Americans at Risk of Identity Theft as They File their Tax Returns

Ian Barker, writing for BetaNews: As we move into the tax return season a new study reveals that attitudes to identity theft and a pattern of poor practices are leaving much of the public vulnerable. Data security and ID theft protection company CyberScout has carried out its second annual Tax Season Risk Report and finds 58 percent of Americans are not worried about tax fraud in spite of federal reports of 787,000 confirmed identity theft returns in 2016, totaling more than $4 billion in potential fraud. Among other findings are that only 35 percent of taxpayers demand that their preparers use two-factor authentication to protect their clients' personal information. Less than a fifth (18 percent) use an encrypted USB drive to save important documents like tax worksheets, W-2s, 1099s or 1040s. And another 38 percent either store tax documents on their computer's hard drive or in the cloud, approaches that are susceptible to a variety of hacks.

Re:

[Malizar]

I prepare taxes for a living, and I can assure you that my client's data is as secure as data can be made. However once the data is sent to the IRS all bets are off. http://www.cbsnews.com/news/ir... [cbsnews.com]

Re:

[bugs2squash]

a statement like "I can assure you that my client's data is as secure as data can be made" would be a big red flag to me.

Re:

[jfdavis668]

I guess you were just deported?

Re:

[penandpaper]

Nah, I am an undocumented tax payer.

Re:Thankful to the Donald we don't have to file

[Jason Levine]

Not paying your taxes makes you smart!*

* Only applies to billionaires. Attempts to apply this to someone in the middle class may result in jail time.

Re:

[hipp5]

ask your employer to "hire" you as a "contractor,"

At least in Canada, CRA has some pretty strict definitions of what a contractor is. If you're basically going back to full time employment for one employer, you are not a contractor and CRA will catch that if you're ever audited./p

Re:

[ayesnymous]

Only applies to billionaires who lose tons of money, so when they don't pay taxes, what's really happening is they're just shrinking their losses some. In the end they still lost money.

So what are we to do?

[ugen]

"And another 38 percent either store tax documents on their computer's hard drive or in the cloud, approaches that are susceptible to a variety of hacks." - really? So, other than a local storage ("hard drive") or remote storage ("cloud"), what other approaches are there to storing documents that are not susceptible to any hacks? Paper printouts? :) This article is brought to you by association of paper manufacturers.

Encrypt your hard drive, choose good passwords for your cloud storage and don't share them with others. Your data is at most risk at your doctors office, btw (where they have all of your personal information, along with SSN and family records). I had 2 notifications of personal information theft from doctor's billing processor's offices in the last 2 years.

Re:

[imidan]

Yeah, so my taxes, including all relevant forms sent to me and a PDF of my final return, are stored on my primary computer's hard drive. In order to steal them, someone has to come to my house and steal my computer. And probably everything else of value that I own. And most burglars probably aren't that interested in income tax fraud schemes. They're making their money hocking my TV, not committing secondary white-collar crimes.

Re:

[cbiltcliffe]

stored on my primary computer's hard drive. In order to steal them, someone has to come to my house and steal my computer.

All someone has to do is gain remote access to your computer and they have access to your documents. Could happen through a Javascript exploit. Yikes!

No kidding. You'd think someone posting on a site like slashdot would be more familiar with technology than to assume that the only way to steal documents on a hard drive is to physically steal the computer...

scare mongering getting old

[Anonymous Coward]

All these individual security tactics are NOT where the problem lies. You can encrypt your drives, use TFA, and shred all the paper. But thieves steal the enitire DB at Intuit or irs.gov. American attitudes are properly aligned. We don't control the databases where most theft occurs.

Re:scare mongering getting old

[ShanghaiBill]

All these individual security tactics are NOT where the problem lies. ... But thieves steal the enitire DB at Intuit or irs.gov.

You are correct that "individual security" is not the problem, but DBs are not the problem either. The real problem is the idiotic notion that SSNs can be both widely known and secret. I am required to provide my SSN to my employer, my bank, my doctor, my state government, etc. Yet mere knowledge of that number is supposed to authenticate my identity? That makes no sense.

Re:

[Cro Magnon]

That's one of my peeves. The SSN is fine as an ID. It is NOT fine as a password, and those people who treat it as such are idiots.

