Jan. 31 marked the start of the 2014 tax filing season, and if you haven’t yet started working on your returns, here’s another reason to get motivated: Tax fraudsters and identity thieves may very well beat you to it.
According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.
There are countless shops in the cybercrime underground selling data that is especially useful for scammers engaged in tax return fraud. Typically, these shops will identify their wares as “fullz,” which include a consumer’s first name, last name, middle name, email address (and in some cases email password) physical address, phone number, date of birth, and Social Security number.
The shop pictured above, for example, caters to tax fraudsters, as evidenced by its advice to customers of the service, which can be used to find information that might help scammers establish lines of credit (PayPal accounts, credit cards) in someone else’s name:
“You can use on paypal credit, prepaid cards etc. After buying try to search by address and u can see children, wife and all people at this address,” the fraud shop explains, advising customers on ways to find the names and additional information on the taxpayer’s children (because more dependents mean greater tax deductions and higher refunds): “It’s great for tax return method, because u can get $$$ for ‘your’ children.”
This particular service is not unique; it currently offers fullz information on more than 13,000 U.S. citizens. As such it is just an example, and a small one at that; in 2011, I wrote about a similar “fullz” service called Superget.info, which sold information on hundreds of thousands of Americans — if not millions. In October 2013, I reported that this same Superget.info service actually bought its information from a company that was purchased by Experian, one of the three major credit bureaus.
If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.
That process is likely to involve the use of taxpayer-specific PINs for people that have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such a drivers license or passport.
The Federal Trade Commission recently held a Tax Identity Theft Awareness Week to raise public awareness on this issue. Check out the FTC’s homepage on this for additional resources and information about this increasingly common form of fraud.
I have everything ready and would love to file my taxes today. Unfortunately the IRS won’t have Form 8960 ready until February 13th so I have to wait until then. Ridiculous! I hope the crooks don’t beat me to it.
Congratulations on having income high enough to need Form 8960. 🙂
Hopefully the FBI will track down these rascals soon…like they did with that Ngo character.
We really do need to start publicly executing the sorry meatbags that steal people’s identities. There’s too little consequence as it stands now.
Hell, just have a couple of the rightful identity owners afforded the opportunity to pull the trigger. I’m all for their being very permanent solutions to these crimes.
As much as I hate to admit it, and suggest even more cumbersome regulations, congress needs to tighten victim’s rights in these ID theft cases. All the damage control rests with the victim, who was completely innocent 95% of the time.
Maybe they need to make credit monitoring the law, and make the financial industry pay for it! I say this especially since the Experian case. If these agencies can sell our data to any Tom, Dick, or Harry on the block, then let them deal with the circumstances!!
I’m sure many are even more peeved than me at this point – especially after the Target debacle – but even that one is just the tip of the ice-berg I’m afraid! >:(
This seems like a very easy problem to solve. It’s been around for ever. What’s the holdup?
It should be extraordinarily easy for the IRS to compare signatures from several years electronically and bounce the return if there’s no match. Similarly data mining can compare the address for the refund with the address on the W-2, 1099s etc. Any discrepancies cause a reject. Direct deposit bank account submissions can be equally easy to validate.
I fail to see why the IRS can’t put in simple checks to safeguard both the process and the public.
Regarding IRS security, as long as there is no penalty for lack of security, there will not be any money spent on security.
It does not really matter which company is neglecting security; as long as they are not liable for the results, there will be very little monies spent for security.
Unfortunately, this is not true.
There are millions spent every year by the IRS alone on “information security”.
… and yet, here we are, having this conversation…
I’m not sure what “signature” SolutionFinder is talking about. Are you talking about some sort of Bayesian analysis of the returns? Or are you talking about actual written signature? I don’t think I’ve signed a tax return in years.
There is no physical signature when the return is filed electronically, and your address matching solution would catch too many false positives. People do move from time to time between filing annal returns. ID thieves have proven how easy it is to setup a joint account with someone using the victim’s ID. The Direct Deposit goes in under the victim’s name and is withdrawn by the thief sharing the joint account.
Find better solutions next time.
Except that we file electronically now and there isn’t any signatures on the forms.
How can someone file a return for a refund without a W2, 1099, etc.? Or are people taking the unearned income credit being targeted?
Pretty easy, I would imagine- pull down the relevant data for an individual, bounce it against the auto-retrieve systems that some of these programs use to pull your W2 down electronically, and there you have it.
I would like to add some context. Tax return fraud has been a problem that is growing rapidly. The IRS has been diverting more resources into the problem.
But given the declining budget allocated to the IRS, every dollar taken to identify theft division is taken from somewhere else such as the IT department, call centers or auditing.
Ideally the IRS should overhaul their systems and implement data mining techniques but it is easier said than done given the dearth of talented IT managers needed to carry out a successful undertaking. The IRS has only recently implemented relational databases something that should have been done way earlier.
People move. Electronic returns are demanded by the public, yet not possible to sign- and since the TinFoilHat crowd thinks it’s t”ZOMG TEH MARK OF TEH BEAST!!”, you can’t even have a cryptographic national ID card which would enable a high degree of certainty as to the filer’s identity.
The latest debacle foisted upon us- the “Affordable” Care Act – is going to basically be one huge honeypot of data for these fraudsters… and not in the “you think it’s a mother-load of data, it’s actually a tarball with which to catch you” manner, but a “everything the indiscriminate criminal needs, laying on an unprotected server in clear-text” way….
This was exactly my thought.
And I’m glad to know that the IRS–so good at persecuting people for their political beliefs, and soon to be very good at tracking down anyone who wants to avoid the ACA–is also very good at handing out money to fraudsters. That seems to be de rigueur for ANY federal program these days.
Regarding purse and wallet theft/pickpockets and subsequent stolen identities, this is advice I was given years ago:
Keep your Social Security card at home, unless you’re going to be involved that day in a transaction that needs it – such as when you’re about to start a new job. The only time your card should be in your wallet is when you absolutely need it.
The same rules apply for a checkbook and department store credit cards that you don’t use every day. I have a second wallet I keep at home, and when I need to write a check, or I need those credit cards for a day – Walmart card, etc, I take it out of that wallet and put the card into the one I carry with me.
There’s almost nothing individuals can do about online identity theft and the reselling of our personal information, but at least you can control what happens with what’s inside your wallet.
It’s unfortunate that the IRS will not take proactive steps to prevent filing of false returns, by issuing PINs in advance of identity theft. I’d be willing to jump through a few bureaucratic hoops to get a PIN and know that my return was much better protected.
The IRS could also simplify and speed up the process for people whose refunds have been hijacked. At present, the victims face an unnecessarily tough slog to get the refund to which they are rightfully entitled.
George wrote: “How can someone file a return for a refund without a W2, 1099, etc.?”
Work for some branches of government and your salary info is public record (and freely searchable on news sites.) I work for the state of NC and our salary info is searchable by name or title. Filling in guesstimates for the other fields on a W-2 isn’t too hard once you know roughly what someone makes.
The IRS should be able to match signatures as SolutionFinder said. They should be able to match W-2 and Form 1040 addresses. They should be able to note if a certain SSN is used in more than one area (this should go hand-in-hand with E-Verify). They should be able to verify the address with the credit agencies. They should verify that the number of children is not impossible (multiple births since last filing or multiple adoptions without the paperwork for them). And so on.
By the way, Brian’s story is a reason why people should not arrange their taxes so they will receive a refund; arrange them so you will have to pay a little.
While I agree with you in theory, I’m pretty sure if someone is willing to commit this level of fraud that they wouldn’t mind taking the extra step of filing a fraudulent return to increase the size of the refund. Even if you arranged to end up having to pay a little, with falsified deductions that little payment could end up being a refund.
Just do like Mitt Romney and stash all your earnings in the cayman islands.
Or, if one prefers, the Kennedy clan which makes use of ‘trust’ funds stashed how many places; try figuring the ‘tax’ they pay each year on disbursements from that …
Actually its pretty easy to determine, since trust funds are required to report all disbursements.
I personally don’t have one, but I’ve known a couple people who did, and they most definitely had a little form to attach to their tax return each year they got a disbursement.
Yep! The K1 form, as it comes from schedule K.
Years ago, I read that Medicare was supposed to give recipients a new ID number in lieu of our present Social Security number. What happened to that idea?
I carry my Medicare care with me because of doctors’ visits and frequent trips to the ER.
Interesting that the IRS has recommendations on the protection of my SSN, but they include it on _every_ piece of snail mail correspondence that I receive from them. If you look, you’ll even see that they ask you to write it (along with the tax year and form number) on any payment that you send in to them.
This may have been fine in 1980, but isn’t a change WAY overdue? How have they not come under very intense fire for this practice?
They ask for tax ID and form number so they know where to apply the payment if the check gets separated from the payment voucher.
Don’t like that? Enroll in the Electronic Federal Tax Payment System. https://www.eftps.gov/
As a tax preparer (Enrolled Agent) I found this post especially interesting. Good accuracy for a non-tax-focused writer. This topic looms large in the tax prep world; you might find it fascinating, Mr. Krebs.
I’ve heard of cases where police found ID thieves camped out in hotel rooms with laptops, TurboTax, and a list of those “fullz” you mentioned.
In another case, ID thieves killed a mailman to get his mailbox master key and swipe tax documents from mailboxes.
Or, tax prep offices have had their computers stolen, for a trove of taxpayer info and an Electronic Filing ID Number. (Makes me use TrueCrypt on my tax computer.)
The IRS has a Criminal Investigations Divison; its officers have badges, guns, and arrest powers. NOT a good day if those guys show up at your door. And they do get out fairly often:
In response to ideas for fixing IRS’ ID theft problem:
A big issue is that the IRS’ return processing units have been told for years that their mission is to get tax refunds out as fast as possible. As returns stream in by the millions for about 3 months of the year, there is only time for doing the most basic validations without having taxpayers get anxious waiting for their refunds. Their computer system isn’t so hot, either – it might still be using magnetic tape some places.
Another thing: the IRS cannot compare and verify documents it doesn’t have yet. The 1040 season starts in January. The deadline for sending W2 and 1099 forms to the gov’t can be as late as the end of March. (Deadline for giving them to recipients is end of January.) And W2 forms go to the Social Security Administration, not the IRS.
Eventually, the IRS does do all of the suggested verifications, and then sends out letters beginning the process to reclaim improper refunds. (Except ID thieves use bad addresses, and probably had the refunds issued to reloadable debit cards via direct deposit.)
And kudos, Mr. Krebs, for knowing about Form 14039, the identity theft affidavit. Unfortunately, so do ID thieves. An IRS Criminal Investigations Division officer at a seminar once said he’s seen ID thieves file the 14039s themselves. And then another tax return, and then another 14039… after the 3rd time, the IRS refuses the 14039. Poor taxpayer; getting that situation fixed is going to be painful.
Here’s how bad it can get:
Well..I guess if you’re referring to how badly some CPA’s website can get hacked.. You’re certainly right –> http://dinesentax.com/3993/taxpayer-identity-theft-part-18
Click it, if you dare…..
What? I must be missing something. I have been to that site often. And checked the page before posting; nothing seemed unusual.
That link, when viewed in Firefox using the Noscript plugin shows that someone has planted a bunch of keywords and links related to well known Pharm scams. Its basically black hat SEO. At best, that’s all there is and it should be easy to fix. The scary part is that possibly the credentials for administration of the site have been stolen. Who knows how it happened, there are so many possibilities (hopefully just a weak password.) The bad news is that search engines pick up on this sort of shenanigans and the page rank (which should be high for this kind of quality information) will suffer. So, you might want to let this fellow know.
Bill is correct. The illicit search terms do not get rendered when viewing normally through a browser, but when you view the “source” you see them.
That page was definitely compromised.
The website developer says the site wasn’t hacked. Rather, one of the plugins they use got compromised, and then put out an “updated” version that added all those links. Desperate, those pharma people are.
I am a victim of ID-theft related tax fraud, and yes I am familiar with 14039 (now) although my tax preparer was not. For this year’s return the IRS sent a PIN number that they’ve instructed me to add to my return when I send it in. Not sure if this will help. Hopefully this year, I’m not on their (the ID thieves) list.
A lot of prison inmates do this type of fraud, I mean they have a lot of time on their hands.
By the way, I’ve seen a few collections of “fullz” complete with the address, social security number , birthday ,and credit card information. I don’t get it, people will just hand over all their information without even thinking about internet fraud or the consequences of social engineering.
I would think a lot of the information that come from sites like Superget.info, must come from phishing scams.
