Your clients may soon wonder if their key ID information is in criminal hands after headline hacks such as Equifax – a data break-in potentially affecting 143 million people, revealing Social Security numbers, driver’s license data and birth dates. According to the Federal Trade Commission, identity-theft complaints declined slightly from 2015 to 2016 (the latest year statistics are available), with 399,225 complaints of ID theft.
A little less than a third of those consumers reported that their data was used to commit tax fraud. Authorities also fear that the Equifax information may surface most strongly this coming tax-filing season, when criminals will use phony information to file tax returns and steal refunds.
Tax-related ID theft is when your client’s SSN has been compromised on any tax filing, such as phony tax returns or false W-2 forms. “IRS systems are set up to accept one return per year per tax ID number/SSN. Any subsequent returns filed by others will be rejected,” says Janet Lee Krochman, CPA in Costa Mesa, Calif. (The later your client files before mid-April, the more time for a return to have been filed fraudulently.)
“First, determine whether your information has been compromised,” adds Dr. Sean Stein Smith, CPA, assistant professor in the Department of Economics and Business at Lehman College in New York and member of the Financial Literacy Commission. “The IRS has several hotlines that taxpayers can use, and taxpayers should also consult with their CPA or tax professionals to determine next steps.”
Consequences of tax-related ID theft are numerous, but according to Stein Smith the most damaging can include not just fake tax returns and misdirected refunds but also having information used to open up credit cards or false mortgages or secure loans in your client’s name. “High-net-worth individuals may be potentially targeted for both account takeover and new-account fraud due to the value of their accounts and their good credit profile,” says John Krebs, an attorney with the Federal Trade Commission’s Division of Privacy and Identity Protection, where he currently leads the Identity Theft Program.
Some tax-fraud tip-offs seem obvious. Jessica Grant, tax specialist at Smith & Gesteland in Madison, Wis., knows of a high-net-worth couple who are victims of tax-related ID theft. “A fraudulent return was filed using their SSNs,” she says. “The suspicious activity was that the fraudulent return was trying to claim the Earned Income Tax Credit,” which is granted to low-income taxpayers.
If your client wants to find out if another return has been filed, he or she should contact the IRS or the state taxation agency by phone. If victimized, your client will receive a letter from the IRS or state tax authority with specific instructions as to what to do, a case number and where to send a response or additional documentation. For federal returns, victims are asked to complete Form 14039, “Identity Theft Affidavit.” Once it’s determined that a phony return has been filed with your client’s information, he or she can request a copy of the return by filing a Form 4506-F, “Request for a Copy of a Fraudulent Tax Return.”
(The IRS and state tax departments use mail and not the phone or electronic media to initially contact taxpayers, nor do they request personal or financial information over the phone or electronic media.)
Security measures may also soon slow your clients’ tax processing. For instance, the IRS will issue an e-filing IP (identity protection) PIN to the legitimate taxpayer for electronically filing future returns. “There have been discussions whether everyone should get an IP PIN. I think this will make preparing returns difficult because clients will not let us know their IP PINs,” notes Lawrence Pon, CPA in Redwood City, Calif.
Source: www.fa-mag.com JEFF STIMPSON
Equifax is one of the largest credit reporting agencies in America, which makes an announcement the company just issued particularly disconcerting. An unauthorized third party gained access to Equifax data on as many as 143 million Americans. That's nearly half the population of the United States as of the last census.
By Lee Mathews, Contributor, Forbes
Equifax announced the incident this afternoon. According to the report, the breach was discovered on July 29th. Included among files accessed by hackers was a treasure trove of personal data: names, dates of birth, Social Security numbers, addresses.
In some cases -- Equifax states around 209,000 -- the records also included actual credit card numbers. Documentation about disputed charges was also leaked. Those documents contained additional personal information on around 182,000 Americans.
So how did hackers gain access to the Equifax data? By exploiting a vulnerability on one of the company's U.S.-based web servers. On the surface, at least, that seems to indicate that one of the three major U.S. credit bureaus was victimized by a relatively unsophisticated attack.
Alex Heid, chief security researcher at SecurityScorecard, has seen this before. "As surprising as it seems, the same web application vulnerabilities from decades ago are still some of the primary vectors that are leveraged by hackers in modern attack scenarios," he said in a comment to Forbes. Heid added that "it seems that the underlying legacy codebase that handled the [Equifax] web application was vulnerable enough for an attacker to exploit."
Personal data like this is a major score for cybercriminals who will likely look to capitalize on it any way they can. One of those ways is by selling off bits like SSNs and drivers' licenses -- which can fetch as much as $20 apiece, according to Patrick Tiquet, Director of Security & Architecture at Keeper Security. And even though Social Security numbers sell for just 1/20th that price, multiply that by 143 million and the attackers could be looking at a major payday.
Another way they may try to profit is by launching targeted phishing campaigns. Noted security researcher Kenneth White believes that "Based on the disclosure, the impact of this could be as far-reaching as the OPM breach." The OPM -- Office of Personnel Management -- fell victim to a hack in June of 2015. Months later, ransomware criminals used the 22 million stolen email addresses to launch a large-scale attack.
The July breach is not the first the company has had to deal with. Earlier this year its TALX payroll group was victimized by hackers. Equifax also isn't the only U.S. credit bureau to be successfully attacked. Experian, the second of the three major bureaus, saw hackers gain unauthorized access to data on 15 million Americans in 2015.
It all paints a pretty grim picture of security at the credit bureaus. Noted researcher Brian Krebs feels that the bureaus "have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers."
That oversight could well be coming. Senator Mark Warner, who leads the Senate Cybersecurity Caucus, is extremely concerned about the Equifax breach. "It is no exaggeration to suggest that a breach such as this," he said in a statement, "exposing highly sensitive personal and financial information central for identity management and access to credit -- represents a real threat to the economic security of Americans."
Warner also mentioned the need to "create a uniform data breach notification standard" and "rethink data protection policies."
For its part, Equifax disclosed the breach quickly and was quick to point out that its "core consumer and commercial credit reporting databases" were not accessed. The roughly 400,000 individuals whose credit card numbers or dispute data were accessed will be notified directly by mail.
The company has created a dedicated website to educate those impacted about the risks, and a call center is open from 7am to 1am Eastern to answer questions. Equifax will also be providing free credit monitoring services for all those affected -- you may need to try a few times to complete the registration process as servers have been overwhelmed with requests thus far.
A growing threat to mobile security is hitting cell phones across the country.
By Airtalk scpr.org
An article published this week in The New York Times says hackers have been deceiving some of the world’s largest mobile service providers and transferring phone numbers and account information to a device hackers have in their possession.
Once hackers take control of a mobile number, they have the ability to reset passwords for Facebook, Twitter and Google accounts that use cellphones as backup. For example, if a hacker clicks “forgot password” on a login page and sends a reset code to the commandeered cell phone, they can take control of accounts in the time it takes to send a text message.
According to the Times, the attackers are targeting people who discuss owning virtual currencies on their social media accounts. But it’s not limited to them.
Lorrie Cranor, professor of computer science at Carnegie Mellon University, joins the show to walk through the new form of mobile hacking.
What steps do you take to protect your mobile account information?
On December 1, all employers would have been required to comply with the Department of Labor (DOL)’s new overtime rules. The rules increased the minimum salary required to be considered exempt from overtime under the Fair Labor Standards Act (FLSA). The DOL estimates that approximately 4.2 million workers will be impacted. We urge our clients to stay tuned to assess the impact on their business and ensure that their pay practices comply with the FLSA. We can help you with any questions.