Identity Theft and Taxes: What to Expect
By Doug Pollack - Article on January 15, 2018
Tax season can fill many of us with fears and anxieties. Thanks to large data breaches in 2017, individuals can now add a new worry to their tax process: hoping that someone hasn’t already filed on their behalf. Tax identity theft has become so prevalent and persistent that the Federal Trade Commission (FTC) declared January 29 to February 2 Tax Identity Theft Awareness Week.
You may wonder why the Internal Revenue Service (IRS) and other tax authorities can’t make it more difficult for hackers and other criminals to commit this type of identity fraud. It’s estimated that in 2016, the IRS paid out nearly $239 million in “suspect” refunds. However, with over 780,000 fraudulent returns filed, that payout could have totaled over $4 billion. This indicates that the IRS’ efforts to detect fraudulent returns are working. Tax identity theft remains on the IRS “dirty dozen” list of top tax scams, and many anticipate 2018 to be a banner year for tax identity fraud in light of last year’s massive Equifax data breach.
The Equifax breach exposed the personal information of over 145 million Americans, including names, Social Security numbers, birthdays, addresses, and driver’s license numbers – essentially all the information a criminal needs to commit any type of identity fraud, including filing false tax returns.
The IRS has provided a solution to reduce the potential of a successfully filed fraudulent return. Individuals can obtain an Identity Protection PIN, which then needs to be filed with a legitimate return in order for it to be accepted and processed.
Unfortunately, the Identity Protection PIN won’t be available to all. The IRS requires individuals to file a CP01A form, something only available to identity theft victims; alternatively, residents of Georgia, Florida or Washington, DC can opt in to get a PIN. As a result, the likelihood is that most Americans will forgo the effort to get a PIN.
Maybe it’s finally time for the government and legislators to address the unintended, but de facto, use of Social Security numbers as a personal identifier for U.S. citizens. Immediately following the Equifax data breach, there was a flurry of talk about this. White House cybersecurity czar Rob Joyce was quoted in The Hill saying, “I believe the Social Security number has outlived its usefulness.”
While this is an encouraging start to a dialog, I’m not hopeful that we’ll see any real efforts toward legislation or regulation that would lead to a change. Many countries outside the U.S. issue national identity cards for their citizens with a unique ID number, and some pair the cards and numbers with biometric identifiers. However, this can lead to greater concerns of creating a “Big Brother” where individual privacy could easily be sacrificed … something that is certainly a consideration for the U.S. in these discussions.
As a result, I suspect the U.S. will continue using Social Security numbers as a de facto personal identifier for filing taxes, setting up bank accounts, and working with insurance companies, for a very long time. In this, I hope that I’m wrong. The Equifax breach should teach us, among other things, that this is a bad situation and bad policy. It would appear that the White House agrees that now is the time to end the use of the Social Security number. Time will tell if that sentiment finds its way into policy.
The Equifax breach brings new urgency to the question of how we establish and protect our personal identities. By exposing the Social Security numbers (SSNs) of over 145 million Americans, the breach set millions up for what one expert called "a lifetime game of Whack-a-Mole," with identity theft cropping up over and over in unexpected places.
“Nothing is certain except death and taxes.” Or so Ben Franklin is credited with saying. I would add hacking to that list. Today’s cybercriminals possess the skills, sophistication, and technology to hack their way into nearly any system in a way that is virtually undetectable.