Stopping tax identity theft: practical advice for CPAs and clients: learn preventive actions and ways to correct problems after a thief has struck.
Tax return and other tax-related identity theft is a growing
problem that CPAs can help their clients with–both in taking preventive
actions and in correcting problems after an identity thief has struck.
Tax return identity theft occurs when someone uses a taxpayer’s
personal information, such as name and Social Security number (
Social Security Number
without permission to commit fraud on tax returns to claim refunds or
other credits to which a taxpayer is not
tr.v. en·ti·tled, en·ti·tling, en·ti·tles
1. To give a name or title to.
2. To furnish with a right or claim to something:
, or for other crimes.
Thieves normally file early in the tax-filing season, often before
has received Forms W-2 or 1099, to thwart information matching
and avoid receiving duplicate return notices from the IRS. Taxpayers
sometimes discover they are victims of identity theft when they receive
a notice from the IRS stating that “more than one tax return was
filed with their information or that IRS records show wages from an
employer the taxpayer has not worked for in the past” (FS-2012-7
In 2011, the IRS processed about 145 million returns. About 109
million were claims for refunds, with an average refund amount of almost
$3,000. As of May 16, 2012, the IRS had pulled 2.6 million returns for
possible identity theft, and that trend is on the increase. The IRS
recently reported an inventory of more than 450,000 identity theft
cases. For the 2011 filing season, the Treasury Inspector General for
Tax Administration (
) estimated that identity-theft-related fraud
accounted for approximately 1.5 million tax returns in excess of $5.2
CONSEQUENCES OF IDENTITY THEFT
Tax return identity theft delays legitimate taxpayer refunds
because the return appears to be a duplicate return and may be a sign of
other fraud or identity theft problems. IRS support to solve traditional
and nonfraud problems may be delayed as well when IRS resources are
diverted to combat identity theft. Other tax-related identity theft can
cause problems for the taxpayer as well. If an individual fraudulently
used a taxpayer’s SSN to get a job, the taxpayer may have extra W-2
Containing or derived from error; mistaken:
[Middle English, from Latin err
reported (and perhaps also extra taxes withheld),
leading to a correspondence matching audit. The National Taxpayer
Advocate notes that time and money are spent to clear the
individuals’ names, during which “victims may lose job
opportunities, may be refused loam, education, housing or cars, or even
get arrested for crimes they didn’t commit” (IRS Publication
4535, Identity Theft Prevention and Victim Assistance).
Further, until recently, the IRS would hold suspicious refunds
while verifying the underlying W-2 information, for up to 11 weeks. With
the increase in the number of cases and budget limitations, refunds may
take longer. So, the IRS says, “[I]dentity theft can impose a
significant burden on its victims, whose legitimate refund claims are
blocked and who often must spend months or longer trying to convince the
IRS that they are, in fact, victims and then working with the IRS to
untangle their account problems” (IR-2012-66).
A typical identity theft starts when thieves have (illegally)
bought or stolen information from individuals, employers, hospitals, or
nursing homes or have used the public list of deaths with SSNs issued by
the Social Security Administration. With a number or list of numbers,
they file false tax returns for refunds. For example, investigators
found a single address that was used to file 2,137 tax returns for $3.3
million in refunds (see TIGTA Rep’t No. 2012-42-80). Most thieves
prefer to receive the refund using direct deposit or
tr.v. pre·paid, pre·pay·ing, pre·pays
To pay or pay for beforehand.
cards. In another example, 590 tax refunds totaling more than $900,000
were deposited into a single bank account. Although banks have strict
rules to verify the identity of account holders, they don’t have
the ability to monitor whether the direct deposit is for a legitimate
Exhibit 1 Sample of Phishing Email Title/Subject of email: Your Tax Refund Payment Update [attachment to email is "Refund Form.html"= link to webform] From: email@example.com After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $ 826.28 Submit the tax refund request and allow us 3-5 business days in order to process it. A refund can be delayed for a number of reasons. For example submitting invalid details which we don't have on record or applying after the deadline. Download, fill and submit your Tax Refund Form in order to complete the process. [c] Copyright 2010. IRS.gov | Internal Revenue Service | United States Department of the Treasury
Although the IRS planned to spend about $330 million in 2012 to
combat identity theft, the IRS has limited resources and needs
additional funding to combat this problem. Identity theft also happens
to tax systems in other countries, but the extent of the problem is
lessened in countries where the government can immediately (or in
“real-time”) match income and withholding with the tax return.
IRS Commissioner Douglas Shulman called for real-time matching in his
prepared remarks at the
See American Institute of Certified Public Accountants (AICPA).
Fall 2011 National Tax Conference for the
purpose of reducing the number of taxpayer audits, but such a system
should help reduce identity theft fraudulent tax returns as well
IDENTITY THEFT IN THE MAKING: HOW ID IS STOLEN
Common ways to obtain personal information include email or
. Thieves are looking for
v. dis·card·ed, dis·card·ing, dis·cards
1. To throw away; reject.
a. To throw out (a playing card) from one’s hand.
tax returns, bank records, credit card receipts or other
records containing personal and financial information” (FS-2008-9
(January 2008)). For example, some taxpayers receive email messages
allegedly from the IRS advising them that they are under investigation
or have a refund pending. To get the victim to respond, the email may
threaten a dire consequence (see Exhibit 1 for a typical phishing
message). Often, the recipient is asked to click on a link to access
what appears to be–but is not–the legitimate IRS website.
