Tax-related identity theft and Cybersecurity
Wednesday, November 23rd, 2016 @ 8:05PM
Tax-related identity theft continues to have significant impact on both the IRS and on victims of this crime. Identity theft for the purpose of tax fraud occurs when an individual uses another person’s name and Taxpayer Identification Number (TIN), generally a Social Security Number, to file a fraudulent tax return to obtain a tax refund. Unscrupulous individuals are stealing identities at an alarming rate for this purpose.
TIGTA found that the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, Federal agencies reported 77,183 cyberattacks in FY 2015, an increase of approximately 10 percent from FY 2014. The increasing number of data breaches in the private and public sectors means more personally identifying information than ever before is available to unscrupulous individuals. Much of the data is detailed enough to enable circumvention of most authentication processes. TIGTA emphasized that it is critical that the methods the IRS uses to authenticate individuals’ identities promote a high level of confidence that tax information and services are provided only to individuals who are entitled to receive them.
TIGTA reported that while the IRS recognizes the growing challenge it faces in establishing effective authentication processes and procedures, the IRS has not established a Service-wide approach to managing its authentication needs. As a result, the level of authentication the IRS uses for its various services is not consistent. TIGTA found that while the IRS is evaluating potential improvements to existing authentication methods for the purpose of preventing identity theft, it is not developing overall strategies to enhance authentication methods across IRS functions and programs. CFEG believes that authentication is an important tool in preventing tax-related identity theft.
In August 2015, the IRS indicated that unauthorized users had been successful in obtaining information on the Get Transcript application for an estimated 334,000 taxpayer accounts. Based on an analysis of Get Transcript access logs, TIGTA identified 620,931 taxpayers whose tax account information involved a potentially unauthorized access not identified by the IRS. Further analysis by TIGTA of these access attempts found that potentially unauthorized users were successful in obtaining access to 355,262 of the taxpayers’ accounts.
Insider Threats Posed By IRS Employees
TIGTA found that there is an insider threat posed by IRS employees abusing their access to Federal tax information and then disclosing it to others or using the tax data themselves to commit identity theft refund fraud. TIGTA reported that this is a major concern. In one recent case, an IRS National Taxpayer Advocate employee was sentenced to 110 months in Federal prison and ordered to pay approximately $438,000 in restitution for her role in orchestrating a large-scale identity theft refund scheme and attempting to obtain more than $1 million in fraudulent refunds.
Third-Party Income and Withholding Information to Detect Fraud
TIGTA previously reported its concerns that the IRS was limited in its ability to prevent the continued issuance of billions of dollars in fraudulent tax refunds. TIGTA found that the IRS did not have timely access to third-party income and withholding information needed to make substantial improvements in its fraud detection efforts. Recently enacted legislation requires the annual filing of income and withholding information by January 31, beginning in 2017. By requiring that the forms be filed at the beginning of the filing season as opposed to March 31 and February 28 for forms filed via paper, the IRS will now have an additional tool to detect and prevent tax fraud-related identity theft.
Employment-related Identity Theft
Taxpayers can also become victims of employment-related identity theft if they receive a notification from the IRS of an income discrepancy between the amount reported on a tax return and the amount employers reported to the IRS. This can occur when a taxpayer’s stolen identity is used to gain employment. It can cause taxpayers a significant burden due to the incorrect computation of taxes and Social Security benefits based on income that does not belong to the taxpayer. To combat this, based on recommendations from TIGTA, the IRS is developing processes and procedures to notify taxpayers who may be victims of employment-related identity theft.
Telephone Impersonation Scams
TIGTA reported that the telephone impersonation scam is one of TIGTA’s top priorities. This occurs when criminals pose as IRS employees with intent on deceiving taxpayers into providing their personal information or coercing them into paying money on phony tax obligations through wire transfers or preloaded debit cards. TIGTA warns that this crime continues to climb. As of August 15, 2016, TIGTA’s Office of Investigations received more than 1.5 million reports of these calls; 8,274 victims of this scam have reported to TIGTA they have collectively paid a total of more than $45 million, an average of approximately $5,511 per victim. The highest reported loss by any one individual exceeded $500,000. TIGTA has urged the IRS to work to protect taxpayers by educating them on the numerous schemes currently employed by criminals.
