Reflections on the General State of Tax-related Identity Theft


We have previously discussed the challenges of identity theft in Procedurally Taxing, most recently in a guest post from former prosecutor Justine Gelfand. Today we return to the issue and welcome back guest blogger, Rachael Rubenstein, who is a Senior Tax Fellow at St. Mary’s School of Law. Rachael served as the principal author of the Identity Theft chapter in the 6th Edition of “Effectively Representing Your Client before the IRS.” Because of all of the changes in this area since the time of publishing the 5th Edition, she essentially had to write the chapter from scratch. She reflects here on recent issues concerning identity theft. Her closing paragraph comparing the amount the IRS spends on data security compared to a large bank should give us all pause. Keith

Recent news of a large scale data breach involving the IRS website here, here and here, and the announcement that the IRS plans to establish formal guidelines to allow victims of refund-related identity theft to gain access to copies of the fraudulently filed returns here, has refocused attention on the widespread issue of tax-related identity theft, as have reports during the filing season of suspicious tax return filings through TurboTax Software, which launched an ongoing FBI investigation here and here. Coverage of this issue has inspired increased frustration and anger towards the IRS, an agency we all know is suffering from some serious PR problems. Last month my dad contacted me panicked because he learned a fraudulent tax return was filed under his Social Security Number (SSN). I told him what I tell many of my clients, “It will be ok. The problem will be fixed as long as you file the correct paperwork. The IRS has a lot of experience with this type of activity, although it will take several months to correct.” Luckily my parents, unlike most clients, were not waiting on a large tax refund to supplement their income for the year. Still, the psychological and financial effects of this type of victimization are felt regardless of one’s tax bracket.


In terms of tax administration, identity theft is a relatively new phenomenon—emerging in the early 2000s along with the rise in e-filing. There are two types of tax-related identity theft: refund-related and employment-related. The latter occurs when an individual uses the SSN of another in order to gain employment, which often causes IRS problems because of the wages earned and reported by employers under the wrong SSN. Most attention and resources are focused on refund-related identity theft, which involves the use of stolen personal data to obtain improper refunds, causing economic damage to individual taxpayers and the treasury. IRS figures estimate the cost of undetected refund-related identity theft at approximately $5 billion a year. Until tax year 2013, the number of taxpayers affected by (broadly defined) tax-related identity theft each year rose at an alarming rate. According to a 2013 TIGTA report here, in calendar year 2010 there were roughly 440,581 IRS identity theft incidents compared to 1,901,105 in 2013.

From 2004 to 2013, the NTA identified tax-related identity theft as one of the “Most Serious Problems” faced by taxpayers in nearly every annual report submitted to Congress here. In addition to the various audits TIGTA conducts each year on the Service’s information security programs, TIGTA has aggressively audited IRS handling of identity theft and its ongoing efforts to stop it before a taxpayer is victimized. At the beginning of the decade refund-related identity theft overwhelmed the IRS. Victim taxpayers generally waited over a year to receive their refunds and, often, had to submit numerous copies of the same evidence to IRS in order to resolve their cases. A review of TIGTA and TAS reports shows that the peak of lost revenue and the length of case processing for victims occurred in 2010 through 2012. The volume of actual incidents (both employment and refund-related) was the highest in 2013 and, finally, declined by roughly 42% by the end of 2014 here. Since 2012, the IRS has made combating identity theft a top priority and steady progress has been made on both prevention and victim services. The IRS used a variety of methods to attack the problem, including: novel technology detection and prevention models, increased criminal investigations/prosecutions, increased cooperation with the private sector, redevelopment of case processing procedures, expansion of programs to assist victims, and added personnel dedicated to handling identity theft cases. In April 2015, the most recent TIGTA audit on refund-related identity theft here reported $22–24 billion of fraudulent tax refunds were prevented during the 2013 filing season. Still, around $5.75 billion was lost as a result of this crime during the same period. These figures are based on IRS estimates, which generally capture higher figures than TIGTA audits.

