Updated from Nov. 1
In the first five months of 2017, about 107,000 taxpayers reported being victims of identity theft, compared to the same period in 2016, when 204,000 filed victim reports. That's about 97,000 fewer victims—representing a drop of 47 percent. For comparison, there were nearly 297,000 identity theft victims during the first five months of 2015.
Every year, the IRS distributes $300 billion in refunds to U.S. taxpayers. That's a big pile of money for identity thieves to attack. Until recently, the crime seemed trivial to commit: File a tax return before a taxpayer does, and collect their refund first. This simple formula has been massively successful for criminals, and a terrible headache for victims. At one point, victims were told to wait least six months for their refunds while the IRS untangled fallout from the crime.
So it's important to recognize the signs of tax ID theft, avoid it if you can, and know what to do if you are a victim.
How does tax ID theft happen? How common is it?
In 2016, FTC Chairwoman Edith Ramirez called "tax refund fraud" the largest and fastest growing ID theft category; the commission actually created Tax Identity Theft Awareness Week in an attempt to combat the crime.
Tax ID theft swelled in the early part of this decade because it was relatively easy to commit; armed with a name and a Social Security number, imposters would file before taxpayers and get big refund checks sent wherever they wanted. In some cases, they used fake income and withholding numbers to make the refund checks even larger. One Treasury Department review in 2013 found that the IRS had sent a total of 655 tax refunds to a single address in Lithuania; another found some $11 billion in bogus returns were sent out by the agency during one 3-year stretch. In 2014, at the peak of the crime, the IRS identified 766,000 victims.
At Advisen's Cyber Risk Insights Conference last week, Michael Bruemmer, vice president of Experian's Data Breach Resolution Group, said he's concerned about fraud this tax season. "With some of the recent, large incidents and all the information that was compromised, I think [breaches of] W2s are going to come roaring back again."
There is good news, however. The IRS has implemented several steps to spot fake returns, and they seem to be working. In 2017, the agency said it experienced a sizable drop in the rate of crime, with only about 100,000 victims in the first five months of the year—a 47% drop from the 2015 rate. IRS Commissioner John Koskinen said in October that the number of ID theft-related tax returns have fallen by about two thirds since 2015.
There's also been coordination with tax professionals to better secure tax information. Tax preparation software makers have forced consumers to use better passwords, for example.
The problem persists, however. Criminals are upping their game, tricking HR department into sending them W-2 forms so their fake returns look more real. They've also begun to attack business returns—in June, the IRS had identified approximately 10,000 business returns as potential identity theft, compared to about 4,000 for calendar year 2016 and 350 for calendar year 2015.
How can I avoid becoming a victim?
The best thing you can do is file your taxes as early as possible—beating imposters before they file. Securing your Social Security Number is a good idea, but as we all know, consumers often can't help it when a government agency or corporation leaks the data. In truth, for many tax ID theft victims, there wasn't anything they could have done to stop the crime. That's why detection and recovery are so important.
How do you know you are a victim?
Many ID theft victims learn about the crime when they attempt to file a tax return electronically and it is rejected because it looks like a "duplicate"—the IRS has already received a return filed for that year under that taxpayer's SSN. In some cases, the hints are more subtle. If the IRS suspects identity theft, it might send you a "4883c letter," which will ask you for more information to confirm your identity. Recipients are not necessarily victims, but that's a cue to take the potential seriously.
One thing that won't happen: You won't get a phone call, email, or text from the IRS. If you do, it's almost certainly a criminal posing as an agent; ignore it, or better yet, forward it to firstname.lastname@example.org. Other signs to look for, according to the IRS:
- You owe additional tax based on income you did not earn;
- You are hit by a "refund offset" for past taxes owed, or you have collection actions taken against you;
- IRS records indicate you received wages or other income from an employer for whom you did not work.
What victims should do?
Call the IRS Identity Protection Specialized Unit right away at 1-800-908-4490. Create a file with every piece of paperwork you can get your hands on, dating back several years, to help prove you are who you say you are. File a police report and an IRS ID Theft Affidavit Form 14039. Be patient. Know your your refund will be delayed. If that delay causes you a financial hardship, you can appeal through the IRS Taxpayer Advocate office.
When your case is resolved, the IRS will issue you an "IP PIN" code to use in the future when e-filing your tax return. You'll have to guard that code with the same ferocity as your SSN. More critically, you can't lose it, or the IRS will have to issue you a new one, which can cause further delays. So store in in a safe place that you'll remember come tax time. You'll need a new code every year, so you'll have to get used to the rhythm of that.
Finally, get a copy of the fraudulent return filed in your name. That might give you useful clues about your imposter, in case she or he plans on committing other forms of ID theft using your information. You are legally entitled to it, with some redactions. You can ask the IRS for that here.
What are regulators doing to fix this?
The IRS is continuing its efforts to catch identity thieves and make life less frustrating for victims. In a step borrowed from other computer security industries, it's created an Information Sharing and Assessment Center (ISAC) partnership of tax preparation and software firms, payroll and tax financial product processors and state tax administrators to share tactics and ideas. The group discusses best practices for transmission of taxpayer data, for example. And the IRS has engaged taxpayers through its Taxes. Security. Together. campaign, designed to raise awareness among taxpayers.
The IRS is also sharply expanded a pilot program begun in 2016 that will make it harder to use fake W-2 forms when filing taxes. The agency has partnered with some payroll service providers to print a new 16-digit "verification code" on W-2's issued during tax season. That code is then supposed to be entered into tax preparation software to act as additional authentication of the data on the W-2.
Meanwhile, Congress is trying to legislate some tax identity theft fixes. Two bills are working their way through the Senate and the House, seemingly with bipartisan support. The Stolen Identity Refund Fraud Prevention Act of 2017, sponsored by Rep. Renacci, James B. [R-OH] and The Identity Theft and Tax Fraud Prevention Act, sponsored by Sen. Nelson, Bill [D-FL] would make some IRS ID-theft fighting initiatives permanent law. The legislation would also require the IRS to reduce red tape that catches victims, require that the IRS actively warn victims they've been hit, and increase penalties on criminals.
While all these efforts to slow tax ID theft seem to be having an impact, it's important to remember that threat is still real and widespread, with hundreds of thousands of victims each year. Knowing the signs, and acting fast, are your two best tools to ease the consequences if you become a victim.
Editorial Disclaimer: Opinions expressed here are author's alone, not those of any bank, credit card issuer or other company, and have not been reviewed, approved or otherwise endorsed by any of these entities. All information, including rates and fees, are accurate as of the date of publication.
This article was originally published on November 1, 2017, and has been updated.