Bryan Buck, a federal bank examiner from St. Louis, got a letter last week from Anthem Insurance saying that “cyber attackers” had executed a “sophisticated attack” on its data systems and that his personal information may have been compromised.
He wasn't surprised. He already knew someone else had used his Social Security number to file for a tax refund.
Only days before the Anthem letter arrived, Buck tried to file his tax return electronically using software from a well-known and respected company. “I had everything lined up and ready to go and submitted it to the IRS, and probably within 10 minutes the filing had been rejected,” Buck said. Even before the IRS rejection, Buck says an email from his software provider alerted him to a “duplicate Social Security number match.”
IRS spokeswoman Julianne Breitbeil, says Buck’s experience is similar to that of a growing number of Americans. “Most taxpayers first find out that they’ve become the victim of identity theft when they receive a bounce back from e-filing their tax return.” She says such notices usually inform an individual that their return could not be processed “because somebody had already filed with that Social Security number.”
While it’s not known whether Buck’s information was compromised in this year’s Anthem breach or the 2013 attack on customer data at Target stores, of which Buck was also a victim, or in some other manner, it is evidence that criminals have exploited weaknesses in data security and laws that have so far failed to push companies to update security practices in ways that more completely protect consumers’ financial information.
Protections?
U.S. Sen. Roy Blunt, R-Mo., is pushing cyber security legislation that would require private sector businesses to cooperate with the government and share information about such attacks. Earlier this year, representatives for retailers, cyber security companies and consumer advocates presented testimony before a Senate panel on the issue.
Banks and credit unions that issue debit and credit cards and retailers where those cards are used are confronting the costs of upgrading their systems to accept what is known as Pin and Chip technology. Cards come with a computer chip. The information on a chip is used in combination with an individual’s personal identification number, or pin, to safeguard financial transactions. Most cards issued by U.S. financial institutions don’t have computer chips and most retailers don’t have terminals to handle such cards.
As for the IRS, it too is confronting a growing number of identity theft cases, but Breitbeil says the vast majority of Americans, about “98 to 99 percent are going to come through our system without any problems.”
What to do?
That’s small solace for those who do find that someone has already filed a return with their Social Security number. Breitbeil says those taxpayers must file a paper return and fill out an Identity Theft Affidavit – form 14039, found on the IRS website. “These are among our most complex cases, because we need to figure out that you are who you say you are.”
She says part of that verification process involves IRS officials using historical data and what she called other filters to resolve cases involving identity theft before a taxpayer’s return can be processed and a refund issued. Breitbeil says the current wait for refunds to be issued in such cases is about 120 days (as opposed to approximately three weeks for regular returns). But it can be longer. Buck says he was told that he’d likely have to wait up to six months before seeing his return.
Breitbeil says the first thing victims should do is to fill out the affidavit. She says that’s necessary to begin an IRS investigation. It also shows that you attempted to file your taxes by the April 15 deadline.
Even if you wait until the last minute to file electronically and your return is rejected, you won’t face a penalty for filing by paper after the deadline if you can show that you attempted to e-file prior to April 15. She says if that happens, you should file your paper return as quickly as possible, and follow instructions on the Identity Theft Affidavit.
Breitbeil says the Federal Trade Commission, not the IRS, takes the lead in investigating identity theft cases involving Social Security numbers. She also says the FTC recommends that victims file a police report. “If you’re a victim of identity theft, it’s part of a larger process and you may need that police report down the line to make sure you can validate that there was unauthorized activity on your accounts” for other organizations.
Breitbeil says victims are also encouraged to contact their financial institutions, the FTC, the three major credit reporting agencies and the Social Security Administration.
For his part, Buck says he did all of that, but he says his experience also shows that the IRS is “struggling to keep up with everything right now” with its need for more staff. He says when he first tried to visit the IRS offices in both St. Louis and Chesterfield last Friday, he was turned away from both offices “because they didn’t have any more appointments or openings.”
Buck says he met with an IRS official first thing Monday morning and was told that the fraudulent return had been filed just days prior to his attempt to file his return. He says that while the IRS officer would not give him details, the fraudulent return was claiming a refund for “quite a bit more than what I was actually filing for with my legitimate return.” He also says it’s likely in his case the IRS may have been alerted to the fraud before it paid the bogus refund.
With nearly 20 years of experience dealing with financial institutions, Buck says he thought he had managed his financial information “pretty securely” and that he has “complex passwords” – all of which he’s changed in recent days. He says, “It just proves it can happen to anybody.”
What are the numbers?
Area police departments report more than 2,500 individuals have filed identity theft reports related to their tax returns so far this year.
The IRS says from 2011 through October of last year it stopped 19 million suspicious returns and blocked more than $63 million fraudulent refunds from being issued. In the Fiscal Year that ended last Sep. 30, the IRS says it initiated 1,063 identity theft-related investigations with 748 cases resulting in convictions. Court-imposed jail time according to a statement from the IRS ranged from 43 months to 27 years.
IRS Tips to Avoid Becoming an Identity Theft Victim
Every January, the IRS begins its annual campaign to warn taxpayers about scams that can put their personal financial information at risk. It also offers suggestions on ways to help avoid becoming an identity theft victim.
- Don’t carry your Social Security card or any documents that include your Social Security number or Individual Taxpayer Identification Number
- Don’t give a business your SSN or ITIN just because they ask. Give in only when required
- Protect your financial information
- Check your credit report every 12 months
- Review your Social Security Administration earnings statement annually
- Secure personal information in your home
- Protect your personal computers by using firewalls and anti-spam/virus software, updating security patches and changing passwords for Internet accounts
- Don’t give personal information over the phone, through the mail or on the Internet unless you have initiated the contact or you are sure you know who you are dealing with
The following links can help you avoid becoming a victim of identity theft and help you if someone does steal your identity:
IRS Taxpayer Guide to Identity Theft
IRS Form 14039 - Identity Theft Affidavit
The Social Security Administration
Credit Reporting Agencies
Inform our coverage
This report contains information gathered with the help of our Public Insight Network. To learn more about the network and how you can become a source, please click here.