Re:

[ShanghaiBill]

The SSN is fine as an ID.

Actually, it is not. SSNs are not unique. Many people share SSNs with other people that they have never met, and may not even be aware of. What is unique is the SSN+DOB combination. That is why any government form that asks for your SSN, will also ask for your DOB.

Re:

[Enigma2175]

Actually, it is not. SSNs are not unique. Many people share SSNs with other people that they have never met, and may not even be aware of. What is unique is the SSN+DOB combination. That is why any government form that asks for your SSN, will also ask for your DOB.

Citation needed. The SSA does not re-issue numbers. So far, it has issued 450 million out of about 1 billion numbers, but it hasn't issued any duplicates (although some people have been issued more than one). There were some news reports a while ago about a company that did analysis on databases they had access to and found that some numbers were associated with more than one name, but those were just examples of identity theft or clerical errors. Of course, the media immediately trumpeted "ZOMG other p

Re:

[ShanghaiBill]

Citation needed.

Citation [wikipedia.org]
Citation [computerworld.com]
Citation [nbcnews.com]

Re:

[The Good Reverend]

NONE of those show that the SSA reissues SSNs. The first is the Wikipedia page saying so, the second is a story about two women accidentally given the same number at birth because they share a lot of details in common, and the third is a story about numbers being used by multiple people due to fraud, mistakes, or other problems.

The SSA does not re-issue numbers.

Re:

[ShanghaiBill]

NONE of those show that the SSA reissues SSNs

Nobody said they did. I said they were NOT UNIQUE. They aren't.

Re:

[Enigma2175]

Not sure what you want me to look at on the Wikipedia article was it this?
However, there have been instances where multiple individuals have been inadvertently assigned the same Social Security number

The reference actually only mentions a single instance of this happening, not multiple as the Wikipedia article says. Yes, that was a case of two people being assigned the same number. However, they also had the same name and same birthday, so your assertion that the federal government uses a combination of S

Re:scare mongering getting old

[Jason Levine]

Another problem are credit companies who treat identity theft with a shrug and a "that's your problem." Someone obtained my name, SSN, DOB, and address. How, I'll never know. They opened a Capital One credit card in my name. The fact that the mother's maiden name was wrong on the form wasn't a red flag. Neither was the immediate address change to another state. Nor was "my wife" calling to request a $5,000 cash advance before the card was activated.

When the card arrived at my house (a lucky quirk of them paying for rush delivery and THEN changing the address), I called CapitalOne. First, they insisted that it couldn't have been fraud, asking if my wife opened it without my knowledge. (She was next to me, freaking out about the situation. That'd be a no.) Then, they admitted that it might be fraud, closed the card out, but refused to give me more information. They literally told me "If we give you the address on the account and you go there and shoot them, we'd be liable." Apparently, they didn't think anything about liability if they opened an account under my name, ignoring a lot of red flags. They even stone-walled the police - telling them to call one phone number that was "manned" by an answering machine whose messages were never returned.

Eventually, I gave up on trying to push the investigation forward and just froze my credit. For all I know, the thieves who stole my identity are still out there racking up debt on other people's credit.

Re:

[gtall]

I froze my credit records at the three big credit agencies a few years back. Just for anyone's info, you go to their sites and route around until you find out which stupid pet tricks they make you perform to do it. If I recall, two were relatively easy, one was a royal pain in the tookus to find out how. Each charges between $10-$15...back then, dunno what it is now.

If you need credit, you can get them unlocked for a period of time before the lock goes back on. I think it varies between 30-45 days. And of c

Re:

[Solandri]

The problem with freezing your credit is that as of a couple years ago the credit agencies used that lame personal background service to confirm your identity. You know, the one where your bank asks you what high school you went to, which bank you took out a car loan with, what city you were born in, etc. and gives you multiple choice answers. The identity thief usually has the answers to all these questions, or can make a good guess which of the multiple choice answers is correct - they stole your identi

Re:

[Jason Levine]

We froze both of our credit files after the identity theft. It's useful when stores try to pressure you to "save 5% now if you just sign up for our card." Nope. No can do. My credit's frozen due to identity theft. That shuts them up real quick. On the down side, though, we gave up on refinancing our mortgage a couple of years ago even though we could have saved money. It was too much of a headache to thaw our credit, get the mortgage quotes, and try to get everything signed before the freeze took effect aga

Re:scare mongering getting old

[rtb61]

Reality is "Identity Theft" is a purposeful lie produced by public relations and marketing agencies to push the burden of the crime from the banks to individuals. It is a lie. The reality is the fraud is not against the individual the fraud is against those who accept that false identity. Why the shift, so you the ignorant mug punters get stuck with the loss and the banks wander off laughing.

