It’s tax season. The dreaded April 15 federal tax filing deadline is looming. You try to be diligent, and you file your tax return early, hoping to get an early refund. But when you try to e-file your return, it gets rejected because you have already submitted your tax return and your refund has already been processed. But you didn’t file and you for sure never got your refund. What happened? You have become another one of the 700,000 Americans who have become victims of tax fraud.

According to the IRS, “tax related identity theft is when someone uses your Social Security number to file a false tax return claiming a fraudulent refund.” Your tax account is most at risk if your wages and Social Security number were affected by a data breach.

With all of the phishing schemes, data breaches and cyber intrusions happening, tax fraud is only expected to rise.

What do you do?

Here are some tips:

  1. File a complaint with the FTC advising that you have become a victim of identity theft.
  1. Go to IRS.gov, review the materials posted on what to do, and follow the instructions.
  1. Complete IRS Form 14039, which is an Affidavit that certifies that you are a victim of identity theft.
  1. Yes, you still have to file your real tax return, but you can do so on paper, and include the Affidavit when you send in your paper tax return to the IRS.
  1. Respond to any written correspondence from the IRS. Please note that the IRS never calls or contacts taxpayers over the telephone, so if you get a call purporting to be from the IRS, do not respond or give any information to the caller—it is just another fraudster with another scam.
  1. For special assistance, call 1-800-908-4490.

Happy tax season. May you e-file without any issues. And if you are getting one, enjoy that refund.

In a report of an audit of 13 IRS approved tax filing firms, Online Trust Alliance found that six of the 13 firms do not provide adequate security against cyberintrusions.

The firms, all members of the IRS’s Free File Alliance, provide free tax preparation and e-filing of approximately 100 million federal tax returns. According to Online Trust Alliance, six of the firms are failing to protect consumers’ privacy and security when providing the services.

On top of that, the IRS confirmed this week that the initial estimate of those affected by the filing of fraudulent tax returns in 2014 and 2015 as a result of the Get Transcript function—originally estimated at approximately 330,000—is now estimated at 724,000—more than double the original number.

And not to be outdone, KrebsOnSecurity wrote this week that the IRS’s idea of protecting last year’s tax refund victims from fraud against them this year was to provide the victims with an Identity Protection PIN. According to Krebs, the IRS has mailed 2.7 million of these six-digit PINs to prior tax identity theft victims.

But adding insult to the injury, the IRS allows individuals to retrieve their PIN from the IRS website, through the exact same authentication procedures that were used by the identity thieves to file the fraudulent tax returns in the first place. Apparently, the thieves are able to use the same method to retrieve the PIN and file a false tax return and get the refund from the taxpayer for a second year in a row. The old adage of “death and taxes” should be changed to “death, identity theft and taxes.”

This tax season, the Internal Revenue Service (IRS) has been working closely with big tax preparation vendors and chains to improve security and safeguard against widespread identity theft. The IRS is now requiring stricter password standards, a new timed lockout feature and limited unsuccessful log-in attempts, along with three security questions. The IRS is also requiring that vendors and chains use “out-of-band verification” for email addresses, which includes sending an email or a text to the customer with a PIN that they have to enter to process their taxes.

These additional precautions come after a disastrous tax year in 2014 not only for the IRS, but for private tax vendors and chains. Now, this week, around 9,000 accounts were frozen by TaxAct, an Illinois tax information software vendor, when it discovered that its accounts were accessed by hackers. TaxAct said, “The attacker did not gain access to income tax returns for the vast majority of suspended accounts.” However, TaxAct did send 450 breach notification letters to its customers informing them of the breach that occurred between November 10, 2015, and December 4, 2015, allowing unauthorized access to their names and Social Security numbers. TaxAct is also offering credit-monitoring services. While this is certainly not a breach affecting a large number of people, it serves as a warning to taxpayers (and vendors alike) that we need to use top-shelf security safeguards to protect our Social Security numbers.

The IRS announced last week that the value of identity theft protection services is not taxable and does not have to be included in gross income calculations for tax purposes.

