Identity theft has moved from an unusual cottage industry to a ubiquitous plague where, because of their financial expertise, CPAs are often one of the first professionals to be consulted. Because of this, it is important for CPAs to act as first responders to this financial crisis and to be equipped with "first aid" remedies, including the ability to triage the risks.
Although identity theft is often referred to as a financial crime, this article treats it as similar to personal crimes. And as is the case with most personal crimes, identity theft is underreported. For example, in 2014, as many as 92% of victims did not report the crime to the police (Victims of Identity Theft, 2014, Bureau of Justice Statistics (Sept. 2015)). There are probably three reasons for this: (1) Many victims may not know for a long time that their identities have been stolen if they were not planning a major purchase (car, home, etc.) that requires credit checks; (2) the amount of money stolen may be so small (relative to the volume of transactions) that the victim may not want to be bothered by having to report it to law enforcement; or (3) the victim is protecting the criminal, perhaps because he or she is a relative.
Further, identity thieves have become so skilled and clever that airtight prevention is impossible. Thieves can penetrate encrypted personnel records and email exchanges. And the costs of identity theft to victims are grossly underestimated and often focus solely on the monetary value of the theft. Enduring social and psychological costs are typically ignored, even though these consequences may turn out to be far more irremediable than the financial losses.
In some cases, the CPA may be one of the first people to discover an identity theft. For example, a CPA may e-file a tax return and have the return rejected because a previous filing was falsely made using a client's identifying information. Some taxpayers forward unopened correspondence from the IRS to the CPA. When the CPA opens the correspondence, he or she discovers that the IRS believes the taxpayer is a victim of identity theft and must break the news to the client.
Because of CPAs' position as trusted financial advisers, it may be prudent for them to prepare to act as a type of first responder to this financial assault. Unfortunately, most financial professionals lack training in the soft skills possessed by professionals who regularly counsel crime victims. This article introduces some basics for counseling financially assaulted clients, using tools adaptable from the medical profession.
EXTENT OF IDENTITY THEFT VICTIMIZATION
Identity theft, according to the Federal Trade Commission (FTC), was the top complaint the FTC received for the past 15 years, increasing 47% from 2014 to 2015 as a result of a massive increase in tax-related identity theft (see "FTC Releases Annual Summary of Consumer Complaints," March 1, 2016). According to the U.S. Postal Inspection Service and the White House, identity theft is America's fastest growing crime (see "Fact Sheet: Safeguarding Consumers' Financial Security," Oct. 17, 2014). The Bureau of Justice Statistics reported that in 2012 the cost of identity theft significantly exceeded that of all other property crimes combined in the United States ("Identity Theft Now Costs Far More Than All Other Property Crimes Combined," by Erin Fuchs, Business Insider (Dec. 12, 2013)).
In 2015, over 724,000 identities were stolen from the IRS's Get Transcript system, and of CPAs polled by The Tax Adviser and JofA, 59% said at least one of their clients was a victim of tax identity theft in the 2016 filing season. (For more on this year's tax identity theft survey results, click here.)
SOCIO-PSYCHOLOGICAL EFFECTS ON VICTIMS
While the financial losses from identity theft are significant and the economic effects are far-reaching, the socio-psychological harm to victims is incalculable. One police officer observed that identity theft can result in emotional and psychological trauma comparable to that experienced by "victims of repeated physical assault" ("Identity Theft and Police Response: The Problem," by Ed Dadisho, The Police Chief, Jan. 2005, page 25).
Distrust often extends to almost everybody the victims encounter, including grocery store clerks and even some family members. Long delays in clearing victims' names only make matters worse. While about 52% of identity theft victims are able to resolve their problems within 24 hours, approximately 9% spent a month or more. According to Erika Harrell, "[V]ictims who spent more time resolving financial and credit-related problems ... were more likely to experience problems with work and other relationships ... than victims who were able to resolve the problems relatively quickly" (Victims of Identity Theft, 2014, by Erika Harrell, Bureau of Justice Statistics, Sept. 2015, page 10).
PRESCRIBED AND PROSCRIBED RESPONSES TO STOLEN IDENTITY
The AICPA has created an excellent checklist available in the Tax Section's toolbox that practitioners can hand to clients. ("ID Theft Checklist for Clients: Action Steps for Recovery" can be downloaded at aicpa.org; member login is required.) CPAs should advise clients to take the following steps, adapted from the checklist:
- Report the crime to the local police.
- Report the identity theft to the fraud department of one of the credit reporting agencies (Equifax, Experian, or TransUnion) as soon as possible. (One must notify the other two agencies.)
- Request a copy of your credit report and request that only the last four digits of your Social Security number (SSN) be used on the report.
- Close any accounts that have been compromised or have been opened fraudulently.
- Inform the credit reporting agencies and credit issuers of any fraudulent accounts and incorrect information.
- Obtain new credit cards and destroy the old ones.
- Alert anyone who has received your credit report in the past six months of any disputed, fraudulent, or incorrect information.
- Have an extended, seven-year fraud alert placed on your credit report.
- Report the identity theft to the FTC's identity theft hotline (877-438-4338), the IRS at 800-908-4490 (and file Form 14039, Identity Theft Affidavit), and the state's tax agency.
- Contact your local postal inspector (in cases of mail fraud).
- Check your Social Security earnings record to make sure no one is using your SSN.
- Contact your health insurance company if your insurance card was accessed or stolen.
- Contact utilities to ensure no new accounts have been opened in your name.
- Tell debt collectors you are a victim of fraud.
- Create an identity theft file and keep copies of everything.
- Change all passwords.
We also recommend that the client ask the police taking a theft report to run a criminal background check in case criminals have used the client's identity when being booked for their crimes. In IRS Publication 5199, Tax Preparer Guide to Identity Theft, the Service also provides information on helping taxpayers who have been victimized, but there is very little published on how to manage clients' emotions when they have just learned that they have been victimized. And clients who have been victimized may want to take steps to keep it from happening again. No combination of preventive steps is foolproof, but we all need to be sensitive to our identity issues, even as society becomes more transparent. To help prevent future identity theft, clients can take several other steps:
- Check credit scores regularly. Some credit card companies provide this as part of their monthly statement.
- Invest with companies that voluntarily adopt online fraud policies that promise to reimburse assets stolen in unauthorized online transactions.
- Keep important documents in a secure location such as a safe or a locking file.
- Before giving out an SSN, ask what the business will do with the information, why it needs your SSN, and what will happen if you refuse its request.
- Shred or hide all documents that contain full account numbers or other sensitive information.
- Keep wallets and purses out of plain sight.
- Password protect all electronic devices with passwords that are unobvious, contain at least eight characters, and include uppercase and lowercase letters, numbers, and special characters. Choose different passwords for different accounts. Change passwords regularly. Store passwords away from the computer. Use two-factor authentication where available.
- Only install known, safe software. Also install a firewall and anti-virus and anti-spyware software to detect unwanted programs. Click only on safe links.
- Frequently back up critical information.
- Residents of Florida, Georgia, and the District of Columbia should order a preventive identity protection personal identification number (IP PIN) from the IRS.
- Frequently check social media postings and privacy settings.
THE ROLE OF THE CPA: LESSONS FROM MEDICAL DOCTORS
CPAs are generally not trained to respond to their clients' emotions. Indeed, the emphasis has been to be dispassionate and rational when relating to clients. To deliver bad news with the least-devastating consequences, the CPA might look to medical doctors for best practices. Perhaps the most commonly cited "protocol for delivering bad news" in medical journals in the United States is "SPIKES: A Six-Step Protocol for Delivering Bad News: Application to the Patient With Cancer," by Walter F. Baile, et al, The Oncologist, June 2000, page 302.
SPIKES (setting, perception, invitation, knowledge, emotions, and strategy) was developed for the purpose of "gathering information from the patient, transmitting the medical information, providing support to the patient, and eliciting the patient's collaboration in developing a strategy or treatment plan for the future." The six steps are:
- Setting up: Set up an interview by arranging a private room with tissues ready in case the client gets upset, ask the client to come with one or two trusted family members, ensure comfortable seating, establish a rapport with the client by maintaining eye contact, and inform the client of any constraint on how much time you have to discuss the matter;
- Perceptions: If the client is already aware of the identity theft, use open-ended questions to assess how he or she perceives the situation so that the delivery of the news can be tailored to the client's understanding.
- Invitation: While some clients have a desire to know everything all at once, others do not. If a client doesn't want to discuss all the possible ramifications now, offer to answer questions in the future.
- Knowledge: Introduce the topic to the client by first warning the client that you have "some bad news."
- Emotions: Address the client's emotions with empathetic responses. An empathetic response to a client's "shock, isolation, and grief" means observing and acknowledging any emotions such as sadness or anger and comforting a crying client.
- Strategy: Clients should be advised about what remedies are available.
