Data breaches have become so common lately that you may not even blink. However, when it happens to the Internal Revenue Service and affects some 100,000 taxpayers, that’s bound to get your attention. This week the IRS announced that hackers compromised the tax records of those 100,000 taxpayers, and that attempts on another 100,000 were unsuccessful.
At the time of this writing, organized Russian criminals are suspected to be behind the attack on the IRS website’s “Get Transcript” service. The online transcript tool was rolled out only a few years ago as an instant alternative to requesting personal tax information by mail. I’ve used this handy tool with clients to retrieve missing W2 information or copies of prior year returns. Unfortunately, the criminals found it handy too. According to the IRS, their system itself was not hacked; rather, the thieves supplied personal information about taxpayers to gain access to individual accounts and the gold mine of data found within. Armed with that information, they were then able to file fraudulent tax returns during the recent tax season and claim bogus refunds. Alternatively, some of the tax data may not have been used yet, but saved to be used for next year’s filing season or to steal identities and open fraudulent accounts. Had the breach gone undiscovered, the potential danger was huge; with this knowledge, damage may be limited by diligence.
The IRS will be contacting all the victims and attempted victims by mail, and those whose data was stolen will be offered credit protection. But there are other steps we all can take, whether knowingly affected or not.
Authorities mentioned that information used by thieves to access taxpayer accounts was obtained from various sources, including social media. To create a Get Transcript account, a person needs to know things like your name, social security number, date of birth, and filing status, as well as more obscure data points like past employers, the street you grew up on, or the name of the lender who gave you a car loan in 1985. The questions my clients were asked in setting up their accounts were at times difficult, if not impossible, to answer. These criminals were highly skilled in mining for data, and in some respects the IRS’s statements about social media smack of blaming the victim. But in any case, lock down your profiles and be careful about sharing even obscure details about yourself; you never know who is watching.
Check your accounts often
I’m a fan of automating finances: bill paying, direct deposit and the like. But that doesn’t mean we get a pass from checking what’s going on. Log in to your accounts frequently so you can pick up on fraudulent activity quickly before much damage is done. Your liability may be limited but the aggravation isn’t.
Change your PINs and passwords
Again, don’t set it and forget it. We have passwords for everything and it’s easy to choose a master password and use it in perpetuity, but that’s not going to cut it anymore. Change passwords and PINs often and use variations rather than a single password. Use pass phrases instead of passwords, vary capitalization, and use special characters. And don’t write them in a book marked “passwords!”
Check your credit report
We are entitled to one free copy of our credit report per year from each of the three credit bureaus, Experian, TransUnion, and Equifax, through Annual Credit Report. Stagger your requests to receive a report from one bureau every four months to keep an eye on your credit and see if anything has popped up.
Place fraud alert or freeze credit
Checking your credit report only provides information after the fact, though, leaving possible activity undetected. As a preventative measure, you can notify one credit bureau to place a fraud alert on your account (that bureau will notify the other two). A fraud alert is free and requires any creditor to verify your identity before issuing new credit in your name. This can slow down the opening of fraudulent accounts, but is not failsafe; if the thief has gathered enough information on you, he may falsely verify himself as you or use your information to create additional identifying documents. The fraud alert is initially in place for 90 days, and you may renew for additional 90-day periods.
Freezing credit, on the other hand, stops anyone, including you, from obtaining new credit in your name. To freeze your credit you must request a credit freeze from each of the three bureaus directly and pay a fee, usually under $10 each. If you are a victim of fraud, the fee is waived. Should you wish to apply for credit in the future, you can temporarily thaw out your credit, or permanently lift the freeze. Each of those once again requires a fee. Although more time and labor intensive, a credit freeze is more secure.
Credit monitoring or safeguarding services
While the IRS will be offering free credit monitoring to those affected, you may wish to engage one of several commercial credit monitoring services on the market on your own dollar. Services vary in ranges of monitoring, protections, and fees. Some offer assistance should your identity in fact be stolen, and others simply monitor your accounts for suspicious activity. Whether to use a service like this or not depends on your level of vulnerability as well as your diligence in watching your credit yourself.
Change your tax withholding
If there was ever a time to avoid paying extra tax each paycheck to accrue a refund later, this is it. Our tax system is “pay as you go” so you can’t completely eliminate your tax withholdings, but you can calculate your minimum required payment and make sure only that or a small amount more is being withheld during the course of the year. If a fraudulent return is filed for you next year, any refund you were expecting will be caught up until the mess is resolved, so by limiting your refund you are limiting your exposure. File your tax return early and electronically as well; if you file first under your number, then the thieves cannot.
The IRS will not call you or email regarding this issue, so if someone does, do not respond. There will likely be scammers seeking to capitalize on this breach. The IRS does not routinely call taxpayers as a first contact about an issue, although an agent may call as a follow-up to an ongoing matter. Agents are aware of the scams, so if you are contacted by a legitimate agent, he will understand your skepticism and provide means to verify the legitimacy of his call (a callback number, a letter in the mail, or a supervisor’s information, for example). Take him up on it and verify that he is for real. You can also call the IRS at 800-366-4484 to verify an agent and badge number. Never provide personal information or payment information to an unverified IRS contact, or click a link in an email purportedly from the IRS. You may also call the IRS at 800-829-1040 to verify any letter received. If you are contacted by a suspected scammer, report it to [email protected] or online.