With Tax Day right around the corner (April 18), the National Consumers League interviewed IRS Commissioner John Koskinen as part of their #DataInsecurity Thought Leaders series. The wide-ranging interview with Commissioner Koskinen explored a range of questions about the agency’s success at reducing tax identity fraud rates and dealing with fraudsters using stolen data.
The interview is provided courtesy of the National Consumers League, where it was originally published.
National Consumers League: Tax identity fraud remains a top concern for many consumers. For example, employment or tax-related identity fraud remains the top type of ID theft complaint filed with the FTC. For its part, the IRS has shown significant progress in reducing rates of tax identity fraud in recent years. To what do you credit this success and what remains to be done?
Koskinen: The problem of tax-related identity theft really exploded from 2010 to 2012, and for a time overwhelmed the IRS and others in law enforcement. We took a series of actions such as improving identity theft filters, creating partnerships with banks to stop suspicious refunds and offering an Identity Protection Personal Identification Number (IP PIN) for victims. We were making progress, but as we evolved, so did the nature of this crime. Initially, tax-related identity theft was a crime of opportunity committed by unscrupulous tax preparers and other individuals. But then we began to see the presence of national and international criminal syndicates. They deployed sophisticated cybercriminals who prepared and planned for tax filing season, acquiring massive amounts of data from sources outside the IRS to impersonate taxpayers, file false returns and claim fraudulent refunds. It was clear we could not fight this enemy alone.
In 2015, we convened the Security Summit, an initiative that brought together the IRS, state tax agencies and members of the tax industry. We decided to identify a series of actions that, together, we could put in place quickly for the 2016 filing season. For example, we put in place stronger password requirements for tax software products to protect taxpayers from account takeovers. And, the tax software industry agreed to share a series of data elements from tax returns with the IRS and states, to help us detect computer-generated fraudulent returns. Our focus has been on “trusted customer” features that help us have confidence that the person filing the tax return is who they say they are.
The final results from 2016 are now here. We made tremendous progress in stopping fraudulent returns. Because we did a better job keeping bad returns from ever entering our systems, we saw a 30 percent drop in the number of confirmed identity theft returns caught by our filters. We saw a 50 percent decrease in the number of questionable refunds being issued and stopped by banks. And, most importantly, we saw a 46 percent decline in the number of taxpayers reporting to us that they were victims of tax-related identity theft.
The amount of progress we made is tremendous, but we are not declaring victory. There is still much work to be done We enacted even more “trusted customer” features for the 2017 tax season and, though we have limited data, we believe we are on the right path and are continuing our progress. Congress also gave us a tremendous tool. They passed legislation requiring Form W-2s to be filed with the IRS in January instead of March. This helps us match the income information, which is very helpful to stopping identity theft and fraud.
Our various Security Summit working groups will meet again soon and decide what additional actions we will consider for 2018. One area we want to improve is in identifying suspicious returns and reducing false positives. We have been casting a pretty wide net, and we want to be able to reduce the number of legitimate taxpayers who must call us and verify their identities. Another area that holds great promise is the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (ISAC), which we began this year. This will allow all Summit partners to immediately share details on emerging schemes and allow the IRS and states to share information to protect taxpayers. It’s like a radar array or early warning system against identity thieves. The ISAC holds great promise for the future of our cooperative efforts against identity thieves and will be a focus of our efforts going forward. So, while we still have a lot of work to do, I definitely think we are on the right road, and we’re on the right road because we are working with all of our partners in this fight.
NCL: One of the reasons that tax identity fraud remains a big problem is that it’s easier than ever for fraudsters to get their hands on consumers’ personal information thanks to rampant data breaches that compromise that information. What role do you see the IRS playing in efforts to get companies and other organizations to better protect the security of that data?
Koskinen: Our message is that we all have a role in preventing identity theft. In 2015, as the Security Summit first gathered, it was clear to all of us that to be truly successful, we needed the involvement of everyone. In the fall of 2015, we launched the “Taxes. Security. Together.” campaign aimed at increasing security awareness among taxpayers. This is critical because here’s what’s happening: as the Security Summit makes progress against identity theft, these cybercriminals need more and more personal data to better impersonate taxpayers. A few years ago, if the thief just had a name and a Social Security number, they might be successful in filing a fraudulent return, but that is no longer the case. We’ve secured the front door and our filters are more sophisticated. But as we’ve changed, so have the cybercriminals. They increasingly are targeting companies and their employees’ W-2 forms.
One of the most dangerous phishing scams we’ve seen involves criminals posing as a company executive and emailing a payroll employee to request a list of employees and their W-2s. Thousands of W-2s have been stolen so far this year using this scheme. We’ve issued repeated warnings, and I think we are increasing awareness. Businesses can visit our web page, www.irs.gov/identitytheft, to learn more about this scam and how to report it to us. All employers must educate their employees about phishing scams, how to recognize them and how to avoid them. We are trying to do everything we can to raise the alarm and to give taxpayers the tools and information they need to be more secure.
NCL: NCL’s advice to consumers about the best way to reduce their risk of tax identity fraud has been to file as early in tax filing season as possible so as to get ahead of the fraudsters. In your opinion, do you think that’s sound advice? Understanding that there’s no “silver bullet” to preventing tax ID fraud, what frustrates you most about what consumers could be doing — but maybe aren’t — in order to reduce their risk?
