January 28, 2016

The U.S. Federal Trade Commission (FTC) today said it tracked a nearly 50 percent increase in identity theft complaints in 2015, and that by far the biggest contributor to that spike was tax refund fraud. The announcement coincided with the debut of a beefed-up FTC Web site aimed at making it easier for consumers to report and recover from all forms of ID theft.

In kicking off “Tax Identity Theft Awareness Week,” FTC released new stats showing that the agency received more than 490,000 identity theft complaints last year, a 47 percent increase over 2014. In a conference call with the news media, FTC Chairwoman Edith Ramirez called tax refund fraud “the largest and fastest growing ID theft category” that the commission tracks.

Tax refund fraud contributed mightily to a big spike in ID theft complaints to the FTC in 2015. Image: FTC

Those numbers roughly coincide with data released by the Internal Revenue Service (IRS), which also shows a major increase in tax-related identity theft in 2015.

Incidence of tax-related ID theft as of Sept. 2015. Source: IRS.

Ramirez was speaking to reporters to get the word out about the agency’s new and improved online resource, identitytheft.gov, which aims to streamline the process of reporting various forms of identity theft to the FTC, the IRS, the credit bureaus and to state and local officials.

“The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools, that enables identity theft victims to create the documents they need to alert police, the main credit bureaus and the IRS among others,” Ramirez said. “Identity theft victims can now go online and get a free, personalized identity theft recovery plan.”

Ramirez added that the agency’s site does not collect sensitive data — such as driver’s license or Social Security numbers. The areas where that information is required are left blank in the forms that get produced when consumers finish stepping through the process of filing an ID theft complaint (consumers are instructed to “fill these items in by hand, after you print it out”).

The FTC chief also said the agency is working with the credit bureaus to further streamline the process of reporting fraud. She declined to be specific about what that might entail, but the new and improved identitytheft.gov site is still far from automated. For example, the “recovery plan” produced when consumers file a report merely lists the phone numbers and includes Web site links for the major credit bureaus that consumers can use to place fraud alerts or file a security freeze.

The “My Recovery Plan” produced when I filed a test report claiming the worst possible scenario of ID theft that I could think up. The FTC kindly requests that consumers not file false reports (I had their PR person remove this entry after filing it).

Nevertheless, I was encouraged to see the FTC urging consumers to request a security freeze on their credit file, even if this was the last option listed on the recovery plan that I was issued and the agency’s site appears to do little to help consumers actually file security freezes.

I’m also glad to see the Commission’s site employ multi-factor authentication for consumers who wish to receive a recovery plan in addition to filing an ID theft report with the FTC. Those who request a plan are asked to provide an email address, pick a complex password, and input a one-time code that is sent via text message or automated phone call.

ALERTS VS. FREEZES

Many people do not understand the difference in protection between a fraud alert and a credit freeze. A fraud alert is free, lasts for 90 days, and is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. Applicants merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or TransUnion). Whichever one you file with is required by law to alert the other two bureaus as well.

There is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them at this link.

Although fraud alerts only last 90 days, you may renew them as often as you like (a recurring calendar entry can help with this task). Consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term, “extended fraud alert” that lasts up to 7 years (a police report and other documentation may be required).

The problem with fraud alerts is that creditors are encouraged but not required to check for them. The only step that will stop fraudsters from being granted new lines of credit in your name is the security freeze. For more information on what’s involved in obtaining a security freeze and why it beats a fraud alert and/or credit monitoring services, see How I Learned to Stop Worrying and Embrace the Security Freeze. Parents or guardians who are interested in freezing the credit files of their kids or dependents should check out last week’s story, The Lowdown on Freezing Your Kid’s Credit.

TAX REFUND FRAUD

Tax refund fraud occurs when criminals use your personal information and file a tax refund request with the IRS in your name. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. As I wrote in my recent column, Don’t Be a Victim of Tax Refund Fraud in 2016, even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

Your best defense against tax refund fraud? File your taxes as soon as possible. Unfortunately, many companies are only now starting the process of mailing out W2 forms that taxpayers need to complete their filings, while fraudsters are already at work. Also, if you use online tax preparation services, please pick a strong password and do not use a password that you also use at another site or service.

