Recent high-profile cyberattacks on the IRS highlight just how vulnerable taxpayers’ data can be. In January 2016, criminals stole Social Security numbers from outside the IRS and used them to obtain IRS e-filing personal identification numbers that could be used to electronically file tax returns. In May 2015, criminals used information obtained from social media and stole around 724,000 taxpayers’ return data from the IRS’s Get Transcript system.
The IRS considers identity theft to be at the top of its annual “dirty dozen” tax scams to avoid. Tax-related identity theft occurs when stolen Social Security numbers are used to file tax returns claiming fraudulent refunds.
“Identity thieves are usually very quick,” said Melanie Lauridsen, senior technical manager for tax policy and advocacy at the AICPA. “By the time the real taxpayer realizes there is a mistake, often the IRS has paid the refund electronically and the bank account [into which the refund was paid] has been shut down.”
If your computer is not secure, personal information can be stolen from you without your being aware it is happening. “You can log in to the IRS website to make a quarterly tax payment, and malware on your computer can allow the bad guys to remotely control your computer, take screen shots of every screen you look at, and capture your every keystroke,” said David Mills, IT audit and assurance partner at Carr, Riggs & Ingram LLC and a member of the AICPA Service Organization Control Reporting task force.
Are you a victim? How to know, and what to do
Taxpayers affected by the recent incidents will be notified via mail by the IRS. They (or their tax preparer) may also find out when their return is filed electronically and rejected—and they receive a message that a return has already been filed under that Social Security number.
“If there was an attempt to file a tax return in your name, you can apply to the IRS for an identity protection personal identification number (IP PIN),” Lauridsen said. An IP PIN is a six-digit number used to confirm your identity and prevent misuse of your Social Security number on federal tax returns you subsequently file. If you e-file your return and your IP PIN is missing or incorrect, the IRS’s system will reject the return. If you file a paper return, the IRS will validate the IP PIN before the return is processed.
Note: On March 7, the IRS shut down its online tool for applying for an IP PIN due to security concerns. It will remain down until further notice while the IRS looks to strengthen the security features of the application.
Key steps for preventing identity theft
Mills and Lauridsen provided these suggestions on how CPAs can help taxpayers protect themselves from identity theft.
Keep personal information private and secure. Protect birth dates, your mother’s maiden name, account numbers, passwords, and Social Security numbers (particularly those of young children, the elderly, and the deceased, which criminals can use with less risk of detection). Carefully consider all requests to provide your Social Security number before you give it out. Do not carry your Social Security card. Shred documents with sensitive personal data. Use third-party private storage applications to store and protect passwords.
Be careful about the personal information you share on social media. Cybercriminals gather information over time. Be mindful about whom you “friend” and be selective before accepting invitations from people you do not know. Separate what you share publicly from what you share only with your contacts. Do not post your birthday. Do not provide specific information about your personal finances, such as “I just got a great rate on a jumbo mortgage on my house from XYZ Bank” or “I just got a big tax refund, so I am going shopping,” as such posts can be an inroad to identity theft.
Protect your computer. Use up-to-date security software (antivirus and malware protection and firewalls). Consider updating software automatically. If possible, use a different computer for business and finances than you do for social media, games, and family use. Use strong passwords and change them often.
Don’t fall for impersonators on the telephone. Criminals use robotic dialers and automated questions to call thousands of targets a day. Do not provide personal information to any caller you don’t know. If you are asked to verify personal information that callers say they already have, ask for another way to verify it, or go to a recognized website (for example, that of your mortgage company, bank, or leasing company) and call a phone number listed there. The IRS will not call to say you owe money or make initial contact by phone.
Avoid unsolicited emails. Any time you click on a link in an email, you are launching something. Don’t open an attachment unless you know who sent it and what it is. The IRS will not send emails with links or request sensitive information online. Internet sites should be encrypted; if you go to a site that does not have a lock symbol displayed, do not enter sensitive data into it.
Secure tax return preparation and storage. Before running tax return software programs, run virus scans and make sure all software updates have been completed. Users preparing their own returns should load the application on a personal computer and not stay connected to the internet the entire time unless the program requires it. Remove the application once you are finished with it. Remove tax information from your computer and store the data on a remote drive and as PDF files. All of these steps lower the “attack surface,” according to Mills. Keep paper returns in a secure place and shred tax documents before trashing them.
Monitor your personal information. Review your bank and credit card statements often. Check your credit report frequently.
The IRS also is taking steps to prevent and detect identity theft. In collaboration with the states and the tax industry, it has put together a campaign called “Taxes. Security. Together.” to educate the public. The agency also provides resources on its website such as the Tax Preparer Guide to Identity Theft and Security Awareness for Taxpayers, which include information on how to protect taxpayers from identity theft and what they should do if theft occurs.