Breaching Tax Season
Taxpayers and tax preparers alike may soon face the question of whether their identifying information has been stolen—and used to steal a lot more.
By Jeff Stimpson | Winter 2017
Major hacks such as that of Equifax—in which data thieves
swiped sensitive information of more than 145 million people—
should make both taxpayers and tax and accounting professionals
worry. Authorities now fear that Equifax’s stolen information may
ravage the coming tax season as crooks race to use the stolen data
to falsify returns.
One tax-related red flag of a stolen ID: More than one tax return
being filed for a consumer, says the IRS. Still, we’d be remiss
not to point out that the IRS itself was an Equifax client, awarding
the company a multi-million-dollar, short-term, no-bid contract for
ID verification.
‘ESPECIALLY VULNERABLE’
“Most fraudulent tax returns are filed within the first few weeks of
the year since the only way criminals can potentially scam the IRS
is if they file the return before the taxpayer does,” says Louis Sands,
CPA, tax director at Sikich in Naperville, Ill. “So, by the time the
CPA starts working on a client’s tax return, the damage is usually
already done. It’s also difficult for CPA firms to directly help their
clients who have been victims of ID theft. The IRS is typically
unwilling to deal with anyone other than the taxpayer, especially
when ID theft is suspected.”
A taxpayer who wants to find out if another return has been filed
in their name should contact the IRS or the state taxation agency
by phone. Confirmed victimized taxpayers will receive a letter from
the IRS or state tax authority with a case number and specific
instructions as to what to do and where to send a response or
additional documentation.
“Electronic filing will speed up that process since a taxpayer cannot
submit a return electronically if one has already been filed,” Sands
says. “Paper filing will also uncover ID theft, though the matching
process takes longer.”
For federal returns, victims are asked to complete Form 14039,
“Identity Theft Affidavit.” Once it’s determined that a phony return
has been filed, the victim can request a copy of the return by filing
a Form 4506-F, “Request for a Copy of a Fraudulent Tax Return.”
The IRS will investigate and may issue an identity-protection
number (IP PIN)—which in itself requires submission of large
amounts of personal information.
“Children are especially vulnerable,” Sands warns, “so taxpayers
should closely monitor their children’s credit reports and can even
request a transcript of their children’s accounts from the IRS to see
which returns, if any, have been filed.
“CPAs also should know the process a client needs to go through
as a victim of ID theft,” Sands says. “Practitioners should set
expectations about the lengthiness of the process. It can take
months to correct.”
Michelle Erickson, financial services risk consultant, and Michael
Lucas, risk consulting senior manager, both of Crowe Horwath
in Chicago, warn that additional signs of ID theft include tax
return amounts that seem incorrect; owing money that you
weren’t expecting; notifications of data breaches from companies
that have your information; and records of new accounts being
opened in your name.
ACCOUNTING FOR FRAUD
In the age of data theft, both firms and clients must diligently ask
how sensitive information is accessed, says Dr. Sean Stein Smith,
CPA, assistant professor in the Department of Economics and
Business at Lehman College in New York and member of the
American Institute of CPAs’ Financial Literacy Commission. “Is the
information stored in the cloud or a proprietary server? How often
is the information accessed by individuals from public places? Are
there any procedures in place at the firm that could potentially
expose client information?”
Keeping sensitive client data safe has been a tax and accounting
industry priority for decades, but as digital data thefts become more
common, firms must respond by increasing investments in IT
security hardware, software, and staff training.
Tax specialist Jessica Grant and Help Desk specialist Mike Wills at
Smith & Gesteland in Madison, Wis., say some simple, smart
practices can help firms:
• Disallow use of portable digital media storage, like USB and
portable hard drives. Instead, pass digital files and emails
between firm and client through encrypted email and file-sharing
software.
• Communicate to clients the latest IRS information on hacker
strategies, especially warnings about phony tax notices and
phishing schemes, and discuss current firm information
security policies with clients.
• Consult with internal audit and IT departments to review recent
data breaches, and follow up with an action plan that includes
possible areas of weakness and steps to address them within the
firm. Compare current hardware, software, and training with
best practices established by professional organizations.
• Change passwords every 60 to 120 days.
Speaking of passwords, complex passwords have long been the
requirement, but Grant and Wills note that complexity can also
cause problems. If password rules are too complex, users may not
remember them—and may write them down or keep them in an
unprotected document on their desktop. Password management
software and apps, on the other hand, allow users to securely
access all their login credentials with only one access key.
To further increase security, enable multi-factor authentication
when available. It adds a secondary requirement, usually an
instantly generated code, to the traditional password login.
That code can be presented through an email, text message,
or on something like a key fob, phone app, or even a specific USB
device that must be plugged in by the user to work.
COUNTERING CRIME
The Equifax breach may be in focus now, but there are many data
breaches throughout the year, Grant and Wills warn—and all data
breaches are serious, whether small or large.
Action plans should be in place for not if, but when, a data breach
or loss occurs. Tax and accounting professionals experiencing a data
breach should contact their local IRS stakeholder liaison, who will
relay information to the necessary parties within the IRS, including
the agency’s Return Integrity and Compliance Services and Criminal
Investigation divisions. The liaisons will need a list of the affected
taxpayers, including their names and Social Security numbers.
Other post-breach steps for firms include contacting law
enforcement and state taxing authorities where the tax returns were
filed. Tax professionals can email the Federation of Tax
Administrators at
[email protected] to get more information
on how to report victim information to various states. You may also
need to notify a given state’s attorney general.
“Send an individual letter to all [client] victims to inform them of the
breach,” the IRS adds, “but work with law enforcement on timing.”
In response to the latest breaches, many state taxation departments
are requiring special validation codes on W-2s and driver’s license
numbers to electronically file returns. In 2018, a new verification
code box will appear on all W-2 forms. The IRS will also ask tax
professionals to collect more information on their business clients
to help authenticate the tax return being submitted. Those filing
returns for businesses, estates, and trusts may need to provide
payment history, the name and Social Security number of the
individual authorized to sign the business return, and parent
company information.
And for a closing note of caution, “The IRS will never start a
proceeding with a taxpayer via email or telephone,” Stein Smith
says. “Even with the extra attention and interest on potential tax
fraud this year, this will not change.”