Identity Theft and Your Income Taxes

In 2013, 13.1 million people were victims of some sort of identity-theft. Often, you may think of identity theft as being confined to credit card or ATM fraud, yet there is an epidemic of fraudulent electronically filed tax returns. Identity-related tax fraud is the third-largest theft of federal funds after Medicare/Medicaid and unemployment-insurance fraud.

It is not until June of each year that the IRS receives prior-year W-2 wage and withholding information that was submitted by employers first to the Social Security Administration. Accordingly, identity thieves will take advantage of this matching gap and file fraudulent tax returns in the January, February and March window-of-opportunity in which the IRS uses the honor system to release refunds. The fraudulent refunds are received electronically or by paper. Bank accounts and post office boxes are then closed immediately. This makes it difficult for the IRS' Criminal Investigation Division (that is increasingly working with local police departments) to apprehend the perpetrators (sometimes working with postal and bank employees) who are often engaged in other criminal activities.

The IRS's Battle Plan

So what has the IRS been doing about it? The agency has been battling online fraud and identity theft for years. It has doubled its efforts by assigning more than 3,000 employees to work on identity theft issues.

But is the agency really getting ahead in this tsunami-like battle? Some, including the Treasury Inspector General for Tax Administration, J. Russell George, and the United States Taxpayer Advocate, Nina Olson, would say “no.” While it is true that the IRS has increased its awareness and training in this area by establishing an Identity Protection Specialized Unit and intercepting more and more suspiciously claimed refunds, billions of dollars in fraudulent refunds are still released each year. See, “Identity Protection: Prevention, Detection and Victim Assistance.” This can have a dramatic impact on attorneys and their clients.

Lets first shed light on just how big of a problem identity theft is with respect to the filing of fraudulent tax returns. Some of the statistics are a few years old, but the trend is clear.

• For the 2010 filing season (affecting 2009 tax returns), the IRS had detected 1,400,000 fake income tax returns and had stopped over $6.5 billion in fraudulent payments ' however, the IRS does admit that it paid out as much as $5.2 billion in fraudulent refunds.
• For the 2011 filing season, the IRS stopped $14 billion in fraudulent refunds ' but paid out more than $12 billion in fraudulent tax refunds.
• For the 2012 filing season, the IRS stopped $20 billion in fraudulent refunds (approximately 3 million fraudulent tax returns) ' but paid out $4 billion in fraudulent tax refunds.

How Hackers Get Data

Identity theft is easier then you may think. With over 80% of all income tax returns electronically filed, capturing information is much easier for criminals and the identification by the IRS and states of phony returns becomes much more problematic. Personal data can be bought or acquired online for very little money (often $10 or less).

We read stories about hackers stealing massive credit and debit card information on almost a weekly basis (i.e., Target's 70 million customer data breach in December 2013). Personal information is frequently stolen from health-care providers and motor vehicle bureaus (by current or ex-employees) (i.e., Anthem in February) and it is available from sites such as DOBsearch.com. Sometimes data is stolen from tax practitioners' offices by former employees or were even used by some recently convicted practitioners themselves to file thousands of phony refund returns.

Identity thieves use a variety of methods to get information from victims. The most common ways are:

• Rummaging through trash and mail.
• Skimming. Stolen credit/debit card numbers using a special storage device.
• Phishing. Fraudulent e-mails (remember the IRS never sends taxpayers e-mails).
• e-file Phishing Sites. Web-based site advertised through commercial pay-per-click sites. Captures the victim's tax information and reroutes the refund to the phisher's bank account.
• Stealing. Wallets, purses.
• Social networking websites (i.e., Facebook, Twitter, Google+, LinkedIn, etc.).
• Mobile devices (i.e., laptops, smartphones, tablets).
• Data breaches.
• Trojan viruses.
• Stealing information from the practitioners office (i.e., cleaning staff, vendors, repair personnel).

What To Do If Victimized

Typically, you, your clients or their tax practitioners won't know a fraudulent tax return was filed until the “true return” is filed months later and electronically rejected. What happens when a client's income tax return is e-filed and it gets rejected because the primary or secondary Social Security Number (SSN) has been used more than once? This is almost definitely a situation of identity theft. Yours or your clients' returns cannot be e-filed and there are extra steps that need to be taken (discussed later). There may still be other e-file rejection codes which may or may not be the result of identity theft.

Other “red flags” that could indicate identity theft can be the following:

• A notice from the IRS or State claiming that there was more than one tax return filed;
• A notice from the IRS or State stating there is a balance due, refund offset or that there is a collection action taken for a year you did not file a tax return;
• IRS records indicate you received more wages than you actually earned; or
• Your state or federal benefits were reduced or cancelled because the agency received information reporting an income change.

