I’m sure this isn’t breaking news to any of you (it’s been all over the news, the internet, and social media), but the IRS was recently hit with an extensive cyber hack.
Though the criminal investigation is still ongoing (by the IRS Criminal Investigation Unit, the Treasury Inspector General for Tax Administration, and through investigative inquiries from Congress), what we do know is that more than 100,000 taxpayers’ personal tax information was stolen and used to claim over $50 million in fraudulent tax refunds over the last several months. The IRS believes that the hack began sometime in February, though it was only discovered 2 weeks ago when they noticed a 3700% increase in the number of taxpayers requesting transcripts. Investigators believe these cyber hackers are from Russia.
The information was gathered from the IRS’s “Get Transcript” website (which was shut down after the hack was discovered), where hackers had to complete a screen asking for sensitive information about each taxpayer, including the Social Security number, date of birth, filing status, address, etc.
This isn’t the first time there’s been identity theft involving the IRS, and the issue is pervasive. Taxpayer data security has been an IRS problem for years, and in October of 2014 it was named the IRS’s #1 problem. Shortly after the breach, auditors tested the security controls, and the databases failed over 30% of the tests. In 2012, the IRS sent a total of 655 refunds to 1 address in Lithuania, and 343 refunds to 1 address in Shanghai. In 2013, the IRS estimated that they paid over $5.8 billion in fraudulent refunds to identity thieves.
What I’d like to focus this blog post on is HOW the criminals got the information, and WHAT to do if the IRS informs you that you were one of the taxpayers whose information was accessed.
If you were among the hundreds of thousands of individuals whose information was compromised, the IRS will NOT call or email you; you will receive an IRS letter via US mail. Here’s an excerpt from one of the letters we’ve seen:
“The IRS places the utmost priority on safeguarding personal information. While the Service has strict policies and extensive computer security protocols in place to protect your privacy, we recently learned that fraudsters used your personal information (obtained from another source) to view your tax information through our ‘Get Transcripts’ application. If you have received a refund direct deposited from the IRS, please be aware your bank account and routing number may have been compromised. The IRS is taking a number of steps to help you in this difficult situation, including marking your tax account to ensure that no one besides you files a tax return with your information. Visit www.IRS.gov for more information... We don’t know if someone will misuse your tax information; however, for your protection, we arranged for you to receive a free identity theft protection product for one year from Equifax.”
The letter goes on to explain how to obtain an Identity Protection Personal Identification Number and provides you with an Equifax enrollment code.
Many tax experts fear that, as a result of this hack, there will be more attempts to impersonate the IRS by calling taxpayers and threatening jail or lawsuits against those who do not send money, since the criminals now have additional personal information about these individuals. PLEASE beware of any calls or emails you receive from individuals stating they are with the IRS. The IRS will NOT request any personal information from taxpayers in these written notifications regarding the security breach. If you have any doubts as to whether the contact you receive is legitimate, contact an IRS professional such as a tax resolution attorney or CPA for advice before acting on their threats or requests.
Another very important thing to know about this hack is that, according to the IRS, the criminals obtained this sensitive information from sources other than the IRS. The thieves had to know the answers to several personal identity verification questions to gain access to the bulk of the information compromised. A large amount of this information was likely obtained on the black market, and most of the necessary information was “out of wallet” information: things like cars the taxpayer purchased, high school mascots, spouse names, etc. These black market databases rely on information found all over, including social media, to gather the answers to these questions.
Here are some helpful tips suggested in Tech Guru Daily’s June 5th article “7 Simple Steps to Protect Yourself in the Wake of the IRS Hack” and Fox Business’ Money Tree Article “Are you ‘Over-Exposed’ Online? Lessons from IRS Hack” that I strongly urge everyone to consider:
Be careful with what you post on social media and who you allow to see posts and other personal information. Posting your high school alma mater would give identity thieves the information they’d need to determine your high school mascot, posting your relationship status would provide them with your spouse’s name, and posting a status that you’re still procrastinating with filing your income taxes tips off hackers that they still have time to file a fraudulent income tax return on your behalf.
You should also monitor the status of your refund more closely. If you notice anything suspicious about the status of your refund, contact the IRS. Also, filing earlier in the year may help you reduce the risk of thieves beating you to the filing deadline.
Be sure that all online passwords you use are strong and significantly different from all other passwords you have. Use caution with the websites you choose to log into when using public WiFi connections. Note that your phone is more likely to be compromised than your computer, both because it is more likely to be stolen and because a poorly-coded app can make your phone more susceptible to an attack. Speaking of smart phones, make sure you always do a factory reset when turning in or discarding an old cell phone.
When banking or shopping online, use a dedicated credit card and bank account with credit limits and strict controls and alerts for online purchases.
Even though most identity theft happens online, cyber thieves usually start with a paper trail, so be sure to shred any sensitive information prior to throwing it away, such as bank statements, receipts, etc.
The IRS is providing all victims with free credit monitoring services. Though the hackers used this information to steal tax refunds, the same information can be used to get loans and impersonate the victims in other transactions as well. Any victims of this hack are encouraged to put fraud alerts or security freezes on their credit reports and monitor bank and credit accounts.
For those who may not receive a letter, please be advised that the transcript request website was taken down and will remain down until the matter is resolved. If you need copies of your IRS transcripts, you can still request transcripts via mail using Form 4506 (http://www.irs.gov/uac/Form-4506,-Request-for-Copy-of-Tax-Return). Also note that even if you have not been notified by the IRS as an affected taxpayer, I do suggest you always take precautionary measures as discussed above; you can never be too safe with your online personal information security.
Sources:
“IRS Hack Came from Russia”, by Associated Press; New York Post http://nypost.com/2015/05/27/irs-hack-came-from-russia/
“The IRS Hack: Beware of Follow-up Scams”, by Liz Weston of Moneywatch; CBS News http://www.cbsnews.com/news/the-irs-hack-beware-of-follow-up-scams/
“IRS Says Identity Thieves Accessed Tax Transcripts for More than 100,000 Taxpayers”, by Kelly Phillips Erb, Forbes.com http://www.forbes.com/sites/kellyphillipserb/2015/05/26/irs-says-identity-thieves-accessed-tax-transcripts-for-more-than-100000-taxpayers/
“7 simple steps to protect yourself in the wake of the IRS hack”, by Arkady Bukh, Tech Guru Daily http://www.tgdaily.com/social/132841-7-simple-steps-to-protect-yourself-in-the-wake-of-the-irs-hack
“Are you ‘Over-Exposed’ Online? Lessons from IRS Hack”, by Kristin Bianco, Money Tree Fox Business http://www.foxbusiness.com/personal-finance/2015/05/27/are-over-exposed-online-lessons-from-irs-hack/