If you go to file your taxes this year and receive a rejection notice stating that your return has already been filed, have a look at my primer, What Tax Fraud Victims Can Do. Oh, and consider filing an identity theft report at IdentityTheft.gov.

It’s important to note that as much as I advocate everyone freeze their credit files, a freeze will not prevent thieves from committing tax refund fraud in your name. Also, freezes may do nothing to stop thieves from perpetrating a variety of other crimes in your name, including providing your identity information to the police in the event of their arrest, or using your information to obtain medical services.

That said, a credit freeze may actually help tax refund fraud victims avoid being victimized two years in a row. First, a little background: The IRS has responded to the problem of tax ID theft partly by mailing some 2.7 million tax ID theft victims Identity Protection PINs (IP PINs) that must be supplied on the following year’s tax application before the IRS will accept the return.

The only problem with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to so-called knowledge-based authentication (KBA) questions supplied by the credit bureaus.

These KBA questions — which involve four multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

If any readers here doubt how easy it is to buy personal data (SSNs, dates of birth, etc.) on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators.

So, how does a security freeze help tax fraud victims avoid becoming victims two years running? A freeze prevents the IRS from being able to ask those KBA questions that are key to retrieving one’s IP PIN via the agency’s Web site. Last year, the IRS briefly removed the ability for tax fraud victims to retrieve their IP PINs via the site, but it has since reinstated the feature, apparently ignoring its auditor’s advice to re-enable it only after implementing some type of two-factor authentication.

Helpfully, though, the IRS does now allow taxpayers to lock their online account, effectively requiring all future correspondence to be conducted via snail mail. You do have an account at irs.gov, don’t you? If not, it might be a good idea to create one, even if you don’t think you’ll ever use it. That goes ditto for the Social Security Administration, by the way.


48 thoughts on “FTC: Tax Fraud Behind 47% Spike in ID Theft”

  1. -stephen

    Re “Your best defense against tax refund fraud? File your taxes as soon as possible”.

    Filing my Federal return online requires a 5-digit “filing pin”, which I have from last year and which is different from the IP pin. I would like to believe this “filing pin” protects me against fraudulent filings and I don’t have to rush. Am I wrong?

      1. Mike

        Here is a more complete explanation from the IRS site:

        “To e-file your 2015 tax return or other electronic forms, you must verify your identity with your Self-Select PIN or your Adjusted Gross Income from your 2014 tax return. If you don’t have either, you can get an Electronic Filing PIN.”

        Which basically just requires your SSN and DOB to get it.

    1. Gnecht

      The electronic filing PIN’s purpose is to hold the taxpayer responsible for the filing, not to prevent an unauthorized person from filing on their behalf.

      If someone hires a tax preparer instead of filing online, most likely they end up signing Form 8879 IRS e-file Signature Authorization. Then it doesn’t matter what 5 digits are used for the PIN. Whoever does the efile needs to keep a copy of the signed form, in case the IRS ever wants proof that the taxpayer authorized the e-filed return.

    2. Michelle

      Having an it’s pin does NOTHING. We were just victims AGAIN of tax fraud two years in a row. I called IRS and their attitude was IT HAPPENS SO SORRY MOVE ON. Again we are going to have to wait 180 days to see ANY REFUND and this is after I will spend HOURS UPON HOURS filling out forms etc and MAILING them in to the IRS. This is a nightmare

  2. nov

    My attempt to lock account says, “A technical problem has occurred. Please try your request again later.”

    Maybe try back in a few months, again 😕 when it’s perhaps figured out on their end.

      1. Antonio

        I got the same error when I clicked the Innovis link. It looks like the redirect was broken or something. I navigated the site and got to a working link at:

        https://www.innovis.com/fraudActiveDutyAlerts/index

        If that still doesn’t work, navigate to the Innovis homepage then hover over Personal Solutions click on Fraud and Active Duty Alerts and there is a link from there.

    1. Mary S

      I just got the same thing and I’m really concerned because our tax returns were taken during the IRS breach last year. I cannot believe the IRS continues to do this and then just walks away from its responsibilities to us. I’m so fried with dealing with all this.

