​Scammers were very successful last year with a scheme to snatch W-2 pay stub data from employers. The IRS is warning that it may be one of several techniques scammers utilize this year.

​Fraudsters simply identify employees with access to company payroll data and pretend to be a fellow employee emailing from an outside address. “Hi, I work in accounting. Do you think you could send me the payroll data on file? I’m traveling today and working on preparing my 2017 tax return.”

The IRS said this surprisingly simple tactic worked on more than 200 employers last year and compromised the W-2 information of hundreds of thousands of employees. The stolen data included names, addresses, Social Security numbers, income and withholdings. Scammers then used the data to file returns and claim refunds from the employees' tax withholdings.
​
If you’re an employee, it’s hard to defend against this kind of scam because the breach happens to your employer. If you file and get an IRS notice that a return has already been filed in your name, you’ll know you’re a victim.

​If your refund was nabbed by a scammer, the good news is that the IRS will still eventually send you a replacement refund. The bad news is it can take a very long time—six months to a year or longer—for the IRS to investigate your case.

If that doesn’t sound appealing, know that there are a few things you can do to minimize your risk:

1. File early. By filing early you close the window of opportunity for scammers.
2. Request an IRS PIN. This one-time-use number provided by the IRS is entered on your 1040 forms as an added measure of security. Those whose identities have been stolen are automatically placed in the PIN program, but you may also opt-in to it yourself.
3. Minimize excess withholdings. If you had your withholdings calculated properly during the year, you can minimize the amount available for scammers to steal. Check your withholdings throughout the year using the IRS web tool. Unfortunately, it won’t be available for the 2018 tax year until late February, due to the recently passed Tax Cuts and Jobs Act.

​If you own a small business, be vigilant against a growing wave of identity theft against employers. Small business identity theft is a big business for identity thieves. Just like individuals, businesses may have their identities stolen and their sensitive information used to open credit card accounts or used to file fraudulent tax refunds for fake refunds.

In the past year, the IRS has noted a sharp increase in the number of fraudulent Forms 1120, 1120S, and 1041 as well as Schedule K-1. The fraudulent filings apply to partnerships as well as estate and trust forms.

Identity thieves are displaying a sophisticated knowledge of the tax code and industry filing practices as they attempt to obtain valuable data to help file fraudulent returns.

Identity thieves have long made use of stolen Employer Identification Numbers (EINs) to create fake Forms W-2 that they would file with fraudulent individual tax returns. Fraudsters also used EINs to open new lines of credit or obtain credit cards. Now, they are using company names and EINs to file fraudulent returns.

As with fraudulent individual returns, there are certain signs that may indicate identity theft.

Business, partnerships, and estate and trust filers should be alert to potential identity theft and contact the IRS if they experience any of these issues:

• Extension to file requests are rejected because a return with the Employer Identification Number or Social Security number is already on file
• An e-filed return is rejected because of a duplicate EIN/SSN is already on file with the IRS
• An unexpected receipt of a tax transcript or IRS notice that doesn’t correspond to anything submitted by the filer
• Failure to receive expected and routine correspondence from the IRS because the thief has changed the address

​Passwords are often the key to protecting access to private information and data stored on computers or sent over email. Because most taxpayers file their returns electronically and access account information online, it is essential for taxpayers to not only use strong passwords for all tax-related accounts, but to do everything they can to protect those passwords.

​Earlier this year, hackers managed to breach the security of Equifax, one of the three national credit reporting agencies. More than 143 million Americans — almost half the US — were exposed to the attack, and may have had their personal information stolen, including names, birthdates, Social Security numbers, and driver's license numbers.

Equifax is still figuring out precisely whose data was compromised. While you wait to find out, it's worth taking a few proactive steps to make sure hackers do not misuse your information.

Start checking. Visit Equifax's website at equifaxsecurity2017.com and enter your last name and the last six digits of your Social Security number. The site will tell you whether it's likely or not your data has been exposed, and put you on a list to get more information. You can also sign up for one year of credit monitoring provided by Equifax.

Watch your statements. Start checking your credit card statements, and pay careful attention to cards you don't use often. The first reports from the breach were that hackers may have been making charges on cards that were not used frequently.

Check your credit reports. You can look for suspicious items on your reports, such as new accounts being opened in your name, at all three credit report agencies: Equifax, Experian, and TransUnion. Free annual reports are available at annualcreditreport.com.

Freeze your credit. If you suspect you may be a victim of identity theft, you can place a credit freeze on your profile at each of the three credit reporting agencies. This stops anyone from opening new accounts in your name. Keep in mind that you'll have to unfreeze your accounts if you want to apply for new loans or make your credit accessible for things like job applications.

File your taxes early. One of the most common ways identity thieves use your information is to try to claim a tax refund with your data. This was the most common scam in 2016, according to the Better Business Bureau. If you file your tax return as early as possible, you shut down this opportunity for any potential thieves.

