Identity theft (IDT) related to tax returns has become a growing problem for many of our clients—and we quite often get to break the news to the client when a client’s electronically filed return gets rejected because a return has already been filed. The IRS brought together a group of interested parties in the tax arena to form a group to work on dealing with the problem. The parties included state revenue departments and most of the major tax software vendors (including Intuit, CCH and Thomson Reuters).
The group has issued a 2015 Security Summit Report that outlines recommendations for the taxing agencies and tax professionals to attempt to control the identity theft problem.
The group established three working groups to deal with various aspects of the problem. The report describes the groups as follows:
First, the “Authentication” working group was tasked with identifying opportunities for strengthening authentication practices, including identifying new ways to validate taxpayers and tax return information, and new techniques for detecting and preventing IDT refund fraud.
Second, the “Information Sharing” working group agreed to work on identifying opportunities for sharing information that would improve our collective capabilities for detecting and preventing IDT refund fraud.
Third, the “Strategic Threat Assessment and Response” (STAR) working group was tasked with looking ahead, to enable the development of proactive, rather than reactive, initiatives and solutions to combat this crime. Specifically, the STAR team’s objective was to take a holistic look at the entire tax ecosystem, identify points of vulnerability (threats/risks) related to the detection and prevention of IDT refund fraud, develop a strategy to mitigate or prevent these risks and threats, and review best practices and frameworks used in other industries.
The groups came up with recommendations that the agencies hope to have implemented for the 2016 filing season as well as ones that will take longer to implement.
In the area of “pre-refund authentication and identity theft refund fraud detection” the group identified over 20 data elements that could provide improved capabilities for detecting refund frauds prior to issuing the check. The report notes that details on the elements will not be given extensive public discussion since criminals could use the details of what is being checked to design ways to evade the system. However, the report noted that “[g]enerally speaking, however, one or more of these new data points will, for example, flag and detect improper and repetitive use of Internet Protocol numbers and computer mechanized fraud.”
As well, the report notes that techniques will need to be continuously modified. Those committing the fraud are quick to adapt their techniques as they discover prior techniques no longer work—so stopping methods currently in use will likely mean the criminals will shift their techniques.
This system will require the additional “data points” to be provided to the IRS and state taxing agencies along with the electronic filing data. The report notes that “[n]o single element will be determinative of whether the return is that of a legitimate taxpayer or of a criminal posing as the taxpayer, but these elements will be used in conjunction with the IRS and the States’ IDT filters and algorithms to allow for stronger pre-refund authentication and for new and innovative IDT refund fraud detection.”
One practical aspect of this is that preparers should be aware that various actions might lead to “false positives” that could slow processing of a return. Although the details of how the testing will be done are being intentionally kept secret, the system very well could react to returns transmitted under a preparer’s EFIN suddenly coming from an IP address that seems unconnected to addresses used before.
If a preparer’s EFIN and/or access to their transmitter was compromised, it’s likely a criminal would end up transmitting from a new IP address. However, a preparer who might be temporarily working “on the road” might end up creating a similarly suspicious submission (especially if “on the road” was outside the United States or appeared to be). Similarly, changing internet service providers could create a sudden change in submissions. While, as the IRS notes, a single data point won’t be determinative, it’s possible that such a change might “tip the scales” on a particular submission or set of submissions.
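To make the “no single element is determinative” idea concrete, here is an added illustration (not code from the report or any IRS system) of a weighted scoring filter over the kind of data points the report alludes to. The field names, weights, threshold and sample history are all hypothetical; it shows why a preparer working from a new IP or from abroad scores below the review threshold, while a new IP that several other EFINs have already transmitted from does not.

```python
from collections import defaultdict

# Hypothetical weights and threshold (the report keeps its real data elements secret).
WEIGHTS = {"new_ip_for_efin": 30, "new_country_for_efin": 25, "ip_shared_across_efins": 40}
REVIEW_THRESHOLD = 60          # a score at or above this sends the return to manual review
SHARED_EFIN_LIMIT = 2          # an IP seen with this many *other* EFINs counts as repetitive use


def build_profile(history):
    """Summarise prior accepted e-file submissions given as (efin, client_ip, country)."""
    ips, countries, efins_by_ip = defaultdict(set), defaultdict(set), defaultdict(set)
    for efin, ip, country in history:
        ips[efin].add(ip)
        countries[efin].add(country)
        efins_by_ip[ip].add(efin)
    return ips, countries, efins_by_ip


def score_submission(profile, efin, ip, country):
    """Return (score, signals, needs_review) for one new transmission.

    No single signal reaches the threshold on its own; only a combination does,
    mirroring the report's statement that no one element is determinative.
    """
    ips, countries, efins_by_ip = profile
    signals = []
    if ip not in ips[efin]:
        signals.append("new_ip_for_efin")
    if country not in countries[efin]:
        signals.append("new_country_for_efin")
    if len(efins_by_ip[ip] - {efin}) >= SHARED_EFIN_LIMIT:
        signals.append("ip_shared_across_efins")
    score = sum(WEIGHTS[s] for s in signals)
    return score, signals, score >= REVIEW_THRESHOLD


# Constructed sample history using RFC 5737 documentation address ranges.
HISTORY = [
    ("EFIN-A", "203.0.113.10", "US"), ("EFIN-A", "203.0.113.10", "US"),
    ("EFIN-B", "198.51.100.7", "US"),
    # one IP that three different EFINs have already transmitted from
    ("EFIN-C", "192.0.2.44", "US"), ("EFIN-D", "192.0.2.44", "US"), ("EFIN-E", "192.0.2.44", "US"),
]
PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    cases = {
        "usual office":            ("EFIN-A", "203.0.113.10", "US"),
        "new ISP, same country":   ("EFIN-A", "203.0.113.99", "US"),
        "working abroad":          ("EFIN-A", "203.0.113.200", "FR"),
        "IP shared by many EFINs": ("EFIN-A", "192.0.2.44", "US"),
    }
    for label, args in cases.items():
        print(f"{label:26} -> {score_submission(PROFILE, *args)}")
```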
The report also discusses the issue of post-filing analytics in this area. The report describes the IRS collaboration with financial institutions, prepaid card companies and other third parties on emerging identity theft trends and on fraudulent returns after they have been transmitted to the IRS and States. Analyzing this information can help identify new methods being used for identity theft and guide the design of programs to stop such frauds.
One recommendation that advisers should note is found in the “Standardized Industry Leads” requirements section. That provision notes:
Because of the effectiveness of the voluntary external leads program, the Summit Industry participants recommended that the IRS require, as a condition of participating in e-file, that all return transmitters perform these analytics post-filing and provide, on a recurring and timely basis, anonymized and aggregated data to the IRS on IDT refund fraud patterns and indices. The IRS will provide this information to the States, who will also use it to bolster their fraud detection and prevention efforts.
The nature of such requirements is to be determined. However, the IRS has already started rolling out a program it is testing with enrolled agents who electronically filed at least 50 returns.
Such EAs will receive a letter from the IRS inviting them into the pilot program where they can log in and see how many returns were transmitted under their PTIN. Checking that number would, hopefully, allow a transmitter to spot unauthorized use of their PTIN by a third party. The IRS has announced they plan to eventually roll this out to every PTIN holder.
Presumably the IRS has found some cases of “hijacking” of a legitimate preparer’s PTIN to be used to file fraudulent returns.
The report also discusses forming “Information Sharing and Assessment Centers” (ISACs). Such “centers” are secured platforms for sharing data related to ID theft between public and private sector members of a particular ISAC. The Summit participants determined that establishing such an ISAC for tax related matters would allow for gains in detecting and preventing identity theft. However, the report only notes that participants are “pursuing the concept” at this point.
The report also provides that the IRS will work with the National Institute of Standards and Technology (NIST) to deliver a presentation on NIST’s cybersecurity framework to members of the Summit. The NIST voluntary cybersecurity framework, published in early 2014, was meant to provide a means to protect critical infrastructure from cybersecurity threats.
The Summit members created a minimum baseline for authentication at account creation and access after creation. The program will need to involve a “multi-layered” approach which can include, for instance:
- Multi-factor authentication (additional information provided beyond merely the password, such as a one-time-use number texted to a cellular phone number registered to the taxpayer)
- Customer account validation via “trusted computer” (where additional confirmation of identity will be needed the first time a taxpayer uses a computer, phone, tablet, etc. that the taxpayer has not before used to log onto the system)
- Out-of-wallet questions (information that should be known only to the legitimate user that’s not part of the information normally on file with the entity)
- Auto-email generation for confirmation of account changes (so users are made aware of changes made to their account)
Note that some of these are only useful after an identity has been initially confirmed, while others are used for the basic confirmation of such identity. The first two, in particular, are only useful for the second and later access of the account but aren’t terribly useful for initially establishing an account. However, two-factor authentication has generally proven very valuable in preventing unauthorized access once a valid account is established.
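As an added illustration of how the first, second and fourth layers above fit together (this is example code, not anything from the report or a vendor product), the sketch below binds a “trusted computer” token to the account and device, steps up to a one-time code whenever a login arrives without a valid token, and records a confirmation message to both the old and new address on an account change. The server key, the outbox list and the in-memory account record are all hypothetical stand-ins for real infrastructure.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # hypothetical server-side secret for device tokens
OUTBOX = []                            # stands in for the auto-email system


def create_account(username, password, email):
    """Enrolment: the password is salted and hashed; no device is trusted yet."""
    salt = secrets.token_bytes(16)
    return {"user": username, "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
            "email": email, "pending_otp": None}


def device_token(account, device_id):
    """Trusted-computer token bound to (user, device); the device stores it like a cookie."""
    msg = f"{account['user']}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(account, password, device_id, token=None):
    """Layer 1: password. Layer 2: a trusted device, otherwise a one-time code (step-up)."""
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 200_000)
    if not hmac.compare_digest(calc, account["pw_hash"]):
        return "denied"
    if token and hmac.compare_digest(token, device_token(account, device_id)):
        return "ok"                           # this device was confirmed earlier
    account["pending_otp"] = f"{secrets.randbelow(10**6):06d}"
    return "otp_required"                     # a real system would text this code


def complete_login(account, device_id, otp):
    """Verify the one-time code; on success the device becomes trusted and gets a token."""
    expected, account["pending_otp"] = account["pending_otp"], None
    if expected is None or not hmac.compare_digest(otp, expected):
        return None
    return device_token(account, device_id)


def change_email(account, new_email):
    """Layer 4: every account change is confirmed to the old and the new address."""
    old, account["email"] = account["email"], new_email
    for addr in (old, new_email):
        OUTBOX.append((addr, f"Email on account {account['user']} changed to {new_email}"))
    return len(OUTBOX)
```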
In the recent case of access to IRS transcripts by unauthorized parties it was discovered that third parties appear to be engineering “data mining” operations on purloined data from various sources to work around the “out of wallet” questions.
The report also notes that taxpayers have a responsibility here as well—protecting the taxpayer’s data will inevitably involve the taxpayer. Many recent breaches in various areas (tax and nontax) have involved things that often were no more complex than reuse of passwords on multiple sites. Similarly, criminals are getting good at using emails, websites and telephone calls to obtain information from future victims via “phishing” scams or other types of social engineering.
Virtually all practitioners have experienced receipt of unencrypted emails from clients containing various items of sensitive personal information. As criminals are getting better at building databases of “leaked” data and then using data analysis techniques to assemble data on a particular person, this “leakage” of data needs to be dealt with.
Finally, the IRS uses this report to push some items they want Congress to legislate in this area, including:
- Acceleration of information return filing due dates
- Allow the IRS to require truncated social security numbers on Form W-2
- Expand access to the Directory of New Hires
- Strengthen the criminal penalties for identity theft refund fraud
- Add authority to regulate tax return preparers
- Increase the IRS’s correctable error authority
Of course, some of those proposals clearly go outside the area of pure identity theft, but an agency generally doesn’t like to waste a good crisis, and will link various changes it would like enacted to the crisis at hand. Nevertheless, some of those changes would certainly be helpful in dealing with this problem.
But the report makes clear that there is no single “magic solution” to the problem of identity theft and cyberfraud, whether it is the specialized area of tax refund fraud or simply overall fraud.
What advisers need to be aware of, though, is that there will likely be changes required in preparers’ processes to integrate with these detection systems.