Tax Identity Theft

The U.S. Federal Trade Commission (FTC) reported nearly 1.4 million reports of identity theft in 2021, with a primary driver of that spike being tax identity theft.

It’s obvious that individuals can’t afford to ignore the threat of tax identity theft, but the IRS has taken some measures to combat the epidemic that has implications for employers, too. Businesses also need to be aware of the risk of tax identity theft they face. Criminals aren’t just pursuing Social Security numbers (SSNs)—they’re also going after employer ID numbers (EINs) assigned by the IRS.

What Is Tax Identity Theft?

Tax-related identity theft occurs when someone uses a stolen Social Security number (SSN) to file a tax return to claim a fraudulent refund. The victim may be unaware of this until he or she attempts to file a return and learns that one has already been filed. Alternatively, the IRS might send a taxpayer a letter saying it has identified a suspicious return with the taxpayer’s SSN. The U.S. Government Accountability Office found that the IRS paid out $5.8 billion dollars in fraudulent refunds for the 2013 tax year.

In addition, a fraudster might use another’s SSN to obtain a job. The employer then reports that person’s income to the IRS under the stolen SSN. The victim, obviously, won’t include those earnings when filing his or her tax return, so IRS records will indicate that the victim underreported income.

How Does Tax Identity Theft Occur?

A taxpayer's SSN can be stolen through a data breach, a computer hack or a lost wallet. Although identity theft affects a small percentage of tax returns, it can have a major impact on victims by delaying their tax refunds.

Additionally, these thefts can often be traced back to the victim’s place of employment. Insiders at a company may steal the numbers and other employee or customer information. Perpetrators also might wait until staff members let their guards down and leave SSNs readily accessible on computers or in waste receptacles. And, of course, individuals may simply be careless with their SSNs and other sensitive information.

While large companies like banks and hospitals are favorite targets, the improper lifting of just a single SSN can wreak havoc for one of your employees or customers. That means smaller companies are at risk, too.

But filing fraudulent returns isn’t the only way that taxpayers are victimized. Scam artists are using multiple channels to conduct their tax-related identity theft schemes, including:

Phone schemes. This past April, less than 10 days after the tax return filing deadline, the IRS highlighted a new phone scam conducted by fraudsters who program their computers to display the phone number of the local IRS Taxpayer Assistance Center (TAC) on the taxpayer’s Caller ID. If the taxpayer questions the legitimacy of the caller’s demand for a tax payment, the caller directs him or her to IRS.gov to verify the local TAC phone number.

The perpetrator hangs up, calls back after a short period — again “spoofing” the TAC number — and resumes the demand for money. These scam artists generally require payment on a debit card, which allows them to directly access the victim’s bank account.

In another phone scheme, the criminals claim they’re calling from the IRS to verify tax return information. They tell taxpayers that the agency has received their returns and simply needs to confirm a few details to process them. The taxpayers are prompted to provide personal information such as an SSN and bank or credit card numbers.

Digital schemes. Emails that appear to be from the IRS are part of phishing schemes intended to trick the recipients into revealing sensitive information that can be used to steal their identities. The emails may seek information related to refunds, filing status, transcript orders or PIN information.

The scammers have developed twists on this approach, too. The emails might seem to come from an individual’s tax preparer and request information needed for an IRS filing. Or the information request could arrive via text messages. Whether by text or email, the communication states that “you are to update your IRS e-file immediately” and includes a link to a fake website that mirrors the official IRS site. Emails also could include links that cause the recipients to download malware that infects their computers and tracks their keystrokes or allows access to files stored on their computers.

How to Know if Your Identity Has Been Stolen              

There are several key indicators that you may have fallen victim to tax-related identity theft. You should be on guard if you receive a notice from the IRS or learn from your tax advisor that:

• More than one tax return was filed for you
• You owe additional tax, have a refund offset or have had collection actions taken against you for a year you did not file a tax return
• IRS records indicate you received more wages than you actually earned
• Your state or federal benefits were reduced or cancelled because the agency received information reporting an income change

Tips to Avoid Tax Identity Theft

There are a number of simple, practical steps that you can take to avoid becoming a victim. These include:

• Don't carry your Social Security card or any documents that include your SSN or Individual Taxpayer Identification Number (ITIN) on your person.
• Don't give a business your SSN or ITIN to someone just because they ask. Give it only when absolutely required.
• Check your credit report every 12 months.
• Review your Social Security Administration earnings statement annually.
• Secure personal information in your home with a fire safe.
• Protect your personal computers by using firewalls and anti-spam/virus software, updating security patches and changing passwords regularly for internet access accounts.
• Don't give personal information over the phone, through the mail or on the internet unless you have initiated the contact or you are sure you know who you are dealing with.

  Additionally, businesses can take several steps to help reduce the risk of theft of SSNs and EINs, including:

• Using antivirus and other security software on all workplace computers
• Updating data security plans regularly to reflect new risks
• Educating employees about phishing schemes
• Truncating or redacting the numbers where possible
• Keeping the numbers and other sensitive information in a secure location and restricting access on a need-to-know basis
• Updating business filings with the IRS and the secretary of state for your state when contact information changes
• Monitoring your credit reports, IRS and state tax authority accounts, and other business filings,
• Filing tax returns and W-2s, W-3s and 1099s as early as possible
• Developing an action strategy for dealing with tax identity theft, including identifying whom to notify in the event of theft

Businesses should bear in mind — and remind their employees and customers — that the IRS doesn’t initiate contact with taxpayers by email, text messages or social media to request personal or financial information.

What to Do if Your Identity Has Been Stolen

If you find you have been a victim of tax-related identity theft, you should immediately do all of the following:

• File a report with the local police
• File a complaint with the Federal Trade Commission (FTC) or the FTC Identity Theft hotline (1-877-438-4338)
• Contact one of the three major credit bureaus to place a "fraud alert' on your account (Equifax, Experian, or TransUnion)
• Close any accounts that have been tampered with or opened fraudulently

In addition, if your SSN has been compromised and you know or suspect you may be a victim of tax-related identity theft, you should:

• Respond immediately to any IRS notice and call the number provided
• Complete IRS Form 14039, Identity Theft Affidavit
• Continue to pay your taxes and file your tax return, even if you must do so by paper
• If you previously contacted the IRS and did not have a resolution, contact the Identity Protection Specialized Unit (1-800-908-4490)