For those of us from outside the US, can someone explain how this works? Where I come from your tax handling typically consists of the tax department sending you a notification saying “here’s what you earned this year, here’s how much tax was deducted, see you next year”. For people who have a more complicated return than that, you fill it in online and have the option of having any refund credited towards next year’s return, or paid into your bank account, from which the transaction can be reversed if fraud occurs. So where’s the flaw that’s being exploited?
All right, you asked for it.
The United States has 535 members of Congress who love using tax law to do all sorts of things besides raise money to run the government. Want to discourage certain behaviors? Tax them. Want to promote certain behaviors? Give tax benefits for them. Welfare programs, educational incentives, housing policy, industrial policy, alternative / efficient energy “green” programs, and now health care – it’s all in there. As a result, the US tax system is a mess. It gets more complicated by the year, and anyone who gets benefits never wants to give them up. This stymies any attempts to simplify things.
First, the Social Security number. Originally developed as an account number for USA’s national pension plan, it has effectively become a national ID. Every tax agency relies on it heavily to track incomes, taxes, and payments. It’s very difficult to do anything financial-related without the SSN, because any financial institution can be responsible for reporting transactions to the IRS – requiring the SSN.
The USA has some of the same tax system you describe. Employers hold back part of their workers’ paychecks and send it to tax agencies like the IRS to prepay the workers’ tax. But the withholding rate is not fixed. To some extent, workers can specify how much tax gets withheld – even zero if they didn’t owe tax last year and expect the coming year to be the same. Or they can voluntarily increase withholding, if they expect a big tax bill for some reason. At the end of the year, employers give workers a W2 form showing how much they were paid and how much tax was withheld. If more tax was withheld than owed, the worker gets a refund.
With e-file software, the user can key in the numbers from the W2 form. It is entirely possible for a taxpayer to enter a larger-than-actual withholding amount and claim a big refund. Since the tax agencies might not have usable data from the W2 form until weeks after the taxpayer claims the refund, they have no way of verifying it. So they issue refunds first and ask questions later.
Former head of IRS, Commissioner Doug Shulman proposed a “real-time tax system,” to immediately verify taxpayer data. But people who work near or within the IRS know that’s just a dream. One well-experienced IRS agent speaking at a seminar I attended responded to that idea with sardonic laughter and said something like, “It will not happen within in our lifetimes.” Why is it so hard? See healthcare.gov. Multiple gov’t bureaucracies (with political agendas) have massive and diverse legacy computer systems, and insanely complex business rules, all of which must play nicely together.
But the real culprits for tax-related ID theft are things called “refundable tax credits.” Again, the US Congress uses tax benefits to promote certain behaviors. Some of those benefits can generate a refund even if no tax is due and no tax payments were ever made.
Case in point: the Earned Income Credit (EIC.) This is a social welfare program done via tax law. People with certain situations and income levels qualify for payments from a welfare program like Temporary Assistance for Needy Families. (http://www.acf.hhs.gov/programs/ofa/programs/tanf/about) Since those payments are not taxed, and wages from employment would be – the 7.65% pension/medical-progam payroll tax at least – people in those programs can have a reduced incentive to find work.
The EIC program is basically a “negative tax,” saying “Thank you so much for going out and getting a job; here’s a tax refund check.” The credit is paid on a bell curve with low incomes not getting much and then tapering off as income goes higher. For the 2013 tax year, a married couple with 3 children and an annual income in the $13,000-22,000 USD range can get a “tax refund” of $5,891 – far exceeding the $1,600 or so of payroll tax they’d have paid. This is the part where ID thieves try to find dependent children to claim, as shown in the above article.
Not just ID thieves, either: other fraudsters carefully craft tax returns to max the credit. They succeed to the tune of ~25% of the payments made under the program, over $13bn USD. http://www.treasury.gov/tigta/press/press_tigta-2013-33.htm
And not just the EIC progam – any refundable credit will do. Look up the First Time Home Buyer’s Credit for another prime example. Fill out a form properly, and the gov’t will send money. That attracts fraud every time.
