Tax returns are a prime target for identity thieves. After all, the IRS processes more than $300 billion in tax refunds every year, and criminals follow the money. A thief needs little more than your name and Social Security number (SSN) in order to file a fraudulent tax return and pocket the refund. Then, when you attempt to file your return, the IRS or state tax authority informs you that you’re attempting to file a duplicate return. It can take months to resolve the matter, cause unwelcome headaches and delay any legitimate refunds you expect.
Increasingly, identity thieves also target entities — including corporations, partnerships, estates and trusts — and use stolen information to file phony tax returns.
IRS cracks down on ID theft
In recent years, tax-related identity theft has substantially declined, due in large part to actions taken by the IRS. For example, the IRS has improved filters in its computer systems, enabling it to flag potentially fraudulent returns. The system looks for anomalies, such as dramatic differences in a taxpayer’s returns from one year to the next or wage information that doesn’t match information provided by employers.
In addition, online tax preparers and software companies have beefed up their security and implemented measures to confirm their customers’ identities. For example, many providers use multifactor authentication — such as a password plus a code sent by text — to verify a user’s identity. On the business side, the IRS now requires tax preparers to furnish additional information to verify that a return is legitimate.
These efforts have been effective, but tax-related identity theft remains a major threat. So it’s important for individuals and businesses to take steps to protect themselves.
For individuals, one of the keys to preventing tax-related (and other forms of) identity theft is to keep your SSN private. Don’t carry your Social Security card with you and don’t provide your SSN to others unless absolutely necessary (and never provide it via email).
Beware of phishing emails. These are official-looking emails designed to look like they’re from the IRS, a financial institution or an executive at your company, but are actually from criminals attempting to steal your SSN, bank account numbers or passwords. Never click on links or attachments in emails unless you’re positive they’re legitimate. And remember that the IRS, banks and most other legitimate businesses will never ask you for financial or personal information via email.
Other steps you should take to protect yourself include:
- Using strong passwords for computers, mobile devices and financial websites, and changing them periodically,
- Using antispam and antivirus software on your computers and installing all security updates,
- Reconciling bank and brokerage statements and reviewing them for suspicious activity,
- Storing bank statements and tax documents in a secure location and shredding them when no longer needed,
- Reviewing your credit report periodically for suspicious activity,
- Locking your mailbox, retrieving mail daily and shredding credit card solicitations and other mail thieves can use to obtain your SSN or other personal information, and
- Exercising caution when using public wi-fi networks. Use a virtual private network (VPN) service to encrypt any information you transmit over these networks.
Finally, file your return as early as possible. In the event identity thieves do obtain your SSN or other information, filing first will prevent them from claiming a refund in your name.
Businesses should take steps to protect their own information as well as that of their employees. They would be wise to provide training to accounting, human resources and other employees to educate them on the latest tax fraud schemes and how to spot phishing emails; using secure methods to send W-2 forms to employees; and implementing risk management strategies designed to flag suspicious communications.
Responding to a theft
If you become a victim of tax-related identity theft:
- File a complaint with the Federal Trade Commission (identitytheft.gov) and local law enforcement,
- Contact the three major credit bureaus to place a “fraud alert” on your credit records, the IRS and your tax advisor, and
- Submit an Identity Theft Affidavit (Form 14039) to the IRS. You’ll receive a six-digit Identity Protection Personal Identification Number (IP PIN) for use in filing electronic or paper returns.
You should also contact your financial institutions and close any accounts that have been compromised or opened fraudulently.