Scammers were very successful last year with a scheme to snatch W-2 pay stub data from employers. The IRS is warning that it may be one of several techniques scammers utilize this year.
How the W-2 Scam Works
Fraudsters simply identify employees with access to company payroll data and pretend to be a fellow employee emailing from an outside address. “Hi, I work in accounting. Do you think you could send me the payroll data on file? I’m traveling today and working on preparing my 2017 tax return.”
The IRS said this surprisingly simple tactic worked on more than 200 employers last year and compromised the W-2 information of hundreds of thousands of employees. The stolen data included names, addresses, Social Security numbers, income and withholdings. Scammers then used the data to file returns and claim refunds from the employees' tax withholdings.
If you’re an employee, it’s hard to defend against this kind of scam because the breach happens to your employer. If you file and get an IRS notice that a return has already been filed in your name, you’ll know you’re a victim.
How to Minimize Your Risk
If your refund was nabbed by a scammer, the good news is that the IRS will still eventually send you a replacement refund. The bad news is it can take a very long time—six months to a year or longer—for the IRS to investigate your case.
If that doesn’t sound appealing, know that there are a few things you can do to minimize your risk:
If you own a small business, be vigilant against a growing wave of identity theft against employers. Small business identity theft is a big business for identity thieves. Just like individuals, businesses may have their identities stolen and their sensitive information used to open credit card accounts or used to file fraudulent tax refunds for fake refunds.
In the past year, the IRS has noted a sharp increase in the number of fraudulent Forms 1120, 1120S, and 1041 as well as Schedule K-1. The fraudulent filings apply to partnerships as well as estate and trust forms.
Identity thieves are displaying a sophisticated knowledge of the tax code and industry filing practices as they attempt to obtain valuable data to help file fraudulent returns.
Identity thieves have long made use of stolen Employer Identification Numbers (EINs) to create fake Forms W-2 that they would file with fraudulent individual tax returns. Fraudsters also used EINs to open new lines of credit or obtain credit cards. Now, they are using company names and EINs to file fraudulent returns.
As with fraudulent individual returns, there are certain signs that may indicate identity theft.
Business, partnerships, and estate and trust filers should be alert to potential identity theft and contact the IRS if they experience any of these issues:
Passwords are often the key to protecting access to private information and data stored on computers or sent over email. Because most taxpayers file their returns electronically and access account information online, it is essential for taxpayers to not only use strong passwords for all tax-related accounts, but to do everything they can to protect those passwords.
7 Tips for Creating Strong Passwords
Here are seven tips you should consider when creating and protecting passwords:
Earlier this year, hackers managed to breach the security of Equifax, one of the three national credit reporting agencies. More than 143 million Americans — almost half the US — were exposed to the attack, and may have had their personal information stolen, including names, birthdates, Social Security numbers, and driver's license numbers.
Equifax is still figuring out precisely whose data was compromised. While you wait to find out, it's worth taking a few proactive steps to make sure hackers do not misuse your information.
Start checking. Visit Equifax's website at equifaxsecurity2017.com and enter your last name and the last six digits of your Social Security number. The site will tell you whether it's likely or not your data has been exposed, and put you on a list to get more information. You can also sign up for one year of credit monitoring provided by Equifax.
Watch your statements. Start checking your credit card statements, and pay careful attention to cards you don't use often. The first reports from the breach were that hackers may have been making charges on cards that were not used frequently.
Check your credit reports. You can look for suspicious items on your reports, such as new accounts being opened in your name, at all three credit report agencies: Equifax, Experian, and TransUnion. Free annual reports are available at annualcreditreport.com.
Freeze your credit. If you suspect you may be a victim of identity theft, you can place a credit freeze on your profile at each of the three credit reporting agencies. This stops anyone from opening new accounts in your name. Keep in mind that you'll have to unfreeze your accounts if you want to apply for new loans or make your credit accessible for things like job applications.
File your taxes early. One of the most common ways identity thieves use your information is to try to claim a tax refund with your data. This was the most common scam in 2016, according to the Better Business Bureau. If you file your tax return as early as possible, you shut down this opportunity for any potential thieves.
Equifax, one of the three main credit reporting agencies, recently announced a cybersecurity breach affecting around 143 million US consumers. More than half of US adult's information was compromised. Criminals exploited a US website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers. In addition, hackers accessed credit card numbers for 209,000 US consumers, and dispute documents with personal identifying information for 182,000 US consumers.
Equifax discovered the breach on July 29. The company has hired an independent cybersecurity firm that has been conducting a forensic review to figure out the scope of the intrusion, including the specific data affected. The company's investigation is still ongoing and is expected to be completed in the coming weeks.
I apologize to consumers... for the concern and frustration this causes.
—Richard Smith, Equifax CEO
Richard Smith, Chairman and CEO of Equifax said, "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes."
Equifax has set up a dedicated website, equifaxsecurity2017.com, to help consumers find if their information was affected and to sign up for credit file monitoring and identity theft protection.
Be Sure It's Really the IRS
IRS scams are constantly changing, so you have to stay knowledgeable of the scammer's latest methods. Pretending to be an IRS agent is one of the favorite tactics of scam artists, according to the Better Business Bureau. The con artists impersonate the IRS to either intimidate people into making payments over the phone, or to send misleading emails tricking people into sharing personal information digitally.
You can defend yourself against these scammers by knowing these simple rules:
Rule #1: Expect a Letter First
In almost every case, the IRS will send you a letter via standard mail if they need to get in touch with you. This will alert you to expect future communication from the agency and instruct you on the best ways to get in touch with them.