    2. Kyle

      I received the same error trying to place a freeze with Equifax. Ridiculous.

      Maybe try early in the morning or something when they are under less load.

  3. Heidi

    I wonder what the average value of a fraudulent return is.

    1. Mike

      http://abcnews.go.com/Business/58-billion-government-lost-tax-id-theft/story?id=29255838

      According to the GAO about $5.8 billion was lost in 2013 in about 1 million separate incidents of stolen ID refund fraud which averages out to around $6,000 per incident and actually matches the average haul from a bank robbery according to the latest FBI statistics.

      https://www.fbi.gov/about-us/investigate/vc_majorthefts/bankrobbery

      “In 2011 alone, more than $30 million was stolen and just over 100 people killed or injured in some 5,000 robberies of financial institutions reported to us from across the nation.”

      Of course no one was killed by stolen refund fraud unless you count victims who have lost their homes then subsequently died homeless out on the streets, but stolen refund fraud is equivalent to if every bank that is robbed in the US was robbed again 200 times.

  4. Donkyu

    Wtf???? If I work and paying taxes then why I need to worry about fraud? Government who gets my tax money should protect me ! It’s like I have to play racing game with criminals who’s first on the line to get money? This is insane

  5. Jane Carpenter

    Interesting program by the FTC to address the volume of id theft. I looked thru the website quickly and found some questions which will hopefully be resolved as folks use it:

    – The way the process works, the victim doesn’t notify the IRS that they have become a victim of income tax fraud (SIRF.) The IRS informs the victim about the fraud.

    The IRS provides its identity theft affidavit (Form 14039) and other paperwork. It then provides the resources –either IRS investigators or DoJ/Treasury – to investigate the crime.

    The FTC does not provide individual assistance or investigation. So what does the notification to the FTC accomplish in cases of stolen identity income tax fraud?

    – Under the federal credit laws in the sections that deal with identity theft, credit issuers are given their choice of accepting either a police report, FTC affidavit or other document (“id theft passport”) from a victim to dispute the financial liability.

    In assisting hundreds of victims over more than a decade, I have never seen a creditor accept either the FTC id theft affidavit or the passport – they all insist on a police report because there are penalties for filing a false police report and that provides them with an initial validation of the identity theft claim.

    – What does a victim do if they don’t have access to a computer? What assistance is provided?

  6. Sasparilla

    Great article Brian, thank you.

    IMHO, the IRS should only mailout returns until a good bit after the deadlines for returns are filed and electronic ones logged (then just hold back the ones with double / triple etc filings and figure out the problem). Very soon (1 year) the bad guys would find something else to go after and this would become a non issue.

    I wouldn’t like the delay, but I would rather have that than the wild west atmosphere we have where the bad guys see all upside and very little to get in their way to doing this.

    1. timeless

      Complain to your congressional representatives in the House and Senate.

      They mandated the very fast and early turnaround through law. Only they can undo it.

  7. Anon

    Does anybody know how this affects those who use a tax-preparer to e-file their taxes?

    I created an IRS account after filing 2014 taxes. I am wondering if it makes sense to tell my preparer to use snail mail to file 2015 taxes vs e-filing (which is what the preparer usually does).

    1. Mike

      It does not matter how you file or who helps you, if the criminals beat you to it you are at the mercy of the IRS to resolve the case when they get around to resolving it.

  8. Alex

    There’s one more thing you can do to lock down tax returns fraud. You can request Identity Protection PIN from IRS. In some states where tax fraud rates are high (like Florida), it can be done online on IRS website; in others you have to file a Form 14039 Identity Theft Affidavit [1]. Once accepted, each year IRS will issue additional Identity Protection PIN.

    [1] https://www.irs.gov/pub/irs-pdf/f14039.pdf

  9. null

    I mail in my returns, mainly because state efiling costs extra, but also because I just cannot see giving my identity to a few more websites.

  10. null

    They should delay refunds for new addresses and new bank accounts. It is pretty easy for people to adjust their withholdings, if they need the money that bad they could have done that.

    1. timeless

      The IRS is prohibited by law from delaying returns beyond a fairly short turnaround. (Well, technically, the IRS just takes a financial penalty if it delays them, but, it doesn’t want to do that…)

      This mess is an invention of the US Congress, and only it can fix the mess.

