Click Picture to read Article:
IRS, Industry, States Take New Steps Together to Fight Identity Theft, Protect Taxpayers
IR-2015-87, June 11, 2015
WASHINGTON — The Internal Revenue Service joined today with representatives of tax preparation and software firms, payroll and tax financial product processors and state tax administrators to announce a sweeping new collaborative effort to combat identity theft refund fraud and protect the nation’s taxpayers.
The agreement — reached after the project was originally announced March 19 — includes identifying new steps to validate taxpayer and tax return information at the time of filing. The effort will increase information sharing between industry and governments. There will be standardized sharing of suspected identity fraud information and analytics from the tax industry to identify fraud schemes and locate indicators of fraud patterns. And there will be continued collaborative efforts going forward.
“This agreement represents a new era of cooperation and collaboration among the IRS, states and the electronic tax industry that will help combat identity theft and protect taxpayers against tax refund fraud,” IRS Commissioner John Koskinen said. “We’ve made tremendous progress, and we will continue these efforts. Taxpayers filing their tax returns next filing season should have a safer and more secure experience.”
Koskinen convened a Security Summit on March 19 with the chief executive officers and leaders of private sector firm and federal and state tax administrators to discuss emerging threats on identity theft and expand existing collaborative efforts to stop fraud.
Three specialized working groups were established as part of the Summit, with members from the IRS, states and industry co-chairing and serving on each team. During the past 12 weeks, the teams focused on developing ways to validate the authenticity of taxpayers and information included on tax return submissions, information sharing to improve detection and expand prevention of refund fraud, and threat assessment and strategy development to prevent risks and threats.
The groups agreed to several important new initiatives in this unprecedented effort, including:
Taxpayer authentication. The industry and government groups identified numerous new data elements that can be shared at the time of filing to help authenticate a taxpayer and detect identity theft refund fraud. The data will be submitted to the IRS and states with the tax return transmission for the 2016 filing season. Some of these issues include, but are not limited to:
- Reviewing the transmission of the tax return, including the improper and or repetitive use of Internet Protocol numbers, the Internet ‘address’ from which the return is originating.
- Reviewing computer device identification data tied to the return’s origin.
- Reviewing the time it takes to complete a tax return, so computer mechanized fraud can be detected.
- Capturing metadata in the computer transaction that will allow review for identity theft related fraud.
Fraud identification. The groups agreed to expand sharing of fraud leads. For the first time, the entire tax industry and other parts of the tax industry will share aggregated analytical information about their filings with the IRS to help identify fraud. This post-return filing process has produced valuable fraud information because trends are easier to identify with aggregated data. Currently, the IRS obtains this analytical information from some groups. The expanded effort will ensure a level playing field so everyone approaches fraud from the same perspective, making it more difficult for the perpetration of fraud schemes.
Information assessment. In addition to continuing cooperative efforts, the groups will look at establishing a formalized Refund Fraud Information Sharing and Assessment Center (ISAC) to more aggressively and efficiently share information between the public and private sector to help stop the proliferation of fraud schemes and reduce the risk to taxpayers. This would help in many ways, including providing better data to law enforcement to improve the investigations and prosecution of identity thieves.
Cybersecurity framework. Participants with the tax industry agreed to align with the IRS and states under the National Institute of Standards and Technology (NIST) cybersecurity framework to promote the protection of information technology (IT) infrastructure. The IRS and states currently operate under this standard, as do many in the tax industry.
Taxpayer awareness and communication. The IRS, industry and states agreed that more can be done to inform taxpayers and raise awareness about the protection of sensitive personal, tax and financial data to help prevent refund fraud and identity theft. These efforts have already started, and will increase through the year and expand in conjunction with the 2016 filing season.
“Industry, states and the IRS all have a role to play in this effort,” Koskinen said. “We share a common enemy in those stealing personal information and perpetrating refund fraud and we share a common goal of protecting taxpayers. We want to build these changes into the DNA of the entire tax system to make it safer.”
Many major system and process changes will be made this summer and fall by the participants in order to be ready for the 2016 filing season. The public-private partnership also will continue this cooperative, collaborative approach to address not just short-term issues but longer-term issues facing the tax community and taxpayers.
The partnership parties recognize the need to continuously improve our tax system defenses for combating this threat to taxpayers and our tax system, Koskinen added. Those defenses include a continually improving multi-level identity proofing and authentication capability that anticipates and stops threats.
“I applaud the industry and the states for stepping forward to take on this challenge and making the needed changes,” Koskinen. “This is good for taxpayers, good for tax administrators and good for the tax community.”
