$5.8 billion… that’s how much the IRS believes it paid out in fraudulent refunds to identity thieves in 2013. Five-point-eight billion dollars. In one year. That figure has plagued the revenue service for some time, as it’s close to the estimated fraudulent payouts the IRS issues every year.
But following the recent announcement that the IRS suffered a data breach of sorts, the agency has partnered with other offices within the federal government to institute some new security protocols. The best news? Rather than adopt new standards over time, the new changes will go into effect for the 2015 tax year.
The recent breach wasn’t a traditional hacking event, at least not in the way the public might envision. Instead of teams of shady computer experts sitting in a dark basement and worming their way into a protected network, the individuals responsible used citizens’ personal data—likely stolen in a corporate data breach like the one that affected Anthem, or bought on a black market website from the people who caused a similar breach—to log into the IRS’ “Get Transcript” website. This is a site that allows the public to log in and check on the status of their tax returns. By logging into Get Transcript as those individuals, the thieves were able to divert the refunds of over 100,000 people and claim them for themselves.
Even though the IRS isn’t directly at fault for that instance, it is a telling sign of bigger security problems, problems that the agency plans to remedy with these new changes. One of the first steps will be a greater level of transparency and cooperation between the IRS and other agencies in the hope that information sharing will lead to better early detection of fraud. Another step will be to match the internet addresses of the users who filed online with the users who then log in to setup a refund payment or make a change; if the addresses don’t match, then it should send up a red flag.
One of the biggest changes the IRS is making is in the simple realization that they’re no longer dealing with a stereotypical petty crook out to commit fraud on his own tax return. Sources indicate Russian hackers were behind this latest breach that garnered over $50 million in fraudulent returns, and that’s in addition to the recent Chinese hacking of the federal government’s personnel office that accessed the sensitive personal data of four million government employees; the IRS is now aware that this is a global threat perpetrated by organized professionals and not some fly-by-night operation committed by a lone hacker.
“We have come to realize we are now dealing with a much more sophisticated enemy than in the past," IRS Commissioner John Koskinen said in a press conference. "We are dealing more and more with organized crime syndicates here and around the world."
Since the IRS has reason to believe that the taxpayer information on the fraudulent returns came as the result of a corporate data breach of some kind, there are important steps that individual citizens can take in order to help stem the tide of tax refund theft. If you’ve received notification that your information was accessed in any kind of data breach, it’s important to monitor your credit reports and employment documentation very carefully for a long time after the fact. And just like the alerts and freezes you can place on your credit report with the three reporting agencies, you can inform the IRS that your information was stolen. This step should trigger an alert within their system when you file your return, and set up a safety net that requires you to take a few more steps to process your return. It will slow down the payment of any refunds you’re expecting, but a slower refund is better than no refund when a thief steals it instead.