Koskinen: We advise taxpayers to file their returns only when they have all the information and documentation they need to file accurately. If they file trying to “beat” the fraudsters, they may increase their chances of making an error or not having all their documentation, which could either delay their refund or require them to file an amended return. It’s our job to identify and stop fraudulent tax returns, protect tax revenue and the nation’s taxpayers. I want to make clear that there is no blaming the victim here. I also want to make clear that this is not just an IRS issue or a tax fraud issue. Tax fraud is just one way criminals try to quickly monetize their stolen data.
But, as noted, we do need everyone’s help. There’s a saying that applies here: “Treat your personal data like you do your cash; don’t leave it lying around.” Consumers can take a series of easy and simple steps to help make sure their information is secure. Example: Use anti-malware software to protect yourself on the web. Use long, unique and complex passwords to protect each of your accounts and don’t use the same user i.d. and password on all of your accounts. Learn to recognize and avoid phishing emails. Don’t fall for the “update your account now” email scam that seeks to steal your password. Don’t open any links or attachments from suspicious emails. As part of our “Taxes. Security. Together.” campaign to increase awareness, we created Publication 4524, Security Awareness for Taxpayers, that gives a quick overview of steps everyone can take to be safer. Last December, we held our first National Tax Security Awareness Week, and we hope to do that again this year.
NCL: Millions of consumers rely on professional tax preparers to help them prepare and file their taxes every year. What do you think the tax preparation industry could do to better protect their clients from tax ID fraud?
Koskinen: Tax professionals are among our most important allies in the fight against identity theft. Both the tax software industry and the tax practitioners are working with us and state tax agencies every step of the way. And, what we’ve seen in recent years is that both the tax software providers and the tax practitioners increasingly are targeted by these criminal syndicates. Phishing scams target taxpayers and tax preparers in an effort to steal their username and passwords to access their tax software accounts. Scammers posing as potential clients try to download keystroke-tracking software onto preparers’ computers. We’ve even seen cases where cybercriminals were able to gain remote control of preparers’ computers, find clients’ tax returns, finish and file the returns, and redirect refunds to the criminals’ accounts. As a follow-up to the “Taxes. Security. Together.” Campaign, we launched a “Protect Your Clients; Protect Yourself” effort aimed at increasing awareness among tax professionals. The phishing scams that are specifically targeting tax professionals are becoming more common and more elaborate. Every tax preparer should be aware that they are in the crosshairs of these criminals and that they have an obligation to protect their clients’ data. There is a need to increase security awareness among some in the tax professional community, just as there is for the taxpayers at large.
NCL: 2017 was the first year that EITC and ACTC-eligible consumers were affected by the PATH Act’s requirement that the IRS hold their refunds until February 15. The delay was intended to give the IRS additional time to spot and stop tax ID fraud and other types of tax fraud. In its first year of effect, do you think the PATH Act is having its intended effect?
Koskinen: We know having this additional time to review tax returns will be helpful. However, we won’t be able to quantify how useful until the filing season is over. At that point, we will have better information about the impact of the refund holds. The PATH Act also contained a provision that required Form W-2s to be sent to their IRS in January instead of March, which is a great help as well.
This has already allowed us to authenticate and release more quickly legitimate tax returns and refunds that our filters stopped because of suspicious characteristics.
NCL: Are there other topics related to tax identity fraud and/or data breaches that we didn’t cover, but you think consumers should be aware of?
Koskinen: Every day, there are more than one million attempts to breach the IRS systems. I want to reassure individual and business taxpayers that our main files with taxpayer accounts remain secure. But protecting our systems requires resources and it requires personnel. Congress recognized that, and in 2016 gave us our first budget increase in six years in part to fight identity theft. That was very helpful.
I also would be remiss if I did not mention one of the most vexing scams and its various mutations: the IRS impersonation call, email and text. Thousands of people have lost millions of dollars to the phone scam alone. The telephone call often comes from another country, but because of computer technology, criminals can mask the phone number to make it appear as if it’s coming from Washington, D.C. or your home state. The caller generally threatens their victim with jail or a lawsuit unless they immediately pay by a debit card.
I want people to realize it’s easy to tell the scammers from the IRS. First, a phone call is not our first contact with taxpayers who owe a tax payment. We send a letter before we call. Second, we never threaten people. Third, payments are made to the U.S. Treasury by check or electronically – not a debit card. If you are ever in doubt about whether a person who called you is really from the IRS, you can check by calling our toll-free telephone helpline and talking to one of our customer service representatives. Another variation of the IRS impersonation scam is a letter threatening a lien or levy unless payment is made immediately. If you get a suspicious call, letter or email out of the blue, please check it out and please keep in mind the IRS never asks for a specific payment method, such as a debit card.
The need to be aware of phone scams is especially important now, because the IRS is beginning a private-debt collection program. Under that program, we have contracted with several private collection firms that will contact a limited number of taxpayers about back taxes they owe. I want everyone to know that the taxpayers whose accounts are selected have already been contacted by the IRS multiple times and know they have a tax debt. Plus, these taxpayers will first be notified by the IRS by letter that they have been selected, even before they hear from the private collection firm. We are very concerned scam artists could use this program as a cover to swindle taxpayers. So if you believe you’re current on your taxes and you get a call from someone demanding you pay an overdue federal tax bill, that’s a sure sign of a scam. Once again, I would urge everyone to do everything possible to protect their personal and financial information.