Equifax, one of the three main credit reporting agencies, recently announced a cybersecurity breach affecting around 143 million US consumers. More than half of US adult's information was compromised. Criminals exploited a US website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers. In addition, hackers accessed credit card numbers for 209,000 US consumers, and dispute documents with personal identifying information for 182,000 US consumers.

Equifax discovered the breach on July 29. The company has hired an independent cybersecurity firm that has been conducting a forensic review to figure out the scope of the intrusion, including the specific data affected. The company's investigation is still ongoing and is expected to be completed in the coming weeks.

IRS scams are constantly changing, so you have to stay knowledgeable of the scammer's latest methods. Pretending to be an IRS agent is one of the favorite tactics of scam artists, according to the Better Business Bureau. The con artists impersonate the IRS to either intimidate people into making payments over the phone, or to send misleading emails tricking people into sharing personal information digitally.

​You can defend yourself against these scammers by knowing these simple rules:

​In almost every case, the IRS will send you a letter via standard mail if they need to get in touch with you. This will alert you to expect future communication from the agency and instruct you on the best ways to get in touch with them.

What to do: If you get a letter from the IRS that is unexpected or suspicious, it should have a form or notice number searchable on the IRS website. If something doesn't look right, you can call the IRS help desk at 1-800-829-1040 to question it.

​The IRS will never initiate contact with you using email. A common scammer trick is to send emails to taxpayers using accounts and graphics that imitate the agency's. They may threaten imprisonment or fines if you don't pay up, or promise an extra refund if you send money to "prepay" your taxes. Often the emails contain links to an official-looking fake website to collect payments. Clicking on them may also trigger the installation of virus programs on your computer.

What to do: Don't respond to any email communications supposedly from the IRS. Don't click on any links. Delete the email or forward it to phishing@irs.gov to help catch the scammers.

​After notification via the USPS, the real IRS may call you to discuss options to handle delinquent taxes or an audit. A real IRS agent or a debt collector won't demand immediate payment without giving you an opportunity to question or appeal the bill. Nor will they threaten lawsuits, arrest or deportation. Their tone should not be hostile or insulting. Finally, if they ask for payment, they should be asking you to make it out only to the United States Treasury.

What to do: If you get a call from the IRS or an IRS debt collector, politely ask for the employee's name, badge number and phone number. They shouldn't hesitate to provide this information. You should then end the call and dial the IRS at 1-800-366-4484 to confirm the person's identity.

​Ask the person for their credentials. Every IRS agent should be able to produce two forms of credentials: a pocket commission card and a personal identity verification card issued by the Department of Homeland Security, also called an HSPD-12.

What to do: Never provide sensitive information nor confirm information they may have without first independently verifying they are legitimate representatives of the IRS. If you have concerns you can call the IRS at 1-800-366-4484 to confirm the person's identity.

Identity theft is a growing problem in the United States. Dozens of companies offering various forms of identity theft protection have sprung up to combat it. Unfortunately, these services often do little to actually protect people's identities, according to a study released by the U.S. Government Accountability Office (GAO).

Both the GAO study and consumer protection organizations like The Identity Theft Council point out that consumers have more effective, low-cost methods to protect themselves from identity theft. Here are some of their tips:

Monitor your own credit. You can get a free credit report from each of the three credit reporting agencies once a year at annualcreditreport.com. You can stagger your request from each agency so that you can check your credit history for any suspicious new account openings every four months.

In addition, one of the most effective things only you can do yourself is to scan your monthly credit card and bank account statements. If you see any irregularities, contact the financial institution at once and let them know if you believe any charges are the result of identity theft.

Place a fraud alert. You can place a free fraud alert on your identity if you believe you've become vulnerable for any reason, either because you lost your wallet, had your home or car broken into, or had your information stolen online. All you have to do is call any of the three credit reporting agencies (Equifax 1-888-766-0008; Experian 1-888-397-3742; or TransUnion 1-800-680-7289) and they will notify the other two.

Placing a fraud alert lasts for 90 days. Any credit provider will have to take extra steps to verify the identity of any person who tries to use your credit and open new accounts. It can be renewed for free every 90 days.

Freeze your credit. If you aren't going to be applying for new credit for a while, one of the most effective things you can do to combat identity theft is to put a temporary freeze on your credit. You'll have to call each of the three credit reporting agencies and may be required to pay a small fee ($5 to $10 each) to freeze your account, after which no one will be able to access your credit to open new accounts. It won't affect your credit rating or your ability to use your existing accounts.

Keep in mind that while this shuts down other people from accessing your credit, it also stops you from opening new accounts. It typically takes three days for the agencies to unfreeze your accounts, so keep that in mind if you want to apply for new credit, or need to allow a potential new employer to access your credit report as part of a background check.