Most practitioners who regularly work these cases will tell you that processing times have improved (down to a not so impressive average of 6–8 months), and IRS employees are better equipped to handle identity theft claims. The darkest days of tax-related identity theft may have already passed, although vulnerabilities in IRS information technology programs could certainly turn the tide.

May’s data breach represented a shift in sophistication by identity thieves. Instead of using personal data stolen from external sources to steal refund money by e-filing fraudulent tax returns, hackers used a hybrid theft model. First, previously stolen information, such as names, dates of birth, and addresses, was used to access the “Get a Transcript” feature on the IRS website. This tool was launched in January of 2014 to streamline taxpayer requests for prior year tax transcripts—reducing IRS call volume and providing instant data to the requestor. By accessing these transcripts, cyber-attackers obtained specific details about their victims’ filing histories. Such information was used (or planned to be used) to circumvent the Service’s return processing identity theft detection filters. It’s worth noting that the IRS has approximately 144 such filters. In his June 2nd testimony before the Senate Finance Committee on this incident here, Commissioner Koskinen stated the Service’s cyber security team detected suspicious activity on the “Get a Transcript” application in mid-May and shut down the feature on May 21st. IRS investigation revealed that roughly 100,000 taxpayer accounts were affected, resulting in around 13,000 suspect tax returns filed. About $39 million in fraudulent refunds were paid out. Another 23,500 returns from these compromised accounts were stopped by IRS fraud filters.

Shifting blame to the IRS for this cyber attack is easy. Many of the agency’s information technology systems are antiquated and known vulnerabilities continue to exist (detailed in TIGTA’s June 2nd written testimony here). Any time there is a high profile problem identified in tax administration, we hear a familiar parade of horribles launched at the agency. This massive disclosure violation merits a more thoughtful response. Indeed, last week IRS announced a formal agreement to work collaboratively with state tax administrators and leaders of the private electronic tax industry. Details of the agreement were developed after Koskinen convened a Security Summit with IRS representatives and these external stakeholders on March 19th, and include new initiatives in the areas of taxpayer authentication; fraud identification; information sharing/assessment; cybersecurity framework; and taxpayer awareness and communication here. These coordinated efforts sound promising, but there is a missing player in this partnership to fight back against tax-related identity theft.

Since 2011, at least a dozen congressional hearings on this topic have been held, yet no meaningful legislation has emerged to combat tax-related identity theft. The well-trodden path of investigation, condemnation, cost cutting, and added responsibilities will not suffice—legislative solutions are needed. Koskinen mentioned several in the June 2nd hearing: approval of the President’s FY 2016 Budget request (“with $101 million specifically devoted to identity theft and refund fraud, plus $188 million for critical information technology infrastructure”); passage of legislation to “accelerate information return filing deadlines” for improved detection of fraudulent filings during tax season; and criminal and civil penalty deterrence statutes. On June 4th, Senate Finance Committee Chairman, Orrin Hatch, and Ranking Member, Ron Wyden, released a statement outlining the Committee’s work on this issue here. Legislation introduced by Senator Marco Rubio in March of 2015 here aimed at curtailing tax-related identity theft may also merit consideration. Lawmakers should act to implement legislation and better safeguard the public fisc from this pervasive crime.

*In 2014, JP Morgan Chase spent $250 million on cyber security and still experienced a large scale data breach here. In comparison, the IRS spent around $141.5 million on cyber security in the same year here.


  1. Eric Rasmusen says

    You need to make more of a case that legislative action would make any difference. Money would help, of course, but there the question is whether the IRS needs more money or whether Congress needs to force the IRS to transfer spending to this area from other areas the IRS gives higher priority (e.g., for lawyers to engage in stalling tactics to avoid disclosing Lois Lerner emails and paying out tax whistleblower awards). Moving up information filing deadlines would help, maybe (we’d need to know more), but that has a huge cost for businesses. And exactly what new criminal penalties are needed? Isn’t identity theft already illegal? I myself might favor imposing the death penalty, but I don’t think the Administration will go for it.
