Stopping tax identity theft: Practical advice for CPAs and clients

Learn preventive actions and ways to correct problems after a thief has struck.

Tax return and other tax-related identity theft is a growing problem that CPAs can help their clients with—both in taking preventive actions and in correcting problems after an identity thief has struck. Tax return identity theft occurs when someone uses a taxpayer’s personal information, such as name and Social Security number (SSN), without permission to commit fraud on tax returns to claim refunds or other credits to which a taxpayer is not entitled, or for other crimes.

Thieves normally file early in the tax-filing season, often before the IRS has received Forms W-2 or 1099, to thwart information matching and avoid receiving duplicate return notices from the IRS. Taxpayers sometimes discover they are victims of identity theft when they receive a notice from the IRS stating that “more than one tax return was filed with their information or that IRS records show wages from an employer the taxpayer has not worked for in the past” (FS-2012-7 (January 2012)).

In 2011, the IRS processed about 145 million returns. About 109 million were claims for refunds, with an average refund amount of almost $3,000. As of May 16, 2012, the IRS had pulled 2.6 million returns for possible identity theft, and that trend is on the increase. The IRS recently reported an inventory of more than 450,000 identity theft cases. For the 2011 filing season, the Treasury Inspector General for Tax Administration (TIGTA) estimated that identity-theft-related fraud accounted for approximately 1.5 million tax returns in excess of $5.2 billion.


Tax return identity theft delays legitimate taxpayer refunds because the return appears to be a duplicate return and may be a sign of other fraud or identity theft problems. IRS support to solve traditional and nonfraud problems may be delayed as well when IRS resources are diverted to combat identity theft. Other tax-related identity theft can cause problems for the taxpayer as well. If an individual fraudulently used a taxpayer’s SSN to get a job, the taxpayer may have extra W-2 wages erroneously reported (and perhaps also extra taxes withheld), leading to a correspondence matching audit. The National Taxpayer Advocate notes that time and money are spent to clear the individuals’ names, during which “victims may lose job opportunities, may be refused loans, education, housing or cars, or even get arrested for crimes they didn’t commit” (IRS Publication 4535, Identity Theft Prevention and Victim Assistance).

Further, until recently, the IRS would hold suspicious refunds while verifying the underlying W-2 information, for up to 11 weeks. With the increase in the number of cases and budget limitations, refunds may take longer. So, the IRS says, “[I]dentity theft can impose a significant burden on its victims, whose legitimate refund claims are blocked and who often must spend months or longer trying to convince the IRS that they are, in fact, victims and then working with the IRS to untangle their account problems” (IR-2012-66).

A typical identity theft starts when thieves have (illegally) bought or stolen information from individuals, employers, hospitals, or nursing homes or have used the public list of deaths with SSNs issued by the Social Security Administration. With a number or list of numbers, they file false tax returns for refunds. For example, investigators found a single address that was used to file 2,137 tax returns for $3.3 million in refunds (see TIGTA Rep’t No. 2012-42-80). Most thieves prefer to receive the refund using direct deposit or prepaid debit cards. In another example, 590 tax refunds totaling more than $900,000 were deposited into a single bank account. Although banks have strict rules to verify the identity of account holders, they don’t have the ability to monitor whether the direct deposit is for a legitimate refund.

Although the IRS planned to spend about $330 million in 2012 to combat identity theft, the IRS has limited resources and needs additional funding to combat this problem. Identity theft also happens to tax systems in other countries, but the extent of the problem is lessened in countries where the government can immediately (or in “real-time”) match income and withholding with the tax return. IRS Commissioner Douglas Shulman called for real-time matching in his prepared remarks at the AICPA Fall 2011 National Tax Conference for the purpose of reducing the number of taxpayer audits, but such a system should help reduce identity theft fraudulent tax returns as well (IR-2011-108).


Common ways to obtain personal information include email or telephone phishing and Dumpster diving. Thieves are looking for “discarded tax returns, bank records, credit card receipts or other records containing personal and financial information” (FS-2008-9 (January 2008)). For example, some taxpayers receive email messages allegedly from the IRS advising them that they are under investigation or have a refund pending. To get the victim to respond, the email may threaten a dire consequence (see Exhibit 1 for a typical phishing message). Often, the recipient is asked to click on a link to access what appears to be—but is not—the legitimate IRS website.

