This is the accessible text file for GAO report number GAO-09-882 
entitled 'Tax Administration: IRS Has Implemented Initiatives to 
Prevent, Detect, and Resolve Identity Theft-Related Problems, but Needs 
to Assess Their Effectiveness' which was released on October 8, 2009. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 
GAO: 

September 2009: 

Tax Administration: 

IRS Has Implemented Initiatives to Prevent, Detect, and Resolve 
Identity Theft-Related Problems, but Needs to Assess Their 
Effectiveness: 

GAO-09-882: 

GAO Highlights: 

Highlights of GAO-09-882, a report to congressional requesters. 

Why GAO Did This Study: 

Identity thieves may use a taxpayer’s name and social security number 
to fraudulently claim a refund or gain employment. This creates tax 
problems for the innocent taxpayer when the Internal Revenue Service 
(IRS) discovers a duplicate refund claim or unreported wage income. IRS 
is revising its strategy for preventing, detecting, and resolving 
identity theft-related tax problems. 

GAO was asked to (1) describe the extent of identity theft-related 
refund and employment fraud, (2) assess IRS’s actions to prevent and 
resolve such problems, and (3) describe IRS’s identity theft-related 
coordination with other agencies. GAO analyzed IRS data on identity 
theft cases, reviewed revisions to the Internal Revenue Manual and 
other agency documents, and interviewed IRS officials responsible for 
the new strategy. 

What GAO Found: 

IRS’s ability to detect identity theft-related refund and employment 
fraud is limited, but by the end of 2008, IRS had cataloged over 50,000 
incidents. According to IRS, about 90 percent of fraudulently claimed 
refunds were stopped in 2008 with about $15 million issued before IRS 
became aware of the fraud. IRS does not know the amount of refund or 
employment fraud that goes undetected. 

In 2008, IRS began implementing four new initiatives in an effort to 
better detect and resolve identity theft cases. These include an 
identity theft indicator that IRS places on victims’ accounts so that 
IRS personnel can more easily recognize and assist the legitimate 
taxpayer in case of future account problems. The indicator further 
enables IRS to screen returns to prevent fraudulent refunds from being 
issued to identity thieves. IRS also decided to resolve legitimate 
taxpayers’ identity theft problems using a decentralized process--the 
activity that discovers a problem has the responsibility to resolve it. 
For the 2010 filing season, IRS is considering whether to expand its 
screening; however, IRS does not know how well its current strategy is 
working. IRS said it will develop performance measures, but it is not 
known whether the measures will be suitable for determining the 
effectiveness of the new initiatives, such as the number of false 
positives and negatives in the screening process or the success of the 
decentralized resolution process. Nor is it known when the new measures 
will be implemented. Measuring effectiveness matters because there have 
been glitches in implementing the initiatives. IRS is working to 
correct some discrepancies in the screening process and a GAO analysis 
of IRS data showed that some fraudulent refunds were issued even though 
taxpayers had indicators on their accounts. 

IRS’s coordination with other agencies is limited. Statutory provisions 
protecting the privacy of tax data prohibit IRS from sharing taxpayer 
information with other agencies in many cases. Nor does IRS routinely 
receive identity theft case data because of concerns with 
substantiation. IRS has coordinated with other agencies on how to 
manage identity theft programs. 

Figure: Processes IRS Uses to Detect Identity Theft: 

[Refer to PDF for image: illustration] 

Processing tax returns: 
IRS performs procedures to determine whether tax returns are 
legitimate. When discrepancies are identified, IRS may contact 
taxpayers who may then conclude that they are victims of identity 
theft. 

Initiating compliance actions: 
IRS may initiate compliance actions, which may trigger responses from 
taxpayers that they are victims of identity theft. 

Self-reporting by taxpayers: 
Taxpayers can call the IRS identity theft hotline and report that they 
have been victims of identity theft. 

Identifying online fraud: 
IRS searches for online fraud and identifies victims involved in 
identity theft schemes. 

Sources: GAO analysis of IRS information; Art Explosion (clip art). 

[End of figure] 

What GAO Recommends: 

GAO recommends that IRS ensure that performance measures suitable for 
assessing the effectiveness of its identity theft initiatives, and 
associated data collection procedures, are in place at the beginning of 
the 2010 filing season. IRS agreed with GAO’s recommendation and 
provided comments on technical issues, which we incorporated into this 
report where appropriate. 

View [hyperlink, http://www.gao.gov/products/GAO-09-882] or key 
components. For more information, contact James R. White at 
(202) 512-9110 or whitej@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

IRS's Ability to Detect and Catalog Current Identity Theft Incidents Is 
Limited and the Amount That Goes Undetected Is Not Known: 

IRS Has Implemented New Initiatives in an Effort to Detect and Resolve 
Identity Theft Cases, but Not Enough Is Known about How Well the 
Initiatives Are Working: 

Privacy and Other Laws Limit IRS's Coordination with Other Agencies on 
Identity Theft Cases: 

Conclusion: 

Recommendation for Executive Action: 

Agency Comments: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Description of Indicator Codes Used to Identify Tax and 
Non-Tax Related Issues: 

Appendix III: Procedures Followed for Additional Screening of Certain 
Indicator Accounts: 

Appendix IV: Comments from the Internal Revenue Service: 

Appendix V: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Number of Verified Identity Theft Cases by IRS Activity 
Cataloged by December 31, 2008 (encompassing multiple tax years): 

Table 2: Number of Verified Identity Theft Cases by Type of Fraud, 
Cataloged as of December 31, 2008: 

Table 3: Suspected Identity Theft-Related Refund Fraud Identified and 
Stopped by IRS, Calendar Year 2008: 

Table 4: Numbers of Incidents and Taxpayers with Identity Theft-Related 
Indicators Cataloged as of December 31, 2008 (encompassing multiple tax 
years for 501 and 506 indicators): 

Table 5: Percentage of Suspected Identity Theft Refunds Stopped and 
Issued by IRS When Indicators Were on the Taxpayers' Accounts, Partial 
Calendar Year 2009: 

Table 6: Indicator Codes Used by IRS to Flag Taxpayer Accounts for Tax- 
and Non-Tax-Related Identity Theft Issues: 

Figures: 

Figure 1: Processes IRS Uses to Detect Identity Theft: 

Figure 2: Total Identity Theft Complaints Received by the FTC, 
2004-2008: 

Figure 3: Number of Fraudulent Web Sites Taken Down, 2006-2009: 

Figure 4: Process Followed to Run Tax-Related Accounts with Indicator 
Codes through Additional Screening Procedures: 

Abbreviations: 

CI: Criminal Investigation Division: 

DHS: Department of Homeland Security: 

DOJ: Department of Justice: 

FTC: Federal Trade Commission: 

IPSU: Identity Protection Specialized Unit: 

IRC: Internal Revenue Code: 

IRS: Internal Revenue Service: 

OFDP: Online Fraud Detection and Prevention: 

PIPDS: Office of Privacy, Information Protection and Data Security: 

QRP: Questionable Refund Program: 

SB/SE: Small Business/Self-Employed Division: 

SSA: Social Security Administration: 

SSN: Social Security Number: 

SAS: Statistical Analysis Software: 

TAS: Taxpayer Advocate Service: 

TC: Transaction Code: 

TIGTA: Treasury Inspector General for Tax Administration: 

W&I: Wage and Investment Division: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

September 8, 2009: 

The Honorable Max Baucus: 
Chairman: 
The Honorable Charles E. Grassley: 
Ranking Member: 
Committee on Finance: 
United States Senate: 

The Honorable John Lewis: 
Chairman: 
The Honorable Charles W. Boustany, Jr. 
Ranking Member: 
Subcommittee on Oversight: 
Committee on Ways and Means: 
House of Representatives: 

Identity theft is a serious and growing problem in the United States. 
According to the Federal Trade Commission (FTC), millions of people 
have been victims of the crime, some of whom may go years without 
knowing it. The crime takes many forms; identity thieves may obtain a 
credit card, rent an apartment, or establish a telephone account in the 
theft victim's name. The victim may not find out about the theft until 
being contacted by a debt collector, losing out on a job opportunity, 
or being denied a loan. Identity theft creates two main problems for 
taxpayers and IRS. A taxpayer may have his or her tax refund delayed if 
an identity thief files a fraudulent tax return seeking a refund using 
the legitimate taxpayer's name and Social Security number (SSN). In 
addition, a taxpayer may become subject to Internal Revenue Service 
(IRS) enforcement actions after someone else uses his or her identity 
to fraudulently obtain employment and the identity thief's income is 
reported to IRS by an employer on a Form W-2 (Wage and Tax Statement) 
or Form 1099 information returns in his or her name. 

