Stolen identity refund fraud may be down, but it’s not out
States are getting creative in the fight against SIRF
Editor’s note: This article has been reviewed for changes following the passage of the 2017 Tax Cuts and Jobs Act. The information provided in this article was not affected by the 2017 TCJA.
Imagine a diligent taxpayer fulfilling his income tax obligations, filing one tax return with the IRS and another with his state revenue agency. The returns are complete, accurate, timely, and best of all, the IRS accepted the federal return. That means he can rest assured that no one has stolen his identity and filed a fraudulent tax return.
Or so he thinks. Even though the IRS accepted the federal return, the state revenue agency rejects his state return. Someone else had already filed a state tax return with his Social Security Number (SSN).
How did this happen?
We’re winning the battle against stolen identity refund fraud, but the war is not over
Stolen identity refund fraud, or SIRF, happens when someone uses a taxpayer’s SSN to file a return and get the refund. When the real taxpayer files, he or she is left with a rejected return and a problem to fix.
In 2016, the IRS reported that the number of Americans filing SIRF complaints decreased by more than 50 percent compared to 2015. However, the number of data breaches in 2016 for businesses and educational, government, medical, and financial institutions increased by 40 percent compared to 2015, according to a report from the Identity Theft Resource Center and CyberScout.
The decrease in SIRF complaints is due in large part to the Security Summit, an unprecedented collaboration among the IRS, state revenue agencies, and the tax industry, including H&R Block, to combat SIRF. The Security Summit has made progress on efforts to detect and prevent wholesale SIRF using tactics such as filters and scoring models. Fraudsters accomplish wholesale SIRF by inputting generic, high-refund tax schemes into tax return software through large-scale automation or copying and pasting information. Despite the progress in fighting wholesale fraud, there’s more work to do to combat the rising threat of sophisticated, smaller-scale SIRF.
What is small-scale SIRF? Insidious, tailor-made tax fraud fueled by data breaches, phishing attempts, and hacking of small practitioner firms’ computer systems are accomplished on a micro level. These breaches provide legitimate taxpayer data for the fraudulent returns, so the returns look “clean”—that is, they’re convincing, consistent with the prior-year return, and difficult to identify through data analytics.
State returns are not exempt from the war on SIRF. While the IRS can gather and analyze data from all 50 states, state revenue agencies see returns filed only with their agency, limiting the effectiveness of their data-driven analytics. As a result, states have gotten creative with their tactics to prevent SIRF and keep fraudulent refunds from going out the door.
What states are doing to protect taxpayers from SIRF
In the past several years, states have increasingly provided rich testing ground for new tools to detect and prevent tax identity theft. Here’s an update on some of the efforts happening in 2017:
Identity theft indicators
More than 18 states use indicators to flag the accounts of identity theft victims, and every return filed under a flagged account gets extra scrutiny. Depending on the state, a revenue agent may review the return or the agency may trigger an identity verification quiz for taxpayers to complete before getting their refunds.
Some states have strict rules for accounts with identity theft indicators. States may hold these refunds for weeks or require taxpayers to file paper returns. Also, some states allow taxpayers to proactively request an identity theft indicator before any theft has occurred, but taxpayers should understand the consequences in the state before requesting an indicator.
Some states, such as Alabama, allow taxpayers to opt in to receive a notification when a return is filed using their SSN. This is a simple solution to alert taxpayers about a potential fraudulent filing. If taxpayers receive a notification about a return they didn’t file, they can respond through the notification to quickly alert the revenue agency.
Alabama, North Carolina, and Georgia are exploring a pilot for a new fraud-prevention technique for the 2017 tax season in partnership with MorphoTrust. The pilot would allow taxpayers to opt in to verify their tax return filing with their electronic ID (eID). Taxpayers create an eID with a special app that scans the taxpayer’s driver’s license and takes selfie videos. The app uses biometrics to verify that the eID belongs to the true individual by matching the taxpayer’s face in the selfie to photographs on file with the state Department of Motor Vehicles. Once the taxpayer files a tax return, he or she uses a selfie again to confirm his or her identity. At that point, the agency will process the return.
As a bonus to participants, agencies will process eID-verified returns more quickly. If the taxpayer declines a fraudulent filing or a fraudster can’t confirm the return, the agency won’t process it. In some cases, taxpayers may be able to electronically file their returns after a fraudulent attempt, but the process will vary.
If prevention doesn’t work, resolution is key
For the unlucky taxpayers who fall victim to SIRF on their federal tax returns, an abundance of helpful resources detailing what to do and how to get help may be a small consolation. But getting help on the state level isn’t always so straightforward. That’s because each state’s process is different, and taxpayers may become a victim in a state where they don’t even have to file a return.
How taxpayers find out someone has stolen their identity
There are two giveaways that someone has stolen a taxpayer’s identity:
- The IRS or state rejects the taxpayer’s return because someone has already filed a return under his or her SSN.
- The taxpayer finds out about wages from an unknown employer that are classified under his or her SSN. The taxpayer finds out about this kind of theft (called employment tax identity theft) when:
- He or she receives a notice about unpaid taxes.
- The revenue agency takes part of the taxpayer’s refund.
- A state where the taxpayer doesn’t have to file a return contacts the taxpayer about a tax balance or tries to collect unpaid taxes.
What taxpayers should do next
To get started reporting and fixing state tax identity theft, taxpayers may have to do a little more homework or get help from a practitioner. Some states require taxpayers to use the IRS Form 14039, Identity Theft Affidavit. Others have their own forms. Some states provide a general phone line, and others direct taxpayers to a specific revenue agency employee.
No matter the state, there’s always one first step to resolving SIRF at the state level: Visit the state revenue agency’s website. A quick search for identity theft should yield next steps. If that doesn’t work, call the general taxpayer service number.
States will continue to innovate
The ever-increasing amount of data breaches, phishing schemes, and tax practitioner hacks have resulted in a society vulnerable to SIRF. However, collaboration and partnership among the IRS, state revenue agencies, and the tax industry has led to better detection and prevention, and innovative state efforts may represent the future of technology-driven prevention efforts.