January 29, 2021

The unprecedented volume of unemployment insurance fraud witnessed in 2020 hasn’t abated, although news coverage of the issue has largely been pushed off the front pages by other events. But the ID theft problem is coming to the fore once again: Countless Americans will soon be receiving notices from state regulators saying they owe thousands of dollars in taxes on benefits they never received last year.

One state’s experience offers a window into the potential scope of the problem. Hackers, identity thieves and overseas criminal rings stole over $11 billion in unemployment benefits from California last year, or roughly 10 percent of all such claims the state paid out in 2020, the state’s labor secretary told reporters this week. Another 17 percent of claims — nearly $20 billion more – are suspected fraud.

California’s experience is tracked at a somewhat smaller scale in dozens of other states, where chronically underfunded and technologically outdated unemployment insurance systems were caught flat-footed by an avalanche of fraudulent claims. The scammers typically use stolen identity data to claim benefits, and then have the funds credited to an online account that they control.

States are required to send out 1099-G forms reporting taxable income by Jan. 31, and under federal law unemployment benefits are considered taxable income. Unfortunately, many states have not reconciled their forms with confirmed incidences of fraudulent unemployment insurance claims, meaning many people are being told they owe a great deal more in taxes than they actually do.

In a notice posted Jan. 28, the U.S. Internal Revenue Service urged taxpayers who receive forms 1099-G for unemployment benefits they didn’t actually get because of ID theft to contact their appropriate state agency and request a corrected form.

But the IRS’s advice ignores two rather inconvenient realities. The first is that the same 1099-G forms which states are sending to their citizens also are reported to the IRS — typically at the same time the notices are mailed to residents. The other is that many state agencies are completely overwhelmed right now.

Karl Fava, a certified public accountant in Michigan, told KrebsOnSecurity two of his clients have received 1099-G forms from Michigan regarding thousands of dollars in unemployment payments that they had neither requested nor received.

Fava said Michigan recently stood up a website where victims of unemployment insurance fraud who’ve received incorrect 1099-Gs can report it, but said he’s not confident the state will issue corrected notices before the April 15 tax filing deadline.

“In both cases, the recipients contacted the state but couldn’t get any help,” Fava said. “We’re not getting a lot of traction in resolving this issue. But the fact that they’ve now created a web page where people can input information about receiving these tells you they have to know how prevalent this is.”

Fava said for now he’s advising his clients who are dealing with this problem to acknowledge the amount of fraudulent income on their federal tax returns, but also to subtract an equal amount on the return and note that the income reported by the state was due to fraud.

“That way, things can be consistent with what the IRS already knows,” Fava said. “Not to acknowledge an issue like this on a federal return is just asking for a notice from the IRS.”

The Taxpayer Advocate Service, an independent office of the U.S. Internal Revenue Service (IRS) that champions taxpayer advocacy issues, said it recently became aware that some taxpayers are receiving 1099-Gs that include reported income due to unemployment insurance identity theft. The office said it is hearing about a lot of such issues in Ohio particularly, but that the problem is happening nationally.

Another perennial (albeit not directly related) identity theft scourge involving taxes each year is refund fraud. Tax refund fraud involves the use of identity information and often stolen or misdirected W-2 forms to electronically file an unauthorized tax return for the purposes of claiming a refund in the name of a taxpayer.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.  

The best way to avoid tax refund fraud is to file your taxes as early possible. This year, that date is Feb. 12. One way the IRS has sought to stem the flow of bogus tax refund applications is to issue the IP PIN, which is a six-digit number assigned to taxpayers that helps prevent the use of their Social Security number on a fraudulent income tax return. Each PIN is good only for the tax year for which it was issued.

Until recently the IRS restricted who could apply for an IP PIN, but the program has since been opened to all taxpayers. To create one, if you haven’t already done so you will need to plant your flag at the IRS by stepping through the agency’s “secure access authentication” process.

Creating an account requires supplying a great deal of personal data; the information that will be requested is listed here.

