Posts Tagged ‘IdentityTheft’

The Trouble With Identity Protection Verification Notices

Friday, September 16th, 2022

The IRS sends two types of Identity Protection Verification Letters: LTR 4883C and LTR 5071C.  If you receive an LTR 4883C, you must call the IRS’s Identity Protection unit so that your return is processed.  If you receive an LTR 5071C, you can generally respond online and have your return processed.

There are three main problems with the verification notices:

  1. Reaching a human at the IRS is extremely difficult;
  2. Tax professionals generally cannot call on your behalf if you receive one of these notices (we can be on the call with you, but the IRS wants the taxpayer to be on the line);
  3. The IRS is not following up with taxpayers who don’t respond to the notices.

Today, I’m going to look at the third issue: the lack of follow-up.  Here’s a real-world example.

A client, call him John Smith, filed his 2021 tax return in May.  He owed the IRS $5,000 in tax and paid that and the appropriate amount of interest.  It was the first time Mr. Smith had ever filed a return after April 15th–and there was no extension.  The IRS assessed the late filing and late payment penalties.  Mr. Smith believed he qualified for First Time Abatement and signed an IRS Power of Attorney form allowing me to request the abatement.  I called the IRS to request the abatement (on my 10th try to reach the IRS today via the Practitioner Priority Service, I got through).  The helpful IRS agent asked me if Mr. Smith had filed his 2019 return.  I said he had (I had a copy of it).  She did some digging, and discovered that the IRS had sent an Identity Protection Letter that Mr. Smith never responded to, and his return was sitting in limbo.  Another copy of the letter is going out in the mail to Mr. Smith, so his 2019 return should soon be processed.  Once that happens, we’ll be able to request the abatement for 2021.

Mr. Smith told me he was stunned by what I wrote; he claims he never received the IRS letter.  Unfortunately, the mail isn’t perfect and it is quite possible that he didn’t receive it.  (Indeed, today a different client told me one of his past due returns had finally been processed and there’s a balance due.  I ran an Account Transcript; in theory, the IRS sent notices to him and me in March showing the balance due.  Neither of us received a notice.  But I digress….)

Let’s consider an alternative reality where three or four months after the initial Identity Protection Unit notice is sent a follow-up notice is sent (if the return remains unprocessed).  There’s a better likelihood of the taxpayer responding and getting the return processed–the goal of all involved.  And the cost of this programming change and sending the letter should be minimal.

Unfortunately, that isn’t the reality we live in today.  Instead, there’s no follow-up and it was only by accident that we discovered the issue.  If my client had timely filed his 2021 tax return, we still wouldn’t know about this issue.  IRS: It’s time to start following up on these notices.

Please Don’t Do This!

Tuesday, January 10th, 2017

Joe Kristan tweeted the following last weekend:

As I was going through my emails this morning, one of my clients (she shall remain nameless) sent me an email with her CP01A notice attached. The CP01A notice is the IRS notice giving a victim (or potential victim) of identity theft his or her Identity Theft PIN. I suspect Joe made that post on Twitter because one of his clients did the same thing as my client.

Meanwhile, another client of mine faxed me his CP01A notice. That’s a far, far safer method of sending the Identity Theft PIN to your tax professional. You can also hand it to your tax professional or upload it using their web portal (or file transfer system—the name isn’t as relevant as the method). Mail is considered a secure means of sending things, too.

Do not email anything containing personally identifiable information such as social security numbers or dates of birth. Of course, if you want to be a victim of identity theft, go right ahead and do so. But don’t say I didn’t warn you.

Third Party Transcript Requests Reportedly Will No Longer be Processed by the IRS

Wednesday, December 2nd, 2015

Form 4506-T allows a third-party to obtain a transcript with your signed permission. One use of the form has been to obtain a tax return transcript when obtaining a mortgage. There have been reports that some individuals who completed this form didn’t have the transcripts sent on. Well, it appears that the IRS is no longer honoring this form unless there’s a Tax Information Authorization (Form 8821) or a Power of Attorney (Form 2848) on file. (Of course, either a Form 8821 or a Form 2848 allows a transcript to be generated.)

This news came out today via individuals calling the IRS’s Practitioner Priority Service. This policy has not been officially published anywhere by the IRS, but based on IRS actions it appears that this policy was put in place because of identity theft concerns.

I do not know what mortgage companies will do in the future, but I would assume they will add a Form 8821 to their requests. I’m not sure how a mortgage company sending over two pieces of paper to the IRS rather than one lowers the risk of identity theft, but whatever.

In related news, the Oklahoma Tax Commission is no longer accepting Oklahoma Power of Attorney forms via fax; they must be mailed to the tax agency. It’s not clear what prompted this change but I’m guessing it’s also identity theft concerns.

Over 1,100 Returns Filed from Two Addresses Lead to Two Heading to ClubFed

Sunday, October 25th, 2015

Two separate cases out of Broward County, Florida highlight that if you submit lots of tax returns from the same address, even the IRS will get suspicious. A former band director and another Floridian will be heading to ClubFed in separate identity theft cases.

In the first case, a former band director apparently used his position to steal 419 identities. From the DOJ press release:

According to court documents, IRS-CI investigators noticed that 419 suspicious tax returns claiming refunds totaling $754,470 were filed from Rogers’ residential address from January 25, 2014 to April 20, 2014. Based on this information, a search warrant was executed at Rogers’ residence and agents discovered and seized papers, notes, and documents containing thousands of PII (including names, dates of birth, and social security numbers) including PII contained in records of more than a dozen Broward County School District students, some dating back to the late 1990s and others into the late 2000s. Agents also seized numerous printed 2013 tax returns.

Delvis Rogers of Hollywood, Florida admitted when his apartment was searched (under a search warrant) that he had prepared and filed hundreds of phony tax returns from his apartment. Mr. Rogers pleaded guilty to two identity theft related charges. He received 61 months at ClubFed and agreed to make restitution to the IRS of $129,321.

In the second case, Keyiona Wright of Plantation, Florida pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. From the DOJ press release:

According to court documents, from March 25, 2014 to May 6, 2015, forty-six federal tax returns were filed with the IRS claiming refunds of $135,196 from an IP address in Plantation. From September 16, 2014 to May 5, 2015, at least 688 rejected federal tax returns, claiming refunds of $733,276, were electronically transmitted to the IRS from this same IP address. Agents confirmed that the IP address was assigned to an apartment rented by Wright.

A search warrant found notebooks, bags, documents, papers, and computers containing personal identification information. “A forensic analysis revealed that the documents, computers, and debit/credit cards seized from Wright’s residence contained identifying or account information for over 14,000 individuals.” And agents found another computer that had a video with Ms. Wright counting money. At least she didn’t post it on Facebook like the Queen of Tax Fraud.

In the end, Ms. Wright pled guilty. She’ll have plenty of time at ClubFed to think over her decisions; she was sentenced to 7 years.

IRS to Tax Professionals: Rules for Thee but Not for Us

Thursday, October 8th, 2015

Today I received an alert from the IRS that a new version of Publication 4557 is available. (At this point, only the web version of the publication is available.) Interestingly, the IRS notes the following:

To safeguard taxpayer information, you must determine the appropriate security controls for your environment based on the size, complexity, nature and scope of your activities. Security controls are the management, operational and technical safeguards you may use to protect the confidentiality, integrity and availability of your customers’ information. Examples of security controls are:

1. Locking doors to restrict access to paper or electronic files;
2. Requiring passwords to restrict access to computer files;
3. Encrypting electronically stored taxpayer data;
4. Keeping a backup of electronic data for recovery purposes;
5. Shredding paper containing taxpayer information before throwing it in the trash.
6. Do not mail unencrypted sensitive personal information.

Further, Authorized IRS e-file Providers that participate in the role as an Online Provider must follow the six security, privacy and business standards to better serve taxpayers and protect their individual income tax information collected, processed and stored. See “Safeguarding IRS e-file” in Publication 1345 for more information. [emphasis added]

There’s nothing wrong with these recommendations; in fact, they’re excellent. But note that the IRS says that authorized e-file providers that participate in the role as an Online Provider must follow these rules.

I highlighted the last rule (#6, above) regarding mailing unencrypted sensitive personal information. Why? Because the IRS is one of the biggest offenders in this area. Indeed, just yesterday TIGTA (the Treasury Inspector General for Tax Administration) issued a report stating this. From the TIGTA press release:

In Fiscal Year 2014, the IRS mailed more than 141 million notices and 37 million letters to taxpayers for various reasons, to help them understand and meet their tax obligations. In a prior review, TIGTA reported that the IRS had not made significant progress in redacting or masking taxpayers’ SSNs from systems, notices, and forms. This audit was initiated to assess the IRS’s progress in eliminating taxpayer SSNs from correspondence.

TIGTA found that as of January 2015, the IRS estimates that it has removed SSNs from 58 (2 percent) of the 2,749 types of letters and 93 (48 percent) of the 195 types of notices it issues.

“A person’s Social Security Number is the most valuable piece of personal data identity thieves can obtain.” said J. Russell George, Treasury Inspector General for Tax Administration. “The fact that the IRS does not have processes and procedures to accurately identify all correspondence that contain Social Security Numbers remains a concern.”

There’s not much to add to this. The IRS needs to act on this as they are a far larger source of identity theft than tax professionals. I state that as I open up an IRS letter and an IRS notice to clients that both contain their social security numbers. And there was the IRS notice which didn’t have the full social security number but put the number within a bar code instead….

IRS Removes Social Security Number from Some Notices But…

Sunday, September 6th, 2015

The IRS has begun removing social security numbers from some IRS notices in the header (leaving just the last four digits, such as xxx-xx-1234). The reason for this is the problem of identity theft. And I give kudos to the IRS for this. Unfortunately, the IRS hasn’t executed this that well.

Today I opened an IRS notice that was sent to a client. The good: The social security number in the header had only the last four digits. The bad: Right below the header the IRS put in a bar code–presumably to make processing of the return mail easier. Below the bar code in relatively small print (but easily readable by me, and I wear glasses) was the deciphering of the code. Of course, it contained the social security number.

My helpful hint to the IRS: It does no good to remove the social security number from the header and then add it right below the bar code. Identity thieves can read it there, too.

When Even IRS Employees Are Tempted to Commit Identity Theft…

Sunday, August 30th, 2015

…you know there’s a huge problem. Especially given that the employee should realize that the Treasury Inspector General for Tax Administration (TIGTA) does look at alleged criminal activities by IRS employees. Yet it happens.

Take Kenneth Goheen of Austin. Mr. Goheen worked in the IRS Austin Service Center. He apparently looked at applications for Individual Taxpayer Identification Numbers (ITINs) and used those applications to file more than 50 fraudulent returns. He pocketed over $120,000 while committing his crimes. Luckily, TIGTA and IRS Criminal Investigation found out about his malfeasance.

As noted in the Department of Justice press release,

“Goheen’s conduct is doubly offensive. He not only stole money from the government, but he used his unique position in the government—a position of trust—to wrongfully enrich himself,” stated U.S. Attorney Richard L. Durbin, Jr.

Mr. Goheen was sentenced to two years plus one day at ClubFed, must forfeit $15,442 seized from his bank account, and must make restitution of $104,292.

While it’s well and good that TIGTA and IRS Criminal Investigation caught Mr. Goheen, consider the question: why did Mr. Goheen commit his crimes? Obviously he thought he’d get away with it–and that’s disturbing. No, I suspect that most criminals think they’ll get away with their crimes. Here, though, Mr. Goheen should be aware of the IRS efforts (or lack thereof) in fighting identity theft. Clearly, he felt that the IRS efforts weren’t particularly meaningful. And that’s what bothers me here.

How to Commit Tax Fraud 101

Sunday, August 23rd, 2015

The Florida Center for Investigative Reporting (FCIR) has an article spotlighting tax return fraud. That in itself isn’t surprising given that Florida is the hotbed for this crime. What is depressing is how easy it is to commit the crime. While the Social Security Death List is no longer available for the fraudsters, FCIR reports that they turned to a commercial service called findmypast.com. The site is designed for finding your ancestors, but enterprising crooks discovered it could be used to commit tax fraud.

My guess is that old records contain social security numbers–the numbers weren’t as big a deal in the pre-Internet era–and they just find people in that manner. Sure, they are undoubtedly violating the Terms & Conditions of the website but if you’re going to commit a felony (or several), what’s the big deal about violating some T&C’s?

Meanwhile, two press releases from the East Bay (near San Francisco) highlight the magnitude of this problem. Ebony Standifer conspired to obtain false identities and used them to obtain $193,602 in false refunds. She pleaded guilty this week to one count of conspiracy to file false claims and one count of aggravated identity theft. Three other East Bay residents pleaded guilty to conspiracy to file false claims in what appears to be a separate tax fraud scheme. These individuals received $287,498 in false refunds.

Until the IRS makes it far more difficult for the fraudsters, this epidemic will continue. As I’ve said, why rob banks?

IRS: Free Identity Protection Services After a Data Breach Isn’t Includable in Income

Thursday, August 13th, 2015

The IRS noted Announcement 2015-22 today, which states:

[T]he IRS will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Additionally, the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages.

Generally, any accession to wealth is includable in income, and there’s a value for the data protection services. Of course, one of the largest data breaches this year was at the hands of…the IRS. While this is clearly a common-sense approach, one must still wonder whether the IRS would have released this announcement if one of the biggest entities to cause a data breach wasn’t the IRS.

Why Rob Banks, Redux

Tuesday, August 11th, 2015

Back in 2012 I noted that gangs were looking at identity theft as the successor to bank robbery. From Los Angeles comes the news that the California Attorney General’s Office, along with the Long Beach Police and the US Postal Inspection Service did a “takedown” of the “Insane Crip” street gang; 22 members are in custody on charges that include 283 counts of conspiracy, 299 counts of identity theft, and 226 counts of grand theft.

The arrest is the culmination of a three-year investigation into the Insane Crip street gang that began after a Long Beach crime spree tied to the gang. A Long Beach Police Department detective discovered evidence containing the personal identifying information of hundreds of California residents at an address associated with the gang. The defendants had used the stolen personal identifying information to commit financial crimes, including identity theft and tax return fraud.

The defendants exchanged the stolen information via text messages to the leaders of the scheme, who would then file fraudulent tax returns, obtain the refunds and load them onto prepaid debit cards in the name of other victims. The debit cards were then used to fund the gang’s illicit activities, lavish lifestyle and to recruit members.

Kudos to all involved, but I will point out, again, that while the IRS has done more to make identity theft difficult, they’ve done nowhere near enough. Even today most of what the IRS does on this front is reactionary. While electronic returns filed now note the computer they’ve been filed from–which is a help–there is much more the IRS could do. The modest proposal I made nearly three years ago would still stop much of today’s identity theft. Yet the IRS spends money on the Annual Filing Season Program. Oh well, venting doesn’t do any good….