The truth is, when you get hit by a false claim, you are entitled to seek the prosecution of those who attempted to make that false claim. By any reasoned justice those who made the false claim against you must now prove they were defrauded by another party, else be charged with fraud themselves. It should never ever be up to you to prove anything, you should just be able to forward a complaint of false fiscal claims against you as fraud to the authorities and let them deal with it.

Of course the banks would end up with the bill, hence the scam of identity theft, where you the innocent party and now liable for the corrupt stupidity of the banks until you can prove your innocence, can you not see the criminal corruption in that.

Re:

[h4ck7h3p14n37]

Put the liability for improper identity verification on the financial institutions and watch the problem get fixed real fast.

I know it's not done because of cost, but identity verification really should be done in-person. You verify their government issued documents, maybe confirm some biometrics and if someone is trying to commit fraud you have them right there for the police to apprehend.

Re:

[phantomfive]

That sounds like a lawsuit waiting to happen for them. "Accessory to a crime" or something.

Re:

[Bourdain]

People should consider asking for an IP PIN to help prevent an additional vector of identity theft

https://www.irs.gov/individual... [irs.gov]

by signing up at the above (well in advance of the return due date, it's likely too late to ask for one for your 2016 return), it essentially functions as a password for your return

I suspect

[fredrated]

they can't hack the paper forms I mail in.

Re:I suspect

[ShanghaiBill]

they can't hack the paper forms I mail in.

They can as soon as the forms are scanned, and your info is inserted into the same DB as everyone else.

Re:

[tsqr]

they can't hack the paper forms I mail in.

Right. Because no one with access to your mail would ever possibly read it.

Mathtime

[Verdatum]

787000/330000000 = less than a 1:500 chance. This just in: Site that wants to sell you peace of mind is trying to frighten you into thinking you need peace of mind.

Re:

[ShanghaiBill]

787000/330000000 = less than a 1:500 chance.

Most households only file one return. Last year there were about 140M returns filed. So the chance is actually about 1:150 ... and those are only the confirmed cases.

Re:

[Verdatum]

Fair enough.

IRS PIN

[__aaclcg7560]

Some years ago I filed for unemployment benefits and discovered that a C RAMOS had used my Social Security number to work under. Notified EDD and IRS. EDD removed C RAMOS contributions for a smaller but honest weekly unemployment benefit. The IRS sent me a PIN to use with my tax return. Without the PIN, I can't file. No one else can either. I've been filing every federal tax return with a PIN.

Paper tax return

[PPH]

Not just because it's much less likely to be hacked. I just want the IRS to feel some pain trying to read my chicken-scratch handwriting to make up for what I feel when handing them my money.

IRS motto: We've got what it takes to take what you've got.

Re:

[hipp5]

So you make it harder for yourself... in order to put more burden on an agency that's funded by YOUR tax dollars. WTF kind of immature logic is that?

Re:

[PPH]

So you make it harder for yourself

It's not really harder to fill out the forms by hand. And its an issue of the vulnerability of electronic filing that I am concerned with. Somebody has to key in the figures, so it might as well be done by the IRS rather than me. What makes life easier for them also makes it easier for the scammers.

We have to stop thinking of ourselves as being subservient to our bureaucratic overlords.

Re:

[s1d3track3D]

Not an issue for Greeks and major companies.

True, I think the ancient Greeks will not be affected by this. However, lot's of Seagate employees (and employees of other major companies) will disagree with you.

shared knowledge

[bugs2squash]

The IRS already know everything I send to them. The only reason they have me write it up and send it in again is to generate coprorate welfare for the tax prep industry. They could make a lot of this go away by simply sending me a summary and if I agree with it no further action is necessary and no further confidential uploads to the IRS are needed.