What to do: If you get a letter from the IRS that is unexpected or suspicious, it should have a form or notice number searchable on the IRS website. If something doesn't look right, you can call the IRS help desk at 1-800-829-1040 to question it.
Rule 2: Never over Email
The IRS will never initiate contact with you using email. A common scammer trick is to send emails to taxpayers using accounts and graphics that imitate the agency's. They may threaten imprisonment or fines if you don't pay up, or promise an extra refund if you send money to "prepay" your taxes. Often the emails contain links to an official-looking fake website to collect payments. Clicking on them may also trigger the installation of virus programs on your computer.
What to do: Don't respond to any email communications supposedly from the IRS. Don't click on any links. Delete the email or forward it to firstname.lastname@example.org to help catch the scammers.
Rule 3: Proper Phone Call Etiquette
After notification via the USPS, the real IRS may call you to discuss options to handle delinquent taxes or an audit. A real IRS agent or a debt collector won't demand immediate payment without giving you an opportunity to question or appeal the bill. Nor will they threaten lawsuits, arrest or deportation. Their tone should not be hostile or insulting. Finally, if they ask for payment, they should be asking you to make it out only to the United States Treasury.
What to do: If you get a call from the IRS or an IRS debt collector, politely ask for the employee's name, badge number and phone number. They shouldn't hesitate to provide this information. You should then end the call and dial the IRS at 1-800-366-4484 to confirm the person's identity.
Rule 4: Check In-Person Visits
Ask the person for their credentials. Every IRS agent should be able to produce two forms of credentials: a pocket commission card and a personal identity verification card issued by the Department of Homeland Security, also called an HSPD-12.
What to do: Never provide sensitive information nor confirm information they may have without first independently verifying they are legitimate representatives of the IRS. If you have concerns you can call the IRS at 1-800-366-4484 to confirm the person's identity.
You do not need to navigate this problem on your own. Call Ellsworth & Associates for assistance. It is good to have a knowledgeable expert on your side.
Identity theft is a growing problem in the United States. Dozens of companies offering various forms of identity theft protection have sprung up to combat it. Unfortunately, these services often do little to actually protect people's identities, according to a study released by the U.S. Government Accountability Office (GAO).
Both the GAO study and consumer protection organizations like The Identity Theft Council point out that consumers have more effective, low-cost methods to protect themselves from identity theft. Here are some of their tips:
Monitor your own credit. You can get a free credit report from each of the three credit reporting agencies once a year at annualcreditreport.com. You can stagger your request from each agency so that you can check your credit history for any suspicious new account openings every four months.
In addition, one of the most effective things only you can do yourself is to scan your monthly credit card and bank account statements. If you see any irregularities, contact the financial institution at once and let them know if you believe any charges are the result of identity theft.
Place a fraud alert. You can place a free fraud alert on your identity if you believe you've become vulnerable for any reason, either because you lost your wallet, had your home or car broken into, or had your information stolen online. All you have to do is call any of the three credit reporting agencies (Equifax 1-888-766-0008; Experian 1-888-397-3742; or TransUnion 1-800-680-7289) and they will notify the other two.
Placing a fraud alert lasts for 90 days. Any credit provider will have to take extra steps to verify the identity of any person who tries to use your credit and open new accounts. It can be renewed for free every 90 days.
Freeze your credit. If you aren't going to be applying for new credit for a while, one of the most effective things you can do to combat identity theft is to put a temporary freeze on your credit. You'll have to call each of the three credit reporting agencies and may be required to pay a small fee ($5 to $10 each) to freeze your account, after which no one will be able to access your credit to open new accounts. It won't affect your credit rating or your ability to use your existing accounts.
Keep in mind that while this shuts down other people from accessing your credit, it also stops you from opening new accounts. It typically takes three days for the agencies to unfreeze your accounts, so keep that in mind if you want to apply for new credit, or need to allow a potential new employer to access your credit report as part of a background check.
Do your taxes early. One of the most common kinds of identity theft is when people use a stolen Social Security number and other personal information to file a fraudulent tax return in the hope of snatching a refund. Your best defense is to simply file your return as soon as possible. Once the IRS receives your return, it shuts the door on potential identity thieves.
Tips on Making Charitable Contributions:
Another long-standing type of deception involves scams that happen in the wake of natural disasters.
Following major disasters, it’s common for scam artists to impersonate charities to get money or private information from well-intentioned donors. Scam artists use a variety of strategies. Some scammers operating bogus charities may contact people by telephone or email to ask for money or financial information.
Before you give, utilize Select Check on the IRS website to determine if a non-profit is real or not.
The IRS is a common lure for scammers this time of year. These tax scams take many different forms. The most common scams are phone calls and emails from thieves who pretend to be representing the IRS. Scammers use the IRS name, logo or a fake website to attempt to steal money from taxpayers. Identity theft is often another motive.
Fake IRS Calls
Be wary of phone calls or automated messages from anyone who claims to be from the IRS. Frequently these criminals will tell you that you owe money. They also demand payment immediately. Other times scammers will lie and claim you are due a refund. The thieves ask for bank account information over the phone.
IRS employees will never:
Fake IRS Emails
In most cases, an IRS phishing scam is an unsolicited, bogus email that claims to come from the IRS. Criminals often use fake refunds, phony tax bills or threats of an audit. Some emails link to fake websites that look real. The scammer’s objective is to convince you to give them your personal and financial information. If they get what they’re after, they use it to steal your money and identity.
If you receive a “phishing” email, remember these important tips:
6 Signs of Identity Theft
No matter how cautious you are, identity thieves might be able to steal your personal information. When thieves manage to do that, they try to quickly turn that data into cash by filing fraudulent tax returns.
Watch out for these signs that you may be a victim of tax-related identity theft: