Identity theft is a growing problem, and tax-related identity theft in particular continues to increase each year. In 2015, tax-related identity theft continued to hold a high spot on the IRS's annual "Dirty Dozen" tax scams list. According to the U.S. Government Accountability Office, fraudulent refunds paid in 2013 totaled $5.8 billion (see GAO Rep't No. 15-119). CPAs and tax preparers can play a vital role in assisting both individual and business clients who have become identity theft victims, and they can also recommend preventive measures to help their clients lessen the risk of identity theft.
What Is Tax Return Identity Theft?
Tax return identity theft occurs when the taxpayer's personal information, such as name, Social Security number (SSN), employer identification number, or other identifying information, is used without the taxpayer's authority to file a fraudulent tax return (usually to claim a fraudulent refund or to obtain tax benefits). This type of identity theft carries serious consequences. It can take victims months just to prove their identity to the IRS, which in turn delays the processing of legitimate refund claims. According to the IRS, individual victims of identity theft "may lose job opportunities, be refused loans, education, housing or transportation, and may even be arrested for crimes they didn't commit" (IRS Publication 4535, Identity Theft Prevention and Victim Assistance). Business clients may incur significant damage to their reputations, in addition to financial losses and the costs incurred to resolve the issues with numerous agencies.
Individual Taxpayer Detection: Most Common Warning Signs Tax Practitioners Will Encounter
When a client's SSN has been compromised, he or she may experience the following:
- The return is rejected, usually with an IRS reject code that indicates the taxpayer's SSN already has been used.
- The client receives a notice from the IRS requesting additional information to process the return accurately or an adjusted refund notice with changes to the Form 1040, U.S. Individual Income Tax Return, when the taxpayer has not actually filed the return.
Business Taxpayer Detection: Most Common Warning Signs Tax Practitioners Will Encounter
Business identity theft may be more difficult to detect than individual identity theft, as the signs that indicate business identity theft may also be the product of a simple processing or filing error. The following are signs that warrant additional investigation:
- The client files an original tax return for a particular tax year, but it is accepted as an amended return;
- The IRS issues a notice to the client regarding fictitious employees; or
- The client discovers activity related to a business that is inactive or that has already been closed, after all account balances pertaining to that entity have already been paid.
How Can Tax Practitioners Make This Process Less Stressful for Clients?
For individual identity theft, in order to be able to deal directly with the IRS on a client's behalf, the tax practitioner should file IRS Form 2848, Power of Attorney and Declaration of Representative, signed by the taxpayer to obtain a power of attorney (POA). Either the CPA or the client can contact the IRS to put a "red flag" on the account due to the identity theft. This identity theft indicator flags the taxpayer's identification numbers, as well any tax returns submitted in the future using the taxpayer's identification numbers, so that the IRS can monitor the account for potential fraud. In addition, once the IRS puts an identity theft indicator on the taxpayer's account, it will not release any transcripts related to the taxpayer's account without further authentication.
The CPA will want to complete Form 14039, Identity Theft Affidavit, but only for the specific individual who had his or her identity stolen. This form does not need to be completed for both the taxpayer and spouse if only one is a victim. A form of identification must accompany Form 14039, preferably a copy of a passport or a state driver's license.
There are two ways to send the Form 14039 to the IRS, depending on when the fraud was discovered. If the taxpayer is filing the tax return at the time of the notice or e-file rejection, the taxpayer needs to send Form 14039 in with the paper copy of the return. At this point, the return cannot be e-filed. If the fraud was discovered when extending the return electronically or by receiving a notice, the CPA would need to fax or mail the IRS the Form 14039 as soon as possible. Some of the notices have fax numbers included so that taxpayers can fax in their reply to the notice and the Form 14039. The tax return may be able to be filed electronically eventually, after the IRS clears the account.
The IRS may provide a fraud victim with an identity protection personal identification number (IP PIN), which is a six-digit number the taxpayer must use to verify the return's legitimacy. An IP PIN prevents someone else from filing a fraudulent return under the taxpayer's SSN. The IRS issues a new IP PIN every subsequent year. The IRS will send the taxpayer a CP01A notice if it issued the taxpayer an IP PIN. Taxpayers may receive an IP PIN from the IRS if they received an IP PIN last year, received a CP01A or CP01F notice (inviting them to get an IP PIN), or filed a tax return as a resident of Florida, Georgia, or the District of Columbia.
In addition, taxpayers should file a report with their local police department, report the identity theft to the Federal Trade Commission (FTC), contact one or more major credit bureaus to place a fraud alert on their records, close any accounts opened fraudulently, and make their banks, lenders, and credit card providers aware of the situation. After submitting the Form 14039, the taxpayer and the CPA listed on the Form 2848 may receive a confirmation receipt from the IRS.
The actions for businesses that are victims of identity theft are similar to those recommended for individuals. They should always respond to IRS or state notices immediately. Businesses should file a report with their local police department, report the identity theft to the FTC, contact the major credit bureaus (Dun & Bradstreet, Equifax, Experian, and TransUnion) to place a fraud alert on their records, and close any accounts with fraudulent activity. The businesses should continue to monitor their credit reports, online business registration information, and business account activity with the IRS and other state agencies (even for closed businesses). In addition, the businesses should review and update their computer security policies.
Usually, the IRS takes 180 days to process an identity theft case after a taxpayer files a Form 14039. At this point, the taxpayer or CPA cannot do much more until the IRS reviews the account and confirms the return's authenticity. It is common for clients to experience delays in receiving refunds due to the review of their accounts. It is not uncommon for the CPA to have to call the IRS to check on the status of the refund to help push the process along. The practitioner should provide literature to identity theft victims that lists the various steps they should take in this situation.
