Posts Tagged ‘IdentityTheft’

Please Don’t Do This!

Tuesday, January 10th, 2017

Joe Kristan tweeted the following last weekend:

As I was going through my emails this morning, one of my clients (she shall remain nameless) sent me an email with her CP01A notice attached. The CP01A notice is the IRS notice giving a victim (or potential victim) of identity theft his or her Identity Theft PIN. I suspect Joe made that post on Twitter because one of his clients did the same thing as my client.

Meanwhile, another client of mine faxed me his CP01A notice. That’s a far, far safer method of sending the Identity Theft PIN to your tax professional. You can also hand it to your tax professional or upload it using their web portal (or file transfer system—the name isn’t as relevant as the method). Mail is considered a secure means of sending things, too.

Do not email anything containing personally identifiable information such as social security numbers or dates of birth. Of course, if you want to be a victim of identity theft, go right ahead and do so. But don’t say I didn’t warn you.

Third Party Transcript Requests Reportedly Will No Longer be Processed by the IRS

Wednesday, December 2nd, 2015

Form 4506-T allows a third-party to obtain a transcript with your signed permission. One use of the form has been to obtain a tax return transcript when obtaining a mortgage. There have been reports that some individuals who completed this form didn’t have the transcripts sent on. Well, it appears that the IRS is no longer honoring this form unless there’s a Tax Information Authorization (Form 8821) or a Power of Attorney (Form 2848) on file. (Of course, either a Form 8821 or a Form 2848 allows a transcript to be generated.)

This news came out today via individuals calling the IRS’s Practitioner Priority Service. This policy has not been officially published anywhere by the IRS, but based on IRS actions it appears that this policy was put in place because of identity theft concerns.

I do not know what mortgage companies will do in the future, but I would assume they will add a Form 8821 to their requests. I’m not sure how a mortgage company sending over two pieces of paper to the IRS rather than one lowers the risk of identity theft, but whatever.

In related news, the Oklahoma Tax Commission is no longer accepting Oklahoma Power of Attorney forms via fax; they must be mailed to the tax agency. It’s not clear what prompted this change but I’m guessing it’s also identity theft concerns.

Over 1,100 Returns Filed from Two Addresses Lead to Two Heading to ClubFed

Sunday, October 25th, 2015

Two separate cases out of Broward County, Florida highlight that if you submit lots of tax returns from the same address even the IRS will get suspicious. A former band director and another Floridian will be heading to ClubFed in separate identity theft cases.

In the first case, a former band director apparently used his position to steal 419 identities. From the DOJ press release:

According to court documents, IRS-CI investigators noticed that 419 suspicious tax returns claiming refunds totaling $754,470 were filed from Rogers’ residential address from January 25, 2014 to April 20, 2014. Based on this information, a search warrant was executed at Rogers’ residence and agents discovered and seized papers, notes, and documents containing thousands of PII (including names, dates of birth, and social security numbers) including PII contained in records of more than a dozen Broward County School District students, some dating back to the late 1990s and others into the late 2000s. Agents also seized numerous printed 2013 tax returns.

Delvis Rogers of Hollywood, Florida admitted when his apartment was searched (under a search warrant) that he had prepared and filed hundreds of phony tax returns from his apartment. Mr. Rogers pleaded guilty to two identity theft related charges. He received 61 months at ClubFed and agreed to make restitution to the IRS of $129,321.

In the second case, Keyiona Wright of Plantation, Florida pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. From the DOJ press release:

According to court documents, from March 25, 2014 to May 6, 2015, forty-six federal tax returns were filed with the IRS claiming refunds of $135,196 from an IP address in Plantation. From September 16, 2014 to May 5, 2015, at least 688 rejected federal tax returns, claiming refunds of $733,276, were electronically transmitted to the IRS from this same IP address. Agents confirmed that the IP address was assigned to an apartment rented by Wright.

A search warrant found notebooks, bags, documents, papers, and computers containing personal identification information. “A forensic analysis revealed that the documents, computers, and debit/credit cards seized from Wright’s residence contained identifying or account information for over 14,000 individuals.” And agents found another computer that had a video with Ms. Wright counting money. At least she didn’t post it on Facebook like the Queen of Tax Fraud.

In the end, Ms. Wright pled guilty. She’ll have plenty of time at ClubFed to think over her decisions; she was sentenced to 7 years.

IRS to Tax Professionals: Rules for Thee but Not for Us

Thursday, October 8th, 2015

Today I received an alert from the IRS that a new version of Publication 4557 is available. (At this point, only the web version of the publication is available.) Interestingly, the IRS notes the following:

To safeguard taxpayer information, you must determine the appropriate security controls for your environment based on the size, complexity, nature and scope of your activities. Security controls are the management, operational and technical safeguards you may use to protect the confidentiality, integrity and availability of your customers’ information. Examples of security controls are:

1. Locking doors to restrict access to paper or electronic files;
2. Requiring passwords to restrict access to computer files;
3. Encrypting electronically stored taxpayer data;
4 .Keeping a backup of electronic data for recovery purposes;
5. Shredding paper containing taxpayer information before throwing it in the trash.
6. Do not mail unencrypted sensitive personal information.

Further, Authorized IRS e-file Providers that participate in the role as an Online Provider must follow the six security, privacy and business standards to better serve taxpayers and protect their individual income tax information collected, processed and stored. See “Safeguarding IRS e-file” in Publication 1345 for more information. [emphasis added]

There’s nothing wrong with these recommendations; in fact, they’re excellent. But note that the IRS says that authorized e-file providers that participate in the role as an Online Provider must follow these rules.

I highlighted the last rule (#6, above) regarding mailing unencrypted sensitive personal information. Why? Because the IRS is one of the biggest offenders in this area. Indeed, just yesterday TIGTA (the Treasury Inspector General for Tax Administration) issued a report stating this. From the TIGTA press release:

In Fiscal Year 2014, the IRS mailed more than 141 million notices and 37 million letters to taxpayers for various reasons, to help them understand and meet their tax obligations. In a prior review, TIGTA reported that the IRS had not made significant progress in redacting or masking taxpayers’ SSNs from systems, notices, and forms. This audit was initiated to assess the IRS’s progress in eliminating taxpayer SSNs from correspondence.

TIGTA found that as of January 2015, the IRS estimates that it has removed SSNs from 58 (2 percent) of the 2,749 types of letters and 93 (48 percent) of the 195 types of notices it issues.

“A person’s Social Security Number is the most valuable piece of personal data identity thieves can obtain.” said J. Russell George, Treasury Inspector General for Tax Administration. “The fact that the IRS does not have processes and procedures to accurately identify all correspondence that contain Social Security Numbers remains a concern.”

There’s not much to add to this. The IRS needs to act on this as they are a far larger source of identity theft than tax professionals. I state that as I open up an IRS letter and an IRS notice to clients that both contain their social security numbers. And there was the IRS notice which didn’t have the full social security number but put the number within a bar code instead….

IRS Removes Social Security Number from Some Notices But…

Sunday, September 6th, 2015

The IRS has begun removing social security numbers from some IRS notices in the header (leaving just the last four digits, such as xxx-xx-1234). The reason for this is the problem of identity theft. And I give kudos to the IRS for this. Unfortunately, the IRS hasn’t executed this that well.

Today I opened an IRS notice that was sent to a client. The good: The social security number in the header had only the last four digits. The bad: Right below the header the IRS put in a bar code–presumably to make processing of the return mail easier. Below the bar code in relatively small print (but easily readable by me, and I wear glasses) was the deciphering of the code. Of course, it contained the social security number.

My helpful hint to the IRS: It does no good to remove the social security number from the header and then add it right below the bar code. Identity thieves can read it there, too.

When Even IRS Employees Are Tempted to Commit Identity Theft…

Sunday, August 30th, 2015

…you know there’s a huge problem. Especially given that the employee should realize that the Treasury Inspector General for Tax Administration (TIGTA) does look at alleged criminal activities by IRS employees. Yet it happens.

Take Kenneth Goheen of Austin. Mr. Goheen worked in the IRS Austin Service Center. He apparently looked at applications for an Individual Taxpayer Identification Numbers (ITINs) and used those applications to file more than 50 fraudulent returns. He pocketed over $120,000 while committing his crimes. Luckily, TIGTA and IRS Criminal Investigation found out about his malfeasance.

As noted in the Department of Justice press release,

“Goheen’s conduct is doubly offensive. He not only stole money from the government, but he used his unique position in the government—a position of trust—to wrongfully enrich himself,” stated U.S. Attorney Richard L. Durbin, Jr.

Mr. Goheen was sentenced to two years plus one day at ClubFed, must forfeit $15,442 seized from his bank account, and must make restitution of $104,292.

While it’s well and good that TIGTA and IRS Criminal Investigation caught Mr. Goheen, consider the question why did Mr. Goheen commit his crimes? Obviously he thought he’d get away with it–and that’s disturbing. No, I suspect that most criminals think they’ll get away with their crimes. Here, though, Mr. Goheen should be aware of the IRS efforts (or lack thereof) in fighting identity theft. Clearly, he felt that that the IRS efforts weren’t particularly meaningful. And that’s what bothers me here.

How to Commit Tax Fraud 101

Sunday, August 23rd, 2015

The Florida Center for Investigative Reporting (FCIR) has an article spotlighting tax return fraud. That in itself isn’t surprising given that Florida is the hotbed for this crime. What is depressing is how easy it is to commit the crime. While the Social Security Death List is no longer available for the fraudsters, FCIR reports that they turned to a commercial service called The site is designed for finding your ancestors, but enterprising crooks discovered it could be used to commit tax fraud.

My guess is that old records contain social security numbers–the numbers weren’t as big a deal in the pre-Internet era–and they just find people in that manner. Sure, they are undoubtedly violating the Terms & Conditions of the website but if you’re going to commit a felony (or several), what’s the big deal about violating some T&C’s?

Meanwhile, two press releases from the East Bay (near San Francisco) highlight the magnitude of this problem. Ebony Standifer conspired to obtain false identities and used them to obtain $193,602 in false refunds. She pleaded guilty this week to one count of conspiracy to file false claims and one count of aggravated identity theft. Three other East Bay residents pleaded guilty to conspiracy to file false claims in what appears to be a separate tax fraud scheme. These individuals received $287,498 in false refunds.

Until the IRS makes it far more difficult for the fraudsters, this epidemic will continue. As I’ve said, why rob banks?

IRS: Free Identity Protection Services After a Data Breach Isn’t Includable in Income

Thursday, August 13th, 2015

The IRS noted Announcement 2015-22 today, that states:

[T]he IRS will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Additionally, the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages.

Generally, any accession to wealth is includable in income, and there’s a value for the data protection services. Of course, one of the largest data breaches this year was at the hands of…the IRS. While this is a clearly common sense approach, still one must wonder if the IRS would have released this announcement if one of the biggest entities to cause a data breach wasn’t the IRS.

Why Rob Banks, Redux

Tuesday, August 11th, 2015

Back in 2012 I noted that gangs were looking at identity theft as the successor to bank robbery. From Los Angeles comes the news that the California Attorney General’s Office, along with the Long Beach Police and the US Postal Inspection Service did a “takedown” of the “Insane Crip” street gang; 22 members are in custody on charges that include 283 counts of conspiracy, 299 counts of identity theft, and 226 counts of grand theft.

The arrest is the culmination of a three-year investigation into the Insane Crip street gang that began after a Long Beach crime spree tied to the gang. A Long Beach Police Department detective discovered evidence containing the personal identifying information of hundreds of California residents at an address associated with the gang. The defendants had used the stolen personal identifying information to commit financial crimes, including identity theft and tax return fraud.

The defendants exchanged the stolen information via text messages to the leaders of the scheme, who would then file fraudulent tax returns, obtain the refunds and load them onto prepaid debit cards in the name of other victims. The debit cards were then used to fund the gang’s illicit activities, lavish lifestyle and to recruit members.

Kudos to all involved, but I will point out, again, that while the IRS has done more to make identity theft difficult, they’ve done nowhere near enough. Even today most of what the IRS does on this front is reactionary. While electronic returns filed now note the computer they’ve been filed from–which is a help–there is much more the IRS could do. The modest proposal I made nearly three years ago would still stop much of today’s identity theft. Yet the IRS spends money on the Annual Filing Season Program. Oh well, venting doesn’t do any good….

IRS “Get Transcript” Application Hacked; 104,000 Tax Returns Illegally Accessed

Tuesday, May 26th, 2015

This afternoon IRS Commissioner John Koskinen announced that criminals were able to use the IRS “Get Transcript” application to access approximately 104,000 tax returns. (An additional 100,000 or so attempts were unsuccessful.) From the Wall Street Journal:

Thieves used the information from prior years’ returns to help them file for fraudulent refunds, the IRS said.

The IRS said the matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’s Criminal Investigation unit. In addition, the agency said its “Get Transcript” application—which the identity thieves successfully penetrated—has been shut down temporarily.

The IRS said it would provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. The IRS said it identified 200,000 attempts to access data and will notify all of these taxpayers about the incident.

The Hill has the number of returns accessed at 104,000.

That the Get Transcript application is insecure isn’t a surprise. Over one year ago I wrote:

Meanwhile, the Get a Transcript has its own problems. My partner attempted to use the service, but it could not verify either him or his wife as living where he’s lived for years. Second, the verification information relies on publicly available information for many. (It did for my partner, myself, and one other individual.) This is anything but a secure system. (I have sent a request to TIGTA noting the weakness of the system and requesting that they audit it. If TIGTA audits this, it’s unlikely we will hear anything for many months–probably not until 2015.) [emphasis in original]

Last year TIGTA responded to my request and stated that there were no issues with “Get Transcript.” I suspect they’ve changed their mind on that.

Meanwhile, I continue to have issues with IRS notices. Today I spoke with the Practitioner Priority Service (after being on hold for 1.5 hours) regarding a client where I have both a Tax Information Authorization (Form 8821) and a Power of Attorney (Form 2848), either of which should have had me copied on the notices. PPS confirmed that the POA and Tax Information Authorization were on file for the year in question. They could not explain to me why I didn’t receive any of the notices sent to my client.

One solution to the identity theft fiasco is the modest proposal on identity theft I made back in 2012. Instead, identity theft continues to balloon, while the IRS limits the tools available to tax professionals. Is it any wonder the IRS is so loved?

UPDATE: The IRS released a statement on the breach. Here are excerpts:

The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the “Get Transcript” application has been shut down temporarily. The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident…

The IRS determined late last week that unusual activity had taken place on the application, which indicates that unauthorized third parties had access to some accounts on the transcript application. Following an initial review, it appears that access was gained to more than 100,000 accounts through the Get Transcript application.

In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.

I question that the answers to these questions are only known by the taxpayer. The questions I was asked could be discovered through a search of public records. It would be time consuming but entirely possible for a stranger who had my social security number and date of birth to answer all the other verification questions.