There’s a lot to dislike about taxes, but the Internal Revenue Service has quietly given taxpayers one thing to appreciate: Less of us are seeing our tax refunds get hijacked through identity-theft scams.
Credit for this goes to the IRS, as well as state tax agencies, tax-preparation services and financial institutions, all of whom have had to cooperate to stop thieves from filing fake returns for real people that yield refunds they redirect to themselves. The progress has been impressive, but there’s still a lot more to be done.
Finally, some progress
According to the IRS, taxpayer identity-theft reports plunged from 677,000 in 2015 to 401,000 in 2016 down to 242,000 in 2017. To put that in context, the IRS received 135.7 million tax returns in 2017.
Further, the IRS had pared down the backlog of identity-theft cases to about 34,000 at the start of fiscal year 2017, versus 372,000 at the start of the 2013 fiscal year.
A January 2018 report from the Government Accountability Office noted that in 2016, the IRS blocked at least $10.56 billion of a minimum of $12.24 billion in identity-theft tax-return fraud. But it did pay out $1.68 billion. And while that’s a painful number, it’s also just 0.11% of the $1.46 trillion in income taxes paid in 2016.
The IRS also thanked banks for helping to recover $281 million in fraudulent returns in 2016. The agency even provided many more taxpayers with six-digit personal identification numbers that authenticate their returns — about 3.5 million for this filing season.
Crooks still want your money, but they’re now having a harder time stealing it.
“The data does indicate that there are a greater number of attempts, but that fraudsters are finding less success in those attempts,” said Al Pascual, senior vice president for research at Javelin Strategy and Research.
“The IRS has shown remarkable progress in cracking down on tax identity fraud in recent years,’ said John Breyault, vice president for public policy at the National Consumers League. “That the agency has been able to do this despite continual underfunding by Congress is a credit to the IRS and the larger tax preparation industry.”
Faster W-2s and sharing data make fraud harder
That January GAO report credited a 2015 law that moved up the deadline for employers to transmit the W-2 forms documenting their employees’ income from the end of February to Jan. 31. The same law required the IRS to hold many refunds until Feb. 15, so that it could have more time to catch phony returns.
The GAO reported that by Feb. 15, 2017, the IRS had received more than two times as many W-2s, more than 214 million, as it had by Feb. 15, 2016.
This report, however, criticized the IRS for not penalizing tardy employers and suggested Congress act to lower the current 250-employee threshold for required electronic filing. Today, firms below that limit can file on paper; some 23 million W-2s arrived that way last year, delaying the IRS’s scrutiny of them until March.
A separate GAO report released in November endorsed the IRS’s venture into sharing data with states, tax-preparation firms and financial institutions in an ISAC, short for “Information Sharing and Analysis Center.”
ISACs have become a common medium for confidential public-private cybersecurity collaboration since President Clinton endorsed them in a 1998 directive.
The IRS ISAC, however, has suffered from both a late start and partial participation: Only 28 states fully participated in it as of November, and only another three states could get tax-refund fraud alerts through this confidential organization. The IRS reports that all states can get fraud alerts but didn’t clarify how many more states are full participants.
Fraudsters aren’t standing still
Meanwhile, tax-fraud thieves are trying new tactics. The newest scam, as outlined in a Feb. 13 IRS advisory, is to use a taxpayer’s real info — often stolen from tax providers who opened a malware attachment in an email that infected their systems — to drop a refund into the taxpayer’s own account.
(NCL’s Breyault worried in particular that smaller, mom-and-pop tax-prep shops aren’t taking sufficient care against this threat.)
The crooks then contact the taxpayer and impersonate IRS or debt-collection officials to warn of dire consequences if they don’t follow their instructions to return the wrongly-deposited refund.
You should do no such thing. The IRS says you should have the bank return the direct deposit; if a check arrived, mail it back to the IRS.
Your next step should be to complete form 14039 and send that in with your return — yes, you still have to file that. If the IRS invites you to get an identity-protection PIN, do that as well.
One repeat tax-fraud victim said he hopes that this PIN will finally usher in a normal filing season.
Jules Polonetsky, CEO of the Future of Privacy Forum, had his returns bogged down for two years after crooks stole his identity—maybe using data from the 2015 Office of Personnel Management breach, maybe with data lost in smaller breaches at his health insurer or one of his investment accounts.
He now has that six-digit code and only needs it to make one thing possible: “I will be able to file and no one else.”
More from Rob: