U.S. tax identity theft: dodging the $5 billion crime spree

In America, tax identity theft is a relatively easy way for criminals to make money at the expense of taxpayers. Using stolen data, crooks steal billions of dollars through fraudulent tax refund claims every year. How “popular” is tax identity theft with criminals? It now has its own week! That’s right, January 26th-30th is Tax Identity Theft Awareness Week in America, a week that encompasses Data Privacy Day (hashtag #DPD2015) which occurs on January 28 every year (in many countries, not just in America).

The timing of America’s Tax Identity Theft Awareness Week is not just about your data privacy, which may be violated by tax identity thieves; this awareness campaign is also about encouraging Americans to file their Form 1040, the Individual Income Tax Return, as soon as possible. Why? Because early filing is one of the few things that average taxpayers can do to protect themselves against tax identity theft (also called tax ID theft). The aim of early filing is to avoid this nightmare scenario:

You submit your income tax return only to find that someone other than you has already filed on “your” behalf, claiming a refund in your name, effectively postponing payment to you of any refund to which you are legally entitled, for up to a year.

If you’re a victim, you may find out by filing electronically only to have your legitimate return rejected. If you file by mail and there is already a fraudulent return on file, any refund you were expecting to get will fail to appear; eventually you will get a letter from the IRS telling you about the situation. Later in this article I discuss how to deal with these situations and hopefully prevent them, but first let’s look at the size and scope of the monster we’re dealing with here.

Note: If it sounds like you’ve heard all of this before, that’s because you probably have. And that’s because nothing has really changed since last year’s warnings about tax id theft, and the warnings in 2013, and the warnings in 2012, and so on. Why has nothing changed? See my note at the end of this article (hint: Congress could be to blame).

The nature of tax identity fraud

To say that tax identity fraud is rampant in America would be an understatement. The perpetrators have used this scam to steal billions, and the number of innocent victims over the last three years is in the millions. In 2013, crooks took $5.3 billion from U.S. taxpayers through tax ID fraud. The IRS publishes a dossier of tax ID fraud cases it has prosecuted, listing details of the fraud committed. It makes for pretty depressing reading, apart from the fact that all of these people were convicted. Sadly, convictions are not a strong enough deterrent for some people.

Consider case of Rashia Wilson of Tampa Bay, Florida, the self-proclaimed “Queen of IRS Tax Fraud.” She raked in millions by filing bogus returns (although she was convicted of stealing $3.1 million, the actual proceeds from her activities range from $7 to $20 million by some estimates). And Ms. Wilson did this despite a lack of education—she never made it past sixth grade—and a lack of common sense, as demonstrated by her taunting of the authorities on her Facebook page. Yes, she bragged about her crimes on her actual Facebook page, with her real name and photos of herself waving huge wads of cash. Thanks to such lapses in judgment, Ms. Wilson is now serving a 21-year prison sentence, but she also serves as living proof that ripping off the IRS is way too easy.

You can get a good sense of the scale and nature of tax identity fraud, from this 60 Minutes segment, available as a transcript (plus video in some regions of the planet). Here’s one telling quote from Wilfredo Ferrer, the United States Attorney for the Southern Florida:

For this fraud all you need is a laptop, someone’s social security number, date of birth, not even their name. They can do it from their kitchen table. They can do it at a fast-food chain restaurant. Or they can do it on the beach, as long as they have Wi-Fi access.

To get the perpetrator’s perspective, consider this statement from Corey Williams, who was a legitimate tax preparer until his boss turned him on to the scam (before he was arrested and sentenced to 40 months in prison, Williams had raked in millions of dollars in fraudulent refund payments):

Anybody who knew about it, you’d be a fool to not try to get involved with making some money. I could wake up in the comfort of my own home, and just get on a laptop, do about 15 returns a day. Fifteen times $3,000 a return, that’s $45,000 a day.

So it’s no surprise that tax identity fraud is a growth industry, impacting a disturbing 1.2 million taxpayers in calendar year 2012, but a staggering 1.6 million in the first six months of 2013. Those numbers are direct from the TIGTA, the Treasury Inspector General for Tax Administration, whose tax identity fraud report of September, 2013, also documented the pain that taxpayers face if they fall victim to this crime. In a random sample of 100 cases reviewed, “case resolution averaged 312 days.” In other words, making things right can take 10 months, if you’re lucky.

The most common type of tax identity fraud — phoney refund claims based on bogus W-2 data — is possible because the IRS does not immediately cross-check a taxpayer’s report of income earned and taxes paid against employer reports of income paid and taxes withheld. (When you file electronically the IRS just takes your word for the W-2 numbers.) Refunds for over-payment of taxes are thus sent out before the W-2 and 1099 data is verified, allowing crooks to submit fake reports of taxes paid above and beyond taxes owed, resulting in a refund due.

This type of fraud is further facilitated by the option to file electronically and get your refund directly deposited to an anonymous card (for example, the “Green Dot” Visa or Mastercard you can buy at many drugstores has “routing and account numbers suitable for direct deposit”). The IRS does have a program in place to combat tax identity fraud: “IRS Criminal Investigation (CI) detects and investigates tax fraud and other financial fraud, including fraud related to identity theft. Identity theft is most likely to occur in our Questionable Refund Program (QRP) area where individual identities are stolen with the intent to file false returns claiming tax refunds.”

There is one positive change in January 2015: the IRS now limits to three the number of refunds electronically deposited into a single financial account or pre-paid debit card. The fourth and subsequent refunds will automatically convert to a paper refund check which is mailed to the taxpayer. That may slow the cash flow for some fraudsters but it will hardly stem the time of taxpayer identity theft.

Tax ID theft: what could go wrong?

1. Your return is rejected: If you find that another a tax return has been filed with your Social Security number, you should use IRS Form 14039 to alert the IRS. Do this right away. You will need to provide information about the tax year affected and a copy of the last return you filed prior to the identity theft. After you have filed this form, keep calling the IRS for updates on a regular basis to prevent your case from slipping through the cracks. Reading the TIGTA identity fraud report referred to earlier will give you a detailed picture of where cases like this bog down. The IRS has pledged to do a better job with such cases. Try to hold them to that pledge.

2. You are asked to return a refund: This can occur if you are the victim of a different type of scam, as reported in the Wall Street Journal, in which a more skilled criminal uses routing information from a victim’s personal check. The criminal will “trick the electronic tax-payment system into transferring funds from a victim’s bank account as an estimated-tax payment to another stolen name and Social Security number, then file a refund claim transferring the stolen funds to his own account.” (See “ACH debit block” below as a means of defeating this scam.)

3. You are accused of under-reporting income: You could potentially be contacted by the IRS for not reporting income when in fact you did not earn that income. This happens when someone else gives your Social Security Number to an employer; that employee’s earnings are reported to the IRS in your name and the IRS notices you did not include them on your return. If this happens, do not panic, simply explain what happened. Remember, you are not the only person to which this has happened, and the IRS agent will have encountered this problem before. (In my experience, IRS agents are quite reasonable and simply want to get the facts straight.)

4. You are turned down for a loan: You could find yourself turned down for a loan because of discrepancies between your tax record and those that the IRS maintains (because the IRS was tricked into accepting a return that is way different from your real situation).

How to protect yourself

Unfortunately, there is a limit to what consumers and small businesses can do right now to prevent tax identity fraud. One thing we can all do is lobby congress to clean up this mess. In addition, here are a few defensive measures one can take:

  1. Protect your Social Security Number: Do not disclose your SSN unless absolutely necessary. For example, avoid using your Social as an account identifier when using medical services (you have the right to demand an account identifier number instead, one exception being Medicare and Medicaid patients). Your Social is the prime ingredient for tax identity fraud and you don’t want to make it easy for the bad guys by being careless with this information.
  2. Order your IRS Transcript: This allows you to see what the IRS has on record for you in terms of tax payments and refunds. Contrary to popular myth, the IRS does not play poker with your data, they are quite happy to share with you the data they are holding that relates to you. Just Google “IRS transcript” and you can find how to do this at irs.gov. If you use a reputable accounting service, they should be happy to get your transcript for you (the IRS will verify this request with you).
  3. File your returns early: This is not always feasible, but the thinking is that it limits the opportunity for fraud in the current filing period. However, this will not stop estimated tax fraud where a criminal uses your bank account number and bank routing number to make an estimated tax payment to the IRS on behalf of a stolen name and Social Security number, then claims a refund which the IRS pays to an account under the control of the scammer.
  4. Monitor your bank accounts: Always a good idea when there are so many people trying to get away with bogus charges these days. Try to review account transactions at least once a week and immediately alert your bank when you see something that you didn’t authorize. Note that some banks have alert services that will email or text you every time money is taken out of your account, a great way to stay on guard against fraud.
  5. Ask your bank about an ACH debit block: Putting an ACH debit block on your account prevents crooks taking money with this type of transfer, however, it could prevent you executing legitimate online or over-the-phone electronic payments.
  6. Lobby for change: Yes, I mentioned this before, but it is worth repeating. And it is not as hard as you might think, you can even get apps for this. Consider the “Congress” app from the nonpartisan Sunlight Foundation, which is free and comes in iOS and Android versions. It can find your representative and let you place a call to their office with just a few clicks.

If you think you’re a tax identity theft victim

If you find that a tax return has been filed with your Social Security number, contact the IRS right away at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account. You will likely need to file IRS Form 14039 to document your situation to the IRS, so start prepping this while you make your call. You will need to provide proof of your identity and the IRS will probably want details of the tax year affected, including a copy of the last return you filed prior to the identity theft.

In some situations, the IRS issues a taxpayer-specific PIN if you have had issues with identity theft. This PIN is then required on any tax return you file. Go to this page on the IRS website to learn more about the process of applying for a tax return PIN from the IRS.

Finally, when it comes to interaction with the IRS, remember:

“The IRS does not initiate taxpayer communications through email. Unsolicited email claiming to be from the IRS, or from an IRS-related component such as EFTPS, should be reported to the IRS at phishing@irs.gov.”


1. I am not a certified accountant. Although I once worked as a tax auditor, nothing said here should be taken as financial planning advice, and I can’t promise answers to every tax fraud related question, but I am keen to help reduce tax identity fraud and would appreciate hearing from you if you have experienced this problem.

2. Before you blame the IRS. Bear in mind that Congress ordered the agency to do a bunch of different and arguably conflicting things, the combined effect of which has been to create this problem. Those things include: promote electronic filing; immediately pay refunds; give employers longer to file W-2 data; promote use of direct deposit and cash cards. (The point of cash cards was to assist people who don’t have bank accounts and therefore had to use check cashing services to get their refunds, thereby falling prey to check-cashing scams.)

Furthermore, while Congress places more and more demands on the IRS each year, it simultaneously cuts the agency’s budget. If you think that’s illogical, you’re right. In fact, tax administrators are one of the few categories of bureaucrat that can show concrete, positive return on investment for every dollar spent on additional computer controls and/or auditors (up to the point of diminishing returns). In other words, if the IRS was given the money to implement some simple cross-checking, like taxpayer supplied W-2 information against employer W-2 information, and alerting on multiple refund requests from a single address, the problem would be greatly reduced. Congress cut the IRS budget again last year, by 3%. So I know to whom I will be complaining if I get stung by this scam.

Author Stephen Cobb, ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.