Here you have the picture; this is what I heard from IRS CID agents at a seminar once. ID thieves get enough personal info – most importantly the SSN – to file a tax return via e-file software, using a fake mailing address. They enter data for a fictional W2 form with a large withholding amount, and elsewhere enter the proper numbers on the proper forms to maximize all available refundable credits. They enter direct deposit info that routes to a reloadable prepaid debit card and visit an ATM after their refund is available. They continue the process until their supply of personal info runs out or IRS CID agents show up. Even organized crime has done this; it can pay as-well-or-better than drug dealing ($5,000 USD or so for maybe 20 minutes effort of a fast typist) and has much lower chances of being shot by rival gangs.
Need a job? Have financial and/or law enforcement skills? IRS CID is probably hiring.
Wow, I had no idea. Thanks for taking the time to write all that up.
khigh did a good job of covering the reasons that money is available.
I’d like to cover the other side: why the government doesn’t have sufficient information to validate the return.
1. Some countries issue a national ID (some even include PKI which could be used to sign transactions)
2. Some countries require you to inform them of your current address of residence and update them whenever it changes.
3. Some countries may require all bank accounts to be registered.
4. Some countries may require you to register all names that you use.
The US does none of these. (Johnathan Doe can do business as John or Johnny Doe, and a bank will happily deposit a check to him under all of these names, even J. Doe. )
While individual agencies may have some information about you, it’s generally confidential between you and the agency for whichever purpose indicated by the agency. The Department of Veterans Affairs may have your information, or the Selective Service Agency, but it’s not available to the IRS.
The IRS is encouraged and encourages the use of Bank Routing information to enable an Electronic Funds Transfer for the refund, instead of a paper check (in the past, thieves would break into mailboxes and steal these…).
Unfortunately, I don’t think that banks do much validation of ETFs. They will check things when someone complains, and if the amounts exceed some limit, they may be required to file a report, but I don’t think that the name on the transaction is important.
Since the fraudsters receive the money in the accounts, they won’t complain to the banks. And since the IRS is required to keep the tax records private, they can’t share them to you when you complain. If they could, then a fraudster would simply file forms claiming that the real person’s filed return was fraudulent and retrieve it for use in new fraud…
I would have thought this would have changed after the HSA 2002, when they made it durn near impossible to fake a snail mail address. I can’t even receive mail that is addressed to my physical location at my P.O. mail box, because regulations deny it, even though the computer data base knows those two addresses co-exist!
The government is totally responsible for this mess and only the government can fix it.
This problem can not be fixed until the government prohibits a single number(SSN) from being used as an ID number, tax number, medical number and financial number.
Each should be a unique ID that can not be used to derive the others.
How does this solve anything? The bad guys just add three more columns to their spreadsheet. And if they can’t discover all four, doesn’t matter. If one number is enough to do something good, it is also enough to do something bad.
khigh, thank you for the link (I just registered).
Wouldn’t you know it, though, I just looked at my January statement again and the first five of my SSN are MASKED! That must be a 2014 “enhancement”…go figure.
Yup. They’re learning.
First five? Area code and group id? How much info would I need to guess those two items. Age and location are already in the list…
It happened to me 5 years ago. Was a nightmare getting it sorted out. Now the IRS sends me a unique filing PIN each year via post.
Imagine that, thieves (malware thugs) robbing thieves (the IRS).
Too bad the tax paying public picks up the final bill.
We have a fundamental and pandemic problem in the current state of information security. As I see it (though I have not formally done it), if we model the security used in digital transactions, the mathematics shows it’s broken.
In order to personally identify ourselves, we have to give out PII. The problem is: each time we transfer such information, we loose direct control of that same information–it becomes less personally identifiable (it looses trustability). At the barest of minimums, the person we just gave the information to can now identify themselves as us in a similar transaction. If that information is stored anywhere which is not perfectly controlled by the sole individual (the one identified), then miscreants of all sizes and stripes can exploit it for their own self-interest. The American SSN is a very obvious case in point.
But, on the other hand, if the PII, as we’ve implemented it, isn’t known by both sides of a transaction, then it does not identify.
It used to be we all lived in small towns with porches. And the thing you carried around with you to verify who you were was something you couldn’t forge nor give away. It was your face. And transactions were based on trust and the integrity of one’s character. Over time, these became known in the community’s mind. And so trust and integrity, or the lack thereof, became identified with that face. The PII, if you will, was community recognized, but inseparably part of who a person was.
Somehow or other we think we can model such things with bits and protocols, and constrain these transactions to individualized relationships.