A similar protocol uses the acronym ABCDE (advanced preparation, building a therapeutic environment, communicating well, dealing with the patient's reactions, and encouraging and validating the patient's emotions) ("Breaking Bad News," by Gregg Vandekieft, American Family Physician, Dec. 2001, page 1975).
To be clear, while CPAs may find themselves breaking the news of identity theft, most of them are not trained counselors and should not assume such a role. These tools provide a framework for limiting the emotional damage so that the client can heal independently or with the help of professionals, such as by consulting a psychologist after leaving the CPA's office. CPAs can find referrals from most state psychological associations.
With identity theft ever-present, many CPAs will likely encounter client-victims in the course of their practice. Because CPAs are trusted financial advisers, they are often one of the first professionals to be consulted. As such, it may be prudent for CPAs to prepare to act as a type of first responder to this financial assault. By using lessons from medical professionals who have to deliver bad news and counsel patients, CPAs can arm themselves with important tools for consulting with financially assaulted clients until those clients can heal independently or with the help of professional counselors. Ultimately, this might involve one or two courses in grief counseling that are specifically tailored to CPAs and their clients as well as to the contexts in which both interact.
An anonymous identity theft victim’s account
The telephone rang. The caller, a credit card company representative, asked if I had approved a $10,000 balance transfer to this credit card. My response was an emphatic “No!” Soon after, my daughter called saying that considerable funds had been stolen from a joint bank account that she and I had.
My emotions ranged from shock, to fear, to anger, and finally to a strong determination to fight this crime head-on. (These were the same emotions I experienced several years before when I was diagnosed with aggressive breast cancer.) I had no knowledge of identity theft and no identity theft monitoring service. I called my CPA, who advised me to file a police report. A strenuous, two-year ordeal followed.
The police said to file a police report where my daughter lives (several hundred miles from my residence), file a complaint with the Federal Trade Commission’s Identity Theft Data Clearinghouse, contact the state’s Department of Highway Safety and Motor Vehicles (which acknowledged that it sent a new driver’s license to an address that law enforcement later discovered was used for many crimes), contact the local Social Security office, request an extended fraud alert with the major credit bureaus, and contact my credit card companies.
Law enforcement in my daughter’s community stated their staff and funds were insufficient to help. I had numerous stressful meetings with personal bankers. The bank returned half of my daughter’s stolen funds. Photos from the perpetrator’s ATM transactions showed the person withdrawing funds looked nothing like me. A collection agency called both me and my daughter several times daily for two months in an attempt to recover the portion of money that the bank had returned.
One day police in another community called, stating that they found the perpetrator and bags filled with credit cards, ATM cards, driver’s licenses, and checks for bank accounts that had been opened in my name and in the names of several other victims. The collection agency stopped harassing us; the bank returned all of my daughter’s funds.
About the authors
Bilaye R. Benibo (email@example.com) is a professor of sociology at Texas A&M University—Corpus Christi in Corpus Christi, Texas. Valrie Chambers (firstname.lastname@example.org) is an associate professor of accounting at Stetson University in DeLand, Fla. Betty Thorne (email@example.com) is a professor of statistics at Stetson University.
To comment on this article or to suggest an idea for another article, contact Sally P. Schreiber, senior editor, at firstname.lastname@example.org or 919-402-4828.
- "How Clients Can Protect Their Tax Data From Hackers," CPA Insider, April 4, 2016
- "Resolving the Theft of Tax Clients' Identity," JofA, Sept. 2015
The CPA's Handbook of Fraud and Commercial Crime Prevention (#056504)
Identity Theft: Preventing, Detecting, and Investigating Identity Theft (#753508, text; #163031, one-year online access)
For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.
Tax Identity Theft Information & Tools webpage, aicpa.org
The Tax Adviser and Tax Section
The Tax Adviser is available at a reduced subscription price to members of the Tax Section, which provides tools, technologies, and peer interaction to CPAs with tax practices. More than 23,000 CPAs are Tax Section members. The Section keeps members up to date on tax legislative and regulatory developments. Visit the Tax Center at aicpa.org/tax. The current issue of The Tax Adviser and many other resources are available at thetaxadviser.com.
PFP Member Section and PFS credential
Membership in the Personal Financial Planning (PFP) Section provides access to specialized resources in the area of personal financial planning, including complimentary access to Forefield Advisor. Visit the PFP Center at aicpa.org/PFP. Members with a specialization in personal financial planning may be interested in applying for the Personal Financial Specialist (PFS) credential. Information about the PFS credential is available at aicpa.org/PFS.