Tax Related Identity Theft Can Happen to Anyone

It’s that time again for your annual trip to the financial dentist.  Tax time.

After the countless hours compiling documents and completing forms, you file the return and look forward to the refund.

Until…

You receive a letter from the IRS politely telling you that your tax refund has already been processed.

Welcome to tax-related identity theft. You’ve just found yourself alongside the millions of hard working Americans that annually fall victim to this growing problem.  Every year, billions of dollars in U.S. income is reported falsely.

Billions!

If There is Good News… You Will Get Your Refund

Tax-related identity theft occurs when someone uses your stolen Social Security number to file a fraudulent tax return under your name.

If you’re lucky, you will receive a letter from the IRS telling you it suspects a fraudulent tax return has been filed under your name. Otherwise, you’ll find out once you’ve filed. Either way, you have some annoying and potentially time-consuming work ahead to clear up the problem.

Here’s the good news: You will eventually get the refund due you from the IRS and/or your state.

What’s troubling is how easy the IRS makes it for thieves to file your return with fraudulent information.  Technically, all a thief needs to file is a name, Social Security number (SSN) and date of birth.  And, if you’ve read our other posts, we know of at least one company that accidentally let hundreds of thousands of those slip out last year. Unfortunately, security breaches happen too often.

Like anything else, an ounce of prevention is worth a pound of cure.

The most effective way to lower your risk for tax-related identity theft is to file early.

If you don’t, you can be assured the thieves will. For them, the earlier they file, the earlier they get your refund in their hands. At that point you’re faced with a battle you will ultimately win, but will take time.

So, if this happens to you, we have compiled seven things you need to do to get the problem cleared up as soon as possible so your refund can be paid.

So, take a deep breath, relax and review the steps.

Step #1: Report the Refund Theft Immediately

Call the IRS Identity Protection Specialized Unit at 1-800-908-4490.  You’ll also need to complete an identity theft affidavit, or a 14039 Form, so that the IRS can place an alert on your account. All of this can also be done online at https://www.irs.gov/pub/irs-pdf/f14039.pdf.

Also, don’t forget to contact your state revenue or taxing.  After all, identity thieves can and will do a significant amount of damage with your Social Security number.  You only get one.

Lastly, report the theft to your local police department. While law enforcement is unlikely to investigate the crime because it’s typically a Federal matter, many government agencies and credit bureaus require an official police theft report to help finalize the issue.

Step #2: Compile Your Evidence

When you contact the IRS or state agency about your ID tax return theft that be sure to have copies of your tax returns from the past two or three years.  There will be numerous questions throughout this process, and this will ensure you less stress, as well as allow your case to move faster.

In addition, by providing this supplemental information that the IRS can check against, you strengthen your case that the theft of your return is the legitimate one.  For example, an ID thief is unlikely to know that you got divorced two years ago and stopped filing jointly, but this fact can easily be checked by the IRS, giving your filed return more credibility.

There are other pieces of information you’ll want to have handy: driver’s license, birth certificate, passport, and if so, two recent utility bills.  Plus, if you’re married, have your marriage certificate.  You’ll need to mail copies of all these documents as well as your police report for the IRS to verify your tax return and come to conclude that the other one is fraudulent.

Step #3: Protect Yourself for The Future

Once you report the fraud and fill out the affidavit, the IRS should issue you a personal identification number, or PIN, to provide another layer of security.  You’ll need to submit this PIN along with your Social Security number when you file any tax form going forward so that the IRS knows to carefully check over your account.  Since the government can’t give you a new Social Security number, this is how you’ll protect yourself.  As an identity theft victim, you’ll get a new PIN every year.

If you live in the tax fraud meccas of Florida, Georgia, or Washington D.C., you can apply for a PIN without having been an ID theft victim.  To get this six-digit number, you need to register and verify your identity online. You can sign up here: https://www.irs.gov.

Remember, as technology moves along, we need to keep in mind that our phones, tablets, and computers are easy prey for identity thieves.  IRS studies show that fraud alerts are often linked to a phone number.  Therefore, your tax refund criminals along with other ID thieves constantly attempt to access their victims’ cell phone accounts to redirect those messages to them.  Protect your smartphone:

• Ignore unknown numbers that could harbor malware.
• Be very careful when downloading applications and disable those you don’t use.
• Make sure you also have an email address attached to fraud alerts and other ID theft-worthy news.

Protecting your records is a year-round effort.  For example: Don’t carry your Social Security card or other documents with your Social Security Number on them.  Only provide your SSN if it’s necessary and/or you know the person requesting it.  If you do the following you will have the best chance of staying ahead of thieves: protect your computers with anti-spam and anti-virus software, and routinely change passwords for your accounts, you’ll give yourself a much greater chance to keep your refund just to yourself.

Finally, don’t fall for phishing scams.  The IRS will NEVER call you to demand immediate payment, nor will it call about taxes owed without first mailing you a bill.  Any type of threatening phone call from someone claiming to be from the IRS is a hoax and should be reported to the police.

Step #4: Contact the Credit Bureaus

If you are a victim of identity theft, the Federal Trade Commission recommends contacting one of the three major credit bureaus to place a fraud alert on your credit records immediately:

• Equifax, www.Equifax.com, (800) 525-6285
• Experian, www.Experian.com, (888) 397-3742
• TransUnion, www.TransUnion.com, (800) 680-7289

If a thief had enough information about you to file a false tax return, he/she could have also opened new credit card accounts or taken out a loan in your name.

Set up free fraud alerts with the three major credit reporting bureaus, Equifax, Experian, and TransUnion. These alerts, which last 90 days, but can be renewed, warn potential creditors or lenders that you are an identity theft victim and that they must verify your identity before issuing credit.

You can even go a step further by placing a full credit freeze on your files, which instructs the credit agencies to prevent new creditors from viewing your credit score and report. With a police report, it’s free.  Without one, it can cost as little as $10, depending on your state.

A credit freeze will keep you from accessing instant credit, too.  So, if you need to apply for a loan, you will need to give the agency permission to access your data, and in some cases, you may have to pay a fee to lift the freeze, which can take a few days.

Step #5: Check Your Credit Reports

As an American consumer, you are entitled to a free copy of your credit report from each of the three agencies.  Make sure you get in the habit of checking them carefully for unauthorized activity.  Look at your history as well as recent activity.  Just because you were the first person alerted to the problem through a false tax return does not mean that’s where the ID theft began.

If you see errors in your report, such as wrong personal information, accounts you didn’t open or debts you didn’t take part in, immediately notify your bank, one of the credit agencies, and the businesses reporting that inaccurate information.

Step #6: Change ALL Your Passwords

In the past, most thieves collected data about a taxpayer and then created an account at a tax preparation software site to file a false return.  But Intuit, the parent company of TurboTax, says that in the past 18 months it has seen criminals changing their tactics.

Thieves know that people use the same password at multiple websites.  This is one of the worst security mistakes we can make.  When usernames and passwords are compromised in a data breach, a thief could use them to open a TurboTax account and file in your name.

If you have an online account at a site like TurboTax, make this password unique from any other passwords you use online.  Follow this guide to make it as secure as possible.  If you use your tax prep password at your bank or any other site with personal information, change that password immediately, as well as any other consistent accounts.

Step #7: Be Patient

The IRS says a typical case of ID theft can take up to 180 days to resolve.  And even after you’ve cleared up this year’s tax mess, tax and credit fraud can be a recurring problem.

Once the IRS has determined that your return has been fraudulently filed, the IRS will flag the actual return that you file and process it manually, examining every detail to figure out which return is authentic.  This means your refund will most likely be delayed for months.

Remember…The IRS will always pay you your refund, regardless of whether it already paid it out to a thief.

So, be proactive to protect yourself with security software with firewall and virus/malware protection. Also, only give personal information on encrypted websites. Look for “http” addresses, and use strong passwords to protect them.

And, if you do nothing else, don’t leave sensitive personal data lying around for wandering eyes to see. Treat it like cash!

IRS and States are Fighting Fire with Fire

While the bad guys always seem to be one step ahead of being caught, the IRS is having success in fighting tax-related identify theft. Annually it rejects or suspends processing of more than five million suspicious returns, which add up to more than $8 billion. Many changes are designed to better authenticate the taxpayer’s identity and the validity of the tax return at the time of filing.

