Back in the day, say 2011, tax fraud was pretty straightforward. Taxpayers deliberately understated income or overstated deductions to cheat the system for their own benefit.
Not anymore. Now, a growing share of such fraud is about crooks using the identities of innocent taxpayers to steal money. If you have a home phone or an email account, these scams are hard to miss. We are inundated with phishing, spoofing, and all variety of cyberscams.
And this trend is especially worrisome now. Identity theft and other cybercrimes are blossoming just as the IRS is trying to make itself more accessible online—a confluence of events that could prove dangerous for taxpayers and catastrophic for the already-troubled agency.
The trend is clear. Each year, the IRS publishes a list of its “Dirty Dozen” tax scams. In 2011, just one involved some form of identity theft. This year no less than one-third were phone-based or online scams. Today, about one-quarter of all IRS criminal investigations are focused on identity theft.
In mid-March, at the height of the recent filing season, the Treasury Department’s Inspector General for Tax Administration reported that it was getting as many as 12,000 complaints a week about a phone scam in which callers who claimed to be representing the IRS demanded that taxpayers purchase prepaid debit cards to pay purported tax bills. The scamsters would then get the card numbers from the victims and clean out their accounts.
But those phone-based gimmicks may be trivial compared to a new con: stolen identity refund fraud.
The game is simple: Crooks steal Social Security numbers, file returns that claim refunds, and have the refunds electronically deposited into fake bank accounts or delivered to mail drops. Not only do they steal money from the government, but they create an enormous headache for legitimate taxpayers whose IDs they have stolen.
The IRS has been warning about these scams for years, but has now set up a new team to investigate cybercrimes. The Justice Department’s Tax Division has been focusing on these cases since 2012, and has begun about 1,000 investigations and brought 725 prosecutions.
But there is a real question about whether either agency has the resources to keep up with this wave of identity theft. The new IRS cyberfraud team investigated about 1,000 cases in the past year, but it only has about a dozen agents, according to The Wall Street Journal (paywall). The agency told the Journal that its overall criminal investigations staff has fallen by 15 percent since 2011, due to budget cuts. Agency officials tell me the staffing problem is even worse because it is losing some of its most experienced investigators through retirement.
Oddly, the agency’s technological obsolescence may be its best protection against cyberfraud. Because the IRS only communicates with taxpayers by snail mail, and never initiates any contacts by phone or email, it takes little thought to hit the delete button whenever purported IRS emails appear in our inboxes.
And at a recent Tax Policy Center conference on tax administration, Commissioner John Koskinen acknowledged that the agency’s database software is so old that hackers don’t have the programming knowledge to break in.
But one of Koskinen's top priorities is to make it easier for taxpayers to digitally communicate with the IRS. His dream: Taxpayers could make payments, check on return status, and even get questions answered through their online accounts.
This all makes perfect sense in 2015. But by moving into the digital age without state-of-the-art security, the IRS is taking an enormous risk.
Just ask banks, retailers, and health insurers, all of whom have suffered high-profile data breaches in recent years. Such an event would be catastrophic for the IRS. So would an online system that is secure but non-functional for taxpayers. If Koskinen wants to know what happens when the government runs a website that consumers can’t use, he can ask those responsible for the Affordable Care Act’s health exchanges.
One small step the agency could take to improve its digital cred: Let taxpayers know when their Social Security numbers are stolen. A bipartisan group of senators has just introduced a bill that would require the agency to do just that.
With no support from Congress or the White House, and with insufficient resources, the IRS is trying to do two very hard things—crack down on cybercrime and open its electronic doors to taxpayers. I wish it luck.