The IRS does not send unsolicited, tax-account related emails to taxpayers and never asks for personal and financial information, including PINs and passwords, via email. The IRS advises that “[s]ince the IRS rarely contacts taxpayers via e-mail, and never about their tax accounts, taxpayers should be cautious about any e-mails that claim to come from the IRS” (FS-2008-9). (People receiving a suspicious email from the IRS are encouraged to report the email by calling the IRS at 800-829-1040 or forwarding the email to; note in Exhibit 1 how the email uses “” not “”)


The IRS has several filters that address different issues. These filters are designed to distinguish legitimate returns from fraudulent ones and to prevent the recurrence of identity theft. If a tax return is caught by a filter, it is manually reviewed to validate the taxpayer’s identity. If the IRS identifies a suspicious return, it corresponds with the taxpayer to verify the correct information. Alternatively, if a second, unauthorized person is using the taxpayer’s SSN, the taxpayer may receive a correspondence audit notice informing the taxpayer that he or she failed to report income from another (erroneous) employer.

When a taxpayer’s identity has been stolen, the legitimate taxpayer may be issued a confidential identity protection PIN (IP PIN) that identifies the taxpayer as the legitimate party using the SSN and other identifying information. The IRS issues these numbers to taxpayers who have reported that their identities have been stolen, verified their identities, and had an identity theft indicator applied to their accounts. Not all victims of identity theft will receive an IP PIN—the IRS says that taxpayers who submitted Form 14039, Identity Theft Affidavit, and proper documentation or taxpayers whom the IRS has itself identified as victims will receive them. During the 2012 filing season, the IRS issued 250,000 IP PINs, up from about 54,000 the year before. Once the IP PIN has been issued, it must be present and correct on the specific tax return for which it was issued. For the 2012 tax year, the six-digit IP PIN is inserted at the bottom of page 2 of Form 1040, to the right of the taxpayers’ signatures.

If two taxpayers are married filing jointly and each taxpayer receives an IP PIN, the couple should use the IP PIN of the SSN that appears first on the tax return. Tax preparation software is generally equipped to ask taxpayers if they received an IP PIN. If a taxpayer is filing a printed copy of the return, however, this number will not print, and should be handwritten in the space provided. A request for an extension or installment agreement using an IP PIN must be made on paper, but the tax return may still be filed electronically.

A new IP PIN is issued every subsequent year as long as the theft indicator remains on the legitimate taxpayer’s account. Returns with an IP PIN are processed more efficiently, in that they bypass the regular filtering system, and the IP PIN prevents fraudulent returns from being processed. The IRS began a pilot program in 2010 to mark the accounts of deceased taxpayers to prevent misuse by identity thieves.


As trusted financial advisers, CPAs may be asked what to do if a client’s identity is stolen. The CPA should consider advising or helping the client with several steps:

  1. For tax and nontax identity theft, report the theft to the Federal Trade Commission at 877-438-4338,, or TTY 866-653-4261.
  2. File a report with the local police.
  3. Close any affected bank and credit card accounts.
  4. Inform the credit bureaus and consider putting a credit freeze on the accounts (see A credit freeze restricts access to credit reports, making it unlikely that thieves can open new accounts in the client’s name. Credit freeze laws vary from state to state.
  5. If personal information is lost or stolen during the year, contact the IRS Identity Protection Specialized Unit at 800-908-4490, and complete Form 14039, if necessary. Expect to be patient, though. The National Taxpayer Advocate noted in her semiannual report that “this unit has been unable to answer about two out of every three calls it has received from taxpayers so far this year. At times during the filing season, it was answering only about one out of every nine calls it received—and those who managed to get through waited an average of over an hour to speak with an employee.”
  6. Respond to all IRS notices immediately, using the name and number printed on the notice.
  7. Tax preparers should ask their clients if they received an IP PIN.


Since identity theft is so prevalent and growing, a CPA may consider providing general preventive advice through newsletters, websites, and other communications. This advice may include:

  1. Have clients arrange for masked SSNs where possible, e.g., on insurance cards, so that client SSNs are closely protected and circulated as little as possible.
  2. Watch credit reports from the three major credit bureaus; consider offering this as an off-season service or adding a timely reminder with contact information to the firm newsletter. (Contact details for the fraud departments of the three major credit bureaus are: Equifax–, 800-525-6285; Experian–, 888-397-3742; and TransUnion–, 800-680-7289.)
  3. Advise clients to forward all information appearing to be from the IRS promptly and to not click on links or open attachments from emails claiming to be from the IRS. 
  4. Advise clients to safeguard their Social Security cards, store them in a safe and secure location, and not discard any documents with an SSN on them.
  5. Advise clients to resist giving businesses an SSN or other personal information just because they ask for it; often it is not required, and dissemination of SSN information is risky. 
  6. Advise clients to protect financial information by investing in and using a shredder before discarding documents.
  7. A taxpayer should secure personal information in one’s own home. For example, copies of tax returns can be kept in a locked file cabinet or safe.
  8. Taxpayers should protect personal computers by using firewalls and anti-spam or anti-virus software, updating security patches, and regularly changing passwords for internet accounts with sensitive information, such as online banking sites.

CPAs may be able to take additional preventive steps for tax returns, where the client is cooperative:

  1. File clients’ returns early if possible.
  2. E-file returns to be notified of duplicate return notices more quickly.
  3. Consider truncating or masking SSNs on Forms 1098, 1099, and 5498 consistent with Notice 2011-38.
  4. Communicate with the client to change client expectations: Refunds might take longer in future years as additional system security steps are taken.
  5. Finally, CPAs with new online clients should be very careful to confirm the identity of those new clients, so that an identity thief cannot trade on an unwitting CPA’s credibility in filing false returns.

CPAs can find additional information at:

Authors’ note: The authors thank the AICPA IRS Practice and Procedures Committee for help with this article.

Exhibit 1: Sample of Phishing Email

Title/Subject of email: Your Tax Refund Payment Update
[attachment to email is “Refund Form.html”= link to webform]

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $ 826.28

Submit the tax refund request and allow us 3–5 business days in order to process it.

A refund can be delayed for a number of reasons. For example submitting invalid details which we don’t have on record or applying after the deadline.

Download, fill and submit your Tax Refund Form in order to complete the process.

© Copyright 2010. | Internal Revenue Service | United States Department of the Treasury


Tax-related identity theft is a growing problem that requires CPAs to learn how to help clients who are victims and how to help clients avoid becoming victims.

Identity thieves use taxpayer information obtained illegally, sometimes by email or telephone phishing, or by Dumpster diving.

Identity thieves often file returns early before a legitimate taxpayer has had a chance to file and before the IRS has received Forms W-2 and 1099 to match with returns.

Once an identity is stolen, a number of steps can be taken to protect taxpayers.

The IRS issues special taxpayer identification numbers to victims to allow them to have their future returns processed without undue delay.

There are a number of preventive steps CPAs can advise their clients to take to avoid becoming victims of identity theft.

Valrie Chambers ( ) is a professor of accounting at Texas A&M University–Corpus Christi. Rabih Zeidan ( ) is an assistant professor of accounting at Texas A&M University–Corpus Christi.

To comment on this article or to suggest an idea for another article, contact Sally P. Schreiber, senior editor, at or 919-402-4828.


JofA article

Preventing Identity Theft Throughout the Data Life Cycle,” Jan. 2009, page 58

Insider articles

Sign up for the AICPA’s Insider e-newsletters and view back issues at

  • The CPA’s Handbook of Fraud and Commercial Crime Prevention (#056504)
  • Silent Safety: Best Practices for Protecting the Affluent (#091059)

For more information or to make a purchase or register, go to or call the Institute at 888-777-7077.

The Tax Adviser and Tax Section

The Tax Adviser is available at a reduced subscription price to members of the Tax Section, which provides tools, technologies, and peer interaction to CPAs with tax practices. More than 23,000 CPAs are Tax Section members. The Section keeps members up to date on tax legislative and regulatory developments. Visit the Tax Center at The current issue of The Tax Adviser is available at

PFP Member Section and PFS credential

Membership in the Personal Financial Planning (PFP) Section provides access to specialized resources in the area of personal financial planning, including complimentary access to Forefield Advisor. Visit the PFP Center at Members with a specialization in personal financial planning may be interested in applying for the Personal Financial Specialist (PFS) credential. Information about the PFS credential is available at

Where to find June’s flipbook issue

The Journal of Accountancy is now completely digital. 





Leases standard: Tackling implementation — and beyond

The new accounting standard provides greater transparency but requires wide-ranging data gathering. Learn more by downloading this comprehensive report.