How (and when) Equifax data breach can cost you money

Focus On … Accounting

By Brett Johnson
New Jersey | Oct 23, 2017 at 10:40 am

The recent Equifax data breach sent a message to the public. It also sent one to accountants.

It was a hack that reportedly exposed identifying information of nearly 150 million United States citizens. The shocker for most was that something like this could affect well over half of the country’s population.

Accounting professionals look at it in a slightly different way — it’s also a number about as large as the total number of federal tax forms filed each year.

Rebecca Fitzhugh, partner in the fraud practice at accounting and consulting firm Sobel & Co., said that means next tax season could be full of unwelcome surprises.

“When people start filing tax returns, some will find out someone has done it in their name already, using information that was stolen,” she said. “And, because of how Equifax has handled this, this may be the first time they’ll find out they’re a victim of this breach.”

In 2016 alone, the IRS identified about $4.1 billion in suspected identity theft tax refund fraud.

Although the full extent of exposure for victims of the Equifax breach is not entirely known, the incident — in which names and Social Security numbers were allegedly stolen by hackers — has the potential to exponentially increase the number of identity theft tax refund fraud cases.

“Tax preparers will bear the brunt of this,” Fitzhugh said. “They’re going to have to know what’s going on and how to deal with it through the IRS. And, hopefully, the firm involved has the resources to respond to the (fraud) volume we may see.”

The IRS has taken a step to help prevent fraud and verify taxpayer identities this coming tax season in a $7.25 million deal it made with Equifax.

Anurag Sharma, a principal at WithumSmith+Brown PC, said high-profile data breaches are nothing new, but what separates this one from those experienced by Target or Home Depot is the type of data taken. As opposed to prior breaches, which affected consumers’ credit cards, this one revealed an unprecedented depth of personal identity information, such as names with birthdates and Social Security numbers.

“The majority of people I interact with have been impacted by this … I was even part of the breach myself,” Sharma said. “It’s bad enough that I’m recommending to a lot of people to just freeze their credit, because that’s the only foolproof way to ensure this information can’t be misused.”

Sharma, who helps lead a cybersecurity practice at WithumSmith+Brown, added that what people may not realize is that the sort of identifying data exposed by this incident may allow cybercriminals to extract even more information.

“There are financial institutions that, when you forget your user ID or password, will allow you to just put in information like your Social Security number to get access to your account,” he said. “That’s all out there in the wild now, making it so that there are a lot of things people have to look out for (on top of a fraudulent) tax return.”

When people are the victims of stolen identities on tax returns, the IRS has taxpayers apply to extend their Social Security number to additional digits. It is not an anticipatory step for people to avoid the initial tax fraud, however, and tax professionals say that, once the fraud has already occurred, it can be a headache to have it corrected, because the IRS needs ample evidence that the person reporting it is not the actual fraudster.

And, in the face of this massive hacking attack, many tax professionals are saying more should be done to prevent fraud before it becomes a hindrance to an accountant’s work.

But as Jo Anna Fellon, principal at Friedman LLP, points out, not every solution would be agreeable to the business community.

“If the (suggested course of action) is increased data security requirements for companies, this could be an impact to a business owner in terms of the cost of increased compliance,” she said.

Of course, Fitzhugh explains that data breaches of this sort aren’t the only ways that identities get stolen for tax fraud.

“We’ve seen that fraud is more easily committed today, with the internet opening up more avenues to get to people,” she said. “Things have changed since the times of Nigerian scam emails asking for money … that it was amazing people fell for. Now, it’s harder to detect. Cybercriminals can send (phishing) emails that look very legitimate.”

Fellon also has seen tools for cybercrime evolve over time, and the recent Equifax breach — and the threat it brings to taxpayers — is now bringing that message home for everyone else, too.

“I think it’s really a reset for everyone,” she said. “People are seeing technology biting back.”

Ways to mitigate risk of someone filing a tax return under your identity

  • File as early as you can when tax season opens; gather up information soon enough to do so.
  • Change your tax withholdings, so that there’s not as much money there for an identity thief to take on a fraudulent return.
  • Take some of the usual precautions, such as ensuring that you’re still receiving normal communications from financial institutions you have accounts with.

Source: Rebecca Fitzhugh of Sobel & Co.

One more thing

The number of tax fraud cases encountered during the coming tax season would seem to be a good measure of the amount of breached Equifax data that is being utilized for identity theft.

But whether that will, in fact, be the time for taking stock is questioned by Peter Metz, tax principal of accounting firm Grassi & Co.

“These are like the equivalent of sleeper cells,” Metz said. “Once the information is out there, criminals can decide when they want to act — which might be when they think they can get away with it. And perhaps now is not the time, when everyone is focusing on it.”

Metz believes that five or six years down the road, a compromised Social Security number still has just as much potential to create problems — as a taxpayer is stuck with that number, and isn’t likely to change their name or other identifying details. And that goes for all sorts of tax returns.

“Everyone is focusing on federal tax returns, but if a criminal can apply for a tax refund using your name at the state level, then why would they stop at the federal level?” he said.

Over a decade’s time, the numbers could add up to a staggering figure.

“This may amount to more money than is probably needed to take care of recent victims in Puerto Rico, Texas and Florida combined, if you can imagine the billions of dollars in fraud we’re talking about,” Metz said.