Despite the IRS’s efforts to reduce it, TIGTA reported that the Tax Gap remains a serious and persistent challenge. The Tax Gap is defined as the difference between the estimated amount taxpayers owe and the amount they voluntarily and timely pay for a tax year. In FY 2016, the IRS issued Tax Gap estimates for Tax Years 2008 through 2010 that suggest compliance is substantially unchanged since the last estimate for Tax Year 2006. The Tax Gap for Tax Years 2008 through 2010 is estimated to be $458 billion annually, compared to the $450 billion estimated for Tax Year 2006.
One way the IRS attempts to lower the Tax Gap is through identifying questionable tax returns to determine if any adjustments to the information reported on the tax returns are needed. In addition, the IRS issues notices and contacts taxpayers to collect delinquent taxes. If necessary, the IRS takes enforcement action, such as filing liens and seizing assets, to collect the taxes. In FY 2015, 44 percent of the IRS’s appropriation was allocated to closing the Tax Gap through the enforcement of tax laws.
TIGTA reported that the IRS’s lack of enforcement of backup withholding requirements contributes to the IRS’s continual inability to reduce the Tax Gap. In certain circumstances, payers are required to withhold tax from certain reportable payments. The purpose of backup withholding is to make sure that the Government is able to collect taxes on all appropriate income, particularly income that is not usually subject to withholding.
Approximately $26 billion (6 percent) of the $458 billion Tax Gap is due to individual taxpayers who do not file a tax return or timely pay the associated tax due on such delinquent returns (nonfilers). TIGTA estimates that $2.7 billion in additional tax revenue could be collected by addressing 127,000 Tax Year 2013 nonfilers that TIGTA identified with expired extensions who did not voluntarily file a tax return or submit full payment of the estimated tax liability.
Reducing Fraudulent Claims and Improper Payments
The Office of Management and Budget describes an improper payment as any payment that should not have been made, was made in an incorrect amount, or was made to an ineligible recipient. The Improper Payment Information Act of 2002 requires Federal agencies, including the IRS, to estimate the amount of improper payments and report to Congress annually on the causes of and the steps taken to reduce improper payments.
The Consolidated Appropriations Act of 2016 provides the IRS with additional tools to reduce EITC improper payments. However, it did not expand the IRS’s authority to systemically correct the erroneous claims it identifies. Without this authority, the IRS continues to be unable to address the majority of potentially erroneous EITC claims it identifies. The IRS can audit potentially erroneous EITC claims; however, the number of claims the IRS can audit is limited by resources. As a result, billions of dollars in potentially erroneous EITC claims will continue to go unaddressed each year.
TIGTA has also reported on concerns with the issuance of potentially fraudulent refunds. The IRS’s Return Integrity and Compliance Services organization is responsible for identifying, evaluating, and preventing the issuance of improper refunds. This includes the protection of revenue by identifying potentially fraudulent tax returns and verifying the accuracy of reported income and withholding information. However, TIGTA identified more than $27 million of refunds that were erroneously issued for 13,043 Tax Year 2013 tax returns because of a programming error.
TIGTA reviewed a statistical sample of FY 2013 closed surveys and audits of amended individual returns with claims for refunds or abatements of taxes and found that claims were not appropriately substantiated and/or had large, unusual, or questionable items on the tax return that were not adequately considered and investigated. TIGTA estimated that approximately $34.4 million in tax refunds and abatements may have been inappropriately allowed.
Improving Tax Systems and Expanding Online Services
TIGTA reported that a primary focus for the IRS over the past two decades has been to migrate taxpayers to electronic filing. In FY 2015, more than 85 percent of individual tax returns were filed electronically.
