April 22, 2014

An unusual number of physicians in several U.S. states are just finding out that they’ve been victimized by tax return fraud this year, KrebsOnSecurity has learned. An apparent spike in tax fraud cases against medical professionals is fueling speculation that the crimes may have been prompted by a data breach at some type of national organization that certifies or provides credentials for physicians.

Scott Colby, executive vice president of the New Hampshire Medical Society, said he started hearing from physicians in his state about a week ago, when doctors who were just filing their tax returns began receiving notices from the Internal Revenue Service that someone had already filed their taxes and claimed a large refund.

So far, Colby has heard from 111 doctors, physician assistants and nurse practitioners in New Hampshire who have been victims of tax fraud this year.

“I’ve been here four years and this is the first time this issue has come across my desk,” Colby said.

In this increasingly common crime, thieves steal or purchase Social Security numbers and other data on consumers, and then electronically file fraudulent tax returns claiming a large refund. The thieves instruct the IRS to send the refund to a bank account that is tied to a prepaid debit card, which the fraudster can then use to withdraw cash at an ATM (for more on how this works, see last week’s story, Crimeware Helps File Fraudulent Tax Returns).

Unlike the scam I wrote about last week — which involved the theft of credentials to third-party payroll and HR providers that are then used to pull W2 records and file bogus tax returns on all company employees — the tax fraud being perpetrated against the physicians Colby is tracking is more selective.

“We’ve done a broadcast to all of the hospital systems in the state, and I have yet to receive one [victim] name from a non-clinician,” Colby said. “And you would think if it was an HR or payroll issue that at least a couple of administrative, non-clinical folks would have been in the mix, but that is not the case.”

AN EPIDEMIC OF TAX FRAUD?

Colby said he’s heard similar reports from other states, including Arizona, Connecticut, Indiana, Maine, Michigan, North Carolina and Vermont.

Elaine Ellis Stone, director of communications at the North Carolina Medical Society, said her organization has been contacted by more than 100 individual doctors and medical practice managers complaining about tax fraud committed in the names of their doctors and other medical staff.

“We’ve been getting a lot of calls from people who’ve experienced this scam,” Ellis Stone said. “We don’t yet know exactly why this type of crime is surfacing so much this year, but we haven’t seen this kind of volume in years past.”

Ellis Stone said that initially, the medical society thought the tax fraud incidents might be related to Medicare’s first-ever release last week of information on payments to some 880,000 medical providers nationwide. As part of that data dump, the Centers for Medicare and Medicaid Services listed the National Providers Identification (NPI) number of each doctor; NPI numbers are used by the federal government to keep track of physicians for Medicare and Medicaid billing purposes.

She said that when her organization initially reached out to the American Medical Association (AMA) to see if they had any theories about the source of the fraud, someone suggested that the recent release of so many NPI numbers may have allowed thieves to somehow look up Social Security numbers and other sensitive data on doctors. But according to Ellis Stone, those NPI numbers have long been available from the U.S. Centers for Medicare and Medicaid.

Robert Mills, the AMA’s media relations coordinator, confirmed that the association is hearing from state medical societies that tax identity theft seems to be a greater problem this year than in the past. But he stressed that this scheme seems to be targeting professionals generally, not just physicians.

That’s my take on this as well: There may indeed have been some kind of breach of a physician database that fueled this year’s fraud surge against doctors, but my hunch is that we might also see the same sorts of stats being gathered by state organizations focused on other professions. In other words, the incidence of this type of crime is likely off the charts this year.

That said, a story I’m working on for later this week will examine tax fraud schemes committed by a crime gang that appears to be disproportionately targeting employees at several state healthcare organizations.

DOUBLE DIPPING

According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

Tax fraud is an especially insidious form of identity theft because thieves often also create new financial accounts in their victims’ names. That’s because the same information used to file tax returns on someone can be useful in opening up new credit card and loan accounts.

“Some of the docs I’ve spoken with also have received notification that someone is trying to set up new bank accounts in their name,” New Hampshire’s Scott Colby said.

What’s more, victims of tax fraud one year may also find they are targeted by thieves again the next tax season.

