Reports show there are between 500,000 and 700,000 identify theft incidents per year, and the 2019 information breaches at CapitalOne and Equifax serve as reminders to always monitor your processes to secure information on yourself and your clients.

Identity theft places a burden on its victims and presents a challenge to many businesses, organizations and governments, including the IRS. Tax-related identity theft occurs when someone uses your stolen Social Security Number to file a tax return claiming a fraudulent refund. You may be unaware it’s happened until you file your return and discover a return already has been filed using your Social Security Number, or the IRS may send you a letter saying it has identified a suspicious return using your Social Security Number.

Identity theft can occur when individuals use your name and information to open bank/credit union accounts; file applications for housing, government benefits or utility services; and to access existing accounts, such as credit cards, checking accounts, utility accounts, savings and investment accounts.

Contact your tax professional if you encounter any of the following tax related issues:

• Your e-filed return is rejected by the IRS or state tax agency because returns with your Social Security numbers were already filed.
• You begin to receive taxpayer authentication letters (5071C, 4883C, 5747C) from the IRS to confirm your identity for a submitted tax return despite not having filed a return yet.
• You receive a refund despite not having filed a return yet.
• You receive tax transcripts you did not request.
• If you created an IRS Online Services account and receive an IRS notice your account was accessed or IRS emails stating your account has been disabled. Another variation is if you unexpectedly receive an IRS notice that an IRS online account was created in your names.
• Tax professionals or clients responding to emails that the firm did not send;

How Can I Avoid Being Hacked?

The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels. If you receive communication via these channels from the IRS, do not respond or contact your tax professional to determine if there is a legitimate cause for concern.

If you’re disposing of sensitive documents, make sure the information is blacked out with a marker and shred – or even burn – all information, including mail offers, such as credit card offers.

Other tips include:

• Do not disclose confidential information (bank account numbers, PIN numbers, Social Security Number) to unknown telephone, U.S. Mail or Internet solicitors
• Always use security software with firewall and anti-virus protections. Use strong passwords and avoid combinations such as your birthday, mother’s maiden name or the last four digits of your Social Security Number.
• Protect your personal information and that of any dependents. Don’t routinely carry Social Security cards, and make sure your tax records are secure.
• Reduce your incoming mail by calling (888) 567-8688 or writing to Direct Marketing Association, P.O. Box 643, Carmel, NY 10512 to stop most mail solicitations. Include your name, address and phone number in your signed letter.
• Reduce telemarketing calls by signing up for the FTC’s National Do Not Call Registry at donotcall.gov or by calling at (888) 382-1222.
• Learn to recognize and avoid phishing emails, threatening calls and texts from thieves posing as legitimate organizations such as your bank, credit card companies and even the IRS. The University of Oregon recommends the following helpful tips:
  • Hover your mouse over any links embedded in the body of the email. If the link address looks weird, don’t click on it.
  • Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.
  • Is the email addressed to a vague “Valued Customer?” If so, watch out — legitimate businesses will often use a personal salutation with your first and last name.
  • Legitimate banks and most other companies will never ask for personal credentials via email. Don’t give them up.
  • Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”
  • Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate businesses always provide contact details.
  • Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.
  • Fraudsters not only spoof brands in the display name, but also spoof brands in the header from email address. Return Path found that nearly 30% of more than 760,000 email threats spoofed brands somewhere in the header from email address with more than two thirds spoofing the brand in the email domain alone.
  • Phishers are good at what they do. Just because an email has convincing brand logos, language and a seemingly valid email address does not mean it’s legitimate. Be skeptical when it comes to your email messages. If it looks even remotely suspicious, don’t open it.

I’ve Been Hacked: Now What?

The Federal Trade Commission recommends you regularly inspect your credit report. The law requires each of the three major nationwide consumer companies – Equifax, Experian and TransUnion – to provide a free copy of your credit report every year.

If hacked, contact one of the three aforementioned agencies to place a “fraud alert” on your credit records:

• Equifax: Equifax.com or (800) 525-6285
• Experian: Experian.com or (888) 397-3742
• TransUnion: TransUnion.com or (800) 680-7289

You also can order it online at the government-approved AnnualCreditReport.com, by calling (877) 322-8228 or completing the Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

You will need to provide some basic information including your Social Security Number and you may need to provide some personal financial information. If you plan to check your report online, be wary of impostor sites. Be absolutely certain you have reached AnnualCreditReport.com.

You also can file a complaint with the FTC at identitytheft.gov or by calling their ID Theft Hotline at (877) 438-4338.

If the incident involves a bank or credit union, call the Louisiana Office of Financial Institutions at (225) 925-2660.

And, as always, contact your tax professional for further assistance and guidance.

About Ericksen Krentel

Ericksen Krentel CPAs and Consultants, founded in New Orleans, Louisiana in 1960 with offices in New Orleans and Mandeville, believes that serving as the clients’ most trusted adviser is grounded in going beyond the numbers.

That includes helping clients achieve their business and personal financial goals by providing innovative and exceptional services in the following areas: audit and assurance services, tax compliance and planning, outsourced CFO services and business valuations for a variety of industries; employee benefit plan audits; fraud and forensic accounting; business planning; IT consulting; loss calculations; and estate planning.

Learn more at www.ericksenkrentel.com.

Related Blog Posts