I’m not sure an equitable solution lies in that space, especially within a digital, global economy predominately controlled by large institutions. Since it’s a fundamental failure, any “fix” is nothing more than wrapping ever increasingly expensive non-solutions around an inherently broken design. A hell we do not want.
“Lasciate ogne speranza, voi ch’intrate” (“Abandon all hope, ye who enter here”).
It’s an interesting problem, and I can’t see how we can ever implement a good solution because politicians will necessarily be involved. They’re just too self-serving. Look how they’ve mangled the simple notion of requiring a voter to present an authoritative ID in order to vote, to ensure that the correct person is voting, is eligible to vote, and will vote exactly once. This sound idea has been turned into a circus of political pandering with all sorts of non-related or marginally-related issues dragged in. Suddenly it’s about money, discrimination, human rights, life, liberty, and the pursuit of happiness. (Did Frank Luntz switch sides and start advising the Dems?) It seems most politicians are making careers in politics, thus securing votes are their highest priority. I don’t see how they can be trusted to promote technically innovative or even sound ideas. Look at the health care web site. The developers had four years to work on it. It could have been state-of-the-art, efficient, and secure. What the heck happened?
You’re totally, %100 right. If it’s left to the politicians, it’ll just be more of the same, or worse.
That leaves it to us, pointing out (and i’m not talking about immigration or voting here) that these issues are more than just a nuisance. They are actually matters of national security. As someone astutely pointed out (and I forget who, so my apologies) “The Venn diagram of Russian organized crime and Government almost completely overlap.”
Right now, Brian has been covering the BIG, multi-million users affected, type exploitations. But, for every one of those, probably thousands more exist shooting their thin, black tendrils into the very heart of our daily financial lives. Economic sabotage, while not as sensational as explosions and gore, are every bit as damaging (and perhaps more) to our country. If a Nation State, or perhaps an alliance thereof, were to wage all out electronic war on this country…. Well, let’s say I don’t have much faith in WinXP and SCADA systems to keep us safe.
Mr. Sangrey – Interesting point. In addition, biometrics solutions won’t help…if they are lost or stolen, how will we reset our own attributes…impossible.
Hey Brian, another great article and an interesting read even for a non American. Just fyg, the embedded hyperlink to the ‘IRS form 14039’ at the bottom is broken. The title is fine but the ‘href’ is missing an ‘f’ at the end of it.
The fraudsters hit my mom a couple years ago. I’ve just received my last W2 and I’m preparing to file my taxes as quickly as possible. What bothered me the most about my mother’s situation was the lack of support she received. It seems like there’s nothing in place to help individuals when they’ve been frauded and left without the money they’ve worked for. A simple “I’m sorry” and “Well I don’t know what to tell you” isn’t good enough. It then took an additional four months for her to receive her money because they accidently “wrote the wrong address”.
Next year I’ll be filing the day of.
@times i think the moslems have it right with the chopping of of hands, then feet and then heads for crimes like theft… Broadcast it live and watch the crime figures fall!!!
Isn’t there a history story somewhere about Britain having pickpockets doing their thing in a crowd of people watching someone being hung for picking pockets?
Hello Brian, I have sent you a personal email. Please take your time reading it. I’m on same page as you, I feel it very interesting to be following these people back in their neck. I have been doing this since my identity got stolen 3 years ago and it has still not been entirely resolved, there is still these “hick-ups” of identity theft. So if you could help me would mean a lot to me. Just respond on the email and I would be more than happy. Since my concern is not about the money I lost, It’s about to do what’s right.
I assisted someone who was a victim of this type of fraud and it took about a year to get the case resolved with the IRS and to get the person’s tax records corrected so they were no longer listed as deceased. Apparently they are overloaded with such fraud cases and do not that the staffing to handle the load.
I was pretty amazed to discover that anyone can send in a change of address notice to the IRS and no verification is required to make the change, but if you are the victim of such a change, you will need to provide multiple forms of verification and wait a very long time to get it changed back.
The FBI used to spend million sending out forms and instructions which they’ve all but stopped because so many are using software. Why can’t they take some of these savings and every year send a letter to taxpayers with tax information and their own private pin to verify refunds and other communications with them? It will cut down on the fraud and the lack of a pin would require further verification before a check is sent. Just like banks the IRS is being penny wise and pound foolish with security, besides the post office needs the business.