Congrats! You're a Partner with the IRS

Congrats! You're a Partner with the IRS

On March 19, 2015 IRS Commissioner, John Koskinen, brought together representatives from the IRS, the states, and the private sector tax industry in what he called the Security Summit Group to discuss ways to combat identity theft and, specifically, identity theft that results in tax fraud. Private sector representatives included the likes of CEOs of leading tax prep firms, software developers, and payroll processors. For the first two months, the SSG met “continuously” to collaborate and brainstorm. One of the ideas that has come out of these meetings is that there is no silver bullet for putting an end to identity theft and that we need to adopt a “multi-layered and coordinated approach.” Another big idea, announced by Koskinen in a statement yesterday, is that there is a key Security Summit partner that, until now, has been left out of the equation: YOU.

We’ve made a great deal of progress for the upcoming tax season, and it shows just how much we can accomplish working together. But to keep making progress, there is another partner we need to bring on board, and that’s the taxpaying public. In fact, that’s why we’re announcing this new effort, called “Taxes-Security-Together.” We all have a part to play in fighting identity theft.

Koskinen says that now is the best time to begin this new initiative. I’m paraphrasing here, but he basically says that there will be a bunch of new electronic devices bought over the next couple months (ok, Christmas time, I follow), and people will be doing their taxes and making other transactions on these devices (um, people do their taxes on phones? really?) and a significant number of these potential ID theft portals will fall into the hands of people who don’t know how to use them, and it behooves us to help them to use them safely. This seems like a really tenuous “slippery slope” kind of thought process here, but ok. Now I’m interested to know if identity theft typically spikes in December or something.

But, needless to say, it feels pretty awesome to be a member of the Security Summit Group. I’m waiting eagerly by the mailbox for my badge and lanyard. As a member in good standing of the SSG, I would like to commend the Commissioner on his Taxes-Security-Together initiative. It sounds like fun. However, I also would like him to tell me how he plans on getting these messages out to those who really need to hear them. I will prepare now for what promises to be a barrage of public service announcements via YouTube, Facebook, and wherever else the IRS has a presence. But if you’re not connected with the IRS online somehow, either by “liking” or “following” or subscribing to their emails, just how are you going to catch wind of these tips and announcements? And between a tax professional and the general public, who do you think would benefit most from hearing them? There is no one silver bullet, but at least some bullets should hit some targets for this initiative to be successful.

IRS Makes Plans with Private Sector to Curb Future Cyber Attacks

John Koskinen, Commissioner of the IRS, announced yesterday in a press conference that his agency is making plans to join forces with states and the entire private tax industry to combat cyber tax criminals like the ones who recently accessed taxpayer data through the “Get Transcript” application of the IRS website.  It’s the whole “it takes a village” concept applied to the ongoing battle to protect sensitive information on the internet. Government and industry plan to share information in ways they have never done before.

As a tax relief attorney, I don’t know a lot about computers and information technology.  If the top level guys at the IRS are IT ninjas, I’m probably a yellow belt noodle maker.  But commingling of IRS and private sector data makes me nervous, if that’s what they’re talking about doing.  I understand the desire to cooperate on this monumental task of stopping international cyber-criminal syndicates, but I feel like a little separation between public and private sector computer systems is healthy.  It seems to my naive mind that the more connected they are, in the event of a large-scale hack, the more likely we all go down together.

Here are a few nice words from Koskinen’s press conference:

[A]ny organization in the public or private sectors with IT systems and sensitive data faces a battle that seems to grow every day. The nation’s tax system is no different….No single organization can go it alone….None of us has a silver bullet to defeat this enemy….Working together we can achieve results that none of us, working alone, could accomplish.

Such an American thing to do, don’t you think?  Everyone joining forces and working together to defeat a common enemy and prevent a crisis.  I hope this is a step in the right direction and not just the IRS telling us what we want to hear.  The upside to all this for the IRS is that the next time their systems are compromised, maybe they can share the blame with businesses and states.