In 2004, IRS developed a strategy to address the problem of identity 
theft-related tax administration issues. According to IRS, the strategy 
has evolved and continues to serve as the foundation for all of IRS's 
efforts to provide services to victims of identity theft and to reduce 
the effects of identity theft on tax administration. The original 
strategy was revised in July 2008 and renamed IRS's Identity Protection 
Strategy by the Office of Privacy, Information Protection and Data 
Security (PIPDS), created by IRS to reach across all IRS organizations 
on issues of privacy, identity theft, and data security. The IRS 
strategy focuses on three priority areas that are fundamental to 
addressing the identity theft challenge: victim assistance, outreach, 
and prevention. 

In this context, you asked us to assess IRS's efforts to address the 
impact of identity theft on taxpayers. The objectives of this report 
are to (1) describe how much identity theft-related refund and 
employment fraud IRS faces and whether incidents of identity theft go 
undetected by IRS, (2) assess the actions IRS is taking to prevent and 
detect identity theft-related tax problems and to assist affected 
taxpayers, and (3) describe what IRS is doing to coordinate its 
identity theft-related efforts with those of other government and 
nongovernment entities. 

To meet our objectives, we analyzed IRS data on identity theft cases, 
reviewed documentation on IRS's identity theft strategy, and 
interviewed responsible IRS executives. More specifically, we reviewed 
documents on policies and procedures related to identity theft and 
relevant sections of the Internal Revenue Manual and interviewed 
officials from PIPDS, Wage and Investment Division (W&I), Small 
Business/Self-Employed Division (SB/SE), and Criminal Investigation 
Division (CI) to determine the processes and procedures used by IRS to 
prevent and detect identity theft-related tax issues and assist 
affected taxpayers. We also reviewed prior GAO and Treasury Inspector 
General for Tax Administration (TIGTA) reports on these procedures. We 
also reviewed IRS's Identity Protection Strategy. To assess whether 
IRS's initiatives were working as intended, we obtained data from the 
Taxpayer Advocate Service (TAS) and IRS to identify (1) the frequency 
with which suspected identity theft-related refund fraud reoccurred for 
taxpayers known to have had identity theft issues in the past and (2) 
how often taxpayers took identity theft-related tax problems to TAS 
after other IRS functions had determined that their issues were 
identity theft-related. We determined that the IRS data that we used 
for this analysis were sufficiently reliable for our purposes. We also 
interviewed PIPDS officials and reviewed PIPDS documents to obtain 
information on IRS's coordination efforts with law enforcement and 
other government entities. Detailed information about our methodology 
can be found in appendix I. We conducted this performance audit from 
October 2008 through August 2009 in accordance with generally accepted 
government auditing standards. Those standards require that we plan and 
perform the audit to obtain sufficient, appropriate evidence to provide 
a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objectives. 

Background: 

Identity theft describes a wide range of types of theft and uses of 
stolen information. According to the FTC, the most common form of 
identity theft is the use of another person's information to obtain 
credit and then acquire goods or services, not pay for them, and thus 
damage the credit rating of the identity theft victim. 

As already noted, identity theft most commonly becomes a tax 
administration problem for victims and IRS in two primary ways. First, 
an identity thief may use a legitimate taxpayer's identity to 
fraudulently file a tax return and claim a refund during the filing 
season. In these cases, the identity thief typically uses a stolen SSN 
to file a forged tax return and obtain a refund early in the filing 
season. The legitimate owner of the SSN may not be aware that this has 
occurred until he or she files a tax return later in the filing season 
and IRS discovers that two returns have been filed using the same SSN. 
In this instance, the legitimate taxpayer's refund will likely be 
frozen until IRS can determine the legitimate owner of the SSN. The 
second way that identity theft becomes a problem for taxpayers and for 
IRS is through employment fraud. This occurs when an identity thief 
uses someone else's name and SSN to obtain a job. In this instance, IRS 
would receive a Form W-2 or a Form 1099 reporting income on the 
taxpayer's account, which the rightful owner of the SSN had not earned 
and does not report as income to IRS. As a result, the taxpayer may be 
subject to enforcement action when, during the filing process, IRS 
matches what the employer and the taxpayer report and it appears that 
he or she earned more income than was reported on his or her tax 
return. In a related type of case, an identity thief uses just the SSN 
of a legitimate taxpayer and the thief's own or a made-up name. This 
also creates tax administration problems (as well as problems for the 
Social Security Administration) because the same SSN is now associated 
with multiple names. The name and SSN information used by identity 
thieves to commit refund or employment fraud are typically stolen from 
sources beyond the control of IRS. In many cases, the source of the 
stolen information is unknown. Someone who makes up an SSN that does 
not match a legitimate SSN and uses it to gain employment has failed to 
comply with legal requirements to supply a valid SSN but has not 
committed identity theft because no person's identity was stolen. 

Identity theft can also involve IRS in other ways, such as when thieves 
masquerade as IRS in order to steal information over the Internet 
through phishing schemes--using e-mail or Web sites to impersonate IRS 
and ask for personal and financial information from unsuspecting 
victims. According to IRS, there are a variety of online schemes that 
victimize taxpayers. "Get Your Refund" phishing e-mails appear to be 
legitimate e-mails from IRS notifying a taxpayer that they are entitled 
to a refund and can claim it quickly by clicking on a fraudulent link 
within the e-mail and providing their personally identifiable 
information. Fraudulent free e-file Web sites claim to be legitimate 
free e-file Web sites. Once a taxpayer enters his or her tax 
information, the identity thief enters his or her own bank account 
number and then steals the refund along with the taxpayer's personal 
information, such as the SSN. Other schemes include surveys and 
malware.[Footnote 1] Surveys are usually sent through e-mails, where 
the fraudulent party masquerades as IRS asking taxpayers to rate their 
experience with IRS. Malware is an executable file sent through an 
e-mail, which asks the recipient to save and run a file. Once the file 
runs, information is pulled from the victim's computer and sent to the 
fraudulent party. Identity theft can also involve IRS when IRS loses 
taxpayer data in either electronic form, such as information stored on 
a lost laptop computer, or on paper, such as documents lost in transit 
when being sent from one IRS facility to another. However, lost 
taxpayer data will not result in identity theft unless the data were 
found by an identity thief who uses the data for personal gain. Figure 
1 describes the ways that identity theft issues come to light for IRS 
and taxpayers. 

Figure 1: Processes IRS Uses to Detect Identity Theft: 

[Refer to PDF for image: illustration] 

Processing tax returns: 
IRS performs procedures to determine whether tax returns are 
legitimate. When discrepancies are identified, IRS may contact 
taxpayers who may then conclude that they are victims of identity 
theft. 

Initiating compliance actions: 
IRS may initiate compliance actions, which may trigger responses from 
taxpayers that they are victims of identity theft. 

Self-reporting by taxpayers: 
Taxpayers can call the IRS identity theft hotline and report that they 
have been victims of identity theft. 

Identifying online fraud: 
IRS searches for online fraud and identifies victims involved in 
identity theft schemes. 

Sources: GAO analysis of IRS information; Art Explosion (clip art). 

[End of figure] 

Federal and state legislatures have toughened laws that prohibit the 
theft of identities. In October 1998, Congress passed the Identity 
Theft and Assumption Deterrence Act,[Footnote 2] which expanded the 
criminalization of fraud in connection with identification documents to 
cover the unlawful transfer and use of identification documents. The 
law addresses identity theft by including instances when someone 
"knowingly transfers or uses, without lawful authority, a means of 
identification of another person with the intent to commit, or to aid 
or abet, any unlawful activity that constitutes a violation of Federal 
law, or that constitutes a felony under any applicable State or local 
law." According to the President's Identity Theft Task Force, all 50 
states and the District of Columbia have some form of legislation that 
prohibits identity theft, and in all of those jurisdictions, except 
Maine, identity theft can be prosecuted as a felony. 

In addition to congressional efforts to combat identity theft, there 
have been administrative efforts as well. The President's Identity 
Theft Task Force was established in May 2006 by Executive Order 13402. 
[Footnote 3] The task force was created to coordinate federal agencies 
in their efforts against identity theft and to create a strategic plan 
to combat (increase awareness of, prevent, detect, and prosecute) 
identity theft. 

Victims of identity theft can file a complaint with the FTC. The FTC 
maintains an Identity Theft Data Clearinghouse, which is the sole 
national repository of consumer complaints on identity theft. In 2008, 
the FTC received 313,982 identity theft complaints, a large increase 
over the number reported in prior years, as shown in figure 2. 

Figure 2: Total Identity Theft Complaints Received by the FTC, 
2004-2008: 

[Refer to PDF for image: line graph] 

Tax year: 2004; 
Number of complaints: 246,882. 

Tax year: 2005; 
Number of complaints: 255,613. 

Tax year: 2006; 
Number of complaints: 246,174. 

Tax year: 2007; 
Number of complaints: 259,266. 

Tax year: 2008; 
Number of complaints: 313,982. 

Source: GAO analysis of FTC data. 

[End of figure] 

Intending to strengthen IRS's enterprisewide approach to identity theft 
and data security, IRS established PIPDS in July 2007. PIPDS includes 
four offices with roles defined by IRS as follows: 

* Privacy. Promotes the protection of individual privacy and integrates 
privacy into business practices, behaviors, and technology solutions. 

* Identity Protection. Identifies risks and reduces vulnerabilities of 
identity information, enhances services and reduces burden and harm to 
identity theft victims, and increases collaboration and communication 
with IRS stakeholders and external partners. 

* Incident Management. Assesses and reduces IRS data loss incidents, 
promotes protection of personal identity information by IRS employees, 
and informs taxpayers of identity theft risks discovered by the IRS. 

* Online Fraud Detection and Prevention. Reduces and prevents online 
fraud against IRS and taxpayers. 

PIPDS collaborates with IRS activities[Footnote 4] that deal with 
identity theft cases and issues. A technical working group was formed 
to provide a forum for developing recommendations on how processes and 
procedures can be improved to address and reduce the burden on 
taxpayers who are victims of identity theft. Additionally, IRS 
established two advisory committees to oversee Identity Theft and 
Incident Management and Online Fraud Detection and Prevention 
activities. The advisory committees include executive management from 
Small Business/Self-Employed (SB/SE), Wage and Investment (W&I), 
Criminal Investigation (CI), and the Taxpayer Advocate Service (TAS). 

IRS's Ability to Detect and Catalog Current Identity Theft Incidents Is 
Limited and the Amount That Goes Undetected Is Not Known: 

IRS began systemically cataloging data on identity theft incidents in 
January 2008, but limitations on the data mean that the data provide 
an incomplete picture of the amount of identity theft-related fraud 
occurring at IRS. IRS catalogs identity theft incidents after 
identifying a possible case, validating that identity theft-related 
fraud occurred, and substantiating the identity of the victim taxpayer. 
Because of the timing of tax return filing, IRS is often unable to 
detect suspicious cases until well after the fraud occurred. Validating 
the identity theft and substantiating the victim's identity takes 
further time. For example, IRS may not be able to detect potential 
employment fraud until after the following year's tax filing deadline 
of April 15 when it matches Form W-2 information against filed tax 
returns. It is only after IRS notifies a taxpayer of unreported income 
that IRS may learn from the taxpayer that the income was not his or 
hers and that someone else must have been using his or her identity. By 
the time both the victim and IRS determine that an identity theft 
incident occurred, well over a year may have passed since the 
employment fraud.[Footnote 5] 

Time lags are not the only issue obscuring a complete picture of 
identity theft tax cases at IRS. Some cases go undetected altogether. 
One reason for this is that IRS does not investigate every case of 
potential employment fraud. Because of the large volume of mismatches 
between what is reported on a Form W-2 or a Form 1099 information 
return and what is reported on an income tax return, and also because 
of IRS's limited resources, IRS does not pursue some mismatches. 
Consequently, IRS is not in a position to detect any underlying 
identity theft in those cases. Also, if an identity thief steals the 
identity of a person with no tax filing obligation, such as a child, 
and files returns and pays taxes using the name and SSN of that person, 
IRS may have no way of detecting the identity theft. From IRS's point 
of view, a tax return has been filed with a name and SSN that match and 
the income on the tax return matches income reported by an employer. 

Many IRS Activities Detected Identity Theft: 

Table 1 shows the tax-related identity theft incidents that IRS 
cataloged as of December 31, 2008. Most of the incidents in the table 
are for identity thefts that occurred since 2005, but some incidents go 
back many years. 

The incidents shown in table 1 include open tax-related identity theft 
cases reported by various IRS activities. A case is considered open if 
the taxpayer continues to have identity theft-related issues. For all 
of the incidents shown in table 1, IRS validated that the identity 
theft-related fraud occurred and substantiated the identity of the 
victim taxpayer. The table demonstrates that IRS detects identity theft 
throughout the course of normal tax administration activities, 
including processing tax returns, examining returns to verify 
compliance, and collecting tax debt. 

Table 1: Number of Verified Identity Theft Cases by IRS Activity 
Cataloged by December 31, 2008 (encompassing multiple tax years): 

IRS activity: Criminal Investigations: Investigates questionable 
refunds and fraudulent refund schemes; 
Number of incidents[A]: 17,836; 
Number of taxpayers affected: 16,696. 

IRS activity: Automated Underreporter: Compares amounts reported by 
third parties to amounts reported on individual income tax returns; 
Number of incidents[A]: 10,536; 
Number of taxpayers affected: 9,527[B]. 

IRS activity: Field Assistance: Provides face-to-face assistance to 
taxpayers at Taxpayer Assistance Centers; 
Number of incidents[A]: 10,792; 
Number of taxpayers affected: 7,671[B]. 

IRS activity: Accounts Management: Responds to taxpayer inquiries and 
works to resolve cases of duplicate tax returns; 
Number of incidents[A]: 3,486; 
Number of taxpayers affected: 2,691[B]. 

IRS activity: Taxpayer Advocate Service: Assists taxpayers who are 
experiencing economic harm or seeking help in resolving tax problems 
that have not been resolved through normal channels; 
Number of incidents[A]: 2,308; 
Number of taxpayers affected: 1,827[B]. 

IRS activity: Correspondence Exam: Conducts audits of individual tax 
returns by mail; 
Number of incidents[A]: 1,549; 
Number of taxpayers affected: 1,434[B]. 

IRS activity: Automated Substitute for Return: Creates a substitute tax 
return where none was filed and makes a tax assessment; 
Number of incidents[A]: 2,621; 
Number of taxpayers affected: 1,304[B]. 

IRS activity: Automated Collection System: Contacts taxpayers by 
telephone to collect and resolve delinquent tax cases; 
Number of incidents[A]: 1,709; 
Number of taxpayers affected: 983[B]. 

IRS activity: Compliance Service Collections Operations: Contacts 
taxpayers by correspondence to collect and resolve delinquent tax 
cases; 
Number of incidents[A]: 828; 
Number of taxpayers affected: 492[B]. 

IRS activity: Other[C]; 
Number of incidents[A]: 37; 
Number of taxpayers affected: 32[B]. 

Source: GAO analysis of IRS data. 

[A] The number of incidents of identity theft is higher than the number 
of taxpayers because a taxpayer can have more than one incident of 
identity theft. 

[B] A taxpayer may have been identified as a victim of identity theft 
through different tax administration activities in different tax years 
by different IRS activities; therefore, a taxpayer may be counted more 
than once. According to IRS data, the total number of taxpayers double 
counted was 1,779. 

[C] Other includes Field Examination, Field Collection, and Office of 
Privacy and Information Protection. 

[End of table] 

The 51,702 incidents cataloged in table 1 are primarily refund or 
employment fraud, as shown in table 2. 

Table 2: Number of Verified Identity Theft Cases by Type of Fraud, 
Cataloged as of December 31, 2008: 

Type of fraud: Refund fraud; 
Number of incidents: 23,124; 
Number of taxpayers affected[A]: 21,047. 

Type of fraud: Employment fraud; 
Number of incidents: 24,925; 
Number of taxpayers affected[A]: 17,645. 

Type of fraud: Both; 
Number of incidents: 1,036; 
Number of taxpayers affected[A]: 793. 

Type of fraud: Other[B]; 
Number of incidents: 2,617; 
Number of taxpayers affected[A]: 2,016. 

Source: GAO analysis of IRS data. 

[A] A taxpayer may be counted more than once if he or she has been 
identified as a victim of identity theft through different IRS 
activities or in different time periods. According to IRS data, the 
number of taxpayers double counted was 623. 

[B] The "Other" category includes identity theft incidents that cannot 
be identified as related to any current year tax administration issue, 
such as issues that occurred in tax year 2007 but were not detected 
until 2008. 

[End of table] 

IRS identifies refund fraud primarily through the Questionable Refund 
Program (QRP) in CI. QRP was established to identify fraudulent 
returns, stop the payment of fraudulently claimed refunds, and, in some 
cases, refer fraudulent refund schemes to CI's field investigation 
offices. CI may ultimately refer refund schemes to the Department of 
Justice (DOJ) for possible criminal prosecution. According to data from 
CI, the median amount of suspected identity theft-related refunds 
identified during the 2009 filing season was about $3,400.[Footnote 6] 

Over the past 4 years, CI has investigated a number of tax-related 
identity theft cases that DOJ successfully prosecuted. For example, a 
former Girl Scout troop leader is now serving 10 years in federal 
prison for using children's identities to defraud the government. The 
defendant pleaded guilty to multiple counts of filing fictitious tax 
refund claims and identity theft. The defendant created fake medical 
release forms for her troop members and told their parents that she 
needed the girls' SSNs in case of an emergency. The scheme helped her 
claim more than $87,000 in fraudulent tax refunds. 

According to CI data, in 2008, IRS stopped about 90 percent of 
suspected identity theft-related refunds it identified, as shown in 
table 3.[Footnote 7] For the other 10 percent, a majority of the 
refunds were issued to suspected identity thieves before the legitimate 
taxpayer filed their return. It is only when IRS finds a duplicate tax 
return (a second return filed using the same name and SSN) that IRS has 
an indication of potential refund fraud. 

Table 3: Suspected Identity Theft-Related Refund Fraud Identified and 
Stopped by IRS, Calendar Year 2008: 

Fraudulent tax returns identified by IRS; 
Number: 30,328; 
Dollars: $179,129,228. 

Fraudulent tax returns stopped by IRS; 
Number: 26,385; 
Dollars: $163,819,228. 

Percent stopped; 
Number: 87%; 
Dollars: 91%. 

Source: GAO analysis of IRS data. 

Note: Not all tax returns identified were verified as identity theft 
related during 2008. 

[End of table] 

As shown in table 3, about $15 million in fraudulent refund payments 
were issued in calendar year 2008. IRS officials said that they could 
not determine how many of those refunds have been recovered. They said 
that in instances where CI opens a criminal investigation and the 
government successfully prosecutes the identity thief, upon conviction 
the perpetrator may be ordered by the court to pay restitution. 
However, this process may take a long time, and it is rarely possible 
to associate any restitution paid with a specific refund fraud incident 
because these prosecutions generally involve more than fraudulent 
refund schemes. Officials also noted that in cases that do not result 
in criminal prosecutions, IRS does not often recover the stolen refund. 

IRS Has Implemented New Initiatives in an Effort to Detect and Resolve 
Identity Theft Cases, but Not Enough Is Known about How Well the 
Initiatives Are Working: 

In 2008 and 2009, IRS implemented four initiatives to detect and 
resolve identity theft cases: identity theft account indicators, 
screening procedures for returns with indicators, the Identity 
Protection Specialized Unit (IPSU), and call centers with an identity 
theft telephone hotline. 

Identity Theft Indicators Placed on Taxpayer Accounts: 

In January 2008, IRS began placing identity theft indicators, 
Transaction Code (TC) 971, on taxpayers' accounts where IRS determined 
there to be current or potential identity theft issues. The indicators 
are visible to all IRS personnel with account access. The purpose is to 
help both IRS and the taxpayer by making sure all IRS activities know 
that the taxpayer is an identity theft victim so that the taxpayer does 
not have to repeatedly explain this or prove his or her identity. The 
indicator also will alert IRS personnel that a future account problem 
may be the result of a previous identity theft incident; IRS expects 
this to help expedite future problem resolution. 

In tax year 2008, IRS detected incidents of identity theft and placed 
indicators on those taxpayer accounts, as shown in table 4. The TC 971 
is shown by one of four indicators that indicate taxpayers are victims 
of identity theft. The indicator used by IRS depends on the 
circumstances in which IRS receives indication of an identity theft- 
related problem.[Footnote 8] 

Table 4: Numbers of Incidents and Taxpayers with Identity Theft-Related 
Indicators Cataloged as of December 31, 2008 (encompassing multiple tax 
years for 501 and 506 indicators): 

Action code: 501; 
Definition of indicator: Taxpayer receives indications from IRS 
activity about potential problems on their account and the taxpayer 
believes they may be a victim of identity theft; 
Number of incidents: 33,866[A]; 
Number of taxpayers affected: 24,182. 

Action code: 504; 
Definition of indicator: Taxpayer's identity information is stolen (the 
theft does not involve IRS), but taxpayer notifies IRS as a precaution; 
Number of incidents: [B]; 
Number of taxpayers affected: 643[C]. 

Action code: 505; 
Definition of indicator: IRS loses taxpayer data, which may result in 
identity theft-related issues for the taxpayer; 
Number of incidents: 149; 
Number of taxpayers affected: 911. 

Action code: 506; 
Definition of indicator: IRS determines that a taxpayer is a victim of 
identity theft through review of taxpayer account and return; 
Number of incidents: 17,836[A]; 
Number of taxpayers affected: 16,696. 

Source: GAO analysis of IRS data. 

[A] The number of incidents of identity theft is higher than the number 
of taxpayers because a taxpayer can have more than one incident of 
identity theft. 

[B] The number of incidents was not available. 

[C] Only 3 months of data are provided because IPSU was not established 
until October 2008. 

[End of table] 

Once IRS substantiates the identity theft and the identity of the 
innocent taxpayer,[Footnote 9] either through IRS processes or the 
taxpayer providing documentation of the identity theft, IRS will place 
the indicator on the taxpayer's account and will notify the taxpayer. 
[Footnote 10] In the case of the 501 or 504 indicators, if the taxpayer 
does not substantiate the identity theft, IRS will not place the 
indicator on the taxpayer's account. IRS processes do not require 
substantiation for a 505 or 506 indicator because, in those cases, IRS 
independently determines the taxpayer's identity. IRS will remove an 
indicator after 3 consecutive years if there are no incidents on the 
account or will remove an indicator sooner if the taxpayer requests it. 

Screening 2009 Returns for Possible Identity Theft-Related Refund 
Fraud: 

During the 2009 filing season, IRS screened returns filed in the names 
of taxpayers with 501 and 506 indicators looking for characteristics 
indicating that a return was filed by an identity thief instead of the 
legitimate taxpayer. IRS did not run the 504 and 505 indicators through 
the screening procedures in 2009. IRS officials told us in August 2009 
that they plan to use the results of the 2009 screening as they 
consider whether to expand the screening to include 504 and 505 
indicators in the 2010 filing season. The purpose of the screening was 
to prevent false returns from posting and to allow legitimate returns 
to quickly be placed back in regular return processing. Identity theft 
subject matter experts created the screen based on patterns they 
identified as being typical of identity thieves attempting to 
fraudulently gain refunds. If a return failed the screening, it was 
subject to additional reviews by IRS personnel. (See figure 4 in 
appendix III for a graphical representation of this process). 

From January 2009 through June 2009, 18,183 returns had not passed the 
screening procedures; as of July 2009, 2,503 of these returns were 
still being analyzed to determine which were legitimate and which were 
filed by identity thieves. 

Identity Protection Specialized Unit: 

In October 2008, IRS established IPSU to serve as a central point of 
contact primarily for taxpayers who had their identity stolen and 
wanted to notify IRS as a precaution before they had tax-related 
identity theft problems. IPSU processes these taxpayers' substantiation 
documentation and places a 504 indicator on their accounts. 

In some cases, taxpayers contact the IPSU after another IRS activity 
has already identified an identity theft issue, or the taxpayer may 
send his or her identity theft substantiation documentation to the IPSU 
instead of the IRS activity responsible for resolving the problem. IPSU 
forwards such information to the correct IRS activity and monitors the 
taxpayer's account to see if the other activity substantiates the 
identity theft, places a 501 indicator on the account, and resolves 
identity theft-related issues. From October 2008 through June 2009, 
IPSU monitored 19,910 cases with tax-related identity theft issues. 

IPSU does not monitor accounts where the taxpayer deals directly with 
another IRS activity unless contacted by the taxpayer. Nor does IPSU 
resolve taxpayers' identity theft-related issues. Problem resolution 
responsibility stays with the IRS activity where the problem 
originated. IRS officials concluded that it would slow down resolution 
of taxpayer issues and require more staff time to transfer problems 
from the activity that found the problem to IPSU for resolution. 

Based on a recommendation from TAS,[Footnote 11] IPSU sampled a small 
number of identity theft cases with the 501 indicator to look for 
evidence of identity theft-related problems that neither IRS nor the 
taxpayer have identified. For each sampled case, IPSU looked across the 
taxpayer's account and found a majority of these accounts had other 
identity theft issues. Subsequently, IPSU retroactively reviewed all 
cases with a 501 indicator. Based on this assessment, IPSU will take on 
an additional role starting in August 2009 by doing a similar review of 
all cases where a 501 indicator was placed on an account. If IPSU 
identifies a new identity theft-related issue on an account that it 
cannot resolve, IPSU will forward the information to the proper IRS 
activity to resolve. 

Call Centers Supporting a Dedicated Identity Theft Hotline: 

Taxpayers who know of or suspect identity theft can call a dedicated 
toll-free number, established in October 2008, where customer service 
representatives can review their information and account history, 
answer questions, and explain what documentation is needed to 
substantiate the identity theft. From October 2008 through June 2009, 
the specialized call centers received 87,138 calls and provided service 
to 82,470 taxpayers. These numbers do not include identity theft- 
related calls received on IRS's general toll-free number. 

IRS Implemented Its Identity Theft Initiatives Without Measures to 
Assess How Well They Are Working: 

IRS has not assessed the value of its new initiatives. IRS officials 
said they want to make such assessments. However, currently IRS has not 
defined measures that would provide an empirical basis for answering 
questions such as those listed below. This list of questions is not 
meant to be exhaustive. 

* How many false positives (cases where a legitimate return is flagged 
as being fraudulent) and false negatives (cases where a fraudulent 
return is not flagged) are generated by the screening process? 

* How long does it take and what is the cost to resolve cases that do 
not pass the screening and get reviewed by IRS personnel? This is 
important to taxpayers because refunds are held up while the review is 
conducted. 

* How well does the current division of responsibility for resolving 
identity theft cases work or would a more centralized process work 
better? 

* How well are taxpayers' questions answered and issues resolved using 
the hotline?[Footnote 12] 

IRS has developed objectives for its Identity Protection Strategy, 
which is a step towards effective performance measurement: 

* reduce taxpayer burden while addressing and resolving identity theft 
cases, 

* protect Treasury revenue by identifying suspicious filings before the 
refunds are generated, and: 

* increase operational efficiency of IRS by detecting and processing 
reported identity theft incidents as early and consistently as 
possible. 

Further, PIPDS has recently developed one identity theft-related 
performance measure, "Increase revenue protected from erroneous refunds 
to identity thieves" and is reviewing the results of returns that were 
run through the business rules to capture data for this measure. PIPDS 
also stated that it has contracted with a consultant to help develop a 
suite of performance measures by the end of 2009. However, at the time 
we concluded our work, it was not known whether the performance 
measures will answer the types of questions we outlined above. 
Furthermore, for the measures to be in place in time to assess the 
initiatives' performance during the 2010 filing season, timely action 
will be required. The measures will need to be developed early enough 
to give IRS time to develop a plan for capturing the data needed to 
implement the measures. 

The answers to questions such as those listed above were not available 
when IRS designed its identity theft initiatives. IRS did not have an 
empirical basis for knowing what approach, such as having IRS 
activities rather than IPSU resolve cases, would work best. 
Furthermore, there have been some glitches with implementation. PIPDS 
officials told us that they are aware that some IRS activities have not 
been consistent in how they applied the identity theft indicators, 
causing some discrepancies in how returns were run through the 
screening procedures. For example, some activities would put the 
indicator on the taxpayer's account before ensuring that the 
information from the identity thief was removed from the taxpayer's 
account. This resulted in legitimate taxpayers' returns 
failing the business rule screening and may have delayed the taxpayers' 
refunds. In June 2009, PIPDS officials subsequently met with the 
different IRS activities to revise their procedures for placing 
indicators on taxpayer accounts before the 2010 filing season. 

Our own review of the effectiveness of the identity theft indicator and 
screening process also uncovered some possible issues. We compared IRS 
data from PIPDS and CI to test whether IRS issued refunds to suspected 
identity thieves in cases where there was already a 501 or 506 identity 
theft indicator on the account of the innocent taxpayer. We used the 
limited data available for 2009 because we wanted to look at cases 
handled after the new initiatives were put in place. As shown in table 
5, we found that IRS failed to prevent a fraudulent refund 15 times in 
early 2009 even though the account had an identity theft indicator. 
During the same period, CI stopped 3,281 refunds, 14 percent of which 
had an identity theft indicator on the associated taxpayer account. Our 
analysis covers only part of the year and the initiatives are still 
new, so it is not possible to know whether this represents the long- 
term effectiveness of the initiative or not. 

Table 5: Percentage of Suspected Identity Theft Refunds Stopped and 
Issued by IRS When Indicators Were on the Taxpayers' Accounts, Partial 
Calendar Year 2009: 

Number of returns: 
Refund stopped: 3,281; 
Refund issued: 559. 

Number of returns with indicators: 
Refund stopped: 474; 
Refund issued: 15. 

Percentage of returns with indicators: 
Refund stopped: 14; 
Refund issued: 3. 

Source: GAO analysis of IRS data. 

Note: The data used in this analysis are from January 1, 2009, through 
April 30, 2009. IRS identifies many refund fraud cases after the filing 
season is over, so this figure represents only a portion of the cases 
that will likely be identified in 2009. 

[End of table] 

Further, according to TAS officials, the number of TAS cases that 
involved identity theft issues in the first half of fiscal year 2009 
was more than twice as high as it was in the same period in fiscal year 
2008. Based on our analysis of Taxpayer Advocate data, of the 8,880 
taxpayers for whom TAS opened cases with identity theft issues in the 
first half of fiscal year 2009, 943 (about 11 percent) contacted TAS on their own 
initiative after another IRS activity had already placed a 501 or 506 
indicator on their accounts. The presence of the indicator means that 
IRS was already working to resolve the taxpayer's tax problems before 
the taxpayer contacted TAS. As with our analysis of the screening 
process, these results need to be interpreted with caution. TAS policy 
is to always note identity theft problems in the TAS database, even 
when the taxpayer contacted TAS about a different problem. In addition, 
because the indicators were so new we cannot be sure that the TAS data 
reflect their long-term effects. Also, some of the communication with 
taxpayers about their identity theft issues included TAS contact 
information, and PIPDS officials noted that some taxpayers may have 
contacted TAS thinking that it was the IRS office to which they should 
direct their questions. 

Our analysis of screening program results and TAS data suggests that 
IRS's identity theft initiatives could be having a positive effect, but 
the evidence is not at all conclusive. The results do show that the 
initiatives have had some glitches; for example, some fraudulent refund 
payments were made despite the presence of an indicator. Overall, our 
analysis highlights the importance of IRS developing performance 
measures that will provide a basis for monitoring the effectiveness of 
the initiatives over time. 

IRS Processes to Prevent Identity Theft through Phishing or Security 
Breaches: 

IRS provides taxpayers with targeted information to increase their 
awareness of identity theft, tips and suggestions for safeguarding 
taxpayers' personal information, and information to help them better 
understand tax administration issues related to identity theft. A new 
segment of the IRS home page, [hyperlink, http://www.irs.gov], provides 
taxpayers with identity theft information including emerging trends, 
phishing sites, fraud schemes, and prevention strategies. According to 
IRS officials, they receive information on potential phishing schemes 
primarily from citizens sending IRS the information via 
phishing@irs.gov. These officials said IRS is directing victims to the 
most up-to-date identity theft information to ensure that they know how 
to report identity theft crimes and have the necessary resources and 
support to recover their identities. Additionally, IRS has worked to 
revise its most widely used documents, such as Form 1040, to include 
information about identity theft. To raise awareness with paid 
preparers, IRS officials are making identity theft and phishing 
presentations at the annual nationwide tax forums held for preparers. 

In 2007, IRS created the Online Fraud Detection and Prevention (OFDP) 
office to reduce online fraud against IRS and taxpayers and provide a 
rapid response capability to detect and respond to such fraud. OFDP 
relies on tips from the public sent to phishing@irs.gov and other 
information sources. Once a fake electronic filing site is found, the 
team gathers information, such as screen shots of the site, and then 
passes it to CI and TIGTA for investigation. IRS sends a taxpayer 
identified as a possible victim a notification letter and a request 
asking the taxpayer to report the incident to FTC, contact the fraud 
departments of major credit bureaus, close any accounts that have been 
tampered with, and contact IPSU for further information. Additionally, 
officials stated that OFDP is currently investigating processes to 
securely transmit compromised credit card information to banks. In 
addition, OFDP contacts the Web site's hosting provider to notify them 
that one of their customers is hosting a phishing site, and asks the 
hosting provider to voluntarily take down the site or remove the 
fraudulent content. According to the OFDP Director, the number of 
fraudulent Web sites taken down increased to 3,030 in 2008, as shown in 
figure 3. 

Figure 3: Number of Fraudulent Web Sites Taken Down, 2006-2009: 

[Refer to PDF for image: vertical bar graph] 

Tax year: 2006; 
Number of websites: 245. 

Tax year: 2007; 
Number of websites: 889. 

Tax year: 2008; 
Number of websites: 3,030. 

Tax year: 2009, through April; 
Number of websites: 949. 

Source: GAO analysis of IRS data. 

[End of figure] 

IRS faces challenges combating fraudulent Web sites. OFDP officials 
stated that schemes and Web sites that originate outside the United 
States are particularly challenging because of jurisdictional issues. 
However, the officials also said that IRS is working with TIGTA, 
[Footnote 13] DOJ, and other organizations to use existing authorities 
and relationships to assist with combating such fraud. Another 
challenge is the ability of fraudulent parties to use multiple computer 
IP addresses that change frequently, making it difficult to trace the 
perpetrator's actual IP address. Finally, according to officials, some 
institutions are reluctant to share specific information about online 
fraud perpetrated against them. To help overcome this, officials stated 
that they are working with organizations such as the National Cyber 
Forensics and Training Alliance, Anti-Phishing Working Group, and 
others, to facilitate and improve information sharing about fraud 
schemes. 

IRS has considered additional steps to help combat phishing and similar 
identity theft schemes such as providing a list of legitimate Web 
sites. However, such a list would be almost impossible to keep current. 

IRS Information Security Weaknesses: 

Although IRS does not know of any cases where information security 
weaknesses have led to actual identity theft, as was noted earlier in 
table 4, IRS had 149 incidents of lost data affecting 911 taxpayers in 
2008. Perhaps more importantly, IRS has information security weaknesses 
that increase the likelihood of IRS employees committing identity 
theft.[Footnote 14] Specifically, in January 2009 we reported that IRS 
did not consistently implement controls that were intended to prevent, 
limit, and detect unauthorized access to its systems and information. 
[Footnote 15] We noted that IRS did not always (1) enforce strong 
password management for properly identifying and authenticating users 
and (2) authorize user access, including access to personally 
identifiable information, to permit only the access needed to perform 
job functions. For example, the agency allowed authenticated users on 
its network access to shared drives containing taxpayer information as 
well as performance appraisal information for IRS employees including 
their SSNs. We made recommendations to IRS regarding ways to strengthen 
its information security practices. IRS agreed with the recommendations 
and stated that the agency is working to improve its security posture, 
and will develop a detailed corrective action plan addressing each of 
our recommendations. Until IRS addresses these weaknesses, there is an 
increased risk that someone could use his or her access to steal 
personally identifiable information and commit identity theft-related 
crimes. 

Privacy and Other Laws Limit IRS's Coordination with Other Agencies on 
Identity Theft Cases: 

Section 6103 of the Internal Revenue Code (I.R.C.) limits 
the types of information IRS can share with external parties, including 
identity theft victims, employers who may have workers using stolen 
identity information, or other government agencies, including law 
enforcement agencies. Under section 6103, tax returns and other 
information submitted to and, in some cases, generated by, IRS, are 
confidential and protected from disclosure, except as specifically 
authorized by statute. 

IRS can disclose identity theft-related events that occur on a 
taxpayer's account to the taxpayer, such as the fact that an 
unauthorized return was filed using the taxpayer's information or that 
the taxpayer's SSN was used on another return. However, IRS may only 
disclose to the taxpayer the taxpayer's own return information. 
Therefore, IRS cannot disclose any other information about a fictitious 
Form 1040 or an incorrect Form W-2 submitted to IRS, or any information 
about IRS's investigation into the civil or criminal tax liability of 
the perpetrator (whether refund fraud or employment fraud) to the 
victim. In addition, IRS cannot disclose information about the 
perpetrator's identity to the taxpayer. 

