This year thousands of Americans will discover their identity has been used to file a false tax return. It’s become such a growing issue that the federal government has gathered a task force to figure out a solution. While we all wait, the IRS offers virtually nothing to prevent it from happening, and has a woefully outdated process to help the defrauded amend a return and recover their money. The thousands who will have their returns stolen, resulting in costs in the billions for the IRS, will suffer a months-long process of phone calls, filings, mailings, and of course another tax return.
Dell Engineer Chad Skipper knows this process well from his own run-in with tax fraud in 2014. At RSA 2016, Skipper regaled an audience with his personal saga of recovering his return after a fraudster filed on his behalf. He was lucky, Skipper recalled, to have found out that he had been defrauded at all — two days before taxes were due.
“The only way you the taxpayer really find out is when you go to do your taxes online, you hit submit and it will come back and say ‘Hey, time out. You’ve already submitted this year,’” Skipper said. “That’s one way. The way I found out is the bank had closed the account of the fraudster and [the IRS] sent me a hard check.”
By this time, of course, it’s already too late to stop the fraud from occurring. So the only recourse is to try and amend the return. This process, as Skipper explained in his session, is not easy.
In 2014 the IRS reported that fraudulent returns cost the agency $6.5 billion. That number is expected to jump to as much as $21 billion this year.
On top of that, and the millions of suspicious returns the IRS has to comb through, the agency had its IT budget slashed by $200 million in 2015. Despite these challenges, the IRS reports that it has nearly $11 billion in fraudulent returns in 2016. Additionally, it is supposedly working on measures of support and further prevention for fraud.
One of the measures, however, is the Identity Protection PIN (or IP PIN). The PIN was previously only available to “eligible taxpayers.” As of March 17, however, the sign-up process for this PIN — which is supposed to be the version of multifactor verification to prevent fraud — has been “suspended until further notice.” The move is reportedly to review security measures for the registration to receive a PIN. It was likely done because hackers were finding that registering only required a few easily obtained pieces of information like addresses, loan amounts, and dates.
The other touted effort from the IRS is the “Theft Victim Assistance” organization, an organizational restructuring aiming to reduce the time and effort it takes to recover from tax return fraud. “During 2015, the IRS centralized most of its victim assistance work within one function,” the IRS website states. “The agency also is reviewing its process and procedures to better serve taxpayers and to help reduce the time it takes to resolve cases.” The website also states an average recovery can take 120 days.
Four months is not exactly a rapid recovery. And that may be on the optimistic side. For Chad Skipper, it took twice as long.
Road to reconciliation
One of the major roadblocks in amending a fraudulent return is information access. Once the IRS has been notified, which should be done as soon as possible, the fraudulent tax return no longer belongs to the individual for whom it was submitted. That means, Skipper said, that the fraudster who submitted it has more rights than the person who was defrauded.
“I [couldn’t] even find out if my kids were included on that tax return,” Skipper said. The IRS is subject to strict privacy laws pertaining to returns, which prevents any IRS agent from sharing information included in the return, even if it’s information about your family or dependents.
From the IRS website: “Due to federal privacy laws, the IRS cannot disclose information to a person who is listed on a fraudulently filed tax return unless that person’s name and SSN is listed as the primary or secondary taxpayer on the return.”
In his presentation, Skipper laid out his process for reconciling his fraudulent return, which involved hours on the phone with multiple agencies and filings with the IRS, the Social Security office, the FBI’s IC3 office, the FTC, and all three credit reporting agencies.
Despite his months of work to file the appropriate complaints and reports to these various agencies, Skipper was still met with what can be viewed as punitive responses from the IRS. Any victim of tax fraud will be ineligible to file electronically for three years; so all returns will need to be submitted manually through the mail. Additionally, Skipper said the IRS will delay any returns to him for 180 days after his filing. But, he also noted, if he owes money to the IRS, payment is expected immediately.
Little prevention, but what to do
With the IP PIN not being an option, tax filers are without many options to prevent a fraudulent return. The IRS itself is doing all it can, but considering the length of time — whether it be 120 days or eight months — that it takes to reconcile a false return, it’s important to do everything possible on an individual level.
Skipper noted, importantly, that credit protection would not help with tax fraud. “I had two credit monitoring [services],” he said during his RSA session. “They don’t detect this.”
Still, there are a number of measures everyone can take to help at least make tax fraud harder.
- Use a credit lock
  - Also known as a credit freeze. A credit lock gives individuals more control over their own credit score and lender data. It prevents lenders from accessing your credit report, making it highly unlikely that they grant any loan or line of credit.
- Use strong, varied passwords
  - A common method for tax thieves is to hijack TurboTax or H&R Block accounts using stolen credentials found in other data breaches. Skipper, for instance, suspects his tax return fraud started because of personal data stolen from the health insurance company Anthem.
- Enable two-factor authentication
  - Starting in February of 2015, Intuit offered multi-factor authentication, which is a good idea for any and all sites that take a password. H&R Block and TaxAct have also made the option available for online users, and it should be enabled promptly if not done already.
- Watch out for phishes
  - Phishing is still, and will be for the foreseeable future, one of the easiest ways to steal login credentials. And it’s clear attackers are spending more effort on the crafting and design of phishing attempts to make them convincing. For more on phishing, check out the OpenDNS Labs blog.
For companies large and small, phishing awareness is more important than ever. A growing trend involves spoofing the e-mail of an executive-level employee and simply asking for either money or data. So it’s also important to verify any request coming from a company leader, particularly if the request is for large batches of data or money, and especially if the request contains poor use of English.
On March 22, a Reddit user took to the site for advice on a scenario in which an HR representative at his company had been duped and offered up the W-2 form for every single employee. The HR rep believed the request came from a high-level executive, likely because hackers spoofed the exec’s e-mail address.
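Part of the verification step described above can be automated at the mail gateway before a request ever reaches HR. The sketch below is an added example, not code from the article or from any vendor: the company domain, executive name, keyword list and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "example.com"   # assumed company domain
EXECUTIVES = {"dana reyes"}      # assumed executive display names
SENSITIVE = re.compile(r"\b(w-?2s?|wire transfer|payroll|social security)\b", re.I)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    spoof = []
    if name.strip().lower() in EXECUTIVES and _domain(addr) != COMPANY_DOMAIN:
        spoof.append("executive name on external address")
    if reply_to and _domain(reply_to) != _domain(addr):
        spoof.append("Reply-To domain differs from From")
    if "dmarc=fail" in auth or "spf=fail" in auth:
        spoof.append("sender authentication failed")
    sensitive = bool(SENSITIVE.search(f"{msg.get('Subject', '')}\n{body}"))
    reasons = spoof + (["asks for employee data or money"] if sensitive else [])
    if spoof and sensitive:
        return "hold", reasons                 # quarantine until confirmed
    if spoof or sensitive:
        return "verify out of band", reasons   # confirm by phone or in person
    return "deliver", reasons

# Constructed sample: the From address is forged to match the real executive,
# so only the Reply-To and the failed authentication results give it away.
SPOOFED = """\
From: "Dana Reyes" <dana.reyes@example.com>
Reply-To: dana.reyes@mail-example.test
To: hr@example.com
Subject: Urgent request
Authentication-Results: mx.example.com; spf=fail; dmarc=fail

I need the W-2 forms for all employees sent to me today.
"""

if __name__ == "__main__":
    print(triage(SPOOFED))
```

Even a message that passes every header check is routed to "verify out of band" when it asks for W-2s or money, which matches the advice to confirm such requests with the executive directly.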
Enterprise leaders own a nearly equal part in protecting the identity and privacy of employees as the employees themselves.