The IRS does not send
Not looked for or requested; unsought:
, tax-account related emails to
taxpayers and never asks for personal and financial information,
including PINs and passwords, via email. The IRS advises that
“[s]ince the IRS rarely contacts taxpayers via e-mail, and never
about their tax accounts, taxpayers should be cautious about any e-mails
that claim to come from the IRS” (FS-2008-9). (People receiving a
suspicious email from the IRS are encouraged to report the email by
calling the IRS at 800-829-1040 or forwarding the email to
firstname.lastname@example.org; note in Exhibit 1 how the email uses
“irs.org” not “irs.gov.”)
IDENTITY THEFT DETECTION: HOW IDENTITY THEFT IS CAUGHT
The IRS has several filters that address different issues. These
filters are designed to distinguish legitimate returns from fraudulent
ones and to prevent the
/re·cur·rence/ () the return of symptoms after a remission.recur´rent
of identity theft. If a tax return is
caught by a filter, it is manually reviewed to validate the
taxpayer’s identity. If the IRS identifies a suspicious return, it
corresponds with the taxpayer to verify the correct information.
Alternatively, if a second, unauthorized person is using the
taxpayer’s SSN, the taxpayer may receive a correspondence audit
notice informing the taxpayer that he or she failed to report income
from another (
adj. 1) in error, wrong. 2) not according to established law, particularly in a legal decision or court ruling.
When a taxpayer’s identity has been stolen, the legitimate
taxpayer may be issued a confidential identity protection PIN (IP PIN)
that identifies the taxpayer as the legitimate party using the SSN and
other identifying information. The IRS issues these numbers to taxpayers
who have reported that their identities have been stolen, verified their
identities, and had an identity theft indicator applied to their
accounts. Not all victims of identity theft will receive an IP PIN–the
IRS says that taxpayers who submitted Form 14039, Identity Theft
, and proper documentation or taxpayers whom the IRS has itself
identified as victims will receive them. During the 2012 filing season,
the IRS issued 250,000 IP PINs, up from about 54,000 the year before.
Once the IP PIN has been issued, it must be present and correct on the
specific tax return for which it was issued. For the 2012 tax year, the
six-digit IP PIN is inserted at the bottom of page 2 of Form 1040, to
the right of the taxpayers’ signatures.
If two taxpayers are
married filing jointly
and each taxpayer
receives an IP PIN, the couple should use the IP PIN of the SSN that
appears first on the tax return. Tax preparation software is generally
equipped to ask taxpayers if they received an IP PIN. If a taxpayer is
filing a printed copy of the return, however, this number will not
print, and should be
tr.v. hand·wrote , hand·writ·ten , hand·writ·ing, hand·writes
To write by hand.
[Back-formation from handwritten.]
in the space provided. A request for an
extension or installment agreement using an IP PIN must be made on
paper, but the tax return may still be filed electronically.
A new IP PIN is issued every subsequent year as long as the theft
indicator remains on the legitimate taxpayer’s account. Returns
with an IP PIN are processed more efficiently, in that they bypass the
regular filtering system, and the IP PIN prevents fraudulent returns
from being processed. The IRS began a pilot program in 2010 to mark the
accounts of deceased taxpayers to prevent misuse by identity thieves.
IDENTITY THEFT CORRECTIVE ACTIONS: WHAT TO DO IF AN IDENTITY IS
As trusted financial advisers, CPAs may be asked what to do if a
client’s identity is stolen. The
should consider advising or
helping the client with several steps:
1. For tax and nontax identity theft, report the theft to the
Federal Trade Commission at 877-438-4338, ftc.gov/complaint, or
2. File a report with the local police.
3. Close any affected bank and credit card accounts.
4. Inform the credit bureaus and consider putting a
on the accounts (see tinyurl.com/ygwoo2j). A credit freeze restricts
access to credit reports, making it unlikely that thieves can open new
accounts in the client’s name. Credit freeze laws vary from state
5. If personal information is lost or stolen during the year,
contact the IRS Identity Protection Specialized Unit at 800-908-4490,
and complete Form 14039, if necessary. Expect to be patient, though. The
National Taxpayer Advocate noted in her semiannual report that
“this unit has been unable to answer about two out of every three
calls it has received from taxpayers so far this year. At times during
the filing season, it was answering only about one out of every nine
calls it received–and those who managed to get through waited an
average of over an hour to speak with an employee.”
6. Respond to all IRS notices immediately, using the name and
number printed on the notice.
7. Tax preparers should ask their clients if they received an IP
IDENTITY THEFT PREVENTION TECHNIQUES
Since identity theft is so prevalent and growing, a CPA may
consider providing general preventive advice through newsletters,
websites, and other communications. This advice may include:
1. Have clients arrange for masked SSNs where possible, e.g., on
insurance cards, so that client SSNs are closely protected and
circulated as little as possible.
