Identity theft is estimated to affect nearly 60 million people in the USA; or, considered another way, that is more than 1 in every 6 Americans. Cybercriminals will use any opportunity to monetize the effort they have taken to steal an identity, and at this time of year it’s probably tax identity theft for the purposes of tax refund fraud.

US residents and citizens are required to file taxes with the Internal Revenue Service (IRS); the filing is a summary of their earnings and possible deductions so that tax liabilities and credits can be reconciled. The USA works on a deduction system that reduces tax liability, for example if you own a home the property taxes can be deductible. The list of possible deductibles is extensive and if you are an employee, it normally results in a refund on taxes paid through normal payroll withholding.

Each individual filing taxes in the USA is identified by either a social security number or, in some cases, a unique Tax Identification Number (TIN). A Social Security Number (SSN) is a very common form of identifying an individual in the USA, used by banks, health care providers, government agencies and many other organizations to identify a person. As a result, consumers provide their SSNs to many companies and organizations, which can lead to them being victims if there is a data breach. An example of such a breach is the Equifax incident in 2017 when the personal details of 143 million Americans, including SSNs, were stolen by hackers.

Data breaches are only one mechanism used by the bad actors to glean the needed information. Impersonating either the IRS or another organization such as the Social Security Administration (SSA) promising quick or large refunds, or threatening the removal of benefits, fraudsters can dupe unsuspecting individuals into divulging their personal data through phishing scams by email, robocalls and text messages. This involves attempts to gain the trust of the receiver or even make them feel threatened enough to hand over personal information, giving the cybercriminal enough basic data to file a fraudulent tax return. This results in refunds being issued to the cybercriminal before the legitimate individuals even get the opportunity submit their own tax forms.

The cybercriminal’s target is not only the individual; tax professionals who prepare and file taxes for many clients potentially provide a single place for a cybercriminal to gain all the necessary data to file returns for many individuals. It’s important that good data security practices and technology are in place for both individuals and tax professionals and are reviewed for effectiveness on a frequent basis.

There is good news. The IRS and its partners have implemented numerous mechanisms to detect tax returns potentially involving identity theft; the 2019 tax season showed a 72% decrease in the number of fraudulent tax returns when compared to the previous year. The 193 identity theft filters that the IRS employed identified more than 3 million tax returns, with refunds totaling approximately $14.7 billion, for additional review, resulting in preventing $184.2 million in fraudulent tax refund requests from being issued. The full details can be found in a report drafted by the US Treasury.

The IRS provides advice on its Taxpayer guide to identity theft webpage on how to detect the signs of identity theft, how best to protect against it and what to do if you think you may be a victim. The advice does, of course, include the need for: using up-to-date security software, strong and unique passwords or passphrases, and encryption; avoiding phishing scams; and such like.

Reporting scams to the relevant authorities allows them to ascertain the scale of the issue and potentially track down the perpetrators and bring them to justice. If you think you have received an IRS-related phishing scam, forward it to phishing@irs.gov. SSA phishing scams, fraudulent robocalls or texts can be reported through the SSA impostor scam reporting form or the FTC’s complaint assistant.

I published a blogpost on identity theft a few months ago; in an attempt not to sound like a broken record and repeat the IRS, my previous advice is that I suggest considering an additional proactive approach. The next time a person or website requests personal information, ask some questions – do they really need it, how long will they store it, will it be protected, do I trust them to secure it? The collection of personal data is, for some, a business that provides great rewards – as consumers we need to engage in the protection of our identity by being less willing to hand over our data to just about anyone who requests it.

And lastly, the IRS never asks for personal information via email or over the phone, and the SSA never calls to threaten your benefits. Detailed information on how the IRS contacts people can be found at How the IRS contacts tax payers. Additional guidance on phone scams is available on this SSA page.