Asset Management Intelligence - August 2015 - Fraudulent Returns, Identity Theft, and the IRS

Published: Aug 7, 2015
Share

A little while ago, I had a colleague who sent me her wedding invitation by mail, which is not unusual except for the fact that no one gave her my home address. She had wanted to surprise me and so looked me up online! That was a friendly gesture, but in this electronic age of smart phones, e-commerce, data streaming and government-mandated electronic filing of tax returns, do we really know how secure our personal information is? Meanwhile, the federal Office of Personnel Management announced in early July that personal data of 21.5 million federal employees, contractors, applicants and family members was stolen in a massive cyber theft. This is in addition to the 4.2 million files stolen one month earlier.

In late May, the IRS announced that due to a data breach from February through May of this year to its online Get Transcript application system, information of over 100,000 taxpayers was stolen. The system is the online version of a function that the IRS has always provided to the taxpayers. For a fee, if for any reason the taxpayer requires a copy of their previously filed tax return, a transcript of that return can be requested. The transcript does not look like the return but contains all the information that was on the filed return. As a result of the breach, these unknown criminals then created phony accounts and filed approximately 13,000 fraudulent returns with the IRS, successfully claiming up to $39 million in tax refunds.

Each year we hear about massive refund amounts issued for returns that were fraudulent because of identity theft. According to a recent Wall Street Journal article that cited the Government Accountability Office, more than $5.8 billion was lost in 2013 because of identity theft related fraud.

The difference between the usual fraudulent returns and the ones filed this year is the breadth of information that was supplied and the breach itself. An identity theft return would typically have a name, social security number and employer information. In the current cases, the returns would also have information such as names of dependents and their social security numbers along with last year’s Adjusted Gross Income, and all other information that would be present on the previous year’s tax return.

Apparently, the criminals used personal information stolen elsewhere and used that data to access prior year tax information from the Get Transcript system, which enabled them not only to then simulate a credible fraudulent tax return, but also obtain information on the taxpayer’s dependents and income sources.

The ease with which this can be done is partly due to the somewhat primitive authentication process that is still being used at the IRS. To obtain a transcript from the IRS of your last year’s tax return one would need $50, name, address, date of birth, social security number, and filing status; information that is readily available on the black market. According to a recent Dell SecureWorks report, personal information is sold ranging from $50 - $1,000 per record.

Taxpayers who have had fraudulent returns filed in their name would either find that they are unable to electronically file their return (as those had already been filed under their social security number), or would receive a letter from the IRS that a return has been received but additional information is required to process the return. In either case, it will be up to the taxpayers to provide proof that they are who they say they are which will include a laundry list of items, signed and notarized.

The case will then be passed along to criminal investigations and, up until late May of this year, the taxpayer has been left in the dark as to what information was stolen that appeared on the fraudulent return, and has little understanding of the extent of the theft that would enable them to take steps to protect themselves and their family. The IRS has cited privacy concerns (of the criminal) but recommends that a credit report be requested from one of the credit agencies like Equifax.

After the recent theft and some very pointed questions from Senator Kelly Ayotte (R-NH), the IRS has agreed to release fraudulent tax returns to the affected taxpayers, redacting information belonging to other taxpayers on the same return such as a spouse. At this time, no procedure has been published to allow taxpayers to make requests. The Get Transcript service is also currently unavailable.

This past May, Senator Ron Johnson (R-WI), introduced a bill, S.1323, the Social Security Identity Defense Act of 2015, that would require that the IRS disclose tax return information to victims of identity theft and assessing a $5,000 penalty against transgressors. The penalty is in addition to any other laws that are also violated.

In the meantime, the IRS and state tax authorities are working in conjunction with tax return software preparers to implement a new return processing system that will include a multifactor authentication system for the 2016 tax filing year. In addition, transmissions of returns will be reviewed for repetitive use of IP addresses among other steps to help flag suspicious return filings. All this while the House Appropriation Committee is proposing to cut the IRS budget by 8% for the fiscal year 2016.

Asset Management Intelligence - August 2015