Preventive Measures for the Taxpayer and Practitioner
CPAs can provide clients simple recommendations for preventing identity theft. Some suggestions may seem obvious but are very important. Taxpayers should shred important documents such as old tax returns, credit card and bank statements, medical bills, and other records containing financial data. Also, CPAs should warn their clients to be cautious of emails from the IRS and should encourage them to report to the IRS any email that purportedly is from the IRS but is actually fraudulent phishing email (see "IRS Completes the 'Dirty Dozen' Tax Scams for 2015," available at www.irs.gov). The IRS does not send taxpayers email asking for personal and financial information.
As suggested before, CPAs should consider providing written forms of advice to clients through email blasts, websites, or other communications. This may include the following suggestions:
- Truncate SSNs where possible or mask SSNs on insurance cards;
- Monitor credit reports at least annually;
- Request that clients forward any IRS notices immediately;
- Keep Social Security cards and financial information in a secure location and properly dispose of documents with SSNs or account numbers;
- Give out an SSN, birthdate, or address only if required;
- Buy and use a shredder;
- Protect personal computers with firewalls, anti-spam, or anti-virus software, regularly change passwords, and password-secure wireless connections; and
- Be mindful of the personal information divulged on social media, as hackers are getting more and more sophisticated.
In addition to the steps outlined above, CPAs can help their business clients protect themselves by suggesting the following:
- Use anti-virus and other security software on all office computers and update data-security policies;
- Educate employees about phishing (attempts by fraudsters to acquire information via electronic communications by posing as a legitimate entity);
- Remind employees not to open links or attachments from emails they were not expecting to receive;
- Update business filings with the IRS and with the secretary of state (or equivalent office) as soon as any contact information changes;
- Monitor the business's credit profile at least annually;
- If possible, consider filing business tax returns earlier in the tax season; and
- Forward phishing emails purported to be from the IRS per the forwarding instructions on the IRS website.
IRS and AICPA Update: New Initiatives to Combat ID Theft and Protect Taxpayers
As the 2016 filing season approaches, the IRS continues to expand its efforts to stop identity theft and refund fraud. The Service is increasing both the number and efficiency of the identity theft data models and filters that it uses to identify potentially fraudulent returns. These types of pre-refund filters stop the vast majority of fraudulent returns. The IRS also has expanded its partnerships with financial institutions and state agencies.
Starting in 2015, a single financial account can receive only three direct deposit refunds. Refunds over this limit will convert to paper checks and will be mailed to the taxpayer. Additional steps the IRS is taking to help victims include:
- IP PIN program: A six-digit number taxpayers can use when filing a return.
- IP PIN expansion: An opt-in opportunity for other victims who are not in the IP PIN program, as discussed previously.
- Victim case resolution: Working to streamline its internal processes and reduce the turnaround time to resolve cases; the typical case currently takes 180 days to resolve.
- Acceleration of due dates of information returns: Temporary regulations (T.D. 9730) eliminate the automatic extension of time to file forms in the W-2 series, which is allowed under current law.
In early 2015, identity thieves were able to access online over 334,000 tax transcripts through the IRS's Get Transcript application. In response, the IRS temporarily deactivated the system. The hackers responsible for this breach used data-mining and analysis technology to find information that they could enter in the application to get past the IRS's filters, i.e., they scraped social media to gather taxpayers' personally identifiable information.
In a Washington Tax Brief webcast in August, the AICPA Tax Division staff updated members on the Institute's tax advocacy efforts, including legislative and regulatory positions. The webcast reviewed the AICPA's current positions and considerations with the IRS on:
- Expanding the IP PIN program;
- Creating a single point of contact for victims;
- Truncating ID numbers on forms not filed with the IRS;
- Placing limits on multiple tax refunds and restrictions on prepaid cards;
- Mailing notifications of address changes to old and new addresses;
- For errors on information returns, setting a de minimis misstatement threshold of $50;
- Creating an electronic platform for Form 1099 filings, a website that would be available for taxpayers to securely prepare, file, and distribute Forms 1099;
- Including a scannable code with electronically prepared paper returns;
- Expanding the IRS's limited access to the National Directory of New Hires to help it identify and prevent fraudulent filings and claims for refund;
- Increasing electronic filings for quicker information matching; and
- Raising the criminal penalty for misappropriating taxpayer IDs, making it a felony with a fine of up to $250,000 or imprisonment for up to five years.
The IRS and AICPA have several resources, both for practitioners and for taxpayers, related to tax-related identity theft. The Tax Section of the AICPA website has a Tax Identity Theft Toolkit exclusively for Tax Section members, which includes a sample letter to clients. The IRS has numerous publications available related to identity theft as well.
Tax-related identity theft is an increasing problem. The IRS is making progress in preventing identity theft, but it is working with a limited budget, and hackers continuously are developing more sophisticated ways of committing fraud. CPAs and tax practitioners can be a valuable resource to both business and individual clients, to help prevent and correct identity theft. CPAs should continue to monitor the resources outlined above as the IRS continues its efforts to combat tax return identity theft and refund fraud.
Michael Koppel is with Gray, Gray & Gray LLP in Canton, Mass.
For additional information about these items, contact Mr. Koppel at 781-407-0300 or firstname.lastname@example.org.
Unless otherwise noted, contributors are members of or associated with CPAmerica International.