IRS can notify an employer whose employee has used a stolen SSN that 
the SSN on the Form W-2 filed for that employee does not belong to that 
individual. IRS can disclose to the employer that there is a mismatch 
between name and SSN and that the number belongs to someone else. 
However, IRS cannot disclose any further information such as the 
identity of the true owner of the SSN, to the employer. The employer is 
required to file a Form W-2 with accurate information and to file a 
corrected form if necessary. If an employer fails to file information 
returns or fails to include complete and correct information on them, 
IRS is authorized to penalize the employer. However, in prior work, we 
have reported that because of limited requirements for employers to 
verify and report accurate employee names and SSNs, few, if any, 
employers are likely to be penalized.[Footnote 16] For example, if 
employers establish reasonable cause for the incorrect Form W-2 
information by showing they solicited an SSN from each employee one to 
three times, depending on the circumstances, and that they used this 
information to complete the wage statements, IRS will waive the 
penalties on the employers.[Footnote 17] 

In 2008, IRS carried out a servicewide analysis of its efforts related 
to notification of identity theft victims and employers and information 
sharing with other federal agencies. IRS sought to determine if it was 
fully utilizing its disclosure authority under section 6103 to address 
the problem of identity theft and assist victims. The working group 
conducting the analysis determined that IRS was appropriately using its 
disclosure authority, though it also identified a few areas where IRS 
had authority to expand victim/employer notification and information 
sharing with federal law enforcement, if doing so was deemed sound 
policy. IRS is in the planning phase of an initiative to notify victims 
of employment fraud. 

Section 6103 also limits the types of information indicating identity 
theft that the IRS can share with other agencies. For example, 
according to officials in IRS's Office of Chief Counsel, IRS can only 
share limited information about employment fraud with the Department of 
Homeland Security (DHS) and the Social Security Administration (SSA). A 
circumstance where IRS can share some information with federal law 
enforcement/immigration agencies is when IRS performs a criminal 
investigation. In these cases IRS can make investigative disclosures, 
i.e., the sharing of specific, limited information necessary for 
receiving information from other agencies that might support or further 
IRS's investigation. Disclosure of taxpayer information to state and 
local law enforcement agencies is even more limited. As mentioned 
previously, officials stated that IRS is currently investigating 
processes to securely transmit compromised credit card information to 
banks. 

IRS officials also noted that tax fraud is not one of the 11 felony 
offenses enumerated in 18 U.S.C. §1028A, the Aggravated Identity Theft 
Statute. This means that in federal identity theft prosecutions, 
identity thieves would not be subject to the enhanced sentencing 
prescribed in the statute, an additional 2-year term of imprisonment. 
They also stated that this may be one factor that deters other federal 
law enforcement agencies and federal prosecutors from referring 
identity theft cases to IRS to look for possible tax fraud or making 
identity theft-related tax fraud a priority when determining which 
cases to pursue. 

According to PIPDS officials, activities that place 501 and 504 
indicators on taxpayer accounts do not routinely accept information 
about identity theft victims from other federal agencies or other 
external parties. IRS does not routinely accept this information 
because it does not meet IRS's substantiation requirements. 

Section 6103 does not limit IRS's ability to share more general 
information about how to manage identity theft. PIPDS has coordinated 
with private industry leaders, tax professionals, and other federal 
agencies on identity theft prevention, detection, and taxpayer 
assistance about how to handle tax-related identity theft issues and to 
share information about the increase in online fraud threats. PIPDS 
officials also meet with officials from other federal agencies such as 
SSA, FTC, and DHS and held a forum in July 2008 to share information on 
the effects of identity theft on victims and to identify best practices 
for preventing and resolving identity theft issues. According to PIPDS, 
one result of the forum was that IRS co-sponsored, along with the FTC, 
DHS, US Postal Inspection Service, Department of Commerce, DOJ, and the 
Securities and Exchange Commission, an educational website, [hyperlink, 
http://www.onguardonline.gov]. IRS is also coordinating with agencies 
to shut down phishing sites and online fraud schemes. According to CI 
and PIPDS, they are members of the Identity Theft Enforcement 
Interagency Working Group which shares information about leading 
identity theft activities, groups, and offenders with federal agencies 
that pursue identity theft cases. 

Conclusion: 

While identity theft is known to cause tax problems for a relatively 
small number of taxpayers, for those affected the problems can be 
severe and include refunds frozen and time wasted. In an effort to more 
efficiently identify refund fraud and employment fraud as well as to 
assist innocent taxpayers, IRS put in place four new initiatives. 
Although IRS management has begun to develop performance measures, it 
is not known how well the measures will assess the effectiveness of the 
four initiatives. 

Furthermore, it would be desirable to have the new measures in place 
for the 2010 filing season for at least two reasons. First, most refund 
fraud is committed during the filing season and also most employment 
fraud is detected as part of the filing process. Second, IRS is 
expanding the identity theft initiatives for the 2010 filing season. 
Without performance measures in place, neither Congress nor IRS 
management will know whether the 2010 changes are effective or if 
additional changes are needed. 

Recommendation for Executive Action: 

We recommend that the Commissioner of Internal Revenue ensure that 
performance measures suitable for assessing the effectiveness of its 
identity theft initiatives, and associated data collection procedures, 
are in place at the beginning of the 2010 filing season. 

Agency Comments: 

The Commissioner of Internal Revenue provided written comments on a 
draft of this report in an August 31, 2009, letter, which is reprinted 
in appendix IV. The Commissioner agreed with our recommendation. In his 
letter, the Commissioner discussed IRS's commitment to reduce the 
impact of identity theft on taxpayers and said that he has made it a 
priority at IRS to reduce the burden placed on the taxpayer and the tax 
system because of identity theft. IRS provided separate comments on 
technical issues, which we incorporated into this report where 
appropriate. 

As agreed with your offices, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
from its issue date. At that time, we will send copies to the Secretary 
of the Treasury, the Commissioner of Internal Revenue, and other 
interested parties. This report will also be available at no charge on 
GAO's Web site at [hyperlink, http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-9110 or whitej@gao.gov. Contact points for our 
offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. Key contributors to this report are 
listed in appendix V. 

Signed by: 

James R. White: 
Director, Tax Issues Strategic Issues Team: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of this report were to (1) describe how much identity 
theft-related refund and employment fraud the Internal Revenue Service 
(IRS) faces and whether incidents of identity theft go undetected by 
IRS, (2) assess the actions IRS is taking to prevent and detect 
identity theft-related tax problems and to assist affected taxpayers, 
and (3) describe what IRS is doing to coordinate its identity theft- 
related efforts with other government and nongovernment entities. 

To understand how much identity theft-related refund and employment 
fraud IRS faces, we interviewed IRS officials from the Office of 
Privacy, Information Protection and Data Security (PIPDS), Wage and 
Investment Division (W&I), Small Business/Self-Employed Division (SB/ 
SE), Criminal Investigation Division (CI), and Submission Processing. 
We discussed the processes and systems used to identify identity theft- 
related refund fraud and IRS's use of the identity theft indicators. 
Additionally, we analyzed information from PIPDS on the number and 
characteristics of identity theft-related refund and employment fraud 
by cases and affected taxpayers, including the activity reporting the 
incident and the type of identity theft indicator placed on the 
taxpayer account. Based on the information we collected on the identity 
theft-related incidents and affected taxpayers, we also were able to 
discuss the outcomes of the identity theft-related refund fraud cases 
and identify the reasons why incidents of identity theft go 
undetected. 

