Tax identity theft
Last reviewed: · by TaxProsRated editorial
Key points
Tax identity theft occurs when an unauthorised party files a fraudulent tax return using a victim's Social Security Number (or equivalent) to claim a refund. US: file Form 14039 and register for an IP PIN. UK: contact the HMRC fraud line and dedicated victim recovery. Most major economies have analogous victim-recovery processes administered by the national tax authority and the national identity-fraud authority.
What is tax identity theft and how does it manifest?
Tax identity theft is the use of a victim's tax-identification number (US Social Security Number, UK National Insurance Number, India PAN, etc.) by an unauthorised party to file a fraudulent tax return claiming a refund the victim is entitled to receive. The most common pattern: an organised-crime ring acquires SSNs through data breaches, social engineering, or insider sources at financial institutions, files early-season fraudulent returns using fabricated W-2 data, and directs the refund to a prepaid debit card or controlled bank account. The victim typically discovers the theft when they attempt to file their own legitimate return and the IRS rejects it as a duplicate filing. Secondary patterns include employment-related identity theft (an unauthorised party obtains employment using the victim's SSN, generating W-2 income that is reported to the IRS but never actually reaches the victim) and dependent identity theft (the SSN of a victim's dependent is claimed by an unauthorised filer for the Child Tax Credit). The US IRS reported ~1 million flagged tax-identity-theft cases per year at the 2015 peak; the figure declined materially post-2018 with improved fraud-detection systems but is still substantial.
How does the US recovery process work?
The US victim-recovery process is administered by the IRS Identity Theft Victim Assistance unit. Key steps:
(i) File Form 14039 (Identity Theft Affidavit) with the IRS. This establishes the formal claim of identity theft and triggers a victim-protection flag on the SSN account.
(ii) File the legitimate return on paper with Form 14039 attached. Do not file electronically: the duplicate-filing rejection blocks e-file.
(iii) Request an Identity Protection Personal Identification Number (IP PIN) through IRS.gov. This is a 6-digit PIN required on all subsequent filings to prevent recurrence.
(iv) Report the theft to the FTC at IdentityTheft.gov for the broader credit-monitoring and identity-recovery resources.
(v) Place a Fraud Alert or Credit Freeze with the three credit bureaus (Equifax, Experian, TransUnion).
The IRS Taxpayer Protection Program (TPP) and the Identity Theft Victim Assistance unit handle the substantive case resolution, which typically takes 6-9 months with refund release at the end. The IP PIN program has been expanded post-2020 to all US filers; voluntary registration prevents fraudulent filings even before any theft has occurred. The post-2023 Tax Practitioner Identity Theft framework provides parallel protection for tax preparers facing PTIN-related identity theft.
What prevention measures should filers take?
Common prevention measures practitioners discuss with clients:
(i) Register for an IP PIN voluntarily. It adds a layer of verification that prevents fraudulent filings even before any theft occurs.
(ii) File early in the tax season. First-mover advantage prevents fraudulent filings from being processed first.
(iii) Place a credit freeze with all three credit bureaus to prevent unauthorised account-opening.
(iv) Review the annual Social Security Statement at SSA.gov for unfamiliar earnings (an early warning of employment identity theft).
(v) Secure tax-document storage. Physical and digital W-2s, 1099s, and prior-year returns should be stored securely, with digital copies encrypted at rest.
(vi) Avoid public WiFi for tax-software access.
(vii) Screen email for phishing. IRS communications never originate via email or text.
(viii) Review bank-account statements for unfamiliar tax-refund deposits, which indicate fraudulent filings using your SSN.
The IRS publishes Publication 5027 (Identity Theft Information for Taxpayers) with the comprehensive checklist; the FTC publishes the broader IdentityTheft.gov resource with cross-agency recovery steps. Tax practitioners should also implement the Written Information Security Program (WISP) requirements under the Gramm-Leach-Bliley Act and the FTC Safeguards Rule, mandatory for all tax preparers from 9 June 2023.
How do other jurisdictions handle tax identity theft?
Most major economies operate analogous victim-recovery processes administered by the national tax authority.
UK: HMRC operates a dedicated identity-theft and tax-fraud reporting line; victims complete a Suspicious Email Form for phishing or call HMRC's fraud helpline. The Action Fraud national reporting framework operates alongside for the broader identity-theft response.
Canada: CRA operates an Identity Theft Reporting webpage with a formal claim process via 'My Account' or by paper submission. CRA also operates the Verification of Identity (VOI) protocol for high-risk filers.