TIGTA reported that the IRS is currently developing a new fraud detection system, the Return Review Program, to identify suspected identity theft and fraudulent tax returns. The IRS believes that the Return Review Program provides new and improved capabilities that will advance its fraud detection and prevention into the next generation. However, TIGTA’s analysis showed that 54,175 confirmed identity theft tax returns with refunds totaling more than $313 million were identified by other existing fraud detection systems, but were not selected by the Return Review Program.
TIGTA reported that the IRS implemented the Integrated Production Model (IPM) to provide a single point of access to core taxpayer data (such as taxpayer accounts and tax returns) and other specific data used by a wide range of IRS business applications. The accuracy, completeness, and reliability of data on the IPM are essential to the IRS and its tax administration mission.
TIGTA determined that the IRS is not effectively managing its Tier II environment backup and restoration process. The Tier II environment consists of non-mainframe servers that run various operating systems, but they may also operate as database, web, e-mail, and file servers, and provide a host of other important functions supporting the IRS network infrastructure. Some examples of important data stored within the Tier II environment include e-mails, personal and shared files, and taxpayer information.
TIGTA further reported that IRS management has not established goals and does not regularly collect sufficient performance metrics to monitor, measure, and report on the effectiveness of the backup and restoration process. The lack of management information about the backup process contributed to a significant incident in December 2014 when a backup did not exist to restore the Work Request Management System database, which had been deleted in error. The IRS’s analysis of the incident determined that the backup for the database had not been created for four months prior to its discovery of the condition. As a result, IRS personnel expended significant resources restoring the data lost from the incident. The potential remains for these events to occur to other critical systems within the IRS.
Providing Quality Taxpayer Service Operations
Providing taxpayers with quality customer service is a key component in the IRS’s mission. For example, the IRS assisted 5.6 million taxpayers in FY 2015 at its Taxpayer Assistance Centers and plans to assist 4.7 million taxpayers in FY 2016, a 16 percent decrease from FY 2015. In addition, assistance provided to taxpayers via the telephone continues to be a challenge.
Further, the IRS’s ability to process taxpayer correspondence in a timely manner has also declined. TIGTA evaluated IRS processes for timely resolving taxpayer correspondence and reported that the over-aged correspondence inventory has steadily increased from FY 2012 to FY 2015. Delays in processing correspondence create a burden for taxpayers who must wait to obtain assistance and, in some cases, receive refunds. For the IRS, delays in processing correspondence can result in the unnecessary payment of interest. For example, in FY 2014, the IRS paid more than $27.6 million to taxpayers as a result of not timely processing or resolving correspondence cases such as amended returns, net operating losses, and injured spouse cases.
TIGTA also identified continuing issues with assistance to victims of identity theft. In September 2013, TIGTA reported that, on average, it took the IRS 312 days to resolve tax accounts of identity theft victims for the cases we reviewed. In March 2015, TIGTA reported that taxpayers were still experiencing long delays in resolving their tax accounts and that the IRS continued to make errors on the victims’ tax accounts. TIGTA also reported that the majority of identity theft victims are no longer provided with a single point of contact and found that the IRS’s process does not ensure that taxpayers are timely informed about the IRS’s receipt of their supporting documentation or the status of their identity theft claims.
TIGTA reported that the IRS has not established an effective process to ensure that the required notice is sent to the Social Security Administration to alert it of earnings not associated with a victim of employment-related identity theft. TIGTA’s review of a statistically valid sample of 71 cases from the population of 1,878 Tax Year 2013 cases closed as identity theft (i.e., cases involved a discrepancy related to wages reported on the tax return) identified that the Social Security Administration had no record of receiving an IRS notice for 15 (21 percent) of the 71 cases.