The IRS has greatly improved its security for accounts by increasing the number of digits required for a password, as well as new security questions to verify identity. States are also fighting identity theft by requiring additional information that may be more difficult for thieves to acquire.

Last year, the number of suspicious electronic returns was so large in some states that Turbo Tax, one of the largest tax preparation software providers, temporarily suspended processing all state tax returns until it could block users from filing unlinked state returns, which are returns filed without a federal return.

For tax year 2017, the IRS, states, and the tax industry joined together to enact a few new safeguards to try and take additional actions to combat tax-related identity theft. Many of these safeguards will be unknown or invisible to us, but invaluable to their fight against these criminal organizations.

Visit your state’s tax agency website to see if there are changes for 2017 tax returns. (Although you may e-file your federal and state tax returns together, they are processed separately by the IRS and your state tax agency.)

If you have any questions, concerns, or tips, we’d love to hear from you.

Please visit our website at www.sttstl.com or if you’d like to learn more, give me—John Steinhauser—a call at +1 (314) 795-0004 or email me at john@sddstl.com.

And, stay safe out there!

John Steinhauser, co-owner, Secure Document Destruction of St. Louis (SDD).

John has lived and breathed the document security industry for the last decade.  John prides himself on SDD’s ability to innovate and consistently stay ahead of the curve.  However, his approach toward the business has stayed consistent, delivering incredible customer service and complete document destruction for the St. Louis area.

It’s no secret, your employees use their work computers to scour the internet on company time. However annoying that is to business owners, they generally look the other way. As you’ll read, that annoying reality could very well lead to a security breach, so it’s time you educated yourself and your team on the cold, hard facts.

Fact #1: Employees are the #1 cause of all company security breaches.

Your small business amasses a wealth of incredibly sensitive information about everyone who walks through your doors or hits your website.  Having that valuable information put in jeopardy can turn into a long and costly process to fix, not to mention potentially embarrassing to you and the business.

We’ll explore the seemingly harmless part of your employees’ daily lives that could put your business and, more importantly, your customers’ information at risk for a breach.  We’ll also provide tips to protect yourself so your business isn’t added to the ever-growing list of organizations that have had their security breached in 2017.

We’ve all heard the saying, “work smarter, not harder.”

Owning your own business is tough.  There are countless hours spent towards hundreds of different tasks across every part of the business.  If data security isn’t near the top of your priority list it should be, because the dangers are real and your employees’ mistakes can be very costly.

Fact #2: Identity theft and fraud attacks against small and mid-sized businesses skyrocketed from 18 percent in 2013 to 31 percent in 2015 and the numbers are on the rise.

Unfortunately, however much interest we put into security and discovery innovations to create an in-depth defense strategy, the reality is one wrong click from an employee innocently surfing the internet can instantly hand over your sensitive information to an identity thief.  The small mistake of opening a seemingly harmless email can upload a virus to your hardware and go unnoticed for weeks, if not months, causing irreparable damage.

Fact #3: Only 29 percent of companies with fewer than 10 employees are acting to protect against security risks.

Less than one third!

Are you part of that 71% that don’t?

There’s as much as $1 billion a year stolen from small and mid-sized businesses in North America and Europe and the numbers are only going to increase, says Mike Gross, global risk strategy director with 41st Parameter, a business fraud prevention firm owned by the credit reporting giant Experian.

Here are five must-take steps to make it tougher for offenders to steal your valuable information:

• Use an EIN: As a business owner you may operate as a sole proprietorship under your Social Security number, even if your business has employees.  Just because you have the freedom to do so doesn’t mean you should.  It’s generally safer for sole proprietors to use an EIN.  Keeping your business and personal finances separate is a must for several reasons, including identity theft prevention.
• Protect sensitive files: From bank statements to tax returns, your business likely has paper and electronic files that hold sensitive information.  Use a secure mailbox, shred documents you don’t need, and keep sensitive files in a locked area or other secure location to avoid theft.
• Be proactive: It’s crucial to use passwords or restrict employee access to certain documents.  Establish a clear protocol to follow in the event of a data breach, including assigning an employee to manage the breach and devise what actions need to be taken.
• Try to avoid the “bring your own laptop” trend: Countless companies now allow employees to use their personal computers, cell phones and other devices for work. This presents risks to a small business where, for example, an employee brings a compromised device into work and accesses secure files.  Unfortunately, you’ve just allowed a trusted employee to unknowingly compromise your sensitive information.
• Check statements regularly:  This is one of the best ways to halt fraud before it gets out of hand.  Experian and other credit reporting agencies offer monitoring services that can help.  It’s also a good idea to assess your banking agreements to determine whether your business accounts have protection against fraud.  In addition, review your insurance policies to see what coverage you have in case of a data breach.
• Despite the best efforts of many businesses, data security trends are headed in the wrong direction.  We looked back at hundreds of events throughout 2016 into 2017 to identify the top causes, in hopes we can try to limit the numbers for 2018.

