recommended reading

Report: Identity theft is more prevalent than IRS data shows

Identity theft-related tax fraud is more widespread than Internal Revenue Service statistics indicate, according to a new report from the Government Accountability Office.

The IRS catalogued more than 50,000 incidents of identity theft and employment fraud in 2008 and stopped 90 percent of fraudulently claimed tax refunds before they were processed, according to the report (GAO-09-882). But the "data provides an incomplete picture of the amount of identity theft-related fraud occurring at IRS," said James White, director of tax issues on GAO's strategic issues team.

Limited resources and the large number of mismatches in employer-provided versus taxpayer-reported wage data make it difficult for the IRS to pursue every case of potential fraud, the report noted. Also, agency officials have difficulty detecting incidents where a thief steals the identity of a person with no tax filing obligation, such as a child, and files returns and pays taxes using that person's name and Social Security number. "From IRS' point of view, a tax return has been filed with a name and SSN that match and the income on the tax return matches income reported by an employer," White said.

IRS fraud-detection processes often cause incidents to go unnoticed for a long time, GAO added. "It is only after IRS notifies a taxpayer of unreported income that IRS may learn from the taxpayer that the income was not his or hers and that someone else must have been using his or her identity," White said. "By the time both the victim and IRS determine that an identity theft incident occurred, well over a year may have passed since the employment fraud."

The IRS can't identify how many incidents of fraud go undetected, partly because it lacks metrics to assess the effectiveness of existing efforts, according to the report. For example, the IRS does not measure the number of false positives -- where a legitimate return is flagged as being fraudulent -- or false negatives. The agency also fails to track the cost or time required to resolve cases referred to employees.

IRS Commissioner Douglas Shulman agreed with GAO's recommendation to develop performance measures to assess the effectiveness of identity theft initiatives by the beginning of the 2010 filing season.

"The security and privacy of taxpayer information is of the utmost importance to the IRS," Shulman wrote in response to the report. "I have made it a priority of this agency to reduce the burden placed on the taxpayer and the tax system because of identity theft."

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.