The IRS recently released its annual list of the top 12 tax-related schemes, known as its “Dirty Dozen” and described in detail by the IRS. Both the top item on the list and a number of the others relate to the risk of identity theft and provide advice about how to protect against it. In summary, the list includes the following warnings for taxpayers:
- Identity Theft – For instance, a fraudster may use a legitimate taxpayer’s identity to fraudulently file a tax return and claim a refund.
- Phishing – Phishing schemes employ an unsolicited email or a fake website to extract personal and financial information that may be used for identity theft.
- Return Preparer Fraud – Tax preparers can prey on clients via refund fraud or identity theft. The IRS warns taxpayers that they should use only preparers who sign the returns they prepare and enter their IRS Preparer Tax Identification Numbers (PTINs).
- Hiding Income Offshore – Financial accounts maintained abroad still have reporting and disclosure requirements. The IRS has pursued numerous individuals for evading U.S. taxes by hiding income offshore.
- “Free Money” from the IRS & Tax Scams Involving Social Security – Scammers advertise free money from the IRS (often targeting low-income and elderly individuals) and then charge for advice suggesting false entitlement to tax credits or non-existent Social Security refunds or rebates.
- Impersonation of Charitable Organizations – Fraudsters may impersonate charities to get money from taxpayers or private information from disaster victims under the guise of assistance with the filing of casualty loss claims and special tax refunds.
- False/Inflated Income and Expenses – Includes reporting income that was never earned in order to maximize refundable credits or filing excessive claims for the fuel tax credit.
- False Form 1099 Refund Claims – In this ongoing scam, the perpetrator files a fake information return, such as a Form 1099 Original Issue Discount (OID), to justify a false refund claim on a corresponding tax return.
- Frivolous Arguments – The IRS has a list of frivolous tax arguments that taxpayers should avoid, as they have been rejected by the courts.
- Falsely Claiming Zero Wages – Filing a phony information return to lower the amount of taxes an individual owes.
- Disguised Corporate Ownership – The improper use of third parties to disguise the true ownership of the business in an effort to underreport income, claim fictitious deductions, avoid filing tax returns, participate in listed transactions and facilitate money laundering and financial crimes.
- Misuse of Trusts – Some highly questionable transactions involving trusts are primarily used as a means of avoiding income tax liability and hiding assets from creditors, including the IRS.
While the above warnings are valid, the IRS itself presents a security risk to personal information that could lead to identity theft. According to the United States Government Accountability Office’s (“GAO”) March 2013 Report to the Acting Commissioner of Internal Revenue on Information Security, the IRS has made strides to improve security controls, but certain weaknesses persist. Specifically, the GAO reports that “serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data.” The GAO highlights that the IRS has not consistently
“(1) implemented effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers;
(2) appropriately restricted access to its mainframe environment;
(3) effectively monitored the mainframe environment; or
(4) ensured that current patches had been installed on systems to protect against known vulnerabilities”
And further warns:
“Until IRS takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate use, modification, or disclosure, possibly without being detected.”
The GAO suggests the IRS fully implement the GAO’s prior recommendations, as well as take the following four actions:
- “Update policies and procedures to ensure that they address (1) both methods available for granting all users access to mainframe resources, (2) audit and monitoring of access from one processing environment to another, (3) use of appropriate accounts by multiple databases on a single server, (4) data storage shared between systems, (5) out-of-date security standards, and (6) reconciliation of access privileges;
- update test and evaluation methodology to ensure that it determines whether authentication controls are operating effectively;
- update mainframe test and evaluation processes to improve periodic monitoring of compliance with IRS policies; and
- fully document a continuous monitoring strategy that includes requirements and activities definitions at each organizational tier.”
In support of these recommendations, the GAO also provided 30 detailed recommendations in a separate limited distribution report. Clearly, the IRS has significant work ahead to ensure the safety of taxpayer information with which it is entrusted.
Fulcrum Inquiry performs forensic accounting services, including fraud investigations.