The attack shows that identity thieves are becoming more sophisticated in their efforts to gather information about taxpayers — and that the measures put in place by the IRS have not been sufficient to stop them. The IRS said it paid out $5.8 billion in fraudulent tax refunds last year, although it also said about 3 million suspicious tax returns were stopped at the door this year.
So in the face of such an immense threat to people’s personal financial information, what are consumers to do?
Security experts say nothing beats constant vigilance.
The IRS said it would notify taxpayers by mail if it appeared that criminals downloaded, or attempted to download, their tax transcripts. Anyone whose files were accessed would be offered a year of credit-monitoring services by the agency. But given the serious nature of this breach, that length of time will hardly be enough.
People should continually check their credit reports to make sure no loans or accounts have been fraudulently opened in their names. Consumers are allowed three free credit reports a year through AnnualCreditReport.com, one from each of the three major credit reporting bureaus — Equifax, TransUnion and Experian.
Some of the bureaus offer services that let people check more frequently, and new federal rules will soon enable people who find errors to access their reports more frequently at no cost.
Consumers can ask the bureaus to set up credit alerts, which notify them when someone tries to take out a loan in their name. Others who are more concerned may want to freeze their credit altogether, which would block all applications for mortgages, car loans, credit cards and other debt in their name.
Some of the biggest headaches may come at tax time, when criminals may try to file fake tax returns with the information they stole from the IRS. This year, a wave of identity thieves filed fraudulent tax returns early in the tax season using a flaw in TurboTax’s online software in an attempt to grab people’s state and federal refunds. So it behooves taxpayers to try to file their returns as early as possible.
Some of the identity theft victims from the latest IRS hack are being offered a secure PIN from the agency that they will need to use to file their returns going forward. The PINs, normally offered to people whose tax refunds have been stolen, are given to taxpayers after their identities have been verified.
People who spot fraudulent tax returns or credit accounts can also file a complaint with the Federal Trade Commission and can submit a report with their local police departments, although finding results from those agencies can often be slow.
It might also help to scale back some of the information shared on social media accounts. In a conference call with reporters Tuesday, IRS commissioner John Koskinen said criminals may have used sophisticated computer programs to compile personal information from across the Web and use that data to attempt multiple times to sign on to the IRS transcript tool.
The IRS did not say when the tool, which was temporarily shut down, would be made available again. The struggle, Koskinen said, will be to add more security measures that will make it more difficult for fraudsters to break in without making it impossible for legitimate taxpayers.
But despite such assurances from the IRS, it’s likely that the victims of this crime will be facing a long financial nightmare. Ultimately, higher powers may have to step in — such as those in Congress — to pressure the IRS to offer more help to the victims and build better security into every part of its Web site.