(Note: It's important to reiterate at this point that, as per the IRS itself: “The IRS does not initiate contact with taxpayers by e-mail to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.”)

Assuming you or your client has verified the information and you believe there is identity theft, the first step is to prepare a power-of- attorney (form 2848) for the IRS and for each state that was rejected authorizing either you or your client's tax practitioner's representation on the return. We advise putting multiple years on the power-of- attorney.

You or your client will have to paper-file the rejected tax return and attach the e-file rejection to the front of the return.

Next, you or your clients' representative should call the IRS/State (Tax Practitioner Hotline/Practitioner Priority Service) and notify them you believe there was identity theft and that the first filing was not that of the taxpayers. You will be asked for certain identifying information–including the taxpayer's date of birth. The tax authority will immediately flag the account and note the conversation. You will not be able to request any type of transcripts after the account is flagged.

Since this is a case of identity theft, you or the client's representative will need to prepare an Identity Theft Affidavit (IRS Form 14039). The corresponding California, New York State, and New Jersey forms, for example, are FTB-3522, DTF-275 and NJ- IDT-100 respectively. Have the client sign it and send in immediately along with the requested support (for example, driver's license, passport, etc.).

IRS internal procedures are constantly changing, so when calling the Identity Theft Protection Unit (1-800-908-4490) be sure to ask whether the paper return and the affidavit should be filed separately or together and what address(es) should be used.

It will take the IRS at least 120 days to process the Affidavit(s). In theory, the IRS will contact you or the client's representative with a result of their investigation. However, our advice is to call the Identity Theft Protection Unit once every 30 days.

Resolution can take up to 12 months. Patience and perseverance are critical. There is currently a backlog of over 700,000 cases and are handled in strict chronological order.

Is there an Ideal Target Of Identity Theft?

The answer is actually yes & no. Anyone that has a valid social security number can be a victim. For tax year 2010, the Treasury's Inspector General for Tax Administration (TIGTA; www.treasury.gov/tigta/) identified the type of individual whose identity appears to have been stolen. See , Figure 1, below.

[IMGCAP(1)]

Another question that most taxpayers and practitioners have is where is most of the identity theft occurring? The common misconception is in the cities. Not so. In Figure 2, below, TIGTA analyzed the Top 5 Addresses Used to File Potentially Fraudulent Tax Returns.

[IMGCAP(2)]

In Figure 3, below, TIGTA analyzed the Top 5 Cities From Which Potentially Fraudulent Tax Returns Were Filed.

[IMGCAP(3)]

Protecting Your Clients And Yourselves

Can attorneys completely protect themselves and their client's from identity theft? Probably not, but they can reduce the possibility. The IRS has given tips to prevent or minimize the chance of identity theft:

• Don't carry Social Security card or any documents with your SSN.
• Don't give a business out the SSN just because they ask. Give it only when required.
• Protect your financial information.
• Check your credit report every 12 months.
• Secure personal information in your office.
• Protect your personal computers by using firewalls, anti-spam/virus software.
• Never give personal information over the phone, through the mail or on the Internet, unless you have initiated the contact or you are sure you know who you are dealing with.

Though most of these seem like common sense, victims still get “taken” each year.

Conclusion

Identity theft will continue to grow and attorneys and their clients need to be aware of the potential risks, preventative measures, and what to do when a client's identity have been compromised. Attorneys need to protect the confidentiality of client information.

With the advent of technology, e-filing has become a mixed blessing given the relative ease of identity theft. When your client becomes a victim, moving quickly and knowing what to do does make a vital difference. Most importantly, this is a process of managing client expectations and frustrations ' especially when the client is expecting a large refund. It is not uncommon for some affected clients to irrationally blame the attorney or tax professional for somehow contributing to the situation. Follow-up regularly and keep the client informed. Keep timely written notes of all actions.

Resources for Taxpayer Fraud

It is also suggested that your client contact the major credit bureaus:

• Equifax: www.equifax.com, 1-800-525-6285
• Experian: www.experian.com, 1-888-397-3742
• TransUnion: www.transunion.com, 1-800-680-7289

Other Resources

• Visit the Federal Trade Commission: www.ftc.gov'or call the Identity Theft Helpline: 1-877-438-4338
• Visit the IRS: http://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft

Richard H. Stieglitz, CPA, a member of this newsletter's Board of Editors, is a tax Partner in the New York accounting firm of Anchin, Block & Anchin LLP. He can be reached at 212-840-3456 or via e-mail at [email protected]. David Albrecht, EA, is a Senior Manager of Tax Controversy in the New York accounting firm of Anchin, Block & Anchin LLP and formerly worked at the IRS Criminal Investigation. He can be reached at 212-863-1434 or via e-mail at [email protected].

