Update 5/28: The AP reports that sources close to the IRS investigation say that the hackers who stole the information are located in Russia. However, the IRS Criminal Investigation Unit, the Treasury Inspector General for Tax Administration and the FBI are still investigating, so there's no official confirmation. In another shocking update, former Washington Post reporter Brian Krebs writes that his sources say "the IRS estimates that thieves used the data to steal up to $50 million in fraudulent refunds."
Original Story: For months hackers have been tapping into an Internal Revenue Service system trying to steal the tax records of hundreds of thousands of U.S. taxpayers. Today the IRS announced that hackers stole records from at least 100,000 taxpayer accounts.
This is scary! It’s not like a credit card breach where you can call your bank to cancel your card and get a new one. These hackers now have tons of personal information on taxpayers across the country. Just think of everything you list on your tax return: the Social Security numbers of you and your family, where you work, where you live, your investments, property you own and more.
All of this information is more than enough for an identity thief to tap into your good credit, open accounts in your name, wreck your finances and worse. But the way the thieves attacked the IRS systems is bad news even if your records were not stolen this time.
That's because the hackers already had enough personal information about many more victims to trick the IRS security measures into unlocking these very sensitive income tax records.
"In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer," the agency said in a statement.
The IRS system that was targeted is the website taxpayers use to download previous returns. Known as "Get Transcript," it is not the system where current returns are filed. But with the keys to unlock Get Transcript, hackers can download stored tax returns going back for years. And on those returns is a treasure trove of personal information that can be sold on the black market or used to steal your identity.
The IRS says it shut down Get Transcript last week after some suspicious activity was discovered in mid-May. The agency's investigation shows the hacking began as early as February. Since then, over 200,000 attempts were made and more than 100,000 accounts were actually breached. The IRS says that during this year's tax filing season, taxpayers successfully and safely downloaded about 23 million transcripts.
How to know if you are a victim
In its announcement, the IRS says it will begin sending letters later this week to all of the 200,000 taxpayers whose accounts were targeted. The letters will alert them that third parties appear to have had access to their Social Security numbers and additional personal financial information even before the hacking attempts.
Although half of this group did not actually have their tax accounts stolen because the hackers failed the authentication tests, the IRS is still taking this additional protective step to alert taxpayers. That’s because the crooks already had sensitive personal information before the attempts to break into the tax accounts.
As word about this hack and the IRS letters spreads, there's another new danger you must watch out for. Other scam artists will mock up letters to look like they are from the IRS and send them out en masse. Their point will be to trick you into giving up YOUR personal information, usually in the form of "identifying" yourself.
Please do not fall for any letters or phone calls that pressure you to give up personal information. The IRS will NEVER call requesting information and at this point it appears the letters to be sent will be for informational purposes. "The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts," the agency says.
If you get a suspicious call, simply follow up directly with the IRS. Make note of the employee's name, badge number, call back number and caller ID if available. Call 1-800-366-4484 to determine if the caller is an IRS employee with a legitimate need to contact you. Do NOT call any number given to you by the caller.
If you receive a suspicious letter, notice or form via paper mail or fax that claims to be from the IRS, but you suspect it is not, go to the IRS home page and search for the letter, notice, or form number. Fraudsters often modify legitimate IRS letters. If you don't find information on the website or the instructions are different from what you were told to do in the letter, notice or form, call 1-800-829-1040 to determine if it’s legitimate.
As I have warned you many times before, do NOT click on any links in a dodgy email, especially now if it claims to be from the IRS. It is most certainly fake because the IRS does not communicate with taxpayers through email.
ID crooks can sit on your information for a while until the heat dies down. Or they may put it up for sale along with millions of other IDs. That's why you need to be constantly on guard for any unusual activity with your accounts.