IRS Downplays Latest Data Breach

The IRS recently announced the unauthorized access into 100,000 tax accounts by cyber-criminals through the “Get Transcript” application on the IRS website.  Virtually every word in Commissioner Koskinen’s statement is calculated to either downplay the seriousness of the breach, deflect the blame, or put a Band-Aid on it, almost to the point that it causes increased suspicion.  It’s like when someone begins a statement with the words, “to be honest,” and you can’t help but wonder if they really are.  I will list everything the Commissioner said that could be taken that way and, of course, let you read between the lines:

  1. The information that allowed the criminals access was obtained from an outside source
  2. The crime was very sophisticated
  3. Access to “Get Transcript” is only obtained through a multi-layer authentication process
  4. The matter is under review by TIGTA and IRS’ Criminal Investigation division (CI)
  5. IRS main computer systems were not affected & remain secure
  6. Although there were 100,000 successful data breach attempts, there were another 100,000 that were unsuccessful
  7. All 200,000 affected taxpayer accounts will get letters from the IRS explaining what has happened
  8. IRS is offering free credit monitoring to those whose accounts were successfully accessed
  9. “Get Transcript” application has been shut down temporarily

And then there was the obligatory and generic “make-them-feel-good” statement:

[T]he IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our protocols.

I totally understand the need to keep the comments positive in this kind of situation.  Any corporation would do the same sort of damage control in the form of some similar carefully worded, lawyer-drafted statement.  We definitely don’t want panic spreading across the nation in response to something like this.  But we are not stupid either.  If this data breach were really as benign as they want us to believe then why did they take the application down?  As much as the IRS has tried to deflect the blame for the data breach, I think they know that there are ways to tighten up security.  Nothing spells this out more clearly than the fact that the IRS immediately deactivated the application to fix it and make it more secure.

Protect Yourself Against Identity Theft

Identity theft can be a huge headache, especially when it affects your federal tax record.  There are at least a couple ways how that might happen.  An identity thief may use your personal identifying information, including your social security number, to file a false tax return and obtain a fraudulent refund.  Or a thief may use your identity to obtain a job, claim the maximum number of exemptions, and basically collect tax-free income.  Then, these W-2 wages are reported to the IRS under your social security number.  When the information on your legitimate tax return does not match up with the W-2s the IRS has on file (i.e., when you fail to report the income earned by the identity thief) then the IRS sends you a letter asking you to explain the discrepancy.

The IRS provides a comprehensive list of tips for those whose identity has been stolen.  However, some of their most useful tips explain how to avoid identity theft in the first place. What it all comes down to is safeguarding your personal and financial information, including your credit cards, social security number, even address.

Some identity thieves steal wallets and purses.  Protect your personal effects when you carry them around and never leave them in open sight in your vehicle.  Never leave a bag or purse unattended in a store or airport.  It is human nature to misplace small items such as these, but we tend to be very habitual in the handling of our wallets and purses.  The more safe habits we can acquire, the better, so that it becomes second nature to protect our personal effects.

Some identity thieves try to obtain information from you through a phone call or electronic means (especially emails).  The IRS has issued extensive and repeated warnings regarding phony IRS emails and phone calls.  The IRS has made it abundantly clear that they do not contact taxpayers through email and they do not request credit card information over the phone.  It is actually really easy to identify a phony IRS contact if you know what to look for, but very easy to be deceived if you don’t.

Some identity thieves sift through your trash.  Once you take your trash out to the curb, it is easy to consider it “gone,” but that is usually the point at which the identity thief just begins his work.  The idea here is to take steps to destroy identifying information before you throw it in the trash can.  Invest in a good quality shredder and make a habit of shredding anything with your name on it.

Some identity thieves obtain your information through unsecured websites.  Do not share your personal and/or financial information on obscure, unknown websites that cannot be trusted.  If you’re making purchases online, stick with the big time, well known websites like Amazon, eBay, and nationwide retailers.  If you ever have a question as to whether a website can be trusted, do a quick Google search of the company or, better yet, just move along to something else.

Will the IRS Bring Back Private Debt Collections?

