Recipients of IRS Identity Verification Letters (Letter 5071C) Given Information on Steps to Take

In News Release IR-2015-54 the IRS has outlined steps taxpayers who receive an identity verification letter (Letter 5071C) should use to help resolve the question about the validity of a return that has been filed, as well as the basic nature of the process.

The release notes that the IRS will send such a letter out if the IRS has identified a return filed in the taxpayer’s name as “suspicious” for various reasons that suggest the return may be involved in identity theft.

The release describes the issuance of the letter as follows:

Letter 5071C is mailed through the U.S. Postal Service to the address on the return. It asks taxpayers to verify their identities in order for the IRS to complete processing of the returns if the taxpayers did file it or reject the returns if the taxpayers did not file it. The IRS does not request such information via email, nor will the IRS call a taxpayer directly to ask this information without you receiving a letter first. The letter number can be found in the upper corner of the page.

Note the warning about what the IRS will not do.  Unfortunately the IRS is likely right in assuming that crooks will begin to attempt to pose as the IRS and contact individuals in an attempt to obtain sensitive information.

The IRS describes the options a taxpayer has when receiving the letter as follows:

The letter gives taxpayers two options to contact the IRS and confirm whether or not they filed the return. Taxpayers may use the idverify.irs.gov site or call a toll-free number on the letter. Because of the high-volume on the toll-free numbers, the IRS-sponsored website, idverify.irs.gov, is the safest, fastest option for taxpayers with web access.

The release notes that taxpayers need to pull some information together before calling or logging into the website.  Information the taxpayers will need include:

  • Current year’s return (if one has been filed)
  • Prior year’s return (if one was filed)
  • Supporting documents for their returns including:
    • Forms W2
    • Forms 1099
    • Schedule A
    • Schedule C

The release concludes with an important piece of advice that advisers may want to communicate to all of their clients about recognizing the “real” IRS website:

IRS.gov is the official IRS website. Always look for a URL ending with “.gov” – not “.com,” “.org,” “.net,” or other nongovernmental URLs.

Unfortunately the IRS does not mandate the use of secure connections on their website generally, so the assurance you are “on the right site” can’t be as sure as we’d generally like. 

The IRS does require secure connections for services that ask for personal information (such as “Where is My Refund?” or the Identity Verification Service), though taxpayers should check to be sure that their browser does indicate a secure connection (the address bar shows “https:” and not “http:”).

One additional complication-due to a recent issue involving software preinstalled on certain Lenovo consumer computers (not the business grade Thinkpads), taxpayers should probably confirm they have taken the steps to remove the Superfish software, if it exists on their computer, by following the steps given at the following page on Lenovo's site.   Information on the problem and how it occurred can be found in this interview with Lenovo's Chief Technology Officer.

The software would make it possible for a "man in the middle" to easily trick a computer with such software into showing a secure connection to the IRS (or any other website) that wasn't really secure and, potentially, not really going to the IRS at all.

And, as well, it would probably be best in any event not to do this verification while connected to a public hotspot or network such as at a coffee shop or hotel.  Doing the verification on a private network would greatly reduce the risk of any man the middle attack needed to impersonate a secured connection to the IRS.  This step makes sense regardless of whether or not a taxpayer might have a "Superfish" issue.

Similarly, most PC security software now treats Superfish as a program to be removed during scans, so users also should insure they are running up to date malware removal tools on their PCs and that they have run a recent scan of the system.