 

We pulled data from the IRS and found business identity theft cases rose 250 percent through the summer of 2017.  For example, the U.S. recorded 4,000 business identity theft cases in 2016, and through August this year it’s 10,000 cases and climbing.  When you put that into numbers, business identity theft caused $15.3 billion in damage in 2016, up from the $13 billion in 2015.

When we took a closer look at the underlying issues that allowed the identity theft incidents to occur, we found one common thread: Attackers are increasingly relying on phishing emails to sidestep IT security systems.  It’s an inexpensive, but highly effective attack route to gain access to an otherwise well-secured network. Social media outlets, such as LinkedIn and Facebook, provide a treasure trove of information for attackers to identify and target employees with carefully crafted phishing emails.

Here’s another example: Criminals and IT thieves are constantly producing fake social media pages and disguising themselves as someone who seems like another person in your industry.  They reach out to connect and look as reputable as anyone.  Remember to take a minute before you accept their request.  Always be proactive in screening people, because you never know if they’re a legitimate contact just trying to expand their network or a potential security threat trying to access information about your business and how to infiltrate your company.

So…What should all this mean to you?  What should your business do?

Truth be told, there is no one-size-fits-all approach.  How you address the human component of data protection requires execution of several technical, managerial, and procedural precautions, unique to your business.  Below are some guidelines and tips to keep in mind:

• Data security awareness and training: Dispose of old devices, but first wipe the data. Train your employees and take part in programs with companies who handle sensitive information, like Secure Document Destruction of St. Louis.  Your organization’s information security policies and procedures should be part of the onboarding process and included in periodic training. These programs should be continuously updated to address the constantly evolving threat as well as staffing changes that could impact data privacy and security.  For more information on these topics please visit the FCC website @ https://www.fcc.gov/general/cybersecurity-small-business
• Simulate phishing tests: Try testing “data breaches” by sending phishing attacks on employees.  You are a step ahead by training users on how to identify and avoid phishing messages.  It could help your organization measure the vulnerability of your employees and identify the ones that need additional training.  There are many resources available, such as NTP Security Enterprises, a premier St. Louis company that specializes in these types of programs.  Visit them @ https://ntpcybersecurity.com for more information.
• Fully encrypt your devices and storage: The regularity of stolen devices containing sensitive information will continue to rise as more users store sensitive data on their laptops, mobile devices, and portable storage devices. Always implement complete encryption on all devices that contain sensitive data.  Visit the link below for a list of 2016’s top software systems for your business. https://www.pcmag.com/business/directory/encryption
• Use data loss prevention software: Your sensitive data can be breached by mistake or malicious intent.  Data loss prevention software is intended to prevent users from sending sensitive data outside your network without authorization.
• Clearly define employee access rights and privileges:  Employees should have access to only the data they need to do their job.  If you must allow them access to sensitive information, it should only be approved for the minimum time necessary.  Never forget to enforce strong standards for user identities and passwords.

When security breaches make headlines, they are often about corrupt groups in other countries. These kinds of stories are exciting to read, but they mask the reality that most breaches are caused by an action or failure by someone inside the company.

To this point, when we’ve mentioned employee mistakes causing security issues, we’ve been referring to honest people making honest mistakes.  There is another side: those employees who want to damage you.  It’s the threat you’d never expect.  They normally will fly below the radar of many detection technologies and can erase evidence of their activities to further deter investigations.

It’s a perfect crime.

