Posts

By Eva Velasquez, president and CEO, Identity Theft Resource Center 

  • The Identity Theft Resource Center (ITRC) expects to see the number of victims of COVID-19 identity crimes continue to rise in 2021. The ITRC’s new data shows an increase in identity crime victims being targeted multiple times (28 percent in 2019 versus 21 percent in 2018) before pandemic-related identity crimes. The ITRC expects to see victims targeted multiple times continue to rise. 
  • Right now, victim resources are not top of mind for many people. Since 2018, U.S. Department of Justice funds allocated for all crime victim services has fallen from a high of $3.7 billion to $1.9 billion. 
  • Focusing on just the dollar losses of identity fraud paints an incomplete picture because it does not consider long-term impacts or each victim’s unique situation. 
  • Additional pandemic-related benefits and stimulus payments due in early 2021 will also result in more identity crime victims linked to new benefit fraud cases.  
  • Join experts from the ITRC and the Federal Trade Commission (FTC) on Monday, February 1, at 10 a.m. PST (1 p.m. EST) for a free webinar, Protecting Yourself Against Identity Theft in the Age of COVID-19. 

The last year has been a difficult one for many people. Some have lost their jobs, others have had to close their businesses and many people have gotten sick or lost loved ones from the coronavirus. Another segment of people affected has not gotten as much attention: victims of COVID-19 identity crimes.  

The Impacts of COVID-19 Identity Crimes in 2020 

Millions of state unemployment benefit-related identity theft cases have been detected across the country since March 2020. On average, the Identity Theft Resource Center (ITRC) receives less than 20 inquiries regarding unemployment benefits a year. In 2020, the ITRC had more than 700 unemployment benefits fraud victims reach out for help. 2020 also saw a sharp increase in scams. Criminals had countless opportunities to trick people with phishing scams, charity scams, healthcare scams, disaster scams and work-from-home scams.  

What to Expect in 2021 

The ITRC believes COVID-19 identity crimes will impact victims well into 2021. Many victims may not be aware that their identity credentials were misused until they receive an IRS Form 1099 for non-wage income. The ITRC’s research also shows a significant increase in identity crime victims being victimized a second time, even before the rise in fraud, scams and identity crimes in 2020. The post-pandemic analysis should show an even greater spike.  

The Ripple Effects of the Pandemic-Related Identity Crimes 

Resources for identity crimes are not keeping pace with the criminals. Trends identified by the ITRC and many private-sector researchers show that profit-motivated cybercriminals are using consumer’s and employee’s bad security habits, as well as the changing work environment, to attack businesses more often. Yet, resources for cybersecurity training and education along with identity-related crime victim assistants are moving in the opposite direction. 

Since 2018, U.S. Department of Justice (DOJ) funds allocated for all crime victim services has dropped from a high of $3.7 billion to $1.9 billion. Discretionary DOJ grants awarded to victim services organizations dropped from $311 million in 2019 to $144 million in 2020. Funds to programs that support victims of identity crimes and compromises, cybercrime, scams and fraud have been reduced to $0. 

Meanwhile, the average ransomware payment has grown from less than $10,000 per incident in late 2018 to $233,000 as of Q3 2020, with some large enterprises reportedly paying ransoms over $1 million, according to cybersecurity firm Coveware. The most common root cause (55 percent) of ransomware attacks is stolen credentials to access a business system or network remotely. 

Measuring just the dollar amount paints an incomplete picture. A dollar sign does not take into account the trauma, downstream effects and lost opportunity costs for each of the victims whose identity credentials were misused. New ITRC research that will be published in May 2021 reveals an increase in identity crime victims being targeted multiple times. Nearly 28 percent of victims reported a second identity crime in 2019 versus 21 percent in 2018. At the ITRC, we expect to see that number continue to go up, especially after the rise in COVID-19 identity crimes.  

What It Means Moving Forward 

The data shows that COVID-19 identity crimes will continue in 2021, and more victims will suffer from the trauma of a second and even third identity crime. Someone that does not trust an infrastructure that has failed them will continue to disengage. Some victims cannot meet their basic needs or find a job because they cannot pass a background check until they get the fraud resolved. How long does that take? How does someone explain that to an employer? They are simply the victim of a crime that is not acknowledged to have the devasting life impacts that it does.  

