Every year, thousands of fraudulent tax returns are filed, costing taxpayers billions of dollars. The IRS has estimated that it paid out $5.8 billion through fraudulent tax returns in the 2013 tax season, and that is expected to rise to an estimated $21 billion in the next year or two. Nearly every state has also seen a significant rise in the number of fraudulent returns filed. (source: www.gao.gov)

Criminals only need three items of information about you to strike: your name, date of birth, and Social Security Number. Once they have possession of this information, a return is filed on your behalf, misstating information to produce a larger refund and diverting funds to their own bank accounts. There are many avenues of attack for criminals to take to find this information:

• Through one of the many data breaches that occurred in 2015 (781 breaches exposing 169,068,506 records have been publicly disclosed nationally) (source: Identity Theft Resource Center). This information is often posted online or sold.
• Using phishing emails to access accounts with permission to view information. Drake faculty and staff are at an elevated risk due to our public contact directory.
• Posing as a customer service agent or financial institution employee and asking you to “verify your identity”. In many cases a name and last four digits of your Social Security Number are all that’s needed for an attacker to turn around and gain additional information from your bank, doctor’s office, etc.
• Non-technical means such as dumpster diving can often provide criminals with bank statements, bills, and other information that already has your name and address, allowing them to piece together enough information to commit fraud.

Warning signs of tax fraud include:

• Receiving a letter from the Iowa Department of Revenue asking you to complete a confirmation process for a state tax return, even though you have not filed a return for the 2015 tax year.
• Having your state or federal tax return rejected due to an income tax return already filed in your name.
• Receiving an unsolicited Visa or MasterCard debit card in your name through the U.S. mail.

You can determine if a federal tax return has been fraudulently filed in your name by visiting www.irs.gov/Individuals/Get-Transcript and completing the registration process. If you see a 2015 tax transcript that you did not file, you are likely a victim of tax refund fraud. Note that if you have put a security freeze on your credit through the credit reporting bureaus (more on how to do so below), you will not be able to get IRS transcripts online but may request a transcript by U.S. mail.

If you receive a communication or state return from the Iowa Department of Revenue and have not filed a tax return this year or information on the return is incorrect, your best option is to call them directly at 515-281-3114 or 800-367-3388.

In the event that a fraudulent state or federal tax return has been filed in your name, follow these steps to remediate the issue quickly:

1. Do not wait until the deadline to file your state or federal taxes. You will likely need to submit both your state and federal taxes using paper forms through the U.S. mail if you have been victimized by tax fraud. Take this into account when planning your schedule for filing your taxes. It is best to use Certified Mail when sending your return.
2. Complete IRS Form 14039, Identity Theft Affidavit. Use a fillable form at IRS.gov, print, then mail or fax according to instructions. While you may fax or mail the form, do not do both. According to conversations with local IRS representatives, it is best to send this form with your paper tax filing, but it can be submitted after the fact if you have already mailed your documents.
3. File a report with the local police. Local law enforcement will take an official report and provide you with a copy. Contact your local police agency directly for information on how to complete this report.
4. File a complaint with the Federal Trade Commission. This can be done online or through the FTC Identity Theft Hotline at 877-438-4338 or TTY 866-653-4261.
5. Place a fraud alert on your credit report. Contact one of the three major credit bureaus:
   —Equifax: Equifax.com, 800-525-6285
   —Experian: Experian.com, 888-397-3742
   —TransUnion: TransUnion.com, 800-680-7289
   Note that you will need to contact only one of the above credit bureaus to set a fraud alert on your credit report, which serves as a cautionary flag to notify lenders they should take special precautions to ensure your identity before extending credit, such as contacting you at a phone number you provide when you establish the fraud alert. There is no charge to place a fraud alert. The initial alert lasts 90 days and can be renewed.
6. Close any accounts opened without your permission. For example, if you received a prepaid debit card that was not authorized by you, call the number on the back of the card (the customer service number) to close the card, or cut the card in half and return by mail to the issuer with a letter indicating you did not open or authorize the account to be opened in your name.
7. Respond to IRS notices you receive through the U.S. mail. If you receive a notice from the IRS through the U.S. mail regarding a fraudulent return filed in your name, respond immediately by calling the number provided in the letter. You may verify the phone number on the IRS website. Note that the IRS does not communicate via email; do not respond to such email messages and instead forward them to informationsecurity@drake.edu for technical analysis and blocking.
8. Continue to pay your taxes and file your tax return, even if you must do so by paper. If your state or federal tax return is rejected due to an income tax return already filed in your name, which you did not authorize, you will generally need to file a paper return this year.

If you have any concerns or questions relating to tax fraud, have been a victim, or would like more information on this topic, please contact Information Security staff within Drake Technology Services at informationsecurity@drake.edu

—Submitted by Peter Lundstedt, Information Security Analyst