In 2013, 13.1 million people were victims of some sort of identity-theft. Often, you may think of identity theft as being confined to credit card or ATM fraud, yet there is an epidemic of fraudulent electronically filed tax returns. Identity-related tax fraud is the third-largest theft of federal funds after Medicare/Medicaid and unemployment-insurance fraud.

It is not until June of each year that the IRS receives prior-year W-2 wage and withholding information that was submitted by employers first to the Social Security Administration. Accordingly, identity thieves will take advantage of this matching gap and file fraudulent tax returns in the January, February and March window-of-opportunity in which the IRS uses the honor system to release refunds. The fraudulent refunds are received electronically or by paper. Bank accounts and post office boxes are then closed immediately. This makes it difficult for the IRS' Criminal Investigation Division (that is increasingly working with local police departments) to apprehend the perpetrators (sometimes working with postal and bank employees) who are often engaged in other criminal activities.

The IRS's Battle Plan

So what has the IRS been doing about it? The agency has been battling online fraud and identity theft for years. It has doubled its efforts by assigning more than 3,000 employees to work on identity theft issues.

But is the agency really getting ahead in this tsunami-like battle? Some, including the Treasury Inspector General for Tax Administration, J. Russell George, and the United States Taxpayer Advocate, Nina Olson, would say “no.” While it is true that the IRS has increased its awareness and training in this area by establishing an Identity Protection Specialized Unit and intercepting more and more suspiciously claimed refunds, billions of dollars in fraudulent refunds are still released each year. See, “Identity Protection: Prevention, Detection and Victim Assistance.” This can have a dramatic impact on attorneys and their clients.

Lets first shed light on just how big of a problem identity theft is with respect to the filing of fraudulent tax returns. Some of the statistics are a few years old, but the trend is clear.

• For the 2010 filing season (affecting 2009 tax returns), the IRS had detected 1,400,000 fake income tax returns and had stopped over $6.5 billion in fraudulent payments ' however, the IRS does admit that it paid out as much as $5.2 billion in fraudulent refunds.
• For the 2011 filing season, the IRS stopped $14 billion in fraudulent refunds ' but paid out more than $12 billion in fraudulent tax refunds.
• For the 2012 filing season, the IRS stopped $20 billion in fraudulent refunds (approximately 3 million fraudulent tax returns) ' but paid out $4 billion in fraudulent tax refunds.

How Hackers Get Data

Identity theft is easier then you may think. With over 80% of all income tax returns electronically filed, capturing information is much easier for criminals and the identification by the IRS and states of phony returns becomes much more problematic. Personal data can be bought or acquired online for very little money (often $10 or less).

We read stories about hackers stealing massive credit and debit card information on almost a weekly basis (i.e., Target's 70 million customer data breach in December 2013). Personal information is frequently stolen from health-care providers and motor vehicle bureaus (by current or ex-employees) (i.e., Anthem in February) and it is available from sites such as DOBsearch.com. Sometimes data is stolen from tax practitioners' offices by former employees or were even used by some recently convicted practitioners themselves to file thousands of phony refund returns.

Identity thieves use a variety of methods to get information from victims. The most common ways are:

• Rummaging through trash and mail.
• Skimming. Stolen credit/debit card numbers using a special storage device.
• Phishing. Fraudulent e-mails (remember the IRS never sends taxpayers e-mails).
• e-file Phishing Sites. Web-based site advertised through commercial pay-per-click sites. Captures the victim's tax information and reroutes the refund to the phisher's bank account.
• Stealing. Wallets, purses.
• Social networking websites (i.e., Facebook, Twitter, Google+, LinkedIn, etc.).
• Mobile devices (i.e., laptops, smartphones, tablets).
• Data breaches.
• Trojan viruses.
• Stealing information from the practitioners office (i.e., cleaning staff, vendors, repair personnel).

What To Do If Victimized

Typically, you, your clients or their tax practitioners won't know a fraudulent tax return was filed until the “true return” is filed months later and electronically rejected. What happens when a client's income tax return is e-filed and it gets rejected because the primary or secondary Social Security Number (SSN) has been used more than once? This is almost definitely a situation of identity theft. Yours or your clients' returns cannot be e-filed and there are extra steps that need to be taken (discussed later). There may still be other e-file rejection codes which may or may not be the result of identity theft.

Other “red flags” that could indicate identity theft can be the following:

• A notice from the IRS or State claiming that there was more than one tax return filed;
• A notice from the IRS or State stating there is a balance due, refund offset or that there is a collection action taken for a year you did not file a tax return;
• IRS records indicate you received more wages than you actually earned; or
• Your state or federal benefits were reduced or cancelled because the agency received information reporting an income change.

