A recent Government Accountability Office report stated that while the IRS estimates it prevented $24.2 billion in fraudulent refunds in 2013, it paid out $5.8 billion in refunds that it recognized as fraudulent only after they had been paid. Evidence indicates that number may grow larger in coming years. The Federal Trade Commission reported tax or wage-related fraud was the number one consumer complaint for 2014.
As more taxpayers are affected by fraudulent returns filed using their names and Social Security numbers, the natural next question is: what other information might the identity thief have? Bank account details? Kids’ Social Security numbers? Many taxpayers have contacted the IRS trying to determine the extent of information stolen or trying to obtain a copy of the fraudulently filed return, only to be told by IRS representatives that they cannot provide the requested information for “privacy reasons.” While consumer protection rules are supposed to make it easier for victims to find out what information thieves have stolen, IRS rules prevent its employees from giving out personal information, often even that of identity thieves.
The security news and investigation website Krebs on Security recently told the story of Michael Kasper, an identity theft victim who was notified by TurboTax that the IRS had rejected his e-filed return because a return had already been filed in his name. Kasper called the IRS and was told that the fraudulent refund was being deposited into the perpetrator’s bank account that very same day. When Kasper requested the routing number and account number being used for the deposit, the IRS employee refused to provide the information. In addition, Kasper was informed that the matter would not be investigated until a fraud affidavit and accompanying documentation were processed by mail. Kasper then tried to get a transcript of the fraudulent return using the Get Transcript function on IRS.gov, but discovered that someone had already registered through the IRS’s site. In another call to the IRS, Kasper was told they could not give him the email address associated with this account due to privacy regulations. They also would not change the email address so Kasper could access his own account. All they would do was ban access to eServices for his account. Kasper was later able to obtain a copy of the fraudulent return by completing Form 4506 and paying a $50 processing fee. The fraudulent return showed the thieves had copied all of the data from Kasper’s 2013 return, increasing the previous year’s amounts slightly. Kasper suspected the thief had obtained that W-2 information directly from the IRS by creating an IRS portal account in his name. The IRS Get Transcript portal has been temporarily shut down since the IRS discovered that criminals had used taxpayer-specific data, much of which is readily available online, to access information on approximately 100,000 tax accounts.
Section 6103 of the tax code threatens IRS workers with criminal penalties, including up to five years in prison and a $250,000 fine, for unauthorized disclosure of personal information. Officially, the IRS will work with law enforcement agencies (with the victim’s consent), and it released copies of nearly 7,000 returns to law enforcement agencies last year.
The IRS’s Taxpayer Advocate Service and Sen. Kelly Ayotte, R-NH, have called for changes in the way IRS employees handle taxpayers’ attempts to gather information on fraudulent returns. The IRS recently announced a change to its policy and is putting together a procedure that will enable victims to receive, upon request, redacted copies of fraudulent returns filed under their name and SSN. It will be interesting to see how much information on the fraudulent returns will be redacted … and whether the information released will be useful for tracking down the perpetrators at all.
By Janet Berry-Johnson, CPA