      Write your congressional representatives and complain.
      Then call them and complain.
      Then schedule an appointment and complain in person.

      Bring friends.

    2. Bob

      In general, you are correct. However, there are a lot of people who are eligible for the EITC, which varies with income. A lot of the people who are eligible have an income that can vary greatly from year to year, and may have multiple employers, making it next to impossible to accurately predict what the appropriate withholding should be.

      1. null

        Take care of easiest ones first, then work on the more difficult ones. Usually 80% are pretty easy and if one takes care of them, there will be 80% happy customers. Don’t risk the 80% just because 20% are difficult.

        Exceptions are exceptions, develop special procedures for them.

  11. anon

    I tried to create my SSA account, and got stopped after the first screen. I called their helpdesk, and they said they couldn’t verify my identity further because I had a credit report freeze.

    So, if you already have a credit report freeze, be aware that you (or anyone else) might have a few more hoops to jump through before creating your SSA account.

    1. Mike

      Good news is if you can’t create it, criminals can’t either.

  12. Blanche Dubois

    Re. “The problem with fraud alerts is that creditors are encouraged but not required to check for them.”

    Brian, I appreciate your allusion to the very thin tenuousness of the CRAs’ [(FA) and Extended Fraud Alerts, 7 yr. (EFA)] programs. But from my personal experience with both FA/EFA, you can be stronger in your future condemnation of both. Why?

    What needs to be emphasized is that with both, the full Credit Report is always downloaded to the Lender first, but with a “yellow sticky” attached, advising in the softest terms that essentially, “this Consumer has a FA/EFA in effect; handle that as you will; your option. Payment received, thanks.”

    For the CRAs, the beauty of this is that they get paid for the CR by their true “customer”, the lender. For many lenders, having a human actually call a telephone # that may be disconnected/OBE/not home, is a cost/efficiency impediment to the Loan Center’s Profit Plan. I shed no tear for those lenders.

    My problem with the FA/EFA is that the Consumer who took the time to file & track the FA/EFA, may actually believe he’s got some kind of “free”, real, “new account” fraud protection, one of the most dangerous kinds.

    The Consumer is NEVER the CRAs’ customer; he/she is the “product” sold.

    Even worse, gaggles of “credit monitoring” services compound this false sense of security by claiming they will renew the FA every 90 days for the “client” as part of their mo. fee forever.

    Only with a Security Freeze is the CR blocked from the CRA’s swift download to the Lender, unless I released it via the PIN.

    Until that happens, the CRAs don’t get paid, which is why the CRAs opposed the Security Freeze tooth and claw, and created the very weak FA/EFA as a sop (“the free, easier alternate”) for the uninformed/gullible.

    I support the CRAs and the individual Credit Report, as an improvement over the prior sexist, racist “red-lining” loan underwriting process, that preceded (i.e., until banned by Congress after much tooth and claw opposition).

    Re. IRS refund fraud. Clear that the IRS security is not yet fully in place. Inconvenient/emotionally draining to consumer, but you will get your full refund. Ultimately the US & state treasuries are the victims.

    If anyone is filing tax returns without having a SecFrz in effect, good luck. PII breaches whether from the interior, exterior, of private cos. & gov’t are inevitable.
    Good article.

  13. Murphy

    Consumption tax = problem solved

    You’re welcome ‘merica

      1. Murphy

        More funding leading to bigger government… No thanks, as your article alluded, they need to be using current technology to identify and proactively stop these requests rather than have taxpayers subsidize their outdated methods.

      2. Chip Douglas

        The IRS is incompetent not to mention thieves and political operatives and you want to give them more money? How naive. They need their budget cut, the crooks in charge prosecuted, and a total revamp of the system.

  14. Ahmed

    Brian:
    The Innovis site says that I have to get a copy of a free report from them to open a new personal account. And to do that there are three options:
    Walk into their Pittsburg office,
    Mail in their form, or
    Call their 800 #
    The mail in form wants my Social, my DOB, address and confirmation of my name and address via copies of two Govt issued IDs or other documents. And they want me to mail all of this to a PO Box.
    See anything out of sorts with this picture ?
    And my bet is that if I call their 800 # the person answering will be putting all my information onto a paper form and shoving it into a pile of similar papers.
    I’m wondering why Innovis could not have an online https link for me to submit this information securely ?
    Is this outfit some underfunded new startup ?