Do your taxes early. One of the most common kinds of identity theft is when people use a stolen Social Security number and other personal information to file a fraudulent tax return in the hope of snatching a refund. Your best defense is to simply file your return as soon as possible. Once the IRS receives your return, it shuts the door on potential identity thieves.

Tips on Making Charitable Contributions:

• Be wary of charities with names that are similar to familiar or nationally known organizations. Some fake charities use names or websites that sound or look like those of respected, valid organizations. Legitimate charities will make available their Employer Identification Number (EIN), if requested, which can be used to verify their legitimacy through the IRS.
• Don’t give out personal financial information, such as Social Security numbers or passwords, to anyone who solicits a contribution. Scam artists may use this information to steal identities and money from victims. Donors often use credit cards to make donations. Be cautious when disclosing credit card numbers. Confirm that those soliciting a donation are calling from a legitimate charity.
• Don’t give or send cash. For security and tax record purposes, contribute by check or credit card or another way that provides a receipt of the gift.

Another long-standing type of deception involves scams that happen in the wake of natural disasters.

Following major disasters, it’s common for scam artists to impersonate charities to get money or private information from well-intentioned donors. Scam artists use a variety of strategies. Some scammers operating bogus charities may contact people by telephone or email to ask for money or financial information.

Before you give, utilize Select Check on the IRS website to determine if a non-profit is real or not.

The IRS is a common lure for scammers this time of year. These tax scams take many different forms. The most common scams are phone calls and emails from thieves who pretend to be representing the IRS. Scammers use the IRS name, logo or a fake website to attempt to steal money from taxpayers. Identity theft is often another motive.

Fake IRS Calls
Be wary of phone calls or automated messages from anyone who claims to be from the IRS. Frequently these criminals will tell you that you owe money. They also demand payment immediately. Other times scammers will lie and claim you are due a refund. The thieves ask for bank account information over the phone.

IRS employees will never:

• Call demanding immediate payment. The IRS will not call a taxpayer if they owe tax without first sending a bill in the mail.
• Demand payment without allowing the taxpayer to question or appeal the amount owed.
• Require the taxpayer pay their taxes a certain way. For example, demand taxpayers use a prepaid debit card.
• Ask for credit or debit card numbers over the phone.
• Threaten to contact local police or similar agencies to arrest the taxpayer for non-payment of taxes.
• Threaten legal action such as a lawsuit.

If you receive a call from a scammer, report it to the Federal Trade Commission.

Fake IRS Emails
In most cases, an IRS phishing scam is an unsolicited, bogus email that claims to come from the IRS. Criminals often use fake refunds, phony tax bills or threats of an audit. Some emails link to fake websites that look real. The scammer’s objective is to convince you to give them your personal and financial information. If they get what they’re after, they use it to steal your money and identity.

If you receive a “phishing” email, remember these important tips:

• Don’t reply to the message.
• Don’t give out your personal or financial information.
• Forward the email to phishing@irs.gov. Then delete it.
• Do not open any attachments or click on any links. They may have malicious code that will infect your computer.

No matter how cautious you are, identity thieves might be able to steal your personal information. When thieves manage to do that, they try to quickly turn that data into cash by filing fraudulent tax returns.

Watch out for these signs that you may be a victim of tax-related identity theft:

1. Your attempt to file your tax return electronically is rejected. You get a message saying a return with a duplicate Social Security number has been filed. First, check to make sure you did not transpose any numbers. Also, make sure one of your dependents, for example, your college-age child, did not file a tax return and claim themselves. If your information is accurate, and you still can’t successfully e-file because of a duplicate SSN, you may be a victim of identity theft. You should complete Form 14039, "Identity Theft Affidavit". Attach it to the top of a paper tax return and send it to the IRS.
2. You receive a letter from the IRS asking you to confirm whether you sent a tax return bearing your name and SSN. The IRS holds suspicious tax returns and sends taxpayers letters to verify them. If you did not file the tax return, follow the instructions in the IRS letter immediately.
3. You receive income information at tax time from an employer unknown to you. Employment-related identity theft involves the use of your SSN by someone, generally an illegal immigrant, for employment purposes only.
4. You receive a tax refund that you did not request. You may receive a paper refund check by mail that the thief intended to have sent elsewhere. If you receive a tax refund you did not request, return it to the IRS. Write “VOID” in the endorsement section, and include a note explaining why you are returning it. If it is a direct deposit refund that you did not request, contact your bank and ask them to return it to the IRS.
5. You receive a tax transcript by mail that you did not request. Identity thieves occasionally attempt to test the validity of the personal data they have selected or they try to use your data to steal even more information. If you receive a tax transcript in the mail and you did not request it, it could be a sign of identity theft, so call the IRS and let them know.
6. You receive a reloadable, pre-paid debit card in the mail that you did not request. Identity thieves sometimes use your name and address to create an account for a reloadable prepaid debit card that they use for various schemes, including tax-related identity theft.