By Laura Saunders
Robert Scott Jack took precautions most people never dream of to
prevent tax identity theft.
Mr. Jack, a retired federal cybersecurity expert in Alexandria,
Va., who now works as a consultant, shunned online tax-preparation
programs that store data on the Internet. He researched the
security features of different software programs and opted for a
packaged--not downloaded--product. He checked the package for signs
of tampering before loading it into his secure home computer.
Yet soon after he tried to electronically file his federal tax
return through TurboTax on Feb. 14, the company told him it been
rejected because someone already had filed using his Social
Security number.
"I was disappointed and frustrated," Mr. Jack says. He knew that
"sweeping up the broken glass" would take three days of scrambling
to lock down financial accounts, plus many more months of waiting
for resolution.
Plenty of other taxpayers are feeling the same frustration.
In early February, a surge of fraudulent state tax returns
forced Intuit, the maker of TurboTax--by far the most popular
tax-prep program--to suspend state e-filings for 24 hours.
Several states, including Utah, Kentucky, North Dakota and
Minnesota, suspended processing returns for a few days. State
officials were alarmed because many of the false filings included
data apparently drawn from taxpayers' 2013 tax returns.
Since then there have been many reports of fraudulent federal
returns linked to TurboTax that also apparently used 2013
information.
Both the Federal Bureau of Investigation and the Internal
Revenue Service's criminal division are probing the issues at
TurboTax, according to a person familiar with the matter, and
Congress is looking into them as well. A spokeswoman for Intuit
says the company isn't the target of an FBI investigation, and
Chief Executive Brad Smith says that the company hasn't had a data
breach.
Much remains unclear about this year's rash of fraudulent
filings--especially how they compare in size or success to others,
or whether they affected a disproportionate number of TurboTax
users.
While the IRS publishes little data on tax identity theft,
information released by others points to a serious issue. According
to Government Accountability Office reports, the IRS lost an
estimated $5.8 billion to fraudulent refund claims in 2013, the
most recent data available, while blocking about $24 billion in
attempts. In 2013 there were almost 2 million suspected taxpayer
identity theft incidents, compared with about 440,000 in 2010,
according to the Treasury Inspector General for Tax
Administration.
Curbing this type of theft may require multiple efforts by
businesses, the IRS and Congress, says Neal O'Farrell, a
cybersecurity specialist at the Identity Theft Council, a nonprofit
advocacy group in Walnut Creek, Calif. But there are steps people
can take to help prevent tax identity theft--and to cope after it
happens.
Ask for an IP PIN. The IRS issues victims of tax identity theft
a six-digit Identity Protection PIN for use in filing returns once
cases have been resolved. Returns can't be filed without the
number, and the taxpayer receives a new one every year.
But you don't have to be a victim to obtain such a PIN. Starting
this year, an IRS pilot program is giving PINs to people who filed
federal returns as residents of Georgia, Florida, and the District
of Columbia last year. (These are the areas with the highest
percentage rate of tax identity theft.) To get one, apply at
www.irs.gov.
The IRS also recently sent letters offering PINs to about 1.7
million people who were selected because the agency had seen
suspicious activity in their accounts.
In addition, people who are potential victims of identity
theft--be it from a stolen purse or a data breach--can notify the
IRS by filing Form 14039, "Identity Theft Affidavit," and checking
Box 2. The IRS may or may not grant a PIN, but filing the form
could qualify taxpayers for other heightened security measures,
according to an IRS spokeswoman.
Andy Mattson, a certified public accountant at Moss Adams in
Campbell, Calif., hasn't been a victim of identity theft. But he
received a PIN from the IRS after a 2012 data breach of South
Carolina's tax system exposed the information of 3.8 million
individuals, including his--because he prepares corporate tax
returns filed there.
Mr. Mattson urges everyone who is at risk to file Form 14039.
"It only takes a few minutes and could save many hours of your time
or a professional's," he says.
Shun email links and attachments. Realistic-looking emails can
harbor malware that could steal your information--a practice known
as phishing. The massive South Carolina data breach, for example,
occurred after state tax employees opened links in phishing emails,
according to an official report.
Experts say it's unfortunate that many legitimate offers from
financial firms come with embedded links. "Marketers are looking
for reactions they can measure, but as a result consumers become
less cautious and fall prey to malicious emails that seem real,"
says Mr. O'Farrell, who also advises consumer-credit firm Credit
Sesame. Instead of clicking a link, he says, enter through the
company's website.
The IRS reminds taxpayers that it never initiates contact by
email, text messages or social media.
Stay proactive. As of now, there is no way to find out if
someone has already filed a tax return using your Social Security
number until you send in your own. Filing early can beat thieves to
the punch, but taxpayers with investments or complex returns often
must wait for paperwork to arrive.
Meanwhile, practice cyber-hygiene--especially in the wake of
data breaches such as the massive one at health insurer Anthem,
which may have exposed the sensitive personal information of nearly
80 million people, according to the company.
"There's so much stolen information out there now, and it's all
for sale, " says Mr. O'Farrell.
Experts advise using strong passwords and changing them
frequently. Update computer applications, especially antivirus
software, and make sure that Wi-Fi access is
password-protected.
If you prepare your own taxes using a commercial product, make
sure your personal information is accurate when you log into the
account--especially the bank account number listed for direct
deposit of a refund. Inaccurate information could be a telltale
sign of a fraudster.
Be careful with paper mail, especially during tax season, when
sensitive documents arrive. Guard against theft of such documents
and be careful when disposing of them, as thieves can make use of
partial information such as a date of birth or bank account
number.
Think twice before paying for ID-protection services, experts
say. Typically they don't claim to prevent tax identity theft,
which is the most common type of such theft, according to Federal
Trade Commission statistics. Most services actually help more with
recovery than prevention.
What about filing a paper tax return? That may not help either.
If thieves can get your Social Security number and other
information via another source, they can still file a false return.
An e-filing rejection notice from the IRS is often the first sign
of identity theft, Mr. Mattson says, so the extra time it takes to
process a paper return delays the discovery and could compound the
damage.
If you are a victim, act fast--and then plan to wait. The IRS
has a list of steps for victims to take at www.irs.gov before
calling the agency. They include filing a police report, an
affidavit with the IRS and a complaint with the Federal Trade
Commission; contacting one of the three major credit-reporting
companies to place a 90-day fraud alert on your credit records; and
closing any fraudulent accounts opened in your name.
Victims may want to impose a credit freeze with the
credit-reporting firms, which can prevent extensions of credit
using their identity. They should also file their tax returns on
paper, the IRS says.
After taking these steps, Mr. Jack contacted the firms holding
every financial account he and his wife had, including pension and
401(k) plans. He didn't close the accounts, but the sponsors did
issue fraud alerts and in some cases added an extra layer of
security.
Victims say the mad dash to deal with tax identity theft
typically takes two to three days, followed by a long wait while
the IRS completes its investigation. How long? A spokeswoman for
the agency say 120 days is the norm, but Mr. Jack and other recent
victims say they have been told to expect resolution in 180
days.
In complex cases, the wait can be longer and the process more
frustrating. National Taxpayer Advocate Nina Olson has chided the
IRS because taxpayers in such cases don't have a single contact
person within the agency, among other issues. Taxpayers "shouldn't
have to navigate the maze of IRS operations, recounting their
experience time and again," she said.
In response, the IRS says that the current system allows
taxpayers to get help when they need it and doesn't depend on a
particular employee's availability.
Tax refunds aren't paid until a case is closed, which is one
more reason to minimize them by not having too much money withheld
from paychecks.
Urge Congress to act. Top lawmakers in both the House and Senate
are probing this year's spate of tax identity thefts, and the
Senate Finance Committee is expected to focus on them in a hearing
on tax scams in March.
Experts say the fraudulent-filing epidemic is partly of the
government's own making, because easy e-filing and rapid
refunds--both priorities in Washington--also offer myriad
opportunities to criminals. The IRS often doesn't get wage data
until late spring, long after many tax refunds have been paid, so
it is at a disadvantage.
Legislation is required, however, to change key elements of the
current system, such as speeding up data delivery or allowing
employers to mask a portion of an employee's Social Security number
on a W-2.
The IRS, which has had its budget cut by $1.2 billion over the
past five years, recently estimated that $82 million more spent on
identity theft prevention could save nearly $1 billion in revenue
by 2018.
Keep perspective. Experts say tax identity theft can actually be
one of the least harmful types of identity theft. Although the
process is painful and slow, taxpayers can work out their problems
with the IRS.
Far more difficult, Mr. O'Farrell says, is a rarer type of
identity theft in which a criminal commits a violent crime in
someone else's name, say, or has a string of drunken-driving
arrests. Then the victim "may have to hire lawyers and go to a
state he has never visited to declare to a judge that someone has
used his identity," he says.
Still, tax identity theft is no picnic. Kim Ledbetter, who works
at a Toyota dealership in Paris, Texas, received a letter from the
IRS on Feb. 5 and then learned that someone had filed both a
federal and a Missouri return in his name.
"At first I thought we were being audited," he says, "but this
is much worse."
Email: taxreport@wsj.com
Access Investor Kit for Intuit, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US4612021034