TIGTA also reported that the IRS did not place identity theft incident markers on the tax accounts of 3,206 of the 289,843 taxpayers it initially identified as affected by the Get Transcript application breach. TIGTA also found that the IRS did not offer an IP PIN or free credit monitoring to 79,122 individuals whose tax accounts the IRS identified as being involved in an attempted access.
Impact of Global Economy on Tax Administration
TIGTA found that tax compliance of business and individual taxpayers involved in international transactions remains a significant concern.
The IRS is implementing the Foreign Account Tax Compliance Act, which requires taxpayers and foreign financial institutions to report to the IRS specified financial assets that exceed certain thresholds.. Additionally, the IRS established the Offshore Voluntary Disclosure Program (OVDP) to encourage taxpayers with offshore accounts and related income to return to the tax system.
In an audit assessing how well the IRS is managing the OVDP, TIGTA found that the IRS needs to improve its efforts to address noncompliance of taxpayers who are denied access to or withdraw from the OVDP. Taxpayers who intentionally fail to report income earned on offshore accounts or who neglect to disclose foreign assets as required by law face significant penalties and possible criminal prosecution if discovered by the IRS. While giving noncompliant taxpayers the opportunity to resolve their potential tax delinquencies through the OVDP, it is important for the IRS to ensure that these taxpayers actually become compliant with their tax obligations. TIGTA found that the IRS did not assess approximately $21.6 million in delinquent Reports of Foreign Bank and Financial Accounts penalties on OVDP requests that were either denied or withdrawn. TIGTA also identified internal control weaknesses that led to delayed or incorrect processing of OVDP requests through poor communication among IRS functions involved in the OVDP. These weaknesses include the use of separate inventory controls and two separate IRS addresses for taxpayers to send correspondence, which contributed to incorrect processing of some taxpayer disclosure requests.
Protecting Taxpayer Rights
In general, the IRS has improved its compliance with these statutory taxpayer rights provisions and is documenting its protection of taxpayer rights. However, during the review of the IRS’s compliance with Notice of Federal Tax Lien due process procedures, TIGTA found that the IRS did not always notify the taxpayers’ representatives of the Notice of Federal Tax Lien filings as required. Based on the sample results, TIGTA estimated that 22,866 taxpayers may have been adversely affected because the IRS did not follow procedures to notify the taxpayers’ representatives of the taxpayers’ rights related to the Notices of Federal Tax Lien.
TIGTA also identified errors related to the determination of the Collection Statute Expiration Date (CSED) on taxpayer accounts during our review of the IRS Office of Appeals Collection Due Process Program. The CSED is the expiration of the time period established by law to collect taxes. From a statistically valid sample, TIGTA identified instances in which the IRS incorrectly extended the CSED, allowing the IRS additional time it should not have had to collect the delinquent taxes.
Achieving Program Efficiencies and Cost Savings
Continuing to identify and achieve greater program efficiencies and cost savings is imperative for the IRS as it strives to successfully accomplish its mission in a period of shrinking budgets and declining resources.
TIGTA reported that the IRS purchased $12 million in software subscriptions for an enterprise e-mail system that, as it turned out, it could not use. The purchase was made without first determining project infrastructure needs, integration requirements, business requirements, security and portal bandwidth, and whether the subscriptions were technologically feasible on the IRS enterprise.
TIGTA conducted a follow-up review to its 2013 report on IRS conference spending. Excessive conference and event spending by Federal agencies has been brought to light by recent Inspectors General reports and resulted in congressional hearings. Given its limited budgetary resources, the IRS must effectively manage conference and event spending to ensure that taxpayer funds are used efficiently.
TIGTA found that the IRS issued comprehensive guidance for event planning, approvals, and cost tracking that addressed each of the prior recommendations that TIGTA made in 2013. However, TIGTA identified 55 events that did not receive the correct level of approval and 26 events that exceeded approved costs by more than 15 percent, or exceeded specifically stated thresholds listed in the approval documents, without required reapproval.