As Tax Identity Theft Awareness Week in the US gets underway, ESET’s Stephen Cobb offers expert advice on how to protect yourself from fraudsters.

Tax Identity Theft Awareness Week in the US begins January 25. This national awareness campaign encourages Americans to take action to prevent criminals defrauding the government and delaying legitimate tax refunds to honest taxpayers. The big shift towards electronic filing of income tax returns in America over the last 10 years has enabled tax identity theft to thrive, a relatively easy way for criminals to steal money from the government.

The most common type of tax identity fraud is possible because income tax is deducted from employee paychecks at an estimated rate. Although the percentage that is withheld can be adjusted by the wage earner, many Americans use a default rate which results in overpayment of taxes. Thus there is a need to claim a refund from the Internal Revenue Service (IRS) at the end of the tax year (for most workers this the calendar year, with the filing of returns and refund requests beginning at some point in the following year, January 19 for 2016).

As soon as employers issue a form called W-2 to employees, showing the income earned and amount of taxes withheld, the employee can file a return and claim a refund if they overpaid. Unfortunately, employers have until January 31 to give employees these forms, giving scammers a window of up to 12 days to file a bogus return using the identity of a person who has not yet had a chance to file. But the window for fraud is actually much longer than that because employers don’t have to file W-2 information with the IRS until the end of March. In essence, the IRS just takes the taxpayer’s word for the W-2 numbers. Refunds for over-payment of taxes are sent out before the W-2 data is verified.

Crooks can thus submit fake reports of taxes paid above and beyond taxes owed, resulting in a refund due (and sent to the address or account the crook specified). If a scammer files using your identity (basically your Social Security number) you may not find out until you file your return, only to have the IRS reject it. This rejection can be fairly quick if you are filing electronically. If you file by mail and there is already a fraudulent return on file, any refund you were expecting to receive will fail to appear. Eventually you will get a letter from the IRS telling you about the situation. Later in this article I discuss how to deal with these situations and hopefully prevent them, but first let’s look at the size and scope of the monster we’re dealing with here.

The nature of tax identity fraud

To say that tax identity fraud is rampant in America would be an understatement. In 2013, crooks took $5.3 billion from the US Treasury through tax ID fraud. The IRS publishes a dossier of tax ID fraud cases it prosecuted in 2015, listing details of the fraud committed. It makes for pretty depressing reading despite the fact that, on the bright side, many criminals were convicted. Sadly, convictions are not a strong enough deterrent for some people. While the main target has been the federal income tax refund, last year saw an increase in this type of crime targeting state tax authorities (many US states have their own income tax, in addition to the federal tax).

“To say that tax identity fraud is rampant in America would be an understatement.”

You can get a good sense of the scale and nature of tax identity fraud from this 60 Minutes segment, available as a transcript (plus video in some regions of the planet). To get the perpetrator’s perspective, consider this statement from Corey Williams, who was a legitimate tax preparer until his boss turned him on to the scam (before he was arrested and sentenced to 40 months in prison, Mr. Williams had raked in millions of dollars in fraudulent refund payments):

“Anybody who knew about it, you’d be a fool to not try to get involved with making some money. I could wake up in the comfort of my own home, and just get on a laptop, do about 15 returns a day. Fifteen times $3,000 a return, that’s $45,000 a day.”

So it’s no surprise that tax identity fraud is a flourishing industry. The perpetrators even have online support groups (as described by Brian Krebs last year) in which to share tactics. On the plus side, the IRS is getting better at spotting the most flagrant abuses. A report on last year’s filing season found the IRS identified 163,087 tax returns with more than $908.3 million claimed in fraudulent refunds, blocking approximately $787 million (86.6 percent) in fraudulent refund payments.

Unfortunately, these anti-fraud efforts have led some scammers to adopt more aggressive tax-based cons, including threatening phone calls. Fortunately, America’s consumer watchdog, the Federal Trade Commission has taken a leading role in educating the public about tax identity theft and other IRS-related scams. The FTC website has lots of resources for Tax Identity Theft Awareness Week.

Tax ID theft: what could go wrong?

