Identity thieves are continuing to target taxpayers despite the Internal Revenue Service’s efforts to better authenticate taxpayers, according to a new report.
The Government Accountability Office reported Thursday on the IRS’s need to update the risk assessment for its Taxpayer Protection Program to account for the ever-changing methods of identity thieves. The TPP is a program that the IRS uses to authenticate the identities of suspicious tax filers to prevent identity theft and tax refund fraud. However, the IRS estimates that of the 1.6 million tax returns chosen for the program, the agency may have paid $30 million to fraudsters who filed approximately 7,200 tax returns that passed through the TPP authentication process during the 2015 filing season. The GAO believes the actual figure is probably even higher than the IRS’s estimates.
The IRS has been stepping up its efforts in recent years to combat the growing threat of identity theft-related tax refund fraud. This past tax season, it partnered with state tax authorities, the tax prep software industry and major tax prep chains on multifactor authentication efforts similar to those used by financial services companies and the banking industry. Popular consumer tax prep software packages now ask users more questions to authenticate themselves and require them to check their email inbox or mobile phone for a special code they need to input into the software before they can continue the tax prep process.
However, fraudsters are able to use the personally identifiable information, or PII, they have received about taxpayers from breaches of corporate and government databases to access IRS systems and defeat some of these authentication efforts. The GAO report noted that although the IRS conducted a risk assessment for its Taxpayer Protection Program back in 2012, the IRS has not done an updated risk assessment that reflects the current threat of identity theft tax refund fraud, specifically the threat from fraudsters who already have the personal information they need to answer the authentication questions.
An updated risk assessment would help the IRS find ways to strengthen the authentication program, reduce the loss of tax revenue, and decrease the number of taxpayers who become fraud victims. The GAO recommended the IRS do an updated risk assessment for the TPP and improve its identity theft cost estimates. The IRS agreed with the GAO’s recommendations.
“Securing our systems and taxpayer data continues to be a top priority for the IRS,” wrote IRS deputy commissioner for services and enforcement John M. Dalrymple in response to the report. “We continue to devote significant time and attention to this challenge, despite constrained resources as a result of repeatedly decreased funding over the past few years. Because IDT [identity theft] criminals have significant resources to devote to their schemes, their methods are constantly evolving.”
The IRS is constantly analyzing and looking for ways to improve its detection of identity theft and making adjustments to its filters and processes, he noted. Nevertheless, the criminals are staying one step ahead of the IRS.
“We are finding that tax-related IDT schemes are growing at an alarming rate with increasing complexity and sophistication,” said Dalrymple. “Perpetrators are no longer just individual criminals with a personal laptop and a list of stolen social security numbers and prepaid cards. Instead, these criminals are part of organized internet crime syndicates who are networked across the world and have turned IDT and tax fraud into a highly lucrative business, with deep resources to avoid detection.”