(Note: It's important to reiterate at this point that, as per the IRS itself: “The IRS does not initiate contact with taxpayers by e-mail to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.”)

Assuming you or your client has verified the information and you believe there is identity theft, the first step is to prepare a power-of- attorney (form 2848) for the IRS and for each state that was rejected authorizing either you or your client's tax practitioner's representation on the return. We advise putting multiple years on the power-of- attorney.

You or your client will have to paper-file the rejected tax return and attach the e-file rejection to the front of the return.

Next, you or your clients' representative should call the IRS/State (Tax Practitioner Hotline/Practitioner Priority Service) and notify them you believe there was identity theft and that the first filing was not that of the taxpayers. You will be asked for certain identifying information–including the taxpayer's date of birth. The tax authority will immediately flag the account and note the conversation. You will not be able to request any type of transcripts after the account is flagged.

Since this is a case of identity theft, you or the client's representative will need to prepare an Identity Theft Affidavit (IRS Form 14039). The corresponding California, New York State, and New Jersey forms, for example, are FTB-3522, DTF-275 and NJ- IDT-100 respectively. Have the client sign it and send in immediately along with the requested support (for example, driver's license, passport, etc.).

IRS internal procedures are constantly changing, so when calling the Identity Theft Protection Unit (1-800-908-4490) be sure to ask whether the paper return and the affidavit should be filed separately or together and what address(es) should be used.

It will take the IRS at least 120 days to process the Affidavit(s). In theory, the IRS will contact you or the client's representative with a result of their investigation. However, our advice is to call the Identity Theft Protection Unit once every 30 days.

Resolution can take up to 12 months. Patience and perseverance are critical. There is currently a backlog of over 700,000 cases and are handled in strict chronological order.

Is there an Ideal Target Of Identity Theft?

The answer is actually yes & no. Anyone that has a valid social security number can be a victim. For tax year 2010, the Treasury's Inspector General for Tax Administration (TIGTA; www.treasury.gov/tigta/) identified the type of individual whose identity appears to have been stolen. See , Figure 1, below.

[IMGCAP(1)]

Another question that most taxpayers and practitioners have is where is most of the identity theft occurring? The common misconception is in the cities. Not so. In Figure 2, below, TIGTA analyzed the Top 5 Addresses Used to File Potentially Fraudulent Tax Returns.

[IMGCAP(2)]

In Figure 3, below, TIGTA analyzed the Top 5 Cities From Which Potentially Fraudulent Tax Returns Were Filed.

[IMGCAP(3)]

Protecting Your Clients And Yourselves

Can attorneys completely protect themselves and their client's from identity theft? Probably not, but they can reduce the possibility. The IRS has given tips to prevent or minimize the chance of identity theft:

• Don't carry Social Security card or any documents with your SSN.
• Don't give a business out the SSN just because they ask. Give it only when required.
• Protect your financial information.
• Check your credit report every 12 months.
• Secure personal information in your office.
• Protect your personal computers by using firewalls, anti-spam/virus software.
• Never give personal information over the phone, through the mail or on the Internet, unless you have initiated the contact or you are sure you know who you are dealing with.

Though most of these seem like common sense, victims still get “taken” each year.

Conclusion

Identity theft will continue to grow and attorneys and their clients need to be aware of the potential risks, preventative measures, and what to do when a client's identity have been compromised. Attorneys need to protect the confidentiality of client information.

With the advent of technology, e-filing has become a mixed blessing given the relative ease of identity theft. When your client becomes a victim, moving quickly and knowing what to do does make a vital difference. Most importantly, this is a process of managing client expectations and frustrations ' especially when the client is expecting a large refund. It is not uncommon for some affected clients to irrationally blame the attorney or tax professional for somehow contributing to the situation. Follow-up regularly and keep the client informed. Keep timely written notes of all actions.

Resources for Taxpayer Fraud

It is also suggested that your client contact the major credit bureaus:

• Equifax: www.equifax.com, 1-800-525-6285
• Experian: www.experian.com, 1-888-397-3742
• TransUnion: www.transunion.com, 1-800-680-7289

Other Resources

• Visit the Federal Trade Commission: www.ftc.gov'or call the Identity Theft Helpline: 1-877-438-4338
• Visit the IRS: http://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft

Richard H. Stieglitz, CPA, a member of this newsletter's Board of Editors, is a tax Partner in the New York accounting firm of Anchin, Block & Anchin LLP. He can be reached at 212-840-3456 or via e-mail at [email protected]. David Albrecht, EA, is a Senior Manager of Tax Controversy in the New York accounting firm of Anchin, Block & Anchin LLP and formerly worked at the IRS Criminal Investigation. He can be reached at 212-863-1434 or via e-mail at [email protected].