BPM

2015 IRS Breach and Fraudulent Tax Returns

06.30.15

Summary

Every year, criminals file fraudulent tax returns at the state and federal level so they can claim your tax refund for themselves. This year, the number of fraudulent tax returns filed increased significantly due to information acquired from the Internal Revenue Service (IRS).

How Did This Occur?

The IRS maintains a Get Transcript application on their website, which allows taxpayers to obtain a copy of their prior year tax returns by answering a series of personal questions before gaining access to create a user name and password. The assumption the IRS made was that only the individual taxpayer would know this information and, therefore, answering the questions would authenticate the taxpayer.

Earlier this year, criminals attempted to use the Get Transcript application to access prior year tax returns for approximately 200,000 taxpayers. They were successful about half the time and gained access to over 100,000 accounts. With this information they were able to fill out and file a 2014 state or federal tax return on behalf of the taxpayer, making minor adjustments to increase the refund amount and redirecting the refunds to someone other than the taxpayer. If your account was accessed before you filed your tax return, your attempt to file would have failed and you are already aware of being a victim. If the criminals attempted to get your information and failed, the IRS will be sending a notification to you.

Clearly the IRS's assumption that the answers to the verification questions are known only to the taxpayer was incorrect and caused a serious issue. This method of authentication is not new and is used on various websites, but it is not generally considered to be a secure solution. The answers to the personal questions asked on these forms are often easier to know or guess than they should be. Sometimes a simple internet search or gaining access to your social media accounts can provide the answers. Information can also be obtained through other security breaches, such as what recently occurred at retailers, healthcare companies, and the Veterans Administration.

What You Can Do To Protect Your Information

The IRS has temporarily shut down the Get Transcript application while they make adjustments to reduce the likelihood of this happening again. In the meantime, taxpayers can fill out , to get a copy of their transcripts. It's hard to know when the adjustments will be finished and what exactly will be changed when the Get Transcript application returns, but it's difficult to imagine the IRS will be able to resolve the core challenge of finding a secure way to authenticate a taxpayer who has not yet registered with the Get Transcript application.

As soon as the Get Transcript application is available again, taxpayers should register themselves and choose a secure password before criminals do it on their behalf. The password chosen should not be the same password used for social media sites, e-mail, banking sites, or any other sites you log into, so that a hacked e-mail account can't provide access to the extensive financial information in a tax return. A username and password combination is always more secure than personal questions, but the personal questions solution is commonly used to help with password resets on banking and other sites. One way to make these questions harder to crack is to answer them with passwords instead of the real answers. This is much easier to do if you use a secure, encrypted password manager on your computer, tablet, or smartphone.
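The sketch below shows what replacing personal question answers with passwords can look like in practice. It is an added example, not part of the original article or any IRS tool: the site names and questions are constructed placeholders, and the resulting answers are assumed to be stored in your password manager. It generates an unrelated random answer for every question on every site and flags any answer that is reused.

```python
import math
import secrets

# Alphabet without look-alike characters (no 0/o, 1/l/i), so an answer can be
# typed from a password manager or read aloud over the phone without mistakes.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def random_answer(groups=4, group_len=4):
    """Return a random answer such as 'k7wq-m3xp-9dfe-t2ha' from the OS CSPRNG."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


def entropy_bits(groups=4, group_len=4):
    """Bits of entropy in one generated answer."""
    return groups * group_len * math.log2(len(ALPHABET))


def build_vault(sites):
    """Give every (site, question) pair its own unrelated random answer."""
    return {(site, q): random_answer() for site, qs in sites.items() for q in qs}


def reused_answers(vault):
    """Return answers stored under more than one (site, question) entry."""
    seen = {}
    for key, answer in vault.items():
        seen.setdefault(answer.strip().lower(), []).append(key)
    return {a: keys for a, keys in seen.items() if len(keys) > 1}


if __name__ == "__main__":
    # Constructed sample data: placeholder sites and typical questions.
    sites = {
        "bank.example": ["Mother's maiden name?", "Name of first pet?"],
        "tax.example": ["Mother's maiden name?", "Street you grew up on?"],
    }
    vault = build_vault(sites)
    for (site, question), answer in vault.items():
        print(f"{site:14} {question:26} {answer}")
    print(f"{entropy_bits():.1f} bits per answer; reused: {reused_answers(vault)}")
```

Because the same question ("Mother's maiden name?") gets a different answer on each site, an answer exposed in one breach or found through an internet search does not help anyone pass the questions somewhere else.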
