, becoming an area with which a growing number of tax practitioners must become familiar.

George G. Jones, JD, LL.M, is managing editor, and Mark A. Luscombe, JD, LL.M, CPA, is principal analyst, at CCH Tax and Accounting, a part of Wolters Kluwer.

Register or login for access to this item and much more

All Accounting Today content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access