Gordon Smith, executive vice president of the Maine Medical Association, said his office has heard from approximately 30 physicians in his state about tax fraud over the past couple of weeks.

“Their stories are all very similar,” Smith said. “I talked to one [doctor] who had this happen to him two years in a row now.”

If you become the victim of identity theft, either because of tax fraud — or due to fraud outside of the tax system — you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.

That process is likely to involve the use of taxpayer-specific PINs for people who have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such as a driver’s license or passport.


66 thoughts on “States: Spike in Tax Fraud Against Doctors”

  1. TheOreganoRouter.onion.it

    I’ve been reading a lot about how shady doctors defraud Medicaid/Medicare, this is a totally different aspect of fraud. You would think that doctors because of their higher than normal income would pay out taxes year after year instead of getting refunds, therefore these types of fraud would be caught rather fast.

    1. James Beatty

      Income levels don’t determine tax refund amounts, nor does the relative level of taxation. Many folks with “higher than normal incomes” prefer to risk overpaying their estimated taxes instead of incurring the penalties for underpayment.

    2. Eric W

      People committing fraud are not concerned with tax legality, but generating a tax benefit. Because doctors’ incomes are high, there is more opportunity for fraudulent claims and large returns. When it’s fraud, it’s easy to go blind and adopt children in one year.

  2. JR Fezziwig

    One other place to look would be a health insurance company. I think its databases would contain sufficient information to carry off a fraud like this.

    1. Dave

      It wouldn’t, few doctors are in private practice these days. Most are part of a group practice or a hospital practice. So payments are not going to individual doctors. They are going to a practice/Business entity.

      1. SeymourB

        Depends on the hospital they’re affiliated with. Some hospitals prefer to have doctors working directly for them, while others prefer to have them run their own practices. If the hospital has the doctor working directly for them, then the hospital has to pay to outfit and maintain their practice, including lease, equipment, support, etc. – it gets expensive very, very fast and sometimes the hospital has little input on where the practice is physically located (making for some very high lease payments). If the doctor is running their own practice, many times they’ll do a far better job of making sure they’re not getting overcharged for the fundamentals. But it really depends on the hospital group and how they like to handle things.

  3. Rich in DC

    Doesn’t the IRS verify return details when they’re received? Do they just go “Oh Ok, if you say so, here is a refund check for 50K” sounds like the IRS needs much better verification protocols in place.

    1. Moike

      >sounds like the IRS needs much better verification protocols in place.

      Indeed – for $4 Billion, I’ll bet they could develop a system to issue PINs to each taxpayer each year that would need to match in order to process a refund. And all for a fraction of the $4 billion.

      1. SeymourB

        They already have a PIN system.

        The problem is the miscreants can just as easily gain access to the target’s PIN with all their target’s personal information.

        1. Moike

          >The problem is the miscreants can just as easily gain access to the target’s PIN with all their target’s personal information.

          I’m assuming that the method you’re referring to is where they have control over the victim’s electronic devices. That doesn’t seem to be the case in this story, where they apparently got fullz on physicians from a single source.

          If the IRS re-issued a PIN each year, the attackers would need access to the IRS database to attack a large group. Even if they got a PIN, they couldn’t use it the following year.

          1. SeymourB

            Uh, no.

            I go to file my taxes. I don’t know my PIN, so I access an IRS website to find my PIN. I need to provide personal details to verify my identity before they’ll provide the PIN to me. Now with identity and PIN in hand, I can file my taxes.

            If your identity has been, in effect, stolen then they have access to all your personal details. As a result they can get access to the PIN the same way you can get access to the PIN. If you don’t want people to be able to access their PIN, then sure, I suppose the thieves won’t have access to it either, but I can assure you this will raise all kinds of wailing and gnashing of teeth from the luddite & anti-government crowds.

  4. BC

    To TheOreganoRouter.onion.it:

    I’m not sure you completely understand how “paying taxes” actually works. When someone gets a “tax refund” it doesn’t mean they didn’t actually pay any taxes, the only thing that can be inferred is that whatever amounts were either taken out by the government (aka–“withheld”) over the course of the year or were paid in the form of estimated quarterly taxes were in excess of what that person OWES in taxes.