To determine the reliability of the PIPDS data sets, we interviewed 
knowledgeable officials to discuss processes followed to upload the 
taxpayer data, collection methods, and the data reported on and for 
what purpose. We also reviewed related documentation to determine the 
accuracy of the 2008 year-end aggregate numbers of taxpayers affected 
and identity indicators placed on accounts. PIPDS provided us with 
monthly reports on the number of taxpayers affected and incidents 
reported as well as an annual report totaling these numbers. We 
compared the monthly reports to the aggregated data to identify any 
obvious errors in accuracy and completeness. We determined that the 
PIPDS data we used for this objective were sufficiently reliable for 
this assessment. 

To assess what actions IRS is taking to prevent and detect identity 
theft-related problems and to assist affected taxpayers, we interviewed 
officials from PIPDS, W&I, SB/SE, CI, the Online Fraud Detection and 
Prevention office (OFDP), and the Taxpayer Advocate Service (TAS). We 
discussed new initiatives IRS has implemented to detect and resolve 
identity theft as well as assist affected taxpayers and educate 
taxpayers about identity theft. We also reviewed prior GAO work to 
obtain information on identity theft-related issues in the federal 
government and on systems used to safeguard IRS data and to identify 
identity theft-related incidents, as well as Treasury Inspector General 
for Tax Administration (TIGTA) reports to obtain information on the 
identity theft-related processes and procedures used by IRS. 
Additionally, we collected and analyzed IRS's Identity Protection 
Strategy, policies and procedures related to identity theft prevention 
and detection and assistance, relevant sections of the Internal Revenue 
Manual and Internal Revenue Code, and governmentwide guidance on 
performance measures. To understand how IRS implemented some of the new 
initiatives, we visited the Andover, Massachusetts campus and reviewed 
processes followed by the Identity Protection Specialized Unit (IPSU) 
and the Baltimore call center to listen to calls taken by customer 
service representatives on the identity theft hotline. Additionally, we 
met with and reviewed the software used by the OFDP staff when taking 
down a fraudulent Web site. For these new initiatives, we collected 
data on the number of affected taxpayers whose records had identity 
theft indicators, the number of cases worked by the IPSU, information 
on calls received by the dedicated identity theft call-in number, and 
the number of fraudulent Web sites taken down by OFDP. We reviewed the 
data and documents provided by IRS in conjunction with discussions with 
IRS officials in order to describe these new initiatives as well as to 
understand the extent to which IRS had performance measures to 
determine the effectiveness of the new initiatives. We used previous 
GAO work and recommendations to describe systems and information 
security weaknesses and assessed how these weaknesses may translate to 
identity theft-related issues for IRS and taxpayers. 

To assess whether IRS's initiatives were working as intended, we 
interviewed PIPDS and TAS officials and used IRS and TAS data to 
identify (1) the frequency with which suspected identity theft-related 
refund fraud reoccurred for taxpayers known to have had identity theft 
issues in the past and (2) how often taxpayers took identity 
theft-related tax problems to TAS after other IRS functions had determined 
that their issues were related to identity theft. To assess whether the 
business rules were working as intended, we tested suspected identity 
theft-related refunds that were identified by CI to determine how many 
of the corresponding taxpayers had indicators on their accounts before 
the refunds were stopped or issued by IRS. To perform this assessment 
we received from PIPDS taxpayer data on all taxpayer accounts that had 
indicators on them. We also received from CI taxpayer data on all 
suspected identity theft-related refunds that were identified, stopped, 
and issued by IRS from January 1, 2009, through April 30, 2009. To 
assess how often taxpayers took their issues to TAS after an identity 
theft indicator had been placed on their accounts, we compared taxpayer 
data from TAS with identity theft as a primary or secondary issue code 
to data from PIPDS identifying all taxpayer accounts with identity 
theft indicators. We compared the dates the identity theft indicator 
was placed on the accounts to the dates when TAS received the cases. 
Additionally, we reviewed the reason why the cases came to TAS based on 
each identity theft indicator. We requested TAS cases received from 
October 1, 2008, through May 18, 2009, and PIPDS indicator data from 
calendar year 2008. 

We received taxpayer data from PIPDS, CI, and TAS. To ensure the 
reliability of the data, we performed an analysis using Statistical 
Analysis Software (SAS) to test for obvious errors in accuracy and 
completeness. Additionally, we reviewed related reports to determine if 
there were any discrepancies in the data we received. Any questions we 
had about the data were answered by knowledgeable officials with whom 
we also discussed the processes followed to upload the taxpayer data, 
collection methods, and the data reported on and for what purpose. We 
determined that the PIPDS, CI, and TAS data we used for this analysis 
were sufficiently reliable to use for this assessment. 

To identify what IRS is doing to coordinate its identity theft-related 
efforts with those of other government agencies and other entities as 
well as to identify any lessons learned, we interviewed officials from 
IRS's PIPDS, Office of General Counsel, OFDP, and W&I. We also reviewed 
documentation provided by IRS officials, a recorded version of the IRS 
identity protection forum held in July 2008, and previous GAO work. We 
also reviewed an IRS general counsel analysis and discussion of Section 
6103 of the Internal Revenue Code to determine the circumstances in 
which IRS can share information with other federal agencies, law 
enforcement, employers, and the taxpayers for identity theft-related 
refund and employment fraud issues. 

We conducted this performance audit from October 2008 through August 
2009 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

[End of section] 

Appendix II: Description of Indicator Codes Used to Identify Tax and 
Non-Tax Related Issues: 

In January 2008, the Internal Revenue Service (IRS) began using 
indicator codes to identify taxpayers with identity theft-related 
issues. How the identity theft-related issue comes to IRS and the type 
of incident will dictate the indicator that will be placed on 
taxpayers' accounts. Based on the incidents, IRS can require additional 
documentation to substantiate the identity theft and run certain 
flagged accounts through additional screenings in subsequent years. See 
table 6 for a more detailed description of the indicators. 

Table 6: Indicator Codes Used by IRS to Flag Taxpayer Accounts for Tax- 
and Non-Tax-Related Identity Theft Issues: 

Indicator codes: Indication of identity theft; 
501: Taxpayer receives indication from IRS program about potential 
problems on his or her account and believes that he or she may be a 
victim of identity theft; 
504: Taxpayer's personal identifying information is stolen outside of 
IRS, but taxpayer wants to take precautionary measures on his or her 
account; 
505: IRS loses taxpayer's personal identifying information, which could 
potentially cause identity theft issues for the taxpayer in the future; 
506: CI determines that a taxpayer is a victim of identity theft based 
on review of taxpayer's account. 

Indicator codes: Tax related/Non-tax related; 
501: Tax related; 
504: Non-tax related; 
505: Non-tax related; 
506: Tax related. 

Indicator codes: Required documentation from taxpayer; 
501: Substantiation of identity theft; 
504: Substantiation of identity theft; 
505: None; 
506: None. 

Indicator codes: Business units placing indicator on the account; 
501: Primarily W&I, SB/SE, TAS, and PIPDS; 
504: W&I (through IPSU); 
505: PIPDS; 
506: Primarily CI. 

Indicator codes: Run through business rules; 
501: Yes; 
504: No; 
505: No; 
506: Yes. 

Indicator codes: Assistance to taxpayer; 
501: Indicator will stay on taxpayer account for 3 years and account 
will go through additional screening procedures for 3 years; 
504: Indicator will stay on taxpayer account for 3 years; 
505: Indicator will stay on taxpayer account for 3 years and taxpayer 
can receive free credit monitoring, which includes insurance to cover 
damages resulting from identity theft; 
506: Indicator will stay on taxpayer account for 3 years and account 
will go through additional screening procedures for 3 years. 

Source: GAO analysis of IRS information. 

[End of table] 

[End of section] 

Appendix III: Procedures Followed for Additional Screening of Certain 
Indicator Accounts: 

Taxpayer accounts with a 501 or 506 indicator are run through 
additional screenings in subsequent years to determine the legitimacy 
of the return filed. The Internal Revenue Service (IRS) initially 
decided