The signup process requires one to validate ownership of a mobile phone number in one’s name, and it will reject any voice-over-IP-based numbers such as those tied to Skype or Google Voice. If the process fails at this point, the site should offer to send an activation code via postal mail to your address on file.

Once you have an account at the IRS and are logged in, you can request an IP PIN by visiting this link and following the prompts. The site will then display a six digit PIN that needs to be included on your federal return before it can be accepted. Be sure to print out a copy and save it in a secure place.

43 thoughts on “The Taxman Cometh for ID Theft Victims

  1. Dave

    If an applicant attempting to create an account does not have a financial account in their name, e.g.:

    Credit card – last 8 digits (no American Express, debit or corporate cards)
    Student loan – (Enter the student loan account number provided on your statement. The account number may contain both numbers and letters. Do not include any symbols.) Additionally, we can’t verify student loans issued by Nelnet. or
    Mortgage or home equity loan
    Home equity line of credit (HELOC)
    Auto loan

    This will have the effect of excluding large numbers of people, including my adult daughter. She resides with us, her car is paid for, her student loan is long paid, she doesn’t have a mortgage, home equity loan or a HELOC.

    1. security vet

      …some people think not having a credit card is a good thing…

      …in at least this one case it’s not…

      1. Karen E. Hannum

        And so what is such a person to do instead? Not get a refund or will it be mailed to them via Postal service?

        1. security vet

          …get a credit card, use it, keep the payments up to date, open a credit karma account (it’s free), check your credit record often, pray…

    2. Joe

      If the applicant doesn’t have these things they can still establish an account, but it won’t be instantaneous. They will have to receive a passcode via the mail and enter that to complete their registration.

      1. Ben

        How? The requirements are for you to have some sort of debt. It’s listed right there in the instructions.

    3. Ronnie doodangke

      Yesterday I attempted to file taxes using irs.gov freefile links, tax slayer and taxact, created A bluebird.com account for direct deposit due to idtheft, police refusing to file 3 times, daughter kidnapped, attempted murder from 2017 with tennessee not even wanting to investigate due to so many politicians involvement as well as big data betting on deaths by brutality, anywho, I was denied functionality on both websites with tax credits being removed with my refund dropped to 12 dollars, this morning tn lotto cash 4 sum was 12, turns out my bb account just created were the gpu touches to indicate via my web requests , the cash 4 numbers , using surface flinger service, zygote32,, and an abundantly retarded number of named services that give anyone and mother access. So howdidddlydooo I just want to be sure it’s not part of this terrorist network , goggity

  2. Ron

    31 billion in fraud $ sent out from the government of California, but still they want more taxes, because that wasn’t enough and they want to mis-manage more. Awake yet Californians?

    1. John Gtar Davis

      Trump gave MIILIONS S$$$$ to these Sociatal LEECHES who laugh at our stupidity. “Who’s Lives Matter?

    2. Mikey Doesn't Like It

      @Ron, get your facts straight.

      While CA did indeed send out a lot of $$ to fraudsters (as did every other state), it’s only about a third of what you think. (see link below)

      Too much? Of course — but that’s probably proportionate to their population. So let’s not let politics get in the way of addressing the issue affecting ALL 50 STATES.

      Let’s become part of the solution, not the problem.


  3. Mr, Ed

    Thank you for the heads up. I created an account with the IRS back in March but I did not know they now will issue an IP PIN to any registered users.

  4. Cr00zng

    So, you get your IP PIN # to protect your tax returns, that’s a great idea. Maybe not…

    What happens if the IP PIN # is stolen from your computer? That’s right, you cannot even dispute the falsified tax return of yours, filed on your behalf by the hacker…

  5. Illinois IDES Fraud Victim

    Thanks for shining light on this issue. The IRS PIN number may just save me this year. On a dormant unemployment account, a thief changed my IDES direct deposit bank information (shouldn’t this make it fairly easy to identify the culprit?), changed my answers to security questions so I cannot get into the account even with the correct answers, received payment from a fraudulent claim, changed my mailing address, and the latest is exactly as you described, I received an email from IDES thanking me for opting to receive a 1099-G tax form online (which of course I never did).

    Illinois IDES is absolutely no help in resolving this. They are on a call back system and I’ve been lucky to be home with access to my records for some of these calls. The folks on the phone have conflicting information and no one knows what should be done. IDES Fraud said I’d receive a letter to show the police, and that someone would help me get back into my account – neither of which has happened. I’ve filed a police report, fraud alert with credit agencies , filed with the FTC and the IL Attorney Generals office (who indicated the 1099 email isn’t really a problem), and now must resolve this with the IRS. Please keep reporting on unemployment fraud and the tax implications.

    1. Begoo

      Your country is full of fraud.
      In goverment and everywhere criminals living better in your country called USA .
      But you people d ont do nothing about you seems to be happy victims

  6. vb

    Off topic, but taxing unemployment income is heartless. It’s a kick in the teeth to those most down-on-their luck.

    1. security vet

      …tax reform act of 1986 – Tip O’Neil was the speaker of the house and the dems were in the majority 267-167, and the senate was 55-45 republican with Bob Dole as majority leader – Reagan’s tax cuts…

    2. sergi tolstoy

      Taxing is not heartless.
      Unemployment is paid by employee / employer
      Currently $$$ paid is more than $$$ put in.

      Supplying a portion of one’s income to help in the process of gaining employment is good.
      Placing systems in place to support the acquirement of employment and the re-training for employment is good.

      Taxing to help the maintenance of systems is the GOAL.

      {Unless you can provide:
      security of self from others
      protection of home/property from fire
      properly dispose of waste
      educate properly the citizenery
      heal the sick
      provide clean water
      create/maintain transport networks

      We need to be taxed}

      1. security vet

        …well yes, and no. unemployment varies widely by state here (Alaska, where I live, does require the employee to contribute) some states do, others don’t…

        …so it’s not correct to say $ in is less then $ out because it’s not directly comparable…

  7. Africano

    I wish just wish 2 be that G in da hood in usa
    Thugs in the usa are lucky
    The tax jobs making good money in west side east side
    Crips rules 2pac forever

  8. vb

    The IRS “secure access authentication” process is fed with information from Equifax. In my case, Equifax has messed up my information, so that I can’t answer the Knowledge Based Authentication (KBA). My only solace is that nobody else could possibly answer my KBA either. So no IRS PIN for me or anyone else trying to get one as me

  9. J

    Based on your advice years ago, I’d already created my IRS account so no one else could.

    But today I couldn’t get back in even after correctly entering my user id and password. It said I needed to re-verify my account, which I agreed to.

    I breezed through the steps until it asked for my mobile number in my name. I’ve had one mobile number for probably over 15 years.

    BUT my phone number is part of a family plan that’s under my wife’s name because she gets a special discount rate from her employer.

    So the IRS site rejects my mobile number almost certainly because the account is under my wife’s name, even though within my account the number is tied to my name.

    This is almost certainly a big problem considering so many users are part of a family plan.

    Brian, can you point this out to the IRS?

    The alternative method on the site is to select a paper mailing of the info to me. I initiated that thinking it’s an option for resetting an existing account in lieu of the mobile phone, but instead I was asked to create a new user ID and password, thereby abandoning, I guess, my account I set up about 4 years ago.

    1. Mikey Doesn't Like It

      I’ve had same Verizon phone number for 15+ years. No family plan, just solo. Yet IRS still rejected it.

      So now I have to wait for USPS to manually deliver my confirmation code — so I can THEN finish off applying for (and hopefully finally receiving) my PIN.

      Which gives the bad guys plenty of time to file a fraudulent return in my name.


    2. iMac77

      I was in a similar situation. But when asked to create a new account I simply re-entered the name/password for my old account and it was accepted. Got my access code in the mail and am back into my account. Rather than use a phone number for SMS verification I opted for their “IRS2GO.app” app, which issues you a code to enter when signing into the account.

      It is odd that the PIN option is not available directly in the account. They seem to treat all of their services as separate links outside of the user’s account.
      You can see them listed at irs.gov/onlineservices

  10. J

    It’s impossible to use your mobile number to verify your IRS account if your mobile number is part of a family plan not in your name.

    1. J

      I just tried it and it rejected my mobile number I’ve had for at least 15 years. My cell number is part of our family plan, which is in my wife’s name because her employer gives her a mobile plan discount. Of the 4 phones on the mobile plan, only one, my wife’s, would be accepted by the IRS’s query as belonging to the account holder. Within the mobile plan, each phone number corresponds to a user, and that’s where mine shows up. But only one user is the account holder. This means for family plans only one number will correspond to the IRS’s query sufficiently. It makes this woefully useless.

    2. Gnecht

      Correct. The IRS will postal-mail a letter with a confirmation code in that case. Slower and all, but they really need to get the authentication right before they grant full access to someone’s tax records.

  11. BBlanco

    The sad part is that leaders within the California agency responsible for unemployment were warned by the Feds and others the scams would likely happen. They failed to do anything because they were more focused on paying benefits. In a kneejerk reaction they froze all debit cards after the fact which hurt those that needed the benefits.

    During the 2008/9 crisis the same agency had similar problems (at a much smaller scale) but the pollical leaders did little to fix them thinking a crisis wouldn’t happen again.

    Unfortunately the state will likely be able to recover less than 20% meaning taxpayers are on the hook for the rest.

  12. JessieJames

    I had already created an account. I just tried to log in and said it needed to recertify. I rejected my cell phone number. Then it prompted me to obtain a pin by mail. When I agreed, it then asked me to create a new profile/account! It is all screwed up.

  13. Tommy Garrett

    I filled up the job application form online that asked me for my Tax File Number. I didn’t realized that I am now the victim of identity theft. This thing happened last year that I had to reapply for a Tax return.

  14. Aussie

    I just don’t understand why it is so easy to commit this type of fraud in the states?

    Oh and wow, the new points of ID required just add another hurdle that will possibly reduce the number of fraudulent cases but definitely won’t stop it.

  15. Sergi Tolstoy

    >$$$ in $$$ out = programming solution

    Taxpayers send $$$ thru payroll systems, third-party services and govt systems:

    >These systems match $$$ to taxpayer , when a request for refund is issued, funds should be tracked back to the issuing payroll systems, third-party services and govt systems.
    Payments are then made at these levels, establishing a Contained System of trust.

    You switch jobs, close biz, death, all $$$ revert to Unclaimed $$$ stored by State Govts. in specialized category of Federal Tax

    >This can be expanded to UI benefits systems- $$$ sent from job employer goes back to employers processing system, then disseminated by tracer systems.

  16. Dan

    The one consistent thread whether personal losses due to ID theft, IRS fraudulent returns or tens of billions of dollars in PPP money is that no one is ever responsible. Not the US Congress, not the employees of the SBA, not the NSA, not the White House, not local government…..nobody. Total corruption and incompetence at every level by the masters of stupidity….the DNC and RNC….as Ralph Nader said in 2000….one snake with two heads

  17. Povl H. Pedersen

    The US clearly needs a secure digital ID soon. They can look to more advanced countries.
    Denmark used to have paper cards with One-Time-Passwords (about 120 on a card) combined with a self-selected userID and password. Thieves tried to get the OTP card from mailboxes, but it is worthless without access to username/password.

    This “EasyID” has not mostly been replaced by an App with push messages. But I guess large parts of the USA is still int he last century, and you can not expect everybody to have a smartphone, but the paper card would work.

    The paper-version of EasyID was “hacked” in just a few cases. People used it in public library, low security computers. Had not changed their username away from SSN. So simple USB kyeboard sniffers allowed hacker to identify SSN and passwords, and they could lookup the SSN to find the address.
    The implementation was bad, in that it listed how many codes where left after username/password but before OTP, so the hackers then kept checking every day when it was near the threshold of automatic mailing of new cards. Then they could visit the address (found from SSN) and wait for postman to drop it.

    But a simple solution to get validated identity.

Comments are closed.