Fortunately, the rise of Artificial Intelligence makes spotting insider threats easier and less invasive.  These technologies help businesses detect and prevent potential hacks and security threats to their systems.  Their cognitive processes are able to continually learn and make reliable decisions based on the data that your business is taking in.  However, even with advances in technology, you and your managers need to be aware of what to look for and how to focus security efforts to get the greatest returns on protection:

• We are creatures of habit: Your employees come to work at the same time and do familiar tasks.  The same can be said for how they use and interact with technology.  Uncover abnormalities in behavior at the level of individual employees, making it much easier to spot when your security has been compromised.
• Security is constantly evolving.  Educate yourself on your security risks, and screen at-risk employees.

By covering your basics, you can and will make the biggest impact on theft.  Every extra precaution you take, makes you that much less susceptible to theft from a person or an organization stealing your precious information.

Don’t forget the fundamentals:

• Use an EIN
• Protect your sensitive files
• Be proactive.
• Always make sure you’re the first to know.
• Try to avoid the “bring your own laptop” trend
• Check your statements regularly

These basic guidelines can have a significant impact on reducing your vulnerability to a data breach.

So, after reading this, we at Secure Document Destruction of St. Louis (SDDSTL.com) hope when you see the next scandalous headline about some Equifax’ian breach by an external hacker that you remember that these major attacks account for less than half of the breaches out there.  As you now know, the thief probably used the identity of an unsuspecting employee to pull it off.

Act now to make sure your organization isn’t the next one in the headlines.

If you have any questions, concerns, or tips, we’d love to hear from you.

Please visit our website at www.sttstl.com or if you’d like to learn more, give me—John Steinhauser—a call at (314)795-0004 or email me at john@sddstl.com

And, stay safe out there!

 

John Steinhauser, co-owner, Secure Document Destruction of St. Louis (SDD).

John has lived and breathed the document security industry for the last decade.  John prides himself on SDD’s ability to innovate and consistently stay ahead of the curve.  However, his approach toward the business has stayed consistent, delivering incredible customer service and complete document destruction for the St. Louis area.

Don’t Let Your Children Fall Victim To Identity Theft When Heading Back To College

Summer is almost over.  The days are getting shorter.  Another school year is ready to kick off, if it hasn’t already for your family.  You know what that means… forms, forms and more forms:

• Enrollment
• Scholarships
• Sports teams
• Greek life

The list goes on and on.  As eager as they may be to start another year with friends and classmates, someone else is just as eager for a new school year to start.

• Hackers
• Scammers
• Online predators
• Identity thieves

A new school year means a wealth of new online and paper data left subject to theft.

Many universities claim to have gone “paperless,” which may save time and prevent human error mix ups, but the sad truth is, there’s still countless amounts of documents sent that can and will leave opportunities for someone to invade your child’s privacy.

We’ve scoured countless government surveys and calculated that a staggering 16 million Americans were victims of identity theft in 2016. The Javelin report highlighted that $16 billion was stolen from consumers.  That’s an average of $1,000 per person!  As parents ourselves, the most painful aspect of the Javelin report was that student identity theft numbers are skyrocketing.

When the Secure Document Destruction St. Louis team dug deeper, we realized the vast majority of this theft was related to instances in which family, friends, roommates, and acquaintances are a risk factor for your child’s secure information to be stolen.

“Often people who know you have access to your personal information,” said Al Pascual, director of fraud and security at Javelin. “If they live in the same place, they may have access to information you leave lying around the house; they can intercept phone calls meant for you.”

Most college students apply for their first job, open a bank account, make online purchases and apply for financial aid, all of which require personal information such as a Social Security number, date of birth, home address and sometimes much more.

Anyone can be a victim of identity theft and the numbers coming from the college sector are only rising.  As they get started, consider these tips for keeping your child’s personal information safe.  Don’t let your student join the nearly one million Americans affected by identity theft.

• Safeguard his/her SSN. Make sure they’re not carrying their Social Security card with them. Always have it locked away and put in a secure location.
• Have their personal documents destroyed.  Always have your child destroy any piece of paper with their personal information.
• Fill out the simple form below to download our top 10 tips for avoiding identity theft.

At SDD we want to make sure you and your child are taking the necessary precautions to avoiding identity theft.

SDD realizes that the act of trusting, oversharing, or not adequately protecting access to your student’s electronic devices are the most common mistakes they can make with regards to handing out their personal information.

FOR MORE INFORMATION OR A FREE QUOTE, CONTACT US.