Identity thieves filing fake returns using data on real taxpayers

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.baltimoresun.com/business/money/bs-bz-ambrose-scams-refunds-20120520,0,515219.story

Victims can spend more than a year trying to clear up the mess

Here's another reason to file your tax returns as early as possible:
an identity thief might beat you to the money.

Identity thieves are filing fake federal returns using taxpayers'
Social Security numbers and claiming tax refunds worth billions of
dollars. The taxpayers only find out about it when their returns are
rejected by the IRS because someone already received a refund using
their identity.

It's a big problem — and one that's rapidly growing, according to a
report this month from the Treasury Inspector General for Tax
Administration.

That report says 641,052 taxpayers were affected by identity theft
last year, more than double the year before. IRS resources haven't
kept pace with the growing fraud, and cases sometimes take more than a
year to resolve, the report says. Meanwhile, victims receive confusing
information from the IRS and sometimes are asked repeatedly to prove
their identity.

Inspector General J. Russell George testified before Congress this
month that the IRS detected 940,000 fake returns for 2010 in which
identity thieves attempted to gain $6.5 billion in refunds. And while
the IRS catches a lot of fraud, he said, much goes undetected.

An audit of 2010 returns by the inspector general found about an
additional 1.5 million returns with potentially fraudulent refunds
worth more than $5.2 billion. If the problem isn't addressed, he said,
the IRS could dish out about $26 billion in refunds to thieves over
the next five years.

The IRS disputes that five-year projection, saying the inspector
general doesn't take into account all the steps the agency is taking
to fight fraud. But both sides agree that fraudulent returns filed by
identity thieves is a serious problem.

Tax experts say thieves basically need just a name and legitimate
Social Security number, which is far too easy to get these days.

Hospitals, doctor's offices, credit card issuers, cellphone companies,
schools and all sorts of businesses collect Social Security numbers —
even if they don't need them. All it takes is lax security — and
there's plenty of that — or one unscrupulous employee, and thousands
of Social Security numbers can wind up in the hands of criminals.

Once thieves have the numbers, they can make up W-2 information or use
stolen data from employers to create fake returns, tax experts say.
Fraudulent returns — filed early in the tax season — claim low incomes
and high tax withholdings to inflate refunds. The money is deposited
directly into a thief's bank account or onto a debit card.

The IRS is "just getting the refunds out right away," says Max Neil
Highstein, a Lutherville accountant.

It's not until after the April tax deadline that the IRS begins to
match returns with 1099 forms, W-2s and other information provided by
third parties, which can expose the fraud, he says.

Highstein has had two tax clients with stolen identities this year.

One is Bill Niermann, 59, a retired insurance agent in Timonium.
Niermann says he didn't know that someone from another state had
stolen his Social Security number until Highstein told him that his
electronically filed return had been rejected.

"I went into panic mode," he says.

Niermann filed an affidavit with the IRS attesting to the theft and
sent in information to verify his identity. He also put a fraud alert
on his credit reports, changed passwords on "everything that had a
password," canceled his credit cards and opened new ones.

He says he's spent nearly his entire life in Maryland and wonders why
that didn't trigger suspicions at the IRS when it received a return
from another state with his Social Security number.

Niermann says the IRS will be sending him an Identity Protection
Personal Identification Number to use when filing his return next
year. In the meantime, he's still waiting for his 2011 refund.

"I'm due a $9,000 refund," he says. "God knows when I'll see it."
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.