The statistics show we are not winning the battle to protect ourselves from cybercriminals. Winning will require us to devote more resources toward assisting victims and devote more time and attention to educating consumers and employees of their need to be cyber-aware and vigilant. 

What to Do If You’re a Victim of Identity Theft 

If anyone believes their information may have been compromised, we suggest contacting us toll-free. Consumers can call (888.400.5530) or live-chat with an identity theft advisor to start their remediation process. Our experts will help advise victims on the best next steps for them to take.  

Learn more  

People can learn more about identity theft and COVID-19. Join experts from the ITRC and the FTC on Monday, February 1, at 10 a.m. PST (1 p.m. EST) for a free webinar, Protecting Yourself Against Identity Theft in the Age of COVID-19. We’ll explore topics including identity theft involving unemployment benefits, federal stimulus payments, Small Business Administration loans and more. Register here

The webinar is being held as part of the FTC’s Identity Theft Awareness Week, February 1-5, 2021. To find out more about the week’s events and the FTC’s free identity theft resources, please visit the FTC’s website

  • One of the first changes in 2020 due to COVID-19 was the delay in the regular income tax filing date. Soon after that, millions of out-of-work Americans began to receive enhanced unemployment benefits and special small business loans.
  • Soon after that, cybercriminals began to steal those benefits. The Department of Labor estimates that unemployment fraud could total as much as $26 billion. California alone has seen nearly $2 billion in unemployment benefits fraud.
  • With the 2021 tax filing season quickly approaching, many people will receive a 1099 form alerting them that they must claim income they never received from the benefits they never sought.
  • To learn more, listen to this week’s episode of the Fraudian Slip.
  • People can learn about taking advantage of the Internal Revenue Service (IRS) identity protection programs or reporting identity-related issues to the IRS at IRS.gov and clicking on the Identity Theft Protection link at the bottom of the home page.
  • If anyone believes they are a victim of tax identity theft or unemployment benefits fraud, they should contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

The below is a transcript of our podcast episode with special guest, IRS

Welcome to the Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud, including the impact identity issues have on people and businesses.

In a typical episode, we would focus on something that has happened or is happening that impacts consumers and businesses. Not today. We are going to talk about what’s about to happen, specifically the 2021 tax filing season.

It’s been nearly a year since the COVID-19 pandemic disrupted virtually every aspect of everyday life. One of the first changes in 2020 was the delay in the traditional income tax filing date. Soon thereafter, millions of out-of-work Americans began to receive enhanced unemployment benefits and special small business loans. Shortly after that, cybercriminals began to steal those benefits. The Department of Labor estimates that unemployment fraud could total as much as $26 billion. California alone has seen nearly $2 billion in unemployment fraud.

Fast forward to today, and the spike in benefits fraud is subsiding. However, a second round of victims may soon emerge. Benefits like unemployment payments are considered income and are taxable. Thousands of the unemployment payments made in 2020 were made in the names of people whose identities were misused – and they didn’t know it. With the 2021 tax filing season quickly approaching, many people will receive a 1099 form alerting them that they must claim income they never received from the benefits they never sought. That is on top of the usual identity-related income tax fraud the IRS sees each year.

We talked with Jim Robnett, the Deputy Chief of the IRS – Criminal Investigation Division, about the following:

Overview

  • Before 2020, the number of false income tax returns linked to identity compromises was already falling. What had the IRS done that was working so well to reduce tax-related identity theft?

Pandemic-Related Tax Issues

  • The most obvious change in terms of taxes in 2020 was moving the filing date. From the IRS perspective, what was 2020 like for you?
  • Anytime there is a mass injection of money into the economy, there is fraud. The IRS played a crucial role in delivering the stimulus checks approved by Congress. What kind of response did you expect from criminals, and what did you see? 
  • We know there has been a massive amount of unemployment fraud, and that has had tax implications for victims. Explain why that is and what taxpayers should do if they suspect or know they are the victim of benefit fraud?
  • What should taxpayers do who get a 1099 form they were not expecting?
  • What about small businesses or entrepreneurs who may discover someone took out an SBA loan or other pandemic benefit in their name?