Re:

[originalGMC]

Objectively, yes. It's not corporate welfare for tax prep though. Tax Preparers are like any worker, there's a group of people who say they don't want to do their own taxes and there's a group of people saying 'i'll do that for money' ... simple supply/demand. Of course, these are also the people (especially in small business tax firms, like your local CPA) that help people hide/budget/invest their money, so there's also that service level to consider. Taxes are just one example of a government sponsored i

Re:

[whoever57]

Many people in the UK don't do a tax return and their tax is exactly correct at the end of the year.

This is accomplished in several ways: 1. Just like the USA, employers and other entities send data to HMRC. 2. Many allowances are limited to basic rate tax, so the amount of the allowance doesn't change based on income. 3. Interest and dividends are taxed at source. and probably the most significant difference: 4. Employers calculate tax to be deducted on a rolling basis (taking account of prior income and t

Re:

[Enigma2175]

Then congress should quit trying to do their social engineering through the tax code and remove all those deductions, the only thing I can see there that would require any input from the taxpayer is "received money from a friend/relative" and I'll guarantee 99% of such transactions go unreported anyway. If congress wants to encourage having children, or home ownership, or having solar panels, or being a blind railroad worker, let them make a direct appropriation and send checks to the people who they decid

old guy here

[k6mfw]

I still file mine hardcopy in the mail since the 20th century. So no worries of internet hacking.

Actually one concern is throughout the years there have been staff cuts at IRS, and probably more soon. A friend who has a accounting/taxes business says Fresno office used to have a couple auditors that were good to work with (yes, not all tax audits are perilous, occasionally they want to review certain returns). So maybe filing hardcopy might soon be a thing of the past as less competent people to deal with

Fraudulent 1040 filed for me last year

[Poisonous Drool]

On March 30, 2016 someone filed a fraudulent return with a refund going to a debit card. I found out when the IRS returned a payment. It's been a big headache with lots of paperwork. Only one of the credit bureaus accepted my paperwork to freeze my credit. The others gave bogus reasons for rejecting my application. My bank couldn't handle a auto loan. My suggestion: file your taxes early before the criminals can.

Re:

[h4ck7h3p14n37]

It blows me away that the IRS will just mail a pre-paid card out for someone's tax return, from what I understand it doesn't even have to be sent to the address on file for the taxpayer. At least with a check or an electronic deposit there's a paper trail.

I already filed,

[waspleg]

but if I hadn't, they'd have been welcome to pay what I owed.

Re:

[coinreturn]

but if I hadn't, they'd have been welcome to pay what I owed.

I'm pretty sure the criminals filing false returns are also using false data so they can get a false refund.

W2 Spearphishing

[Mike Van Pelt]

I'm seeing a lot of W2 spearphishing.

From: $CEO_PERSON <$CEO_USERNAME@cornpany.com>

To: $HR_PERSON <$HR_USERNAME@company.com>

Hey, $HR_PERSON,

Hope your day is going well. I need to get a copy of the W2s, addresses, etc. for all employees. Please attach it as a PDF file.

Thanks,

$CEO_NAME

Note the return domain CORNPANY.com not COMPANY.com.

just do the prez...

[Patent Lover]

Just file as Donald Trump. He's on the no taxes owed and no taxes paid list do you're good to go.

Seriously?

[Zemran]

We are talking about a nation of people who think it is somehow wrong not put your real name on Facebook and publish all your details where everyone can easily find them. If the thief cannot find enough there they can look you up on LinkdIn. Why would anyone go anywhere else to steal someone's identity?

Another reason to scrap the income tax

[moeinvt]

Yet another good reason why we should abolish the personal and corporate income tax in favor of the fair tax [fairtax.org] The fair tax is a consumption tax, but avoids any disproportionate impact on the poor by providing a pre-paid tax credit in the amount that a poor person would pay in taxes over the course of a year.

Everyone understands that taxation creates a disincentive for particular behavior, which is precisely why tobacco is taxed at such ridiculous levels. Why the hell do we tolerate a tax system which creates a disincentive for working and producing things?

Eliminating the ridiculously complex, multi-thousand page income tax code also gets rid of the government's favorite and most convenient mechanism for handing out favors to wealthy special interests. It creates an incentive for businesses to invest in the U.S. & makes U.S. goods more competitive vs. imports ... and of course we would be far less vulnerable to this sort of tax fraud.