Every tax filing season we become more aware of the dangers of identity theft, phishing, phone scams and various other schemes that target taxpayers.
If we are fortunate enough not to become victims, our interest fades after we file our taxes, only to be renewed the next year when we read about elaborate tax fraud schemes and look for ways to protect our personal information. The cycle begins again. For the federal and state tax authorities, however, fraud remains a challenge of utmost importance throughout the year. To tackle this challenge, the IRS initiated an effort to work with partners across the tax ecosystem to establish controls and safeguards to detect and prevent tax refund fraud resulting from identity theft – a model that can be utilized across the government beyond the area of tax.
Identity theft refund fraud
Every year, the IRS publishes its “Dirty Dozen” list, which highlights the common scams that taxpayers may encounter throughout the year, particularly during the tax filing season. The 2017 Dirty Dozen includes schemes such as phishing (a staggering 400% increase in phishing and malware incidents in 2016), phone scams and offshore tax avoidance. Identity theft refund fraud makes its appearance in the Dirty Dozen for the seventh year in a row, leading the list in four of those years.
Identity theft refund fraud is committed when a criminal uses a stolen Social Security Number (SSN) or an Individual Taxpayer Identification Number (ITIN) to file a tax return and claim a fraudulent refund. When the person who actually owns the identity attempts to e-file his or her tax return, the IRS system gives a notification that a tax return has already been filed with that SSN or ITIN. In many cases, this is the first time that the person becomes aware of the identity theft. What follows is a long and arduous process of finding out the extent of the criminals’ activities and working on remediation of the damages. This is frustrating for the taxpayer, imposes a significant burden on the economy and erodes public trust in the tax system.
Recent investigations show the variety in size and scope of the schemes criminals devise to defraud the tax system using stolen identities:
- In November 2016, a Tampa, Florida man was sentenced to 102 months in prison for involvement in a stolen identity refund fraud. He and his coconspirators had filed fraudulent tax returns, requesting almost $6 million and receiving approximately $1.9 million from the IRS.
- In August 2016, five people in Austin, Texas were sentenced to between 33 and 121 months in prison after they were found guilty of collecting Mexican identification documents and using them to obtain ITINs. They filed over 3,200 fraudulent tax returns and claimed more than $9 million in refunds from the IRS.
- In July 2016, a Virginia man was sentenced to 47 months in prison for involvement in a stolen identity tax refund scheme. This individual was part of a 130-person operation, which filed at least 12,000 fraudulent federal income tax returns using stolen identities and claimed at least $42 million in refunds.
“Identity theft has shifted from small-time thieves to multinational criminal enterprises that mine the internet for personal information that is stolen, collected and sold to other criminals,” said Richard Weber, Chief, IRS Criminal Investigation.
IRS Security Summit and public-private collaboration
On March 19, 2015, IRS Commissioner John Koskinen convened the first Security Summit in Washington, D.C. and brought together IRS officials, state tax administrators and the CEOs of the nation’s leading tax preparation firms, tax software providers, and payroll and tax financial product processors. Approximately 25 leaders, including Jon Baron, managing director of the Tax & Accounting Professional Segment at Thomson Reuters, attended the summit and formed a public-private partnership to combat tax refund fraud and protect taxpayers.
The Security Summit established three working groups – Authentication, Information Sharing, and Strategic Threat Assessment and Response – which worked closely for the next two months and agreed on a set of new protections to enact before the 2016 tax filing season. Among other points, the Security Summit members agreed to:
- Share 20 data elements from federal and state tax returns to improve authentication of taxpayer and tax return information to detect and prevent fraud.
- Enhance identity requirements and authentication in tax software through mechanisms such as multi-factor authentication, trusted computer account validation and automatic email generation to notify users of account changes.
- Align under the National Institute of Standards and Technology Cybersecurity Framework to reduce risks in the cyber infrastructure.
- Launch a campaign called “Taxes. Together.” to increase public awareness about computer security and identity theft, and provide tips for taxpayers to protect themselves.
The Security Summit was held again in 2016 to build upon the successes of the previous year and add additional safeguards to protect taxpayers from evolving threats. With increased participation from the industry, including financial institutions, refund product providers and payroll service providers, the Security Summit was able to expand the public-private collaboration and provide more protections for taxpayers.
The IRS reports that this partnership has produced significant impact in the short time that it has been in place. From January to September 2016:
- 237,750 identity theft affidavits were filed with the IRS. This shows a 50-percent drop in reported identity theft refund fraud victims compared to the same period in 2015.
- The IRS saved over $4 billion by stopping 787,000 confirmed identity theft returns. This is almost a percent drop from the same period in 2015, indicating that more fraudulent returns were detected and stopped before they reached processing.
- The new data elements shared on tax returns helped the IRS stop over 74,000 suspicious returns, saving over $372 million in refunds that might have been paid to criminals.
- Information sharing from industry and state partners provided information that helped the IRS stop an additional 57,000 fraudulent tax returns.
“We’ve come a long way in a short time following the creation of the Security Summit,” Commissioner Koskinen said. “But much more work remains to be done, and the partnership has agreed to take even more steps to protect taxpayers in 2017.” These steps include adding 37 new data elements to tax returns to strengthen authentication, sharing 32 data elements from business tax returns, expanding the Form W-2 Verification Code initiative, improving password requirements in tax software, expanding the public awareness campaign and establishing a new Identity Theft Tax Refund Fraud Information Sharing and Analysis Center.
Looking beyond tax fraud
The public-private partnership established by the IRS, states and tax industry as part of the Security Summit shows success in the particular case of tax fraud, but the underlying drivers of that success – sharing information, developing standards, increasing public awareness, taking advantage of advanced analytic capabilities developed in the private sector, working collaboratively towards a common cause and measuring progress – are transferable to other domains.
Jon Baron emphasizes this point and underlines this partnership’s potential as a model going forward. “I applaud Commissioner Koskinen for bringing together a cross-section of the public sector and private industry to combat a very real issue impacting not only individuals, but the very core of the tax system itself,” says Baron. “This highly successful effort can be held up as a stellar example of having a vision, communicating effectively how that vision can be accomplished, driving it through to execution and seeing to it that it continues to evolve to stay ahead of a rapidly changing landscape.”
For more information, visit: tax.thomsonreuters.com