2021 Tax Issues

  • What should taxpayers do to prepare for 2021?
  • The IRS recently announced the expansion of Identity Protection PINs. That’s going to be a great tool for preventing fraud. Explain how that works and what taxpayers need to do to take advantage of the IP PIN program?

For answers to all of these questions, listen to this week’s episode of The Fraudian Slip Podcast.

Learn More From the IRS

You can learn more about taking advantage of the IRS identity protection programs or reporting identity-related issues to the IRS at IRS.gov and clicking on the Identity Theft Protection link at the bottom of the home page.

Contact the ITRC

You can learn how to protect yourself from identity fraud, crimes and compromises – including the tax-related issues we discussed today, by visiting idtheftcenter.org, where you can also read more about the latest data breach trends.

If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voice mail for an expert advisor to get advice on how to respond. Just visit the website to get started.

Another week has gone by, and in this week’s Weekly Breach Breakdown, the Identity Theft Resource Center (ITRC) highlights a handful of data compromises that could leave a big impact on businesses and consumers. The ITRC has been tracking publicly-notified U.S. data breaches since 2005 to look for patterns, new trends and any information that could better help educate on the need for understanding the value of protecting personally identifiable information (PII). Some of the data compromises highlighted this week include CVS, Walgreens and Walmart pharmacy data breaches with a unique twist; an athlete recruiting tool; and one state’s taxpayer system. All of these breaches have one thing in common: they are relatively small data events that can still leave a lasting impact.

CVS, Walgreens and Walmart Pharmacy Data Breaches

Three well-known companies suffered from individual pharmacy data breaches. It wasn’t a cyberattack or failure to secure their electronic records; instead, some of their stored health information was physically stolen, leaving the potential for a serious impact on the individuals whose information was exposed. During recent protests in several cities, pharmacies owned by Walmart, Walgreens and CVS were looted. Paper files and computer equipment containing customer information was taken from individual stores, not the companies at-large. The missing information included prescriptions, consent forms, birth dates, addresses, medications and physician information. All three companies affected by the pharmacy data breaches notified impacted patients, but only CVS released the number of customers involved – 21,289.

Front Rush Data Compromise

The next data compromise includes student-athlete recruiting tool, Front Rush. Front Rush recently notified 61,000 athletes and coaches that their information was open to the internet due to a misconfigured cloud database for four years. In a notice to individuals impacted, Front Rush acknowledged that they could not tell if anyone accessed or removed any PII while it was exposed to the web from 2016-2020. Some of the personal information in the database included: Social Security numbers, Driver’s Licenses, student IDs, passports, financial accounts, credit card information, birth certificates and health insurance information.

The Vermont Department of Taxes Data Compromise

The state of Vermont recently notified more than 70,000 taxpayers that the online credentials they used to file certain types of tax forms had been exposed on the internet since 2017. State officials say they lacked the tools to tell if the information was downloaded from their systems by threat actors, but they believe the risk of an identity crime is low. However, the State Department of Taxes is recommending taxpayers take precautions like monitoring bank and credit accounts, reviewing credit reports and reporting any suspicious activity to local law enforcement.

What it Means

Stolen credentials like logins and passwords, like the information breached in Vermont, are currently the number one cause of data breaches, according to IBM. However, that is tied with misconfigured cloud security that leads to data being exposed to the web, as in Front Rush. Misconfigured cloud security generally means that someone forgot to set up a password or other security tool when they configured the database. Stolen physical records and devices ranks five out of ten on the attack scale for the most common attack vectors.

For more information about the latest data breaches, subscribe to the ITRC’s data breach newsletter.

NotifiedTM

Keep an eye out for the ITRC’s new data breach tracker NotifiedTM. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches later this month.

If someone believes they are the victim of identity theft or their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


 You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

Each year, about half of U.S. taxpayers rely on a tax preparer and a tax preparation service to help them file their required tax returns. These professionals offer a wide array of options, from a very simple franchise that plugs in the numbers on the consumer’s behalf to certified public accountants that know the ins and outs of the entire U.S. tax code. From accounting firms to walk-in services like H&R Block, TurboTax/Intuit, Credit Karma or Jackson Hewitt, these tax preparation services often have one major similarity: they are a hot target for hackers and identity thieves.

