A new Government Accountability Office report says that, while the Internal Revenue Service was able to prevent identity thieves from pocketing $22.5 billion in fraudulent tax refunds in fiscal year 2014, more than $3.1 billion was paid out to criminals using other taxpayers' identities. But according to the GAO, the losses could grow much higher, as criminals use increasingly sophisticated methods to combat IRS security measures.
The IRS has multiple layers of protections in place to detect identity thieves attempting to file bogus tax returns, both automated and in person.
But as the GAO notes, the "sources of stolen identities are limitless," as are the opportunities for thieves to sell and trade stolen information on the black market to commit an array of other crimes.
The extent of the threat has grown worse as both governments and private industry collect more and more personal information from citizens and customers.
"Identity thieves can hack into government or commercial systems, recruit insiders (such as employees in the healthcare or education industries) to steal PII [personally identifiable information], or purchase or put pieces of PII together to create an identity," the report said.
The IRS itself was the target of a massive security breach in 2015, when hackers stole information on more than 720,000 taxpayers from the agency's Get Transcript program, which gave them a wealth of information from taxpayers' previous returns.
The IRS shut down the Get Transcript program while it worked to strengthen its security protections. The program went back online earlier this month.
The IRS has taken other steps to combat identity thieves, including moving up the deadline to Jan. 31 for companies to file W-2 forms with the agency each year. This will allow the IRS to more quickly assess whether a refund is going to the actual taxpayer, or to an identity thief.
But as the GAO notes, even moves such as this may not be enough.
In March 2016, the IRS alerted payroll and human resource professionals of a new phishing e-mail scheme where "fraudsters pose as company executives requesting personal information on employees, including W-2s."
According to the report, "[f]raudsters then have the potential to use this information to imitate the legitimate taxpayer and file fraudulent tax returns seeking refunds."
The GAO report notes that, while the IRS's efforts to strengthen the safeguards and security measures built into its Taxpayer Protection Program, which is designed to combat refund fraud, are critical, "evidence suggests that the agency’s efforts to authenticate taxpayers in filing season 2015 may not have kept pace with the evolving threat of "identity refund fraud."
The IRS last conducted a risk assessment of its TPP in 2012. The GAO recommends the agency conduct a new assessment "to identify new or ongoing risks for TPP’s online and phone authentication" program, and take actions "to mitigate risks identified in the assessment."
The GAO also wants the IRS to use new measurements to more accurately estimate the amount of fraudulent refunds it has prevented, and how many have slipped through cracks in its security.
In response to the GAO report, IRS deputy commissioner for services and enforcement John Dalyrmple said identity theft is growing at "an alarming rate with increasing complexity and sophistication."
Dalrymple said the agency realizes "more work needs to be done" to strengthen taxpayer safeguards, and that the agency will conduct an "updated risk assessment" for its Taxpayer Protection Program.
He also said the IRS had created the new position of "Identity Assurance Executive" that will spearhead agency efforts to further enhance security measures across the agency.