Australia: the ATO Identity Theft and Tax Fraud line and the ScamWatch national framework. The Tax Practitioners Board operates a parallel framework for registered tax-agent identity theft.
Germany: the Bundeszentralamt für Steuern victim-recovery process is administered locally by the Finanzämter.
France: the DGFiP victim-assistance process runs via the impots.gouv.fr portal.
India: PAN-related identity theft is handled through the Income Tax Department's e-filing portal, with mandatory Aadhaar-PAN linking providing additional verification.
The cross-jurisdictional pattern: most major economies have moved to multi-factor authentication for tax-portal access since 2020, with material reduction in fraud incidence; when fraud does occur, the recovery process for victims typically takes 3-12 months depending on jurisdiction.
What scams do practitioners commonly see?
Common scam patterns practitioners catch:
- Phishing emails purporting to be from the IRS or HMRC requesting account verification or password reset. Both authorities communicate via mail, never email or text for substantive matters.
- Phone scams claiming the victim owes back-tax with immediate-payment demand via gift card or wire transfer. The IRS uses certified mail and follows due-process procedures, never demands immediate payment.
- Tax-preparer scams where a preparer files inflated refunds under the victim's name and pockets the excess. Tax practitioners are required to provide a copy of the prepared return and to sign with their PTIN.
- W-2 phishing targeted at corporate payroll departments to extract employee W-2 data en masse for downstream identity theft.
- Stolen-identity refund fraud (SIRF) at scale by organised-crime rings.
- Employment identity theft discovered via Social Security Statement review showing unfamiliar earnings.
- Dependent identity theft where a non-custodial parent or unrelated party claims the victim's child as a dependent.
The compounding effect is real: a single SSN-data-breach event can produce identity-theft consequences across multiple years and multiple agencies (IRS, SSA, FTC, state tax authorities).
Frequently asked
What is tax identity theft and how does it manifest?
Use of victim's tax-ID (SSN, NI Number, PAN) by unauthorised party to file fraudulent return claiming refund. Common pattern: organised-crime ring acquires SSNs via data breaches, files early-season fraudulent returns with fabricated W-2 data, directs refund to controlled account. Victim discovers when own legitimate filing is rejected as duplicate. US IRS reported ~1m flagged cases/year peaking 2015 [SC1].
How does the US recovery process work?
IRS Identity Theft Victim Assistance: Form 14039 Identity Theft Affidavit + paper-file legitimate return + IP PIN registration (now available to all filers) + FTC IdentityTheft.gov + Fraud Alert/Credit Freeze with bureaus. Resolution typically 6-9 months. WISP mandatory for tax preparers from 9 June 2023 under FTC Safeguards Rule [SC1].
What prevention measures should filers take?
Register IP PIN voluntarily; file early in season; place credit freeze with all 3 bureaus; review SSA Statement for unfamiliar earnings; secure tax-document storage encrypted; avoid public WiFi; screen email for phishing (IRS communicates via mail not email/text); review bank-account statements for unfamiliar refund deposits. IRS Pub 5027 + FTC IdentityTheft.gov comprehensive checklist.
How do other jurisdictions handle tax identity theft?
Most major economies operate analogous victim-recovery via national tax authority. UK HMRC dedicated fraud line + Action Fraud. Canada CRA Identity Theft Reporting + VOI protocol. Australia ATO + ScamWatch + myID. Germany BZSt + Finanzamt + ELSTER MFA. France DGFiP + THESEE. India ITD + Aadhaar-PAN linking + cybercrime.gov.in. Singapore SingPass robust national identity-verification reduces fraud incidence relative to peers.
What scams do practitioners commonly see?
Phishing emails purporting from IRS/HMRC requesting verification; phone scams demanding immediate gift-card payment; tax-preparer scams filing inflated refunds and pocketing excess; W-2 phishing targeted at corporate payroll departments; SIRF (stolen-identity refund fraud) by organised-crime rings; employment identity theft discovered via SSA Statement; dependent identity theft. IRS communicates via mail, never email/text for substantive matters.
Important disclaimer
Informational only — not tax advice. This page summarises publicly available information about tax as of June 2026. Tax laws change, individual circumstances vary, and the application of any rule depends on your specific facts.
TaxProsRated does not provide tax, legal, accounting, or financial advice. Before acting on anything you read here, consult a qualified tax professional licensed in your jurisdiction. TaxProsRated, its operators, and its contributors disclaim all liability for action taken in reliance on this page.