Identity theft continues to be the number one consumer complaint to the Federal Trade Commission each year, and with the increases in data breaches, this complaint will not dissipate. It is common for companies who suffer a data breach to offer credit monitoring or fraud resolution services to mitigate the potential for individuals to become victims of identity theft.

This ruling is consumer friendly and gives guidance to millions of Americans (and their tax planners) who have been offered these services in the wake of massive data breaches.

Intuit, Inc., the maker of the software used by TurboTax customers to file electronic tax returns, stopped its e-filing return program in February after receiving notices from multiple states that thousands of fraudulent tax filings had been filed through the software, resulting in the theft of billions of dollars in fraudulent tax refunds.

TurboTax customers filed a class action lawsuit in California alleging that Intuit failed to safeguard their personal information, including Social Security numbers, which caused them to become victims of identity theft.

The complaint is based on Intuit’s alleged violation of the California Unfair Competition Law and Customer Records Act.

The Department of Justice, Federal Trade Commission and Congress are investigating the matter.

A professional accounting firm in Illinois received an unwanted holiday “gift” in the form of a class action complaint stemming from its alleged failure to secure personally identifiable information (PII) and to timely notify affected parties of a data breach.

On December 17, 2021, a lawsuit was filed against Bansley & Kierner, LLP, which offers payroll and benefit services to businesses, by an employee of one of its clients, seeking damages on behalf of himself and others. According to the allegations of the complaint, Bansley failed to properly secure and safeguard a wide range of payroll and benefit plan participants’ PII, including names, dates of birth, Social Security numbers, drivers’ license and passport numbers, financial account numbers, and personal health information. Bansley apparently discovered in mid-December 2020 that its network had fallen victim to a ransomware attack by an “unauthorized person.” The complaint asserts that Bansley elected not to notify participants and clients of the incident at that time, instead choosing to address the incident on its own by making upgrades to some aspects of its computer security, restoring the impacted systems from backups, and then resuming normal business operations.

In May 2021, Bansley allegedly learned that PII had been exfiltrated from its network, and only then retained a cybersecurity company to investigate. Within three months, the investigators determined that individuals’ PII (including full names and SSNs) was present on the system and potentially stolen at the time of the 2020 incident. Over 274,000 individuals were affected. According to the complaint, however, Bansley did not notify state Attorneys General and participants about the data breach until late November or early December 2021, nearly a year after Bansley first became aware of the incident. The complaint further alleges that Bansley failed to explain the delay and did not properly disclose to plan participants the time period during which their PII had been exposed, though the firm did offer free credit monitoring services for a one-year period. Plaintiff claims that he and the potential class members were, and continue to be, at significant risk for identity theft and various other forms of personal, social, and financial harm due to Bansley’s negligence, including out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, or unauthorized use of PII and fees associated with fraudulent charges on their accounts.

These are as yet unproven allegations and it is unclear from the complaint whether, to date, any participants have actually experienced identity theft or fraud as a result of the breach. Nevertheless, the accounting firm will incur legal fees in defense of the lawsuit (in addition to what it has spent on remediation efforts), and the case underscores the importance of prompt investigation, reporting, and notification of data breach incidents.

On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. Cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information. Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements and, for businesses that have been the subject of a breach despite implementing cybersecurity safeguards, to offer protection from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach against an entity covered by the law if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021.

How many times can we say that the Internal Revenue Service (IRS) will NOT email or telephone you? We will say it again. If you receive a telephone call, email or text from someone saying they are from the IRS, it is A SCAM. It’s that simple. If you don’t believe me, check out the IRS website, which will confirm this fact.

Imposters, fraudsters, and scammers have been launching scams scaring people into believing that they owe money or back taxes to the IRS for years, including threatening victims with arrest and jail.

Instead of relying on that old trick, the fraudsters are now targeting students and faculty with .edu emails with tag lines like “Tax Refund Payment” or “Recalculation of your tax refund payment.”

Students and faculty with .edu emails in higher education should know better, but unfortunately, the Federal Trade Commission has had to issue a warning to students and faculty that they are being targeted because some victims have been scammed.

If a victim clicks on the link to submit a form to receive the tax refund from the “IRS,” the form requests highly sensitive information that the scammers can use to perpetrate identity theft, including name, address, Social Security number, driver’s license number, electronic filing PIN, and last year’s income. This is all information that can be easily used to file a fraudulent tax return in your name.

Don’t fall for any emails, telephone calls, or texts that say they are from the IRS. Delete, delete, delete! The IRS DOES NOT email, call, or text. It is prime season for tax return and refund fraud, so be cautious and vigilant to protect yourself.

My phone was ringing this week with inquiries from clients, friends and acquaintances who received a Form 1099 in the mail for an unemployment claim that they did not file, asking what they should do.

The statistics on the successful filing of fraudulent unemployment claims throughout the country in 2020 are staggering. The pandemic created higher unemployment than the country has seen in years, and fraudsters took advantage of federal and state legislation making the filing of an unemployment claim as easy as possible in order to get funds to those in need.

Unfortunately, no good deed goes unpunished, and states were hammered with fraudulent unemployment claims. The State of Washington alone estimates that it lost up to $600 million in fraudulent unemployment claims in 2020.

Some individuals received notice at the time of the filing of a fraudulent unemployment claim made in their name and were able to stop it. If you didn’t receive notice at the time of the filing, and the perpetrator was actually successful in using your personal information to obtain unemployment benefits in your name, you will find out when you get a Form 1099 in the mail for your taxes. What a nightmare.

If this happened to you, here are some ideas and resources that may help.

  • Contact the state agency that issued the 1099 and report the fraud. Usually there is a toll-free number or website at the bottom of the 1099 that you can contact.
  • Keep records of all telephone calls, emails or any other conversations you have with the State agency when reporting the fraud so you can document your report of fraud in the event you need it later.
  • If you are asked by the State agency to provide a copy of the 1099 to them to evidence the fraud, redact your Social Security number and write “fraudulent claim” on it when you send it back to them.
  • Give all documentation that you have of the fraud and your report of the fraud to your tax preparer.
  • For more information, here are two resources that may be helpful to you.

In the past week, the United States government started issuing Economic Impact Payments (EIP) of up to $1,200 per qualified individual and $500 per child. The amount of the EIP received depends on one’s adjusted gross income from the 2019 (or 2018) federal tax filing. If a taxpayer who is qualified to receive the check has set up a direct deposit with the Internal Revenue Service (IRS), that taxpayer’s EIP check will be (or already has been) directly deposited by the IRS into that taxpayer’s bank account.

This is where the scammers come in. Scammers know that not everyone is eligible for the EIP, or if they are, they might not know whether or not they have set up a direct deposit with the IRS, or if they haven’t done so, how they will receive their check. In desperate times, people do desperate things, like give their personal information to strangers over the telephone.

Scammers know that people are scared and desperate because of this pandemic, that many have lost their jobs or are working reduced hours and working from home. They are taking advantage of the situation by calling vulnerable people on the telephone, presenting themselves as an IRS official, promising things that aren’t true, and asking for personal information, such as Social Security numbers, so they can use the information to perpetrate fraud.

This is not a new scam. What is new is the fact that people are more vulnerable than ever before because of the coronavirus pandemic, including new working situations or no work at all, and most of the country is stuck at home. Although the circumstances are different, the scam is the same and the IRS is not changing its usual procedures. The IRS is not going to call you over the telephone about your check. The IRS is not going to send you an email with a link or an attachment about your check. The IRS is not going to ask for any of your personal information either over the telephone or via email. The IRS is direct depositing your check into your bank account. If you have not set up direct deposit, then the IRS gives instructions on its website about how you will receive your check. The IRS will not do anything over the telephone, so if someone calls pretending to be from the IRS, know that it is a scam. According to the IRS Criminal Investigation unit, it “is actively working to combat scam artists trying to exploit Economic Impact Payments. So far, the scams CI has already seen look to prey on vulnerable taxpayers who are unaware of how the payments will reach them. IRS CI is prioritizing these types of investigations to help protect taxpayers and the tax system.”

Never give your personal information to anyone over the telephone. The Federal Trade Commission recently reported that it has received 18,235 reports from consumers who have lost more than $13.44 million in COVID-19 scams since January 1, 2020. For more information about ways to protect yourself from identity theft, go to https://www.consumer.ftc.gov/.