  15. Anne

    We inadvertently discovered a very simple way to get the IRS to acknowledge us as the rightful filers when scammers filed for a refund in my husband’s name last year. They filed for a refund, then we filed and sent payment, because we owed more than we paid in. If you don’t have a refund coming, it’s very easy for them. The filer sending in money rather than asking for it is the legitimate filer! Calculating your withholding and quarterly payments to be a bit lower than what you owe will cost you little or nothing in penalties and interest, and give you the added advantage of not letting the IRS give your refund to a crook.

  16. JCitizen

    Well, at least I never worry about losing any money back from the IRS, as I always end up paying them instead. This will always be true for me – so if someone gets money from the IRS in my name, it won’t be out of my pocket unless they somehow keep the information to do harm in other ways. So I hope the IRS will inform us when they realize someone has been paid a return in my name, then they get my real return and see this was a fraud.

    I’m sure they would – but it would still suck wind big time! 🙁

  17. David

    No Kidding! I was screaming about ID theft schemes for the past 10 years and nobody listened. Retirement is awesome. I think I will get a job at an auto parts store or hardware store.

  18. Donkey

    Can anyone explain to me why I have to play racing game with criminals ?? Why we pay tax in this country? For what reason we have this government ? This is insane only solution they will put microchips under the skin right ??

  19. Surfer100

    I was the subject of three major identity information losses last year. So I reported it to the IRS. Got their written invitation to get the identity protection pin (six digit) from the IRS web site. What a hassle, but a week and a dozen tries later, I had the account created and the pin issued. And I just now locked the account too. It’s a new world indeed.

  20. Surfer100

    Brian, thanks for your excellent reporting.

    I now have the IRS six digit identity protection PIN.

    Motivated to get it because I was the victim of at least three institutional releases of my personal info, including SSN, that I know about. And a neighbor couldn’t file her taxes last year because of this exact refund fraud. A huge headache for her.

    I also have “locked” my IRS account consistent with your warnings about their lack of two factor authorization on retrieving a forgotten IP Pin.

  21. Michael Iger

    It’s outrageous that the IRS is allowing this theft to get to such a point. I hear about the IRS testing special identity codes on W-2’s to be put on tax returns. This is years late and we should have had this nationwide years ago along with other security features. This is common sense and it’s the IRS’s fault leaving the barn door open when they started electronic filing.

  22. sunman42

    “Stop debt collectors from trying to collect debts you don’t owe.” How’d that work out for you? Didn’t work too well for me when Comcast recouping the (face) value of a set-top box I thought I’d lost by hiring a collection agency (after sending agents with a poor working knowledge of spoken English to my door two or three times, and my calling their hilariously misnamed customer service line repeatedly to request a bill I could pay). I finally got Comcast to admit, and after another dunning by the collection outfit, to transmit the information to the agency, that I had walked into one of their offices stood in line, and paid for the bloody thing…. about six months after I paid them. All in all, I believe I was dunned by the collection agency for about 18 months. I did not like their threatening my credit rating. And what, other than what I did, was I supposed to do to get them to stop bothering me for a debt that no longer existed?

    I particularly enjoyed asking to speak to a supervisor. After several minutes’ wait, I was told the supervisor was on vacation. Uh-huh. How about that person’s supervisor? “They’re on vacation, too.” Yeah.

  23. OPM_Victim

    I filed a report with the IRS and got a CP01F letter saying I should apply for a PIN. When I log in, I am stuck at “Technical difficulties – try again later.” Unbelievable.

  24. JerrBear

    I have seen identity theft up close and personal working security in retail. Since 2008 it has been out of control, and no end in sight. People are afraid of ISIS and other terrorists; they should be afraid of the organized crime groups and individuals who are sucking the financial life blood out of this country. But it’s not a violent crime… No one gets hurt??? What do you think they purchased with their profits??? Drugs, Guns, and other goodies.
