IRS wins some, loses a few in fight against identity theft and data loss
GAO report says internal security weaknesses could lead to identity theft
- By William Jackson
- Oct 13, 2009
The IRS recorded more than 51,000 cases of apparent taxpayer identity theft last year and paid out $15 million to fraudulent tax refund claims, according to a report released by the Government Accountability Office.
The IRS is developing an identity protection strategy and its Online Fraud Detection and Prevention office, established in 2007, helped to shut down more than 3,000 Web sites suspected of phishing for taxpayer data in 2008. The program had shut down 949 malicious sites through April of this year. But the IRS also faces internal threats to taxpayer privacy, GAO said. The agency reported 149 incidents of data loss affecting 911 taxpayers last year.
“Perhaps more importantly, IRS has information security weaknesses that increase the likelihood of IRS employees committing identify theft,” GAO said.
In January, GAO reported that IRS did not have consistent security controls to prevent and detect unauthorized access to its systems. The agency did not always enforce strong password requirements for user authentication and did not adequately restrict user access to data needed to perform job functions.
The agency said it is in the process of addressing weaknesses in authentication and authorization.
Overall, identity theft creates tax problems for a relatively small number of people, GAO said, but those problems can be serious and long-lasting because the incidents typically do not surface at the IRS until well after the theft has occurred. The IRS established an Identity Protection Specialized Unit in 2008 to act as a central point of contact for incidents of identity theft, but investigation and resolution of these cases remains decentralized, each being handled by the office that discovers it.
The agency was able to stop about 90 percent of $164 million worth of refunds identified as fraudulent last year and is refining its procedures for dealing with identity theft. About $15 million was paid before the IRS identified them as fraudulent. But the GAO said IRS needs to create performance measures to determine how effective its programs are. IRS said it expects to have such measures in place for the 2010 tax filing season.
Identity theft usually becomes a tax problem for victims when a thief files a fraudulent tax return to claim a refund, typically using a stolen Social Security Number. In this case, the legitimate taxpayer’s refund will likely be frozen until IRS can determine the legitimate owner of the number. The second tax problem caused by identity theft is use of someone else’s name and Social Security Number to obtain a job. Income reported to the account as a result of the fraudulent employment can then appear to be income unreported for the legitimate owner of the number. This could subject the taxpayer to IRS enforcement action.
Tax refunds also are used as phishing bait to steal identities, GAO noted. “According to IRS, there are a variety of online schemes that victimize taxpayers. ‘Get Your Refund’ phishing e-mails appear to be legitimate e-mails from IRS notifying a taxpayer that they are entitled to a refund and can claim it quickly by clicking on a fraudulent link within the e-mail and providing their personally identifiable information.”
Web sites offering phony electronic tax return filing services also are used to steal personal taxpayer information.
The IRS Online Fraud Detection and Prevention office searches for fraudulent online activity and identifies possible victims of these schemes. There are challenges in combating such sites, however. “OFDP officials stated that schemes and Web sites that originate outside the United States are particularly challenging because of jurisdictional issues,” GAO said. Using multiple IP addresses also can make it difficult to identify and stop an offender.
There also can be reluctance by victims to report fraud. “To help overcome this, officials stated that they are working with organizations such as the National Cyber Forensics and Training Alliance, Anti-Phishing Working Group, and others, to facilitate and improve information sharing about fraud schemes,” GAO said.
William Jackson is freelance writer and the author of the CyberEye blog.