2. Watch credit reports from the three major credit bureaus;
consider offering this as an off-season service or adding a timely
reminder with contact information to the firm newsletter. (Contact
details for the fraud departments of the three major credit bureaus are:
Equifax–equifax.com, 800-525-6285; Experian–experian.com,
888-397-3742; and TransUnion–transunion.com, 800-680-7289.)
3. Advise clients to forward all information appearing to be from
the IRS promptly and to not click on links or open attachments from
emails claiming to be from the IRS.
4. Advise clients to safeguard their Social Security cards, store
them in a safe and secure location, and not discard any documents with
an SSN on them.
5. Advise clients to resist giving businesses an SSN or other
personal information just because they ask for it; often it is not
Medtalk The spread of a pernicious process–eg, CA, acute infection Oncology Metastasis, see there
of SSN information is risky.
6. Advise clients to protect financial information by investing in
and using a shredder before discarding documents.
7. A taxpayer should secure personal information in one’s own
home. For example, copies of tax returns can be kept in a locked file
cabinet or safe.
8. Taxpayers should protect personal computers by using firewalls
and anti-spam or anti-virus software, updating security patches, and
regularly changing passwords for internet accounts with sensitive
information, such as online banking sites.
CPAs may be able to take additional preventive steps for tax
returns, where the client is cooperative:
1. File clients’ returns early if possible.
2. E-file returns to be notified of duplicate return notices more
3. Consider truncating or
1. The concealment or the screening of one sensory process or sensation by another.
2. An opaque covering used to camouflage the metal parts of a prosthesis.
SSNs on Forms 1098, 1099, and
5498 consistent with Notice 2011-38.
4. Communicate with the client to change client expectations:
Refunds might take longer in future years as additional system security
steps are taken.
5. Finally, CPAs with new online clients should be very careful to
confirm the identity of those new clients, so that an identity thief
cannot trade on an unwitting CPA’s credibility in filing false
CPAs can find additional information at:
* IRS website (tinyurl.com/9y791hl), and
* IRS resources including the Taxpayer Guide to Identity Theft
page, available at tinyurl.com/9gvyxtv, or the Identity Protection page,
available at tinyurl.com/9y2qrrp.
Authors’ note: The authors thank the AICPA IRS Practice and
Procedures Committee for help with this article.
* Tax-related identity theft is a growing problem that requires
CPAs to learn how to help clients who are victims and how to help
clients avoid becoming victims.
* Identity thieves use taxpayer information obtained illegally,
sometimes by email or telephone phishing, or by Dumpster diving.
* Identity thieves often file returns early before a legitimate
taxpayer has had a chance to file and before the IRS has received Forms
W-2 and 1099 to match with returns.
* Once an identity is stolen, a number of steps can be taken to
* The IRS issues special taxpayer identification numbers to victims
to allow them to have their future returns processed without undue
* There are a number of preventive steps CPAs can advise their
clients to take to avoid becoming victims of identity theft.
Valrie Chambers (valrie.chambers@ tamucc.edu) is a professor of
accounting at Texas A&M University–Corpus Christi. Rabih Zeidan
(email@example.com) is an assistant professor of accounting at
Texas A&M University–Corpus Christi.
To comment on this article or to suggest an idea for another
article, contact Sally P. Schreiber, senior editor, at sschreiber@
aicpa.org or 919-402-4828.
* “Preventing Identity Theft Throughout the Data Life
Cycle,” Jan. 2009, page 58
Use journal of accountancy.com to find past articles. In the search
box, click “Open Advanced Search” and then search by title.
* “Identity Theft and Fraudulent Tax Returns” CPA
Insider, June 11, 2012, tinyurl.com/cul9ead
* “Identity Theft: What Is It and What Is the IRS Doing About
It?” Tax Insider, Dec. 8, 2011, tinyurl.com/7xubnvc
Sign up for the AICPA’s Insider e-newsletters and view back
issues at cpa2
* The CPA’s Handbook of Fraud and Commercial Crime Prevention
* Silent Safety: Best Practices for Protecting the Affluent
For more information or to make a purchase, go to cpa2biz.com or
call the Institute at 888-777-7077.
The Tax Adviser and Tax Section
The Tax Adviser is available at a reduced subscription price to
members of the Tax Section, which provides tools, technologies, and peer
interaction to CPAs with tax practices. More than 23,000 CPAs are Tax
Section members. The Section keeps members up to date on tax legislative
and regulatory developments. Visit the Tax Center at aicpa.org/tax. The
current issue of The Tax Adviser is available at thetaxadviser.com.
Member Section and
n post facilitation stretch; therapeutic approach utilized during proprioceptive neuromuscular facilitation in which the patient begins the stretch midway between the fully relaxed and fully stretched position and uses maximum level of effort to
Membership in the Personal
provides access to specialized resources in the area of personal
financial planning, including complimentary access to Forefield Advisor.
Visit the PFP Center at aicpa.org/PFP. Members with a specialization in
personal financial planning may be interested in applying for the
Personal Financial Specialist (PFS) credential. Information about the
PFS credential is available at aicpa.org/PFS.