Taxpayer Cybersecurity – Step 4: Recognize Identity Theft

The Security Summit, consisting of the Internal Revenue Service (“IRS”), state tax agencies, and private-sector tax industry officials, is encouraging tax professionals during the 2019 summer season to take some time to assess their data security policies and review critical security steps to ensure adequate measures are in place to fully protect sensitive taxpayer information from cybercriminals and to help battle identity theft.  As part of this initiative, the Security Summit has released a “Taxes-Security-Together” Checklist as a starting point for analyzing office data security in a special five-part weekly series over this summer.  Snell & Wilmer cybersecurity and privacy lawyers are tracking these releases.

Step 1:  Protect Your Systems! can be found here.

Step 2:  Create a Data Security Plan can be found here.

Step 3:  Avoid E-mail Phishing Scams can be found here.

Step 4Recognizing Identity Theft, is critical to reacting quickly to a possible breach of sensitive taxpayer data. The Security Summit has created a list of warning signs of possible identity theft:

  • Client e-filed returns begin to be rejected by the IRS or state tax agencies because returns with their Social Security Number were already filed;

  • Clients who haven’t filed tax returns begin to receive taxpayer authentication letters (5071C, 4883C, 5747C) from the IRS to confirm their identity for a submitted tax return.

  • Clients who haven’t filed tax returns receive refunds;

  • Clients receive tax transcripts that they did not request;

  • Clients who created an IRS Online Services account receive an IRS notice that their account was accessed or IRS emails stating their account has been disabled. Another variation: Clients unexpectedly receive an IRS notice that an IRS online account was created in their names;

  • The number of returns filed with the tax professional’s Electronic Filing Identification Number (EFIN) exceeds the number of clients;

  • Tax professionals or clients responding to emails that the firm did not send;

  • Network computers running slower than normal;

  • Computer cursors moving or changing numbers without touching the keyboard;

  • Network computers locking out employees.

People often realize they have become victims of identity theft when their tax return is rejected because the IRS system has already processed a return for that taxpayer. IRS and state tax systems will only accept one unique Social Security Number for each taxpayer.

One method for taxpayer identity theft occurs when a cybercriminal improperly gains  access to a tax professional’s office computers.  When that occurs, the hacker can misuse that access to complete pending tax forms, change electronic deposit information to their own accounts and then e-file the returns – all performed remotely.

Identity thieves often try to exploit stolen data by using stolen taxpayer data to access the IRS Get Transcript system, despite the IRS two-factor authentication process. This often triggers identification of a breach by the IRS, which disables the account and sends the taxpayer a letter requesting the taxpayer contact the IRS.

Tax preparers can access their e-file applications and select “check EFIN status” to see a count of the application submitted by that tax preparer. The IRS encourages tax preparers to check that count weekly during tax filing season to stay alert for possible identity theft. If the numbers are inflated, practitioners should contact the IRS e-Help Desk.

Those who fall victim to spear phishing email scams – discussed further here – may suddenly see responses to emails they never sent. Once a cyberthief gains access to a computer system, the hacker can harvest the victim’s contact list, stealing names and email addresses of colleagues and clients and enabling the crooks to use the organization to expand their spear phishing scam. Finally, there are several tell-tale signs that office computer systems may be under attack or may be under remote control, such as the cursor moving with no one at the keyboard.

Tax professionals who notice any signs of identity theft should contact their state’s IRS Stakeholder Liaison immediately. The process for reporting data theft to the IRS is outlined in Data Theft Information for Tax Professionals.

In some states, data thefts must be reported to various authorities. To help tax professionals find where to report data security incidents at the state level, email the Federation of Tax Administrators at

This entry was posted in Cyber Security, Data Breach, Data Protection, E-mail phishing, Identity Theft, IRS, Notification, Personal Information.

Share this Article:

Leave a Reply

View Reply Form

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>