insight magazine

Breaching Tax Season

Taxpayers and tax preparers alike may soon face the question of whether their identifying information has been stolen—and used to steal a lot more.

By Jeff Stimpson | Winter 2017

Major hacks such as that of Equifax—in which data thieves swiped sensitive information of more than 145 million people—should make both taxpayers and tax and accounting professionals worry. Authorities now fear that Equifax’s stolen information may ravage the coming tax season as crooks race to use the stolen data to falsify returns.

One tax-related red flag of a stolen ID: More than one tax return being filed for a consumer, says the IRS. Although, we’d be remiss to not point out that the IRS itself was an Equifax client, awarding the company a multi-million-dollar, short-term, no-bid contract for ID verification.


“Most fraudulent tax returns are filed within the first few weeks of the year since the only way criminals can potentially scam the IRS is if they file the return before the taxpayer does,” says Louis Sands, CPA, tax director at Sikich in Naperville, Ill. “So, by the time the CPA starts working on a client’s tax return, the damage is usually already done. It’s also difficult for CPA firms to directly help their clients who have been victims of ID theft. The IRS is typically unwilling to deal with anyone other than the taxpayer, especially when ID theft is suspected.”

A taxpayer who wants to find out if another return has been filed in their name should contact the IRS or the state taxation agency by phone. Confirmed victimized taxpayers will receive a letter from the IRS or state tax authority with a case number and specific instructions as to what to do and where to send a response or additional documentation.

“Electronic filing will speed up that process since a taxpayer cannot submit a return electronically if one has already been filed,” Sands says. “Paper filing will also uncover ID theft, though the matching process takes longer.”

For federal returns, victims are asked to complete Form 14039, “Identity Theft Affidavit.” Once it’s determined that a phony return has been filed, the victim can request a copy of the return by filing a Form 4506-F, “Request for a Copy of a Fraudulent Tax Return.” The IRS will investigate and may issue an identity-protection number (IP PIN)—which in itself requires submission of large amounts of personal information.

“Children are especially vulnerable,” Sands warns, “so taxpayers should closely monitor their children’s credit reports and can even request a transcript of their children’s accounts from the IRS to see which returns, if any, have been filed.

“CPAs also should know the process a client needs to go through as a victim of ID theft,” Sands says. “Practitioners should set expectations about the lengthiness of the process. It can take months to correct.”

Michelle Erickson, financial services risk consultant, and Michael Lucas, risk consulting senior manager, both of Crowe Horwath in Chicago, warn that additional signs of ID theft include tax return amounts that seem incorrect; owing money that you weren’t expecting; notifications of data breaches from companies that have your information; and records of new accounts being opened in your name.


In the age of data theft, both firms and clients must diligently ask how sensitive information is accessed, says Dr. Sean Stein Smith, CPA, assistant professor in the Department of Economics and Business at Lehman College in New York and member of the American Institute of CPAs’ Financial Literacy Commission. “Is the information stored in the cloud or a proprietary server? How often is the information accessed by individuals from public places? Are there any procedures in place at the firm that could potentially expose client information?”

Keeping sensitive client data safe has been a tax and accounting industry priority for decades, but as digital data thefts become more common, firms must respond by increasing investments in IT security hardware, software, and staff training.

Tax specialist Jessica Grant and Help Desk specialist Mike Wills at Smith & Gesteland in Madison, Wis., say some simple, smart practices can help firms:

• Disallow use of portable digital media storage, like USB and portable hard drives. Instead, pass digital files and emails between firm and client through encrypted email and filesharing software.

• Communicate to clients the latest IRS information on hacker strategies, especially warnings about phony tax notices and phishing schemes, and discuss current firm information security policies with clients.

• Consult with internal audit and IT departments to review recent data breaches, and follow up with an action plan that includes possible areas of weaknesses and steps to address within the firm. Compare current hardware, software, and training with best practices established by professional organizations.

• Change passwords every 60 to 120 days.

Speaking of passwords, complex passwords have long been the requirement, but Grant and Wills note that complexity can also cause problems. If password rules are too complex, users may not remember them—and may write them down or keep them in an unprotected document on their desktop. Password management software and apps, on the other hand, allow users to securely access all their login credentials with only one access key.

To further increase security, enable Multi-Factor Authentication when available. It adds a secondary requirement, usually an instantly generated code, to the traditional password login. That code can be presented through an email, text message, or on something like a key fob, phone app, or even a specific USB device that must be plugged in by the user to work.


The Equifax breach may be in focus now, but there are many data breaches throughout the year, Grant and Wills warn—and all data breaches are serious, whether small or large.

Action plans should be in place for not if, but when, a data breach or loss occurs. Tax and accounting professionals experiencing a data breach should contact their local IRS stakeholder liaison, who will relay information to the necessary parties within the IRS, including the agency’s Return Integrity and Compliance Services and Criminal Investigation divisions. The liaisons will need a list of the affected taxpayers, including their names and Social Security numbers.

Other post-breach steps for firms include contacting law enforcement and state taxing authorities where the tax returns were filed. Tax professionals can email the Federation of Tax Administrators at [email protected] to get more information on how to report victim information to various states. You may also need to notify a given state’s attorney general.

“Send an individual letter to all [client] victims to inform them of the breach,” the IRS adds, “but work with law enforcement on timing.”

In response to the latest breaches, many state taxation departments are requiring special validation codes on W-2s and driver’s license numbers to electronically file returns. In 2018, a new verification code box will appear on all W-2 forms. The IRS will also ask tax professionals to collect more information on their business clients to help authenticate the tax return being submitted. Those filing returns for businesses, estates, and trusts may need to provide payment history, the name and Social Security number of the individual authorized to sign the business return, and parent company information.

And for a closing note of caution, “The IRS will never start a proceeding with a taxpayer via email or telephone,” Stein Smith says. “Even with the extra attention and interest on potential tax fraud this year, this will not change.”
