Last year I was a victim of tax return fraud, and through the IRS’s Taxpayer Advocate Service (blessed as I am by both Disability and Financial Hardship) I was able to clear up the matter and receive my refund before the end of summer. I have read that some people have waited two years or more, or are still waiting.
The thief who vandalized my TurboTax return was able to do so by the method I described here. If you forgot your 5-number PIN, which is required to submit your return electronically, all you had to do was enter a zero as the first number and any other 4 numbers of your choice! I know this was done to my 2011 tax return because TurboTax data shows the thief first submitted the return with a PIN that was rejected, and within minutes re-submitted the return with five zeroes as the PIN.
I complained about this idiotic IRS-mandated solution (according to TurboTax) to every level of the IRS I could reach. Why, I asked, were PINs not governed by the same security measures as are used by every website on the Internet that uses passwords? At no other website would I be able to enter zeroes (or any other substitution) in place of my password and be able to gain access to my account! Indeed not! Questions are asked to previously supplied answers and the password (or the ability to change the password) are sent to the email address on file. Why should a tax payer not be required to undergo the same security measures to get their forgotten PIN? The question is so ludicrous, it seems impossible that the IRS irresponsibly allowed the practice.
When I filed my taxes this year, not only was I required to input a special Identity Protection PIN provided by the IRS as a result of the theft in 2011 (this PIN is totally separate from the PIN referred to above), when I reached the section where the old 5-number PIN would have played its role, I was required to send information to the IRS via a web form or to call them for help. Because the web form required information from last year’s return, and since the fraudulent return was received first, the fraudulent information had to be entered. Since I no longer had my notes on what the thief had used as my address and email last year, and most importantly did not have the AGI amount from last year, I could not avail myself of satisfying the requirement electronically. I had to call the IRS. After interminable treatments of elevator musak and being passed to special agents who never answered, I finally chanced upon an IRS employee on my third attempt who provided me with the bogus information (but only after I satisfied her that I was, indeed, who I claimed to be) needed to jump the final hurdle.
Returns submitted with the extra Identity Protection PIN will ensure that the IRS actually looks at my submission to see if it is a forgery before processing the return, no matter how the return was submitted. This is a comfort, certainly, but why does the IRS not do this automatically for all returns? Certainly, at the very least, critical data (like name, address, SSN and dollar amounts) should be electronically checked against the IRS records and forms submitted by employers and banks, etc.
And just think, the IRS finally plugged this security hole after only twelve years (IRS e-file became operational nationwide and 4.2 million returns were filed electronically in 1990) and the loss of who knows how many millions of tax payer dollars. Have stupidity and incompetence actually been replaced by intelligence and proactivity?
Only the IRS response to the next method of theft will tell that tale, because we all know thieves are one step ahead of the game and can turn a ounce of protection into an opportunity to cause havoc, commit mayhem and steal our money.