The Washington PostDemocracy Dies in Darkness

Opinion The IRS’s stimulus payment plan is basically asking for fraud. Here’s how to avoid it.


Mike Chapple is an associate teaching professor at the University of Notre Dame’s Mendoza College of Business.

The Cares Act offers much-needed relief to millions of Americans struggling to pay for food and housing during this unprecedented crisis. Most are entitled to payments under the bill, and direct deposits started arriving in bank accounts this week. Unfortunately, the system implemented by the Internal Revenue Service puts the payments at serious risk of identity theft.

Americans who filed a tax return last year and are below the Cares Act income thresholds can receive a direct deposit in the bank account used for their most recent tax refund. The catch is that not all Americans are required to file tax returns. The Tax Policy Center, a joint venture of the Urban Institute and the Brookings Institution, estimates that about 10 million single taxpayers did not earn more than $12,200 in income and fit into this group of “non-filers.” This group includes some of the neediest members of our society. They’re entitled to receive stimulus payments, but the IRS does not have the information required to pay them.

Full coverage of the coronavirus pandemic

Recognizing this problem, the IRS worked with Intuit to create a website where non-filers can register their bank account information to receive their stimulus payment. That’s a wonderful idea in theory, but it falls apart in practice. The brief form asks non-filers to prove their identity by providing their name, Social Security number, address, phone number and date of birth. The form also allows, but does not require, individuals to provide their driver’s license number.

But none of the information requested by the IRS is secret. Numerous data breaches over the past decade have exposed every one of these pieces of information for virtually every American to identity thieves. Data breaches have affected federal government employees, veterans and Equifax credit report subjects. Anyone who doesn’t fall into one of these three groups has probably been affected by smaller data breaches. This information is lost forever, irretrievably put up for sale on the dark web, where it sits available to identity thieves — allowing them to request a stimulus payment under the name of an unsuspecting non-filer.

The IRS should know better. The agency has fallen victim to this type of fraud before. In 2015, the IRS discovered that it had been victimized by attackers who gained access to the accounts of approximately 390,000 Americans. That system used stronger security than the Cares Act non-filer form — in addition to the identity questions above, it included security questions pulled from applicants’ credit files. It’s almost certain that the weaker Cares Act system will allow fraudsters to steal stimulus payments.

To get Cares Act payments into the hands of the low-income Americans who need them most, the government must perform additional vetting on non-filer claims to prevent fraud, and it should do so quickly.

The most effective way to accomplish this is by requiring that those filling out the Cares Act form upload a snapshot of their photo identification — a process used by many other federal systems. It’s relatively easy for a hacker to steal a driver’s license number; it’s far more difficult to obtain a photo of a driver’s license. For people who have no photo identification, the IRS should insist on sending a paper check so that the bank cashing the check can verify the depositor’s identity.

The IRS must also urgently investigate possible cases of fraud. Internal controls can search for red flags, such as multiple deposits being sent to the same bank account or deposits being sent to local banks far from the filer’s last known residence. Information provided by filers can be automatically cross-referenced with other federal databases for accuracy. Suspicious transactions should be flagged for manual review by an IRS analyst before funds are released.

The Opinions section is looking for stories of how the coronavirus has affected people of all walks of life. Write to us.

After this crisis passes, the agency must prevent a problem like this from ever occurring again. Two independent watchdogs, the Treasury Inspector General for Tax Administration and the National Taxpayer Advocate, have both repeatedly informed the IRS that their identity and access management practices were not effective and required immediate investment to protect taxpayers and the government. It’s time to make that investment.

Read more:

Helaine Olen: The coronavirus crisis exposes how America really feels about small businesses

Paul Waldman: How to spin a giveaway to the rich

Catherine Rampell: The covid-19 pandemic has revealed another area of critical government underinvestment

Robert J. Samuelson: The unnerving tale of having my Social Security hacked

Kathleen Parker: The shutdown is a great time for identity thieves. I know this firsthand.

Coronavirus: What you need to know

Vaccines: The CDC recommends that everyone age 5 and older get an updated covid booster shot designed to target both the original virus and the omicron variant. Here’s some guidance on when you should get the omicron booster and how vaccine efficacy could be affected by your prior infections.

Variants: Instead of a single new Greek letter variant, a group of immune-evading omicron spinoffs are popping up all over the world. Any dominant variant will likely knock out monoclonal antibodies, targeted drugs that can be used as a treatment or to protect immunocompromised people.

Tripledemic: Hospitals are overwhelmed by a combination of respiratory illnesses, staffing shortages and nursing home closures. And experts believe the problem will deteriorate further in coming months. Here’s how to tell the difference between RSV, the flu and covid-19.

Guidance: CDC guidelines have been confusing — if you get covid, here’s how to tell when you’re no longer contagious. We’ve also created a guide to help you decide when to keep wearing face coverings.

Where do things stand? See the latest coronavirus numbers in the U.S. and across the world. In the U.S., pandemic trends have shifted and now White people are more likely to die from covid than Black people. Nearly nine out of 10 covid deaths are people over the age 65.

For the latest news, sign up for our free newsletter.