Your return is rejected: If you find that another a tax return has been filed with your Social Security number, you should use IRS Form 14039 to alert the IRS. Do this right away. You will need to provide information about the tax year affected and a copy of the last return you filed prior to the identity theft. After you have filed this form, keep calling the IRS for updates on a regular basis to prevent your case from slipping through the cracks. In some situations, the IRS will issue a taxpayer-specific PIN if you have had issues with identity theft. This PIN is then required on any tax return you file. Go to this page on the IRS website to learn more about the process of applying for a tax return PIN from the IRS. You are asked to return a refund: This can occur if you are the victim of a different type of scam, as reported in the Wall Street Journal, in which a more skilled criminal uses routing information from a victim’s personal check. The criminal will “trick the electronic tax-payment system into transferring funds from a victim’s bank account as an estimated-tax payment to another stolen name and Social Security number, then file a refund claim transferring the stolen funds to his own account”. (See “ACH debit block” below as a means of defeating this scam.) You are accused of under-reporting income: You could potentially be contacted by the IRS for not reporting income when in fact you did not earn that income. This happens when someone else gives your Social Security Number to an employer; that person’s wages are reported to the IRS in your name; when the IRS notices you did not include them on your return, you get flagged. If this happens, do not panic, simply explain what happened. Remember, you are not the only person to which this has happened, and the IRS agent will have encountered this problem before. (In my experience, IRS agents are very reasonable, they simply want to get the facts straight.) You are turned down for a loan: You could find yourself turned down for a loan because of discrepancies between your tax record and those that the IRS maintains. For example, even if you earn a six figure annual salary, someone can file a fake return in your name showing you make less than $40,000 and still get themselves a $3,000 refund (tax ID scammers tend to keep the claims under $4,000 and make the big money through volume).

How to protect yourself

Unfortunately, there is a limit to what consumers and small businesses can do right now to prevent tax identity fraud. One thing all Americans can all do is lobby congress to clean up this mess. After all, the IRS did not choose to issue refunds before employer W-2 data was processed – no responsible accountant would voluntarily do such a thing – the current situation exists because of various congressional edicts.

In addition, here are a few defensive measures one can take:

Protect your Social Security Number: Do not disclose your SSN unless absolutely necessary. For example, avoid using your Social as an account identifier when using medical services (you have the right to demand an account identifier number instead, one exception being Medicare and Medicaid patients). Your Social is the prime ingredient for tax identity fraud and you don’t want to make it easy for the bad guys by being careless with this information. Order your IRS Transcript: This allows you to see what the IRS has on record for you in terms of tax payments and refunds. Contrary to popular myth, the IRS does not play poker with your data, they are quite happy to share with you the data they are holding that relates to you. Just Google “IRS transcript” and you can find how to do this at irs.gov. If you use a reputable accounting service, they should be happy to get your transcript for you (the IRS will verify this request with you). File your returns early: This is not always feasible, but the thinking is that it limits the opportunity for fraud in the current filing period. However, this will not stop estimated tax fraud where a criminal uses your bank account number and bank routing number to make an estimated tax payment to the IRS on behalf of a stolen name and Social Security number, then claims a refund which the IRS pays to an account under the control of the scammer. Monitor your bank accounts: Always a good idea when there are so many people trying to get away with bogus charges these days. Try to review account transactions at least once a week and immediately alert your bank when you see something that you didn’t authorize. Many banks have alert services that will email or text you every time money is taken out of your account, a great way to stay on guard against fraud. Ask your bank about an ACH debit block: Putting an ACH debit block on your account prevents crooks taking money with this type of transfer, however, it could prevent you executing legitimate online or over-the-phone electronic payments. Lobby for change: Yes, I mentioned this before, but it is worth repeating. And it is not as hard as you might think, you can even get apps for this. Consider the “Congress” app from the nonpartisan Sunlight Foundation, which is free and comes in iOS and Android versions. It can find your representative and let you place a call to their office with just a few clicks.

Further tax ID theft notes

While the “file early” strategy is the main line of defense against basic W-2 income tax refund fraud, a risk management approach to the problem suggests an alternative strategy: don’t give the government more money than you need to. That way you won’t risk waiting for a large refund if you are a tax ID theft victim. Taxpayers can use form W-4 to adjust withholding. You will have filled out one of these when you started your job. However, a surprising number of taxpayers don’t adjust their withholding when life changes occur – such as marriage, new dependents, and so on – that may reduce their annual tax bill, resulting in a large refund. If you have come to rely on this pattern, consider changing it. Although tax ID scammers don’t actually steal any of the refund money to which you are legally entitled, they can delay you getting it, which can be painful.

If you would prefer a more balanced approach which puts more money in your hands sooner, consider increasing your withholding allowance number so that it better matches the amount of taxes due, thus reducing the refund. You have a right to do this, but it comes with responsibilities and some risks of its own (see this article and also IRS Topic 306). Note that I am not a chartered accountant. Although I once worked as a tax auditor, nothing said here should be taken as financial planning advice and you should only use this strategy if you are prepared to monitor your status throughout the year and pay any shortfall promptly.

As for the ongoing effort to stamp out tax identity theft, I would like to end on a positive note. For several years I have written tax season articles that encouraged people to lobby their representatives for better IRS funding. Now we read that Congress has finally increased the IRS’s budget, by $290 million over last year’s level. The extra funding must be spent on improving customer service, cracking down on identity theft, and increasing cybersecurity. While this amount is less than half of the $700 million the agency had requested for those three programs for fiscal year 2016, it is a lot better than a cut!