There are at least 1,040 reasons to love Florida. Who isn’t drawn to the sunshine, the pristine beaches, the food… and the tax fraud racket? For decades, South Florida has been the Silicon Valley for scam artists, drawn by the weather and the opportunity to make lots of money without actually doing much work. According to the Federal Trade Commission, Florida holds the highest per capita rate of identity theft complaints, followed by Georgia and California. While Medicare fraud, mortgage fraud, and securities fraud have traditionally been the bread and butter of South Florida scam artists, tax refund scams are definitely the new darling. But as the IRS recently announced, it’s the dawn of a new day for tax fraud prevention.
On Oct. 20, 2015, the IRS posted a news release that it and leaders in the tax industry are working together, in a partnership dubbed the Security Summit, to beef up efforts on limiting tax-related identity theft for the 2016 filing season. So far, 34 states and 20 tax preparation companies have agreed to share information, in real time, in an effort to curb tax fraud. The public-private sector partnership has announced success in identifying and testing more than 20 new data elements on tax return submissions that will be shared with the IRS and the states to help detect and prevent identity-theft related filings. In particular, the fraud detection system is able to identify:
- Whether tax returns come from the same foreign internet address;
- Whether tax returns are being filed from the same device; and
- How long it takes to prepare a return online, from the time a person logs in, to when the return is filed electronically—if a tax return appears to be automatically generated by a machine, it is more easily identified.
Security Summit participants hope that this new fraud detection system will provide a better defense against false returns and fraudulent refunds.
While this private/public effort is a unique and positive collaboration, the reality remains that the risks posed by cybercrimes will not immediately be stomped out. Until then, every organization is still on the hook for protecting the privacy of personally identifiable information (PII).
Various federal and state laws require that a covered entity must provide notification of a breach of PII to affected individuals. Many of these laws also require that the notice provide steps to affected individuals so that they can further protect themselves from potential harm. Given that tax-related identity theft was the most common form of identity theft reported to the Federal Trade Commission in 2014, it is imperative organizations have a handle on what steps individuals should do to protect themselves in the event of a breach involving tax-related data.
Not every data breach results in identity theft, and not every identity theft is tax-related identity theft. Tax-related identity theft occurs when someone uses an individual’s Social Security number to file a false tax return claiming a fraudulent refund. A tax account is most at risk if the data breach involves both a SSN and financial data, such as wages. Data breaches simply involving credit card numbers, health records without SSNs, or even drivers’ license numbers, while certainly serious, likely will not impact a tax account.
For breaches implicating tax-related identity theft, IRS guidance includes the following:
The notice to individuals should warn them to be alert for possible identity theft if they receive an IRS notice or letter stating that:
- More than one tax return was filed using their SSN;
- The individual owes additional tax, refund offset or has had collection actions taken against them for a year they did not file a tax return; or
- IRS records indicate the individual received wages from an unknown employer.
Individuals should further be warned that the IRS doesn’t initiate contact by sending an email, text, or social media message that asks for personal or financial information. If individuals receive an email that claims to be from the IRS, they should not reply or click on any links. Instead, they should forward it to firstname.lastname@example.org.
Beyond content required by applicable state breach notification statutes, IRS guidance indicates that notice letters should also prompt individuals whose SSNs are compromised to take the following additional steps:
- File a report with law enforcement.
- Report identity theft at ftc.gov and learn how to respond to it at identitytheft.gov. A complaint to the FTC may be made either online at ftc.gov or by phone at 1-877-FTC-HELP.
- Contact the IRS Identity Protection Specialized Unit at 1-800-908-4490.
- Send a copy of the police report or an IRS ID Theft Affidavit Form 14039 to the IRS with proof of your identity, such as a copy of your Social Security card, driver’s license or passport.
File Early (not often)
Finally, individuals should be reminded that, when it comes to tax identity theft, the best defense is to file tax returns as early as possible to get ahead of criminals attempting to use Social Security numbers to obtain fraudulent refunds.