Somebody has sneaked some terrible legislation into a provision of the EXPIRE Act which, if approved, would require the IRS to hire outside private debt collection (PDC) firms to collect past due taxes.  If this sounds familiar it is because the IRS has already tried this a couple times with very little success.  These are just some of the problems that tax practitioners have identified with hiring private debt collectors to collect income taxes:

  • The IRS must hand over sensitive taxpayer information (like social security numbers) which raises concerns about privacy and identity theft.  Just like a juicy bit of gossip, the more people you tell, the greater the risk of the information spreading to the wrong people or groups.  No amount of training can ensure this won’t happen.
  • If private collection agencies are hired on a contingency basis, their motivation to collect may be higher than your average IRS employee who is paid the same regardless of how much revenue is collected.
  • Although private collection agencies would be given access to some key pieces of information, not all tax account information would be available.  This means that the taxpayer would be required to go back to the IRS anyway, to confirm what the PDC firm has done and tie up any loose ends.

I definitely saw this in my practice during the second trial run of this program 6-7 years ago.  The PDC firms were not given authority to enter into certain installment agreements, so we would have to get cases transferred back to the IRS in most cases.  Using private collection firms only complicates things at the IRS and creates bottlenecks at an agency that is already known for being a little slow.  The good thing is that many, if not most, stakeholders and authorities oppose this legislation, including the National Conference of CPA Practitioners (NCCPAP), the Taxpayer Advocate, the IRS Oversight Board, and the Commissioner himself.

Only federal employees, who have been screened and vetted through the Internal Revenue Service, should be permitted to represent the federal government in matters pertaining to individual taxes.

~ Steven Mankowski, NCCPAP Tax Policy Committee chair

IRS Tougher on Tax Crimes

Today the Criminal Investigation (CI) division of the IRS announced the release of its annual report which covers fiscal year 2013.  Everything in this report suggests that the IRS is more aggressively pursuing tax criminals.  Here are just a few highlights:

  • Criminal investigations: 12.5% increase
  • Criminal prosecution recommendations: 18% increase
  • Criminal convictions: 25% increase

But the most shocking statistic is not even reflected in this short list.  Get this: the conviction rate for fiscal year 2013 was 93 percent!  In other words, I don’t think the IRS is going to recommend prosecution of a case that it isn’t almost certain to win.  Of course, the IRS’ interpretation of this statistic is that they just have top notch attorneys:

The conviction rate is especially important because it reflects the quality of our case work, our teamwork with law enforcement partners and the U.S. Attorneys’ Offices

~ Richard Weber, Chief of Criminal Investigation

The IRS is especially intolerant of identity theft (it boasts membership in over 35 identity theft task forces) and I am sure that this accounts for many of the recent convictions.  Some of the other tax crimes mentioned in this report include public corruption, money laundering, terrorist financing, and narcotics trafficking.

If you are wondering / stressing about whether or not you will go to jail for failure to file a tax return or failure to pay your taxes, I still think the answer still has to be “you could be.”  However, this phrase picked from the IRS’ official Newswire statement is very revealing:

CI investigates potential criminal violations of the Internal Revenue Code and related financial crimes in a manner to foster confidence in the tax system and compliance with the law.

I don’t think its a coincidence that the first concern of CI is to “foster confidence in the tax system” — secondary to fostering voluntary compliance.  How does the IRS foster confidence in the tax system?  It is not done by nailing “small fish,” which would probably have the opposite effect.  It is done by high profile convictions.  The IRS is more aggressive with high-dollar cases and cases involving public figures; the kinds of stories that make the evening news.

2014 Dirty Dozen Revealed

Every year around the beginning of tax season, the IRS comes up with its “Dirty Dozen” tax scams list.  In recent years the top three have been (1) Identity Theft; (2) Phishing; and (3) Return Preparer Fraud.  The 2014 list includes Identity Theft and Phishing in the top three again, this time along with “Pervasive Telephone Scams.”  Phone scams often take advantage of recent immigrants, the elderly, or uneducated.  It is easy to avoid a phone scam if you know what to look for and if you maintain a certain degree of skepticism when receiving an unsolicited phone call.  However, as easy as it is in theory, these phone scams must be at least somewhat successful or they wouldn’t be described as “pervasive,” and they wouldn’t have made it to the top of the Dirty Dozen this year.

Here is the Commissioner’s official generic statement:

Taxpayers should be on the lookout for tax scams using the IRS name. These schemes jump every year at tax time. Scams can be sophisticated and take many different forms. We urge people to protect themselves and use caution when viewing e-mails, receiving telephone calls or getting advice on tax issues.

The reason that the IRS releases the Dirty Dozen list in February is that they have noticed a spike in tax scams around this time of year.  However, just as the IRS can (and will) collect on delinquent tax accounts by issuing a wage garnishment or bank levy throughout the year, tax thieves and scam artists pretty much work around the clock.

Some IRS News & Some FTB News

Internal Revenue Service

The IRS expects the 2014 tax season to be delayed by one to two weeks.  That would mean the new tax season would begin somewhere between January 28th and February 4th.  The reason for the delay?  None other than the historic Fall 2013 government shutdown.

The IRS normally begins tuning and tweaking their complicated tax return processing systems in the fall, even before the start of the 4th quarter.  This year’s system testing period was delayed when the IRS closed its doors during the first half of October.  You should also be aware that the February 4th start date is only an estimate.  The IRS will re-evaluate and confirm the 2014 Tax Season start date in December.

California Franchise Tax Board

We often hear about federal tax scams, but the FTB recently sent out a warning to California residents to keep their eyes and ears open for phishing schemes and identity theft.  There is apparently a scheme which targets elderly taxpayers in Beverly Hills.  The caller, posing as a FTB employee, tells the victim that they were ticketed for a red light violation and their case has been forwarded to the FTB for collection purposes.  As ridiculous as this may sound, the IRS has been given so many additional responsibilities over the years that it’s hard to say what they may have a hand in.  So, why not the FTB too?

The moral of the story is the same as it always is for the IRS: they won’t contact you by email, and they will rarely call you without sending a series of notices first.  You need to be suspicious if either of these things happen to you.

Another IRS Mistake: Thousands of Social Security Numbers Exposed on Internet

This time the IRS leaked thousands of social security numbers on its 527 “non-profit political groups” website.  The security lapse was brought to light by

It is unclear how many SSNs were exposed and whether or not the SSNs were displayed alongside any other identifying information.  I think this would be an important detail.  I’m not sure what exactly is needed to perpetrate an identity theft or a financial crime using a SSN, but it seems to me that more would be needed than simply the SSN.  I would think that a criminal would need at least the name that goes with it too.

Furthermore, it looks like this information probably did not fall into the hands of any criminals.  The data remained up on the site for less than 24 hours, and during that time (if I understand the geek speak) there were only 8 total clicks on the page in question and no actual privacy complaints.

Still, as with all the other recent IRS blunders, what bothers most taxpayers is the fact that the mistake was made, not the end result or the damage that was done.  Think of how many visitors gets each day.  Popularity-wise we don’t like it, but traffic-wise, it is one of the most visited websites in the country.  It just so happened that the SSNs were exposed in a little obscure corner of a massive, content-rich IRS website.  It is easy to see how this was a close call and could have been a much more serious mistake.  When it comes to our personal identifying information and our financial information, we don’t like close calls.  A close call just means that there could easily be a “next time” and next time we might not be so lucky.

IRS Expands ID Theft Program to All 50 States

Around this time last year, the IRS began a pilot program in the state of Florida that allowed IRS personnel to share confidential taxpayer information with local law enforcement to simplify the finding and prosecuting of identity thieves. Then in October 2012, the IRS opened up the program to eight more states: California, Texas, Alabama, Oklahoma, Georgia, Pennsylvania, New Jersey, and New York. Now effective Friday, March 29, 2013, the “Law Enforcement Assistance Program” has been opened to all 50 states.

This is basically how the program works:

  • Local law enforcement identifies potential identity theft situation
  • With the help of IRS, local law enforcement reaches out to identity theft victim to request consent for disclosure of personal tax records
  • If victim agrees to disclose the information, the victim completes a special IRS disclosure form
  • Law enforcement submits paperwork to IRS Criminal Investigation
  • IRS Criminal Investigation processes the paperwork and disclosure forms, then forwards the relevant documents to the requesting local law enforcement officer(s)

This appears to be an important and successful program, with more than 1,560 waiver requests received over the last 12 months. However, it is also apparent that the goal of helping the victims of identity theft will be achieved with or without the cooperation of local law enforcement. The IRS says it has resolved a whopping 200,000 identity theft cases since the beginning of 2013!

The IRS follows a three-pronged approach to combating identity theft:

  1. Prevent it from ever happening in the first place
  2. Where it cannot be prevented, detect it as early as possible
  3. Assist those who have been victimized