Tax Refund Fraud

To continue the theme of my last post, this post discusses a specific type of identity theft: tax refund fraud. According to NBC News (and which I can verify from my own experience), all it takes to be able to electronically file a fraudulent tax return in someone else's name is a matching name, birth date, and social security number. With that information, all a thief needs to do is fabricate some wages and an employer, report a bogus tax withholding amount, and the difference between those two numbers will be refunded however the thief directs. This works because, to quote NBC:

By law, the tax-refund system as it is currently constituted amounts to a "pay first, ask questions later" system... In other words, an imaginative crook in possession of the three basic items of a person's identity could... get the money within 30 days—the amount of time the law says that the agency must refund tax filers.

Actually, by entering their own direct deposit information on the fraudulent return, the thief could get the refund in a couple days and not have to worry about trying to cash a refund check in the victim's name. Alternatively, a patient thief could paper file a fraudulent return and not even need the victim's birth date since that is not requested on the tax form itself.

The only obstacle to success in this crime is a voluntary program whereby some financial institutions can refuse to deposit a tax refund into an account on which there is a different name from the taxpayer. But not all institutions perform this cross check. Here is some Q&A from the Bureau of the Fiscal Service, a division of the Treasury that operates the federal government's deposit systems:

Can an RDFI [Receiving Depository Financial Institution] rely strictly on the account number in the ACH Entry Detail Record when posting a tax refund payment to a customer's account?

Yes, an RDFI may post IRS tax refunds received through the Automated Clearing House (ACH) network using the account number only....

Is an RDFI liable for an IRS tax refund sent to an account that does not belong to the named or intended recipient?

No. An RDFI is not liable for an IRS tax refund sent through the ACH network to an erroneous or fraudulent account since the IRS provided incorrect account information.

In other words, the IRS is required by law to authorize a refund before verifying if it is legitimate, and the Bureau of the Fiscal Service will authorize the deposit into any account reported to them by the IRS. The bank has no obligation to verify that the name on the refund destination account matches the name of the taxpayer. The real taxpayer will be left to clean up the mess when they discover they can't file their own return. Of course, the thieves will likely be caught after the fact, but the moral of the story is to avoid the mess by protecting your personal identification information and filing your tax return early.

Read More

What to do About Identity Theft

Identity thieves can wreak havoc on your credit report and your life, and the Federal Trade Commission has a very useful informational packet designed to help victims get their lives back in order. Some highlights from that packet describing what victims of identity theft should do immediately after realizing they've been victimized are as follows:

1. Have a credit reporting company place an Initial Fraud Alert on your report. This is easy to do, it lasts for 30 days, and it will make it harder for an identity thief to open accounts in your name. This can be initiated online at each of the credit reporting companies websites, Equifax, Experian, and TransUnion.

2. Although not emphasized in the FTC's packet, identity theft victims should immediately change PIN numbers and online passwords to all financial accounts. The password to the email addresses used to reset online financial account passwords should itself be updated.

3. Order copies of your credit reports, review the reports for unauthorized charges or accounts, and contact any businesses related to the problem accounts. Placing the Initial Fraud Alert entitles you to a free credit report immediately. The FTC packet has sample letters that can be sent to businesses alerting them of the identity theft.

4. Contact appropriate government agencies. Income tax fraud is popular at this time of year; the IRS's Form 14039 can used to report identity theft to the IRS. The U.S. Postal Inspection Service, the "leading federal law enforcement agency in the investigation of identity takeovers," has a complaint form located here. Contact your state's attorney general office as well.

5. Create an Identity Theft Report. This consists of two separate documents; first is an Identity Theft Affidavit that can be generated online with the FTC's Complaint Assistant. The Identity Theft Affidavit should be taken to your local police station, along with documentation of the theft, photo ID, and proof of address. Use this information to file a police report; the police report and the FTC Identity Theft Affidavit together constitute an Identity Theft Report. Keep track of your police report number and Identity Theft Affidavit number.

After these steps have been taken, next comes the long process of clearing up your credit report, closing fraudulent accounts, ensuring that businesses remove fraudulent charges, and taking legal action where necessary. The FTC is a good resource for these steps as well.

Read More