Identity thieves don’t need houses full of dependents, creative deductions or fancy accountants to score a big tax refund.
All they have to do is file fraudulent tax returns or redirect authentic ones, sometimes even from behind bars, in order to collect millions of dollars—at the expense of legitimate taxpayers and the government.
Sounds like a scam just dumb enough to work, and so far it has—in staggering sums. Though no one knows exactly how much money these tax bandits have stolen, the picture appears grim. Fraudulent tax refunds filed by prison inmates alone quadrupled from $68 million to $295 million over a five-year period ending in 2009, according to an audit of the IRS by the U.S. Treasury Inspector General for Tax Administration. In the same year, tax-related fraud affected more than 43,000 people, and the IRS Identity Protection Specialized Unit, which tracks and responds to identity theft issues, took 87,000 calls.
The IRS—which is, after all, pretty good at math—recognizes the scope of the problem and has taken steps to remedy it, with some positive results. But critics argue that the agency’s efforts are inadequate.
“With IRS financial systems security, it’s one step forward, one step back,” said Greg Wilshusen, the U.S. Government Accountability Office’s director of information security issues. “They do take corrective actions, but in some cases they’re not sufficient, and we find new issues every year. Many of these are very basic information-control issues that you’d think should be addressed.”A perfect storm
Every year identity thieves come up with new ways to dupe the IRS. Some file fake W-2s in victims’ names to collect refunds. Others create phony websites posing as the IRS or an accounting firm to trick taxpayers into submitting personal information.
The IRS is a tantalizing target, given its size and antiquated data systems.
The sprawling agency has tens of thousands of full-time employees at its Washington, D.C., headquarters, 10 service center campuses, three enterprise computing centers and dozens of field offices and walk-in centers across the country. It’s all run on networks of computer systems that dwarf those of most large corporations.
“Several IRS computer systems are very old and are caught in varying states of modernization,” Wilshusen said.
Add thousands of seasonal workers and an ever-changing tax code and you have the perfect storm of bureaucratic gridlock and data vulnerability.The IRS takes action
The agency stepped up its game in 2008, when it developed a marker system to identify victims of fraud, introduced new screening procedures, opened the Identity Protection Specialized Unit and unveiled an identity theft hotline.
By 2010, the IRS had reported some success:
- Through September, more than 615,700 taxpayer accounts had received markers indicating substantiated identity theft. That number is expected to increase this year.
- More than 82,000 returns were selected for additional screening.
- More than 48,000 fraudulent returns were stopped before refund checks were issued.
- 4,109 phishing websites purporting to be irs.gov were shut down.
And, in an attempt to reduce sham refunds issued to prisoners, the IRS also reached an agreement with the Federal Bureau of Prisons.
Still, some say it’s not enough.
“Prisoner tax fraud is a low priority for the federal government,” said Sen. Chuck Grassley, an Iowa Republican and member of the Senate Finance Committee, after the 2009 Inspector General audit.
The GAO takes a similar view. The independent, nonpartisan agency keeps tabs on how taxpayers’ money is being spent—and keeps other government offices on the straight and narrow. It annually audits the IRS’s data-handling practices and makes security recommendations.
In 2009, the GAO issued a report documenting 89 “control weaknesses and program deficiencies”—such as insufficient protection of tax-return information and poor employee passwords and file permissions—which made the IRS vulnerable to hackers and con artists. A year later, the GAO found that the IRS had corrected only 31 percent of these problems.
The GAO also identified 23 new issues in its 2010 report. It plans to release a follow-up this month.
Last year, the IRS announced it was drafting a “detailed corrective plan” in response to the GAO report. Asked about it recently, nearly a year later, an IRS spokesperson replied simply, “There are no updates available at this time.”
© CyberScout, LLC. All Rights Reserved.