For 2015, the Internal Revenue Service (IRS) estimates that at least $14.6 billion in fraudulent tax returns were filed seeking a federal tax refund. The IRS stopped all but $2.24 billion of the fraudulent requests. That is pretty good when you consider that the IRS paid about $403 billion in refunds for fiscal year 2015, which puts the fraudulent payouts at about 0.6% of refunds, on total collections of $3.3 trillion.
According to researchers at Javelin Strategy & Research, 15.4 million U.S. consumers were victims of identity theft in 2016. The fraudsters’ illegal take during the year amounted to an estimated $16 billion. That means about 14% of fraudulent profits were down to the IRS.
When a thief steals (or buys) personally identifiable information on someone, that data can be used for all manner of fraud, including filing an early and fraudulent request for a tax refund. The IRS may pay the refund, then when the real taxpayer files a return, the IRS notifies the taxpayer of a duplicate return, and that is typically when the fraud is discovered.
The Government Accountability Office (GAO) recently released a report reviewing the IRS’s performance during the 2016 tax filing season. The report was requested by some members of Congress and included a recommendation to speed up the agency’s requests for documents.
But the main part of the GAO report dealt with identity theft fraud and how the IRS responds to it. The GAO identified potential weaknesses in the IRS’s internal control processes that could lead to the IRS paying refunds to fraudsters. The GAO also noted that the IRS does not notify taxpayers when a dependent’s identity appears on a fraudulent return. By not notifying taxpayers that their dependents’ information may have been used to commit fraud, the IRS is limiting taxpayers’ ability to take action to protect their dependents’ identity.
While all taxpayers need to be aware of the IRS issues, it is probably much more important to pay attention to protecting personally identifiable information. Recent research from the Pew Foundation found that 64% of all Americans have personally experienced a major data breach. Think about the Target and Home Depot breaches of a few years ago that compromised millions of records each.
We noted last October some steps you could take to minimize the risk of having personally identifiable information stolen. Those recommendations remain valid, and we might add a recommendation that you consider using two-factor authentication.
What users may not know is how their stolen data is used and abused. Cybercriminals risk the penalties for fraud because there is big money at stake. And like any industry where big money is at stake, big organizations crop up to get and hold their shares.
Cybersecurity expert Brian Krebs in a recent blog post included a screenshot listing stolen IRS Form W-2 data for sale. The thieves are selling the data to individuals and other companies that could use that data to file a fraudulent tax return. According to Krebs:
This particular shop … currently includes raw W-2 tax form data on more than 3,600 Americans, virtually all of whom apparently reside in Florida. The data in each record includes the taxpayer’s employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.
Depending on the value of the data based on the wages paid in 2016, the data costs between $4 and $20 per record, payable in Bitcoin.
Personally identifiable W-2 information can be stolen by phishing scams where individual consumers are asked to provide the information in order to get a refund or avoid some other penalty. More productive from the thieves’ point of view are phishing scams directed at an HR or payroll department employee purporting to be from some company executive asking for all employee data to be rolled up into a single file and emailed to the executive. The fraudulent request directs the file to the cyberthieves.
Krebs recommends the following steps to prevent a fraudster from using your personally identifiable information to file a fraudulent tax return:
- File early, before the fraudsters do.
- Routinely check your credit report.
- Monitor your credit report and then freeze it.
- File IRS Form 14039 to request a PIN.