Koskinen emphasized that a continuing theme throughout this effort focuses on protecting taxpayer information and privacy. “Working together we can achieve results that none of us, working alone, could accomplish,” he said.
In addition to companies from the private sector, the summit team included several groups including the Electronic Tax Administration Advisory Committee (ETAAC), the Federation of Tax Administrators (FTA) representing the states, the Council for Electronic Revenue Communication Advancement (CERCA) and the American Coalition for Taxpayer Rights (ACTR).
The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.
These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the “Get Transcript” application has been shut down temporarily. The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.
As always, the IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our protocols.
The IRS announced today it will be notifying taxpayers after third parties gained unauthorized access to information on about 100,000 accounts through the “Get Transcript” online application.
The IRS determined late last week that unusual activity had taken place on the application, which indicates that unauthorized third parties had access to some accounts on the transcript application. Following an initial review, it appears that access was gained to more than 100,000 accounts through the Get Transcript application.
In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.
The IRS temporarily shut down the Get Transcript application last week after an initial assessment identified questionable attempts were detected on the system in mid-May. The online application will remain disabled until the IRS makes modifications and further strengthens security for it.
The matter is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation.
The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure.
On the Get Transcript application, a further review by the IRS identified that these attempts were quite complex in nature and appear to have started in February and ran through mid-May. In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles. During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.
In addition, to disabling the Get Transcript application, the IRS has taken a number of immediate steps to protect taxpayers, including:
- Sending a letter to all of the approximately 200,000 taxpayers whose accounts had attempted unauthorized accesses, notifying them that third parties appear to have had access to taxpayer Social Security numbers and additional personal financial information from a non-IRS source before attempting to access the IRS transcript application. Although half of this group did not actually have their transcript account accessed because the third parties failed the authentication tests, the IRS is still taking an additional protective step to alert taxpayers. That’s because malicious actors acquired sensitive financial information from a source outside the IRS about these households that led to the attempts to access the transcript application.
- Offering free credit monitoring for the approximately 100,000 taxpayers whose Get Transcript accounts were accessed to ensure this information isn’t being used through other financial avenues. Taxpayers will receive specific instructions so they can sign up for the credit monitoring. The IRS emphasizes these outreach letters will not request any personal identification information from taxpayers. In addition, the IRS is marking the underlying taxpayer accounts on our core processing system to flag for potential identity theft to protect taxpayers going forward — both right now and in 2016.
These letters will be mailed out starting later this week and will include additional details for taxpayers about the credit monitoring and other steps. At this time, no action is needed by taxpayers outside these affected groups.
The IRS is continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of these households filed taxes in 2015. It’s possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season.
The IRS emphasizes this incident involves one application involving transcripts — it does not involve other IRS systems, such as our core taxpayer accounts or other applications, such as Where’s My Refund.
The IRS will be working aggressively to protect affected taxpayers and strengthen our protocols even further going forward.
- Written Testimony of Commissioner Koskinen on Unauthorized Attempts to Access Taxpayer Data before Senate Finance Committee
- Get Transcript Application: Questions and Answers
Taxpayers should keep a duplicate set of records including bank statements, tax returns, identifications and insurance policies in a safe place such as a waterproof container, and away from the original set.
Keeping an additional set of records is easier now that many financial institutions provide statements and documents electronically, and much financial information is available on the Internet. Even if the original records are only provided on paper, these can be scanned into an electronic format. This way, taxpayers can save them to the cloud, download them to a storage device such as an external hard drive or USB flash drive, or burn them to a CD or DVD.
Another step a taxpayer can take to prepare for a disaster is to photograph or videotape the contents of his or her home, especially items of higher value. The IRS has a disaster loss workbook, Publication 584, which can help taxpayers compile a room-by-room list of belongings.
A photographic record can help an individual prove the fair market value of items for insurance and casualty loss claims. Ideally, photos should be stored with a friend or family member who lives outside the area.
Emergency plans should be reviewed annually. Personal and business situations change over time as do preparedness needs. When employers hire new employees or when a company or organization changes functions, plans should be updated accordingly and employees should be informed of the changes. Make your plans ahead of time and practice them.
Back copies of previously-filed tax returns and all attachments, including Forms W-2, can be requested by filing Form 4506, Request for Copy of Tax Return. Alternatively, transcripts showing most line items on these returns can be ordered by calling 1-800-908-9946 or by using Form 4506T-EZ, Short Form Request for Individual Tax Return Transcript or Form 4506-T, Request for Transcript of Tax Return.