With tax filing season winding down, there have been numerous stories in the press regarding tax fraud resulting from identity theft, including a small number of cases affecting Duke employees that are currently being investigated. The investigation gives no indication that these cases resulted from a compromised system at Duke. Nonetheless, we recognize that this is an increasing threat for everyone and so we are sending out this alert to raise awareness of these issues, and to provide recommendations for protecting your tax records with the IRS.
Who is responsible for the increase in fraudulent returns?
No one knows for sure, but many people are chalking up the spike to the increased number of data breaches last year involving victims' personally identifiable information and not from the compromise of one specific vendor. For example, see: http://wtnh.com/2015/03/03/spike-in-tax-fraud-this-filing-season/
To proactively protect yourself:
Going forward, we’d highly recommend that you consider the following:
- Register with the IRS to have them provide you a PIN Number each year for your filing (http://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN).
- Sign up for an account at irs.gov before the bad guys do (http://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-i...).
- Consider putting a permanent freeze on your credit at the credit reporting agencies, or using a credit protection service. If you do this, you will have to temporarily lift the freeze if you are applying for a loan or other credit. More info can be found on these sites:
Experian - https://www.experian.com/freeze/center.html
Transunion - http://www.transunion.com/securityfreeze
Equifax - http://www.equifax.com/help/credit-freeze/en_cp
If you find that you have been the victim of identity theft through tax fraud, please take these steps immediately:
The first thing you will want to do is call your local law enforcement and file an identity theft report. This will be needed in case the perpetrators are found and a case can be made against them. You will also want the police report when dealing with the credit reporting agencies to clear up any accounts that may have been opened using your information.
Second, you will want to review the IRS recommendations for next steps. You will see instructions to:
- Contact the FTC and file an identity theft report.
- Contact the 3 credit reporting agencies and get a fraud alert placed on your credit.
- Fill out an identity theft affidavit with the IRS.
When you contact the IRS, they should also be able to help you with the steps you will need to follow to clear up this year’s filing.
Finally, please let us know by contacting your HR representative and/or emailing firstname.lastname@example.org. These reports help us to identify whether or not the source of the identity theft came from a system at Duke.
Where can I find out more?
Brian Krebs reports on this frequently, and is a good source of information: http://krebsonsecurity.com/?s=tax+return+fraud&x=0&y=0
Also, here is a good overview of the current problem from CNN Money: http://money.cnn.com/2015/02/10/technology/security/hackers-tax-refund/