Perfect timing, as I’ve been thinking about this a lot. Unfortunately, they don’t seem to have many answers.
What the GAO found (from their summary):
Understanding the extent and nature of identity theft-related refund fraud is important to crafting a response to it, but Internal Revenue Service (IRS) managers recognize that they do not have a complete picture. Program officials said that one of the challenges they face in combating this type of fraud is its changing nature and how it is concealed. While perfect knowledge about cases and who is committing the crime will never be attained, the better IRS understands the problem, the better it can respond and the better Congress can oversee IRS’s efforts. IRS officials described several areas where the extent and nature of identity theft is unknown.
- Total number and cost of fraudulent returns. IRS does not know the full extent of the occurrence of identity theft. Officials said that they count the refund fraud cases that IRS identifies but that they do not estimate the number of identity theft cases that go undetected.
- Identity of the thieves. Unless IRS pursues a criminal investigation, IRS generally does not know the real identity of the thieves.
- Whether a fraudulent return is an individual attempt or part of a broader scheme. Identifying new schemes or significant cases, such as one thief using numerous taxpayer identities, depends on analysts noticing patterns or other indications that a few cases may be part of a larger scheme. As a result, some schemes or cases involving multiple taxpayers may go undetected.
- Characteristics of known identity theft returns. IRS officials told us that the agency does not systematically track characteristics of known identity theft returns, including the type of return preparation (e.g., paid preparer or software), whether the return is filed electronically or on paper, or how the individual claimed a refund (e.g., check, direct deposit, or debit card).
Add to the list of questions they can’t answer: how are the criminals obtaining the identity information used for these purposes? We know guess there are many sources: buying information from online fora, low-tech mail theft, insider breaches, hacking, phishing, etc. But what percent are from insider breaches, and which sector seems most vulnerable to this problem? My bet would be financial and medical, but are there any data?
Full report (GAO-13-132TNovember 29, 2012)