Trusting an outsider with highly-sensitive personal data is not something that people should take lightly. Having a professional take responsibility for the paperwork, helping to navigate the annual changes to tax laws and even assisting in the event of an IRS audit are all reason enough to pay someone to take care of the filing. However, the sheer volume of personally identifiable information (PII) that a tax preparer must collect and store means there are literal treasure troves of identities waiting to be compromised by a malicious actor.

There are plenty of ways that stolen PII from a tax preparation service can benefit a hacker. First, accessing a stolen return not only means the hacker can file the return for themselves and steal any refunds the consumer was expecting, it also means having the ability to file a fraudulent return every year. Hackers can cause even more harm with information gleaned from a tax preparer’s computer; credential stuffing is another major concern, as the complete information they might steal can be used to access the victim’s other accounts.

There are some important steps that consumers can take to protect themselves when using a tax preparation service. First, people should only choose a professional tax preparer who has a valid IRS Preparer Tax Identification Number (PTIN), but also understand that there are many different services, ability-levels and offerings that a professional can provide. It is also important for a consumer to find out what the preparer’s credentials are—such as having an accounting degree or being a member of a professional organization—before signing on to work with them. Consumers should not hesitate to ask what information the preparer will be able to access, how that information will be stored and for how long, who will be able to access that information and other related questions. There have been many situations where tax preparation services and professionals have been the target of malicious actors and understanding how they are going to safeguard information is just as important as their capabilities.

More guidelines from the IRS are available, but consumers are also cautioned to begin using a nine to ten character passphrase in place of the traditional eight-character password. A passphrase is longer and easier to remember, which makes it both harder for fraudsters to guess and more likely that consumers will deploy a different passphrase for each account.

If someone falls victim to identity theft from a data breach, they can live-chat with an Identity Theft Resource Center expert advisor through the organization’s website, as well as call toll-free at 888.400.5530 for an action plan that is customized to their needs. The free ID Theft Help App for iOS and Android also provides a number of resources for consumers to use in the event of a data breach or suspected identity theft.


You might also like…

Stalker Data Breach Leads to Sale of Users’ Credentials

Non-Traditional Data Compromises Make Up the Latest Week of Breaches

Mystery Shopper Scams Surface During COVID-19

Identity theft is not one single type of crime. There are many different ways a criminal can use your information, such as applying for government benefits, getting a job under your Social Security number, receiving medical care or prescription drugs in your name, and of course, the financial aspects. But stealing from your bank account or signing up for a new credit card in your name are just scraping the surface when it comes to the harm identity theft can cause.

Tax identity theft occurs when someone uses your compromised information to file a tax return in your name. They fudge the numbers, enter an unrelated refund dispersal option like a prepaid debit card, and make off with your money before you ever know that anything has gone wrong.

How do they get their hands on your data in the first place? There are many ways, including:

  • Imposter scams
  • Data breaches
  • Stolen mail or W-2s
  • CEO/HR phishing scams
  • Corrupt insiders/tax preparation services
  • Unsecured and public Wi-Fi hotspots
  • Social Security number that is lost, stolen or compromised

Of course, it’s just as easy for a criminal to purchase your previously stolen information online, then use it to file a fraudulent return.

How can you know if someone has filed a return with your stolen information? Again, you may find out in different ways, but one common way is for the IRS to inform you.

They don’t usually call you up and say, “Guess what? Someone stole your identity!” Instead, it’s a lot more likely that the IRS will reject your legitimate tax return because someone has already filed using your Social Security number. Another way is someone not necessarily filing the entire return in your name, but rather claiming your dependents on their return if they’ve stolen your kids’ identities; in that case, the IRS will still contact you about the duplicated dependents. Finally, the IRS might contact you if someone files a business return involving your identity as an employee and the agency wants you to answer for the unreported income you supposedly earned but didn’t list on your return.

The fact of tax identity theft is that hundreds of millions of consumers’ identities have been compromised in different data breaches over the years. That means no one is immune from the threat of having their tax refund stolen.

For more questions and answers about tax identity theft, read our tips here.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Tidying Up For Your Identity, Mobile Device and More…