A local news story recently broke about some employees of my local university who had their identities stolen. This wasn’t the usual identity theft where a social security number was used to open a line of credit. This was fraudulent tax return filing. The fraudster would steal employer information found on your W-2 form, file a tax return on the employee’s behalf, and direct deposit the refund into their own bank account. So what can we do about it? What are some ideas to prevent this? How do we minimize the impact of this type of fraud?
1. Minimize the amount of your refund
Try going to your employer’s accounting department and adjusting the amount of taxes taken out of your check. A refund means more tax was withheld from your pay than you actually owe.
2. Your employer should be working to protect your identity
This is probably where your identity was leaked. It only takes one compromised person or PC, and your information is in the wrong hands. Education in basic security principles will help with a majority of this. Social engineering attempts can be made via phone, email, or in person. A company’s biggest vulnerability is the people it employs. Avoid giving any passwords to anybody. Know how to look an email over for anything suspicious. Verify any visitors in the building. Don’t give any personal information out over the phone. Be careful what you throw away or leave lying on your desk.
Data encryption should be used as much as possible. Antivirus, firewalls, and locked-down network security should be used. By locked-down network security, I mean time and day restrictions, intrusion prevention, IP/geographic restrictions, permissions on files and folders, software patches/updates, secure wireless, etc. The network should be locked down as much as possible while still allowing people to do their jobs. This is the job of the IT department.
Physical security is important too. Do you lock your PC when you leave your desk? Are your servers locked in a secure environment? Do you have privacy filters on monitors?
You cannot be overly paranoid if you’re dealing with sensitive information.
3. The IRS could do more to prevent this
Probably the biggest vulnerability is that the IRS allows direct deposit into the bank account without verifying the wishes of the person getting the refund. I understand that the challenge is proving the bank account information submitted matches the social security number on the tax refund. Neither banks nor the IRS have the time to do this, so we have to rethink how we do direct deposit refunds.
The best I can come up with is to have the IRS hold the funds and have some kind of intermediate system set up. The taxpayer would have to log in to a website and verify their identity before they can direct where their funds go. This is similar to PayPal or Dwolla.
The problem is security wasn’t thought out enough when checks and the ACH system were created. There is no security built into those systems to prevent fraud. It really needs an overhaul.
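To make the "hold the funds, then verify" idea concrete, here is an added example (not from the original post, and not any real IRS or bank system) that models the flow as a small service: the refund is parked, the destination account on the filing is never paid automatically, and only a one-time code delivered to a contact enrolled *before* filing season can unlock a destination. The class and method names, the one-time-code step, and the taxpayer and account identifiers are all assumptions constructed for illustration.

```python
"""Model of a 'hold and verify' refund release flow (added example).

The refund is HELD at filing time. Paying it out requires the taxpayer to
prove possession of a contact channel enrolled ahead of time and then name
the destination account. A filing alone never causes money to move.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Refund:
    taxpayer_id: str                 # identifier on the filing (constructed placeholder)
    amount_cents: int
    status: str = "HELD"             # HELD -> RELEASABLE -> PAID
    destination: Optional[str] = None  # set only after successful verification
    audit: List[Tuple[str, str]] = field(default_factory=list)


class RefundHoldService:
    def __init__(self, enrolled_contacts: Dict[str, str]):
        # taxpayer_id -> out-of-band contact registered before the filing
        # (constructed sample data; in practice enrolled through a separate channel)
        self._contacts = enrolled_contacts
        self._pending_codes: Dict[str, str] = {}   # taxpayer_id -> sha256(code)
        self._refunds: Dict[str, Refund] = {}

    def file_return(self, taxpayer_id: str, amount_cents: int, requested_account: str) -> Refund:
        # The account written on the filing is recorded for the audit trail
        # but is deliberately NOT used as the payout destination.
        refund = Refund(taxpayer_id, amount_cents)
        refund.audit.append(("filed", requested_account))
        self._refunds[taxpayer_id] = refund
        return refund

    def start_verification(self, taxpayer_id: str) -> str:
        # Issue a one-time code to the contact enrolled on file, never to a
        # contact supplied with the filing itself.
        if taxpayer_id not in self._contacts:
            raise KeyError("no enrolled contact for taxpayer")
        code = secrets.token_hex(4)
        self._pending_codes[taxpayer_id] = hashlib.sha256(code.encode()).hexdigest()
        return code  # returned here only so the demo can simulate delivery

    def confirm_destination(self, taxpayer_id: str, code: str, account: str) -> bool:
        # Single-use code: pop it so a replay cannot succeed.
        refund = self._refunds[taxpayer_id]
        expected = self._pending_codes.pop(taxpayer_id, None)
        supplied = hashlib.sha256(code.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, supplied):
            refund.audit.append(("verification_failed", account))
            return False
        refund.destination = account
        refund.status = "RELEASABLE"
        refund.audit.append(("destination_confirmed", account))
        return True

    def release(self, taxpayer_id: str) -> Optional[Tuple[str, int]]:
        # Funds move only from the RELEASABLE state with a confirmed destination.
        refund = self._refunds[taxpayer_id]
        if refund.status != "RELEASABLE" or refund.destination is None:
            refund.audit.append(("release_refused", refund.status))
            return None
        refund.status = "PAID"
        refund.audit.append(("paid", refund.destination))
        return (refund.destination, refund.amount_cents)


def demo():
    """Walk through the scenario from the post: a fraudulent filing arrives first."""
    svc = RefundHoldService({"TP-0001": "taxpayer@example.invalid"})  # constructed
    svc.file_return("TP-0001", 250_000, "ACCT-ON-FRAUDULENT-FILING")
    refused = svc.release("TP-0001")          # no verification yet -> None
    guessed = svc.confirm_destination("TP-0001", "00000000", "ACCT-ON-FRAUDULENT-FILING")
    code = svc.start_verification("TP-0001")  # delivered to the enrolled contact
    confirmed = svc.confirm_destination("TP-0001", code, "TAXPAYER-ACCT")
    paid = svc.release("TP-0001")
    return refused, guessed, confirmed, paid


if __name__ == "__main__":
    print(demo())
```

The point of the model is the separation of two facts the current direct-deposit path conflates: "a return was filed for this SSN" and "this person wants the money sent here." Every refused release and failed verification lands in the audit list, which is exactly the signal a fraud team would want to alert on when a filing arrives before the taxpayer has verified.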
Do you have any ideas on how to prevent this? Please leave a comment below.