1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

FTC: Tax Fraud Behind 47% Spike in ID Theft

Discussion in 'KrebsonSecurity' started by RSS, Jan 29, 2016.

  1. RSS

    RSS New Member Member

    The U.S. Federal Trade Commission (FTC) today said it tracked a nearly 50 percent increase in identity theft complaints in 2015, and that by far the biggest contributor to that spike was tax refund fraud. The announcement coincided with the debut of a beefed up FTC Web site aimed at making it easier for consumers to report and recover from all forms of ID theft.

    In kicking off “Tax Identity Theft Awareness Week,” FTC released new stats showing that the agency received more than 490,000 identity theft complaints last year, a 47 percent increase over 2014. In a conference call with the news media, FTC Chairwoman Edith Ramirez called tax refund fraud “the largest and fastest growing ID theft category” that the commission tracks.

    Tax refund fraud contributed mightily to a big spike in ID theft complaints to the FTC in 2015. Image: FTC

    Those numbers roughly coincide with data released by the Internal Revenue Service (IRS), which also shows a major increase in tax-related identity theft in 2015.

    Incidence of tax-related ID theft as of Sept. 2015. Source: IRS.

    Ramirez was speaking to reporters to get the word out about the agency’s new and improved online resource, identitytheft.gov, which aims to streamline the process of reporting various forms of identity theft to the FTC, the IRS, the credit bureaus and to state and local officials.

    “The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools, that enables identity theft victims to create the documents they need to alert police, the main credit bureaus and the IRS among others,” Ramirez said. “Identity theft victims can now go online and get a free, personalized identity theft recovery plan.”

    Ramirez added that the agency’s site does not collect sensitive data — such as drivers license or Social Security numbers. The areas where that information is required are left blank in the forms that get produced when consumers finish stepping through the process of filing an ID theft complaint (consumers are instructed to “fill these items in by hand, after you print it out”).

    The FTC chief also said the agency is working with the credit bureaus to further streamline the process of reporting fraud. She declined to be specific about what that might entail, but the new and improved identitytheft.gov site is still far from automated. For example, the “recovery plan” produced when consumers file a report merely lists the phone numbers and includes Web site links for the major credit bureaus that consumers can use to place fraud alerts or file a security freeze.

    The “My Recovery Plan” produced when I filed a test report claiming the worst possible scenario of ID theft that I could think up. The FTC kindly requests that consumers not file false reports (I had their PR person remove this entry after filing it).

    Nevertheless, I was encouraged to see the FTC urging consumers to request a security freeze on their credit file, even if this was the last option listed on the recovery plan that I was issued and the agency’s site appears to do little to help consumers actually file security freezes.

    I’m also glad to see the Commission’s site employ multi-factor authentication for consumers who wish to receive a recovery plan in addition to filing an ID theft report with the FTC. Those who request a plan are asked to provide an email address, pick a complex password, and input a one-time code that is sent via text message or automated phone call.


    Many people do not understand the difference in protection between a fraud alert and a credit freeze. A fraud alert is free, lasts for 90 days, and is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. Applicants merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.

    There is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them at this link.

    Although fraud alerts only last 90 days, you may renew them as often as you like (a recurring calendar entry can help with this task). Consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term, “extended fraud alert” that lasts up to 7 years (a police report and other documentation may be required).

    The problem with fraud alerts is that creditors are encouraged but not required to check for them. The only step that will stop fraudsters from being granted new lines of credit in your name is the security freeze. For more information on what’s involved in obtaining a security freeze and why it beats a fraud alert and/or credit monitoring services, see How I Learned to Stop Worrying and Embrace the Security Freeze. Parents or guardians who are interested in freezing the credit files of their kids or dependents should check out last week’s story, The Lowdown on Freezing Your Kid’s Credit.


    Tax refund fraud occurs when criminals use your personal information and file a tax refund request with the IRS in your name. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. As I wrote in my recent column, Don’t Be a Victim of Tax Refund Fraud in 2016, even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

    Your best defense against tax refund fraud? File your taxes as soon as possible. Unfortunately, many companies are only now starting the process of mailing out W2 forms that taxpayers need to complete their filings, while fraudsters are already at work. Also, if you use online tax preparation services, please pick a strong password and do not use a password that you also use at another site or service.

    If you go to file your taxes this year and receive a rejection notice stating that your return has already been filed, have a look at my primer, What Tax Fraud Victims Can Do. Oh, and consider filing an identity theft report at IdentityTheft.gov.

    It’s important to note that as much as I advocate everyone freeze their credit files, a freeze will not prevent thieves from committing tax refund fraud in your name. Also, freezes may do nothing to stop thieves from perpetrating a variety of other crimes in your name, including providing your identity information to the police in the event of their arrest, or using your information to obtain medical services.

    That said, a credit freeze may actually help tax refund fraud victims avoid being victimized two years in a row. First, a little background: The IRS has responded to the problem of tax ID theft partly by mailing some 2.7 million tax ID theft victims Identity Protection PINs (IP PINs) that must be supplied on the following year’s tax application before the IRS will accept the return.

    The only problem with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to so-called knowledge-based authentication (KBA) questions supplied by the credit bureaus.

    These KBA questions — which involve four multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

    If any readers here doubt how easy it is to buy personal data (SSNs, dates of birth, etc.) on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators.

    So, how does a security freeze help tax fraud victims avoid becoming victims two years running? A freeze prevents the IRS from being able to ask those KBA questions that are key to obtaining Last year, the IRS briefly removed the ability for tax fraud victims to retrieve their IP PINs via the site, but it has since reinstated the feature, apparently ignoring its auditor’s advice to re-enable it only after implementing some type of two-factor authentication.

    Helpfully, though, the IRS does now allow taxpayers to lock their online account, effectively requiring all future correspondence to be conducted via snail mail. You do have an account at irs.gov, don’t you? If not, it might be a good idea to create one, even if you don’t think you’ll ever use it. That goes ditto for the Social Security Administration, by the way.

    Continue reading...

Share This Page