  5. Liabilities

    Who holds the liability in this case? If the source of the leaked information was found, do the physicians have a legal claim (lawsuit) for reimbursement of their lost refund?

  6. GuitarBob

    You would think that the IRS could spot at least some fraudulent tax returns by comparing information already in its database with information on the tax return, but perhaps they aren’t able to do data analysis: tax return address, last year’s address, tax return exemptions, last year’s exemptions, tax return dependents, last year’s dependents, etc., etc., etc. I will bet the fraudsters will probably not have access to last year’s tax return data.

    Regards,

    1. Anura

      As far as I understand, the details are identical, and the only difference is the bank account into which their return is deposited.

  7. loudcloud

    There was a major hack into an old AOL/Yahoo blog that was used by many Dr.’s a few years back after Yahoo took ownership of it. As a result many of the Dr’s email addresses were also hacked as most of the Dr’s used (and still do use) aol email accounts and there were many attempts on their bank accounts as a result of the hacks (most were successful). I’m sure their user names and passwords have been changed since this issue but the SS# of course hasn’t. Not much of a surprise here that many Dr’s are being targeted in this year’s round of tax fraud.

  8. Frank

    I’ll bet the breach is with a payroll processor. If you get the W2, then you know how much tax was withheld and (at least have a good guess at) their profession. Then you simply apply for a refund of the withholding.

    Along with getting one of those PINs, one countermeasure would be to file a return as soon as you get your W2. Then once you have all of your records, file an amended return. As long as it is submitted by the regular date (April 15 or first working day after) there is no penalty or fees just for filing an amended return.

    It really irks me that payroll processors make my W2 accessible over the web, but never asked my permission. Too hard to ask everyone? Then don’t do it. Keeping my finances secure is more important than making them convenient.

    As for the IRS, they put a lot of effort into ensuring I’m not defrauding them, such as cross-checking W2s, 1099s, etc. They should put just as much effort into ensuring that I’m not being defrauded. (Hint: the refund is going to a debit card with an address never associated with the filer.) Seriously, this is very doable, at least at a basic level.

  9. Mica

    When it comes to Tax Fraud, it ratchets everything to another level. A level that provides a tremendous opportunity for the powers that be.

    As the President of the United States very recently emphasized for all to see and hear; when cybercrimes take their toll on our businesses, our infrastructure and the government agencies upon which our common (bipartisan) interests rest — that presents a clear and urgent priority. He did make a point that when it’s the type of ‘spy vs. spy’ issues that need to remain classified, that calls for a uniquely different approach for agencies such as the NSA.

    The kind of interdictions that Obama’s recent cyber-call-to-arms mandate is exactly that which the IRS has the unique opportunity to provide and as posters here have commented it really should not be that difficult. Here’s your chance for some good press, Mr. President!

  10. Wendy Weinbaum

    The cause of this data breach is the TOTAL lack of security in the Obamacare website. The Physician’s practice data was uploaded into non-secure databases. Hundreds more cases will be uncovered within the week. As to liability, the IRS paid out the refund incorrectly, the IRS was fooled by the fraudsters, so if a refund is owed the doctor, he or she will EVENTUALLY get it, but our taxes will pay for it. The fraudster is sipping rum drinks on the beach in Rio by now.

    1. SeymourB

      Not disputing your statements one way or the other, but it certainly is interesting how everything now is the fault of Obamacare.

      Is your car insurance going up? Well it’s because of Obamacare! What about every year previously in which it also went up?

      I’d say it’s more likely they penetrated a smaller, softer target, but that’s purely a hunch.

    2. AlphaCentauri

      healthcare.gov is handling patient data, not physician data. Once patients qualify, they are handed off to individual insurers who have the physician information.

      Brian is seeing a situation where ONLY physicians are targeted. If you wanted access to data on a large number of physicians’ personal information, you would be more likely to find it on the website of the Republican National Committee.

  11. Emily Booth

    These must be physicians who get a W2. A fein number would also be needed. These W2s were either stolen at the employer or at the post office.

    1. Sasparilla

      Or it’s outsourced to a payroll processing company (such as ADP), a lot of businesses do this these days…talk about honeypots.

  12. Phoenix

    I don’t know how the caregivers referred to are employed or paid, but most whom I know receive payment via insurance companies and get a batch of 1099s or equivalent about the following February which he gives to his accountant who prepares his tax return. How secure are tax preparers? The courts recently decreed that states can, IRS cannot regulate tax preparers, and only four states do.

  13. Rick

    The only thing that would make me less sympathetic would be if it were lawyers being fleeced.

    1. Alex C

      Technically, you are being fleeced. The IRS is not going to recoup that money from the victim, it will absorb the loss (what it can’t recover) and ultimately deduct it from the government’s revenues.

      YOU will either get less service or need to pay more tax or both.

  14. Bob

    When an electronic return is received, it is checked for math errors and other simple errors. It is also checked for other “red flags” that vary from year to year. One red flag, for example might be someone who claims 12 or more dependent children.

    The returns are not checked against W-2s or 1099s at that point. The reason is that the W-2s and 1099s are not processed until later. Crosschecking may not occur until a year or two later. Of course, then it’s too late to find the thief.

    As far as how the fraud occurs, imagine that the doctor really makes $200,000 per year and had $40,000 withheld. In reality, what the doctor earns and has withheld is totally irrelevant to what the identity thief does.

    The thief simply files electronically by using the doctor’s real name and SSN, and the EIN of a real company. The thief reports a large income, say $500,000, and large withholding, say $100,000. The thief then does a fake Schedule A, reporting large mortgage interest and property tax, etc., amounts, and voilà! IRS issues a $50,000 refund to the bank account listed on the return.

    And the real Doc gets a surprise when he files his legit return.

    Career IRS employees would love to stop this kind of fraud, but the agency policy makers have buckled to intense pressure from Congress to issue refunds faster and faster (it’s for the children). And who is willing to wait six months to a year to get their refund?

    Not to mention the cottage industry of EITC (Earned Income Tax Credit) fraud in certain neighborhoods that is dinging the Treasury for $2k to $3K each (totaling billions per year) that is too politically sensitive to support a serious enforcement push.

    The agency is understaffed and using outdated computers, all because it is underfunded.

    And the criminal investigators (Special Agents) are overwhelmed with other cases to work this type of fraud. Maybe one or two agents are working these cases in an entire state district. And the average agent can only work 2 or 3 cases at a time (and the cases take many months each).

    1. Joe Dirt

      “The returns are not checked against W-2s or 1099s at that point.”

      Because it is so hard to compare numbers quickly in computer systems?
      I’m sorry, but this sounds like a horribly outdated system.

      1. d

        Yes, much like using SSNs for just about everything.

      2. Bob

        It is horribly outdated, and will remain so without the infusion of billions of dollars in new funding for a massive overhaul (which is unlikely to happen any time soon.)

  15. AlphaCentauri

    LOTS of organizations have physicians’ social security numbers. There are usually a lot of layers of verification when a physician is hired, gets admitting privileges at a hospital, gets listed as a participating provider for an HMO, etc. Organizations that work with doctors bear a lot of liability if they get taken in by a fraudster with a fake diploma. With multiple states and countries having medical colleges, doctors frequently crossing borders during training, and many women marrying and changing their names in the middle of their training, the social security number is one of the few bits of data that follow them through their careers.

    Also, even if a physician is an employee, an insurer wants to know who really provided a service when they pay an invoice. It’s even common for IRS forms with payment summaries to be sent under the physician’s personal SSN, although his employer got the money.

    Unlike credit card numbers, social security numbers are rarely changed, even if there has been a known breach. The Blue Cross/Blue Shield Association lost a laptop with a ton of physician social security numbers on it a few years ago, and I’m sure there have been many other unreported breaches. Even obscure health insurers are likely to subscribe to the common database provided by CAQH.org, which does contain physician social security numbers, and which permits companies to pull physicians’ data without additional authorization unless the physician has opted out. (The default choice authorizes release of information “… to any healthcare organization that in the future represents to CAQH either that I am a participating provider or that I am in the process of being credentialed as a participating provider.”)

    The companies that lose data just provide a year of credit monitoring and call it even. A thief with two neurons to rub together would have sense enough to sit on the data for a few years until people have become more complacent.

    http://content.usatoday.com/communities/technologylive/post/2009/10/68501007/1

  16. Joe

    @Rick
    Clearly you don’t understand the scheme here. The doctor is not being fleeced.

    The fraudster is not filing the doctor’s actual tax return and pocketing the refund that is owed to the doctor. The fraudster is fabricating a tax return which indicates a substantial refund is owed. The IRS sends the “refund” to the fraudster.

    The people who are being fleeced are the American public who rely on the services that the taxes pay for. This affects the lower socioeconomic groups far more than the rich. These fraudsters are not Robin Hoods stealing from the rich to give to the poor.

    1. Sasparilla

      Right, it’s the U.S. citizen that ends up holding the bill for the money paid out incorrectly here.

      This is like the issue with Cable/ISDN companies wanting to start charging companies like Netflix so they don’t slow down/disable their streams to users’ computers – in the end the additional costs Netflix pays will flow back to consumers and just amount to another raise of rates on the consumer by the Cable/ISDN companies (with some sleight of hand so the public doesn’t “get it”) – it’s a good thing the new chairman of the FCC is a lobbyist for the Cable & Wireless industries…okay, okay, I’ll go take my medication…

  17. subarjo

    executive vice president of the New Hampshire Medical Society, said he started hearing from physicians in his state about a week ago, when doctors who were just filing their tax returns began receiving notices from the Internal Revenue Service that someone had already filed their taxes and claimed a large refund.

  18. Otto

    One of the possible sources for the fraud is the IRS W9 form, that is required for medical professionals, or anyone in business for that matter, to get paid for their services:

    http://www.irs.gov/pub/irs-pdf/fw9.pdf

    The form has all of the information necessary for filing fraudulent tax returns, since most small businesses, including medical professionals, have the SS# as the TIN#. The completed W9 forms are on file at health insurance companies and possibly made their way to the national EHR database as well. Just a couple of sources from where the medical professionals’ data could have come from. The W9 form is not considered to contain PHI, PII yes, but not PHI.

    It’s not too far-fetched to say that the list of Medicare released payment for doctors had assisted the hackers to narrow their target list. Especially, if a quick call to doctor’s office confirmed that the office only takes Medicare patients…

  19. Sasparilla

    Well, again, a simple way to fix this would be delaying all payouts until April 30th etc. – and holding back payouts on duplicate returns until they can determine which return is actually valid.

    Now such a process would require a good amount of folks to be working on resolving the duplicate returns the first year, but after the bad guys realize this angle isn’t there anymore they’ll stop trying it, for the most part – and go back to snatching credit card numbers or something.

    1. Bob

      “Good amount of folks” being the key phrase, especially when the number of fraudulent returns is in the millions each year. Good luck getting Congress to fund additional IRS personnel in today’s political climate.

  20. Phil Cooper

    Hmmm, tax fraud against medical professionals increases to an alarming degree the very year the “Affordable” Healthcare Act exchanges went live. ..

    I’m sure it’s just a coincidence.

    I’m also sure that the Administration has all the records properly secured, since the Exchanges are basically a treasure-trove of PII for fraudulent use.

    Riiiight.

  21. AnotherIssue

    another doctor related issue is that so many doctors’ offices are still on Windows XP. so many doctors don’t know anything about maintaining security on their computers, may think their antivirus is good enough, or not even know how to fix relatively simple things on their computers, or have their IT budget as a low priority where they think they’ll upgrade windows whenever they get around to budgeting for new computers for each of their exam waiting rooms, and may just ignore the automated popup warnings in winxp. this is an area that patients (to protect themselves and all other patients) have to alert their doctors of the need to upgrade their computers to a more current version of windows because this is a problem area that is becoming more ripe for hacks and leaks for targeted attacks on doctors offices and other medical facilities.

    1. whatever

      This is too wide-spread to be the doctor’s fault…..

      1. PatientXP

        hate going to the doctor.
        hate it even more when see my doctor is so behind by still being on xp.

    2. Phillip Cooper

      I wouldn’t say Doctors offices are using XP to a large degree- I support several locally, all are on Win 7 at least.

      But yes, their security methods leave much to be desired- which makes an awfully good selling point for my services.

    3. ComplianceTime

      being on xp could probably take doctors offices and other medical facilities out of compliance with HIPAA regulations and you would think could subject them to fines (as well as nasty lawsuits if patient information is hacked/leaked). you would hope that any doctors still on xp are stragglers who missed the deadline and will be kicked in the ass to get into compliance by the powers that be whoever regulates them and also by their insurance carriers.

  22. mbi

    In my mind this is clearly the responsibility of the IRS to know who they are dealing with for refunds. There are many additional fraud procedures they could put in place, just look at the banking industry for ideas. When any of my data changes like email address or password the bank sends an alert to the old email address to tell me it’s been changed. When my bank issues funds via Internet instructions I get an email telling me what was done a day ahead along with a phone number to call if I didn’t make the request. I’m sure there are still other measures and safeguards that can be added. Is this so hard to implement? The IRS has fallen down on the job and the epidemic is due to their lax vigilance.

  23. Gottaluvit

    This happened to us too. Husband in a surgical private practice in California. Not employed by a hospital. Gets paid directly by the insurance companies. Also uses ADP to process his employees’ payroll, but they were not affected. We not only were prevented from e-filing our return (red flag #1) but we received a letter from the IRS requesting more information on a return filed with my husband’s name jointly with some other dude’s name we don’t know, at an address in another state. The address was not deliverable so somehow the letter made it to us in CA. (red flag #2). By the way, we pay enough taxes to put a kid through college, never a refund….so the IRS should have flagged this right away. We have filled out all the paperwork with IRS, FTC, put a fraud lock on our credit and filed a police report. Not sure what database was breached, but this is a huge PIA!!!!!!

  24. Dissent

    At least dozens of the North Carolina cases can be accounted for by the hack of e-Dreamz, a web host, last year. Their clients include healthcare facilities and at least one of them has now reported dozens of cases of tax refund fraud. See my coverage here: http://www.databreaches.net/healthcare-professionals-in-north-carolina-victims-of-tax-refund-fraud/

    For other cases/reports on this problem, see my earlier coverage here: http://www.databreaches.net/tax-refund-fraud-scheme-affecting-health-care-professionals-reported-in-multiple-states/

    Significantly, a number of cases not only misuse the health care professional’s SSN, but also include a patient’s name as the spouse. That would seem to rule out some possible points of compromise.

  25. Ralph

    Brian,

    Do you think it’s a good idea for everyone to ask the IRS for a pin to protect their tax return? Is it necessary to become a victim of identity theft before you can get a pin from the IRS?

    1. timeless

      I can’t speak for Brian, but I certainly think it’s a good idea to do it.

      Unfortunately, the short answer is that you need to be either:
      a) a victim
      b) in Florida/Georgia/DC (see bottom)

      You might want to stick the PIN into a safety deposit box at a bank (don’t leave it on a computer).

      In general, if there’s anything remotely valuable associated with an account, either from your perspective, or from the other party’s perspective, having something like 2FA set up is a good thing (and a PIN is better than nothing).

      http://evanhahn.com/2fa/ has a nice list of places which support it.

      Unfortunately, the IRS doesn’t seem to have 2FA for normal Americans.

      http://www.irs.gov/uac/Encryption-Requirements-of-IRS-Publication-1075
      Applicability of Encryption Requirements: Remote Access
      Additionally, two-factor authentication i.e., something you know (e.g., password, PIN), and something you have (e.g., cryptographic identification device, token), is recommended whenever FTI is being accessed from an alternate work location.

      It’s sad that the IRS does have regulations encouraging/requiring real 2FA for its own use but doesn’t have any provisions for 2FA for everyone else.

      The credit bureaus support PIN access-control in the form of adding a security freeze to your records — they will send you a randomly generated token (most are at least 10 digits, however, Experian’s is only 6 digits for reasons beyond comprehension). Sadly, it seems that the IRS is going w/ Experian’s short PIN worst-practice instead of the industry best practice of 10+.

      *****
      http://www.irs.gov/uac/Newsroom/2014-Identity-Protection-PIN-(IP-PIN)-Pilot

      If you filed from Florida, Georgia and the District of Columbia last year and e-File with a PIN this year, you may have been offered a PIN!

  26. CA Engineer

    Not a doctor, but got hit exactly this same way. A T-Mobile Prepaid Visa debit card with $20 was fraudulently opened with my name and SSN in Atlanta last month (apparently the $20 was to cover monthly maintenance fees), and then 4 state returns were filed in MI, IN, CO and CT for direct deposit into it, with random joint co-filer. Indiana even mailed me a check, because they don’t honor direct deposit for first time e-filing. Refunds claimed were in the $1k-$2k range. Other 3 states red flagged the return. I always file my federal early, so don’t know if they tried that; didn’t get any mail about it.

    Thought it was strange that they used a valid (but old) mailing address for me for the debit card and returns, allowing me to find out what was going on. No idea how my SSN got stolen. ADP issues my paycheck. Anyway, I now have fraud alerts and ID theft affidavits filed everywhere.

    1. timeless

      I don’t suppose you’d be willing to share (part of) your list of everywhere?

      Normally people cover Equifax, Experian, and TransUnion.

      I suspect most people miss Innovis.

      But I’m not sure what other places people do/don’t file.

      I look forward to Brian writing up a helpful guide for “how to actually protect my id” (not to be confused w/ protectmyid.com which is probably not worth the domain registration, let alone the monthly/annual fee).

      1. CA Engineer

        Hi timeless,

        Thanks for the tip about Innovis. Here’s what I did:

        – Entered a fraud alert with Experian, entrusting them to notify Experian and TransUnion. Reviewed reports from these 3 bureaus and they were clean.
        – Also entered one with Innovis just now thanks to your reminder.
        – Contacted all 4 states and the debit card’s fraud and risk management units.
        – Filed a police report with my local department online.
        – Submitted an IRS form 14039.
        – Filled out the FTC ID theft report at http://www.ftc.gov/complaint.
        – Opened a USPIS report at ehome.uspis.gov/mailtheft/idtheft.aspx, in case they put in a fraudulent forwarding order, as I didn’t understand why they used a real address of mine. I wouldn’t have found out otherwise.

  27. AZ Doc

    I am a physician in Arizona and I got nailed by this scam as well. Got a letter from the IRS saying they were looking closer at my 2013 return. I thought “that’s interesting”, since I hadn’t filed it yet. They had another doctor from California as my spouse on the return. I sent them a letter saying the return was not legit. When I tried to file my real return the IRS would not take it, as they said I had already filed. Today I got a bill from TurboTax for $37.90. Apparently, the con artists file with TurboTax and deduct the fees from the refund. Since there was no refund, TurboTax is billing me now!
    I know that at least two insurance companies have notified me that they had sensitive files stolen in the last couple of years. I suspect this is where the thieves are getting our SS #’s. One of my business partners also was a victim this year. This is a major PITA!

    1. Phil Cooper

      DO NOT even get me started on Turbotax- they actually send out several reminders about your account come tax season- containing your username!

      Granted, it’s not username and password, but the username is right there in cleartext. It’s half the combination. Absolutely idiotic.

  28. Phillip Cooper

    Deleting comments now? I posted a comment to AZ Doc’s message- it posted, now it’s gone. What’s the deal there?

    1. BrianKrebs Post author

      Relax. Nobody is deleting comments. Your comment got flagged by my anti-spam system. It’s approved now.

  29. Chris

    How about the IRS shouldn’t send out any refunds until after April 15, then it could investigate multiple submissions and figure out which is correct before sending out any money? I know people would squawk that they want their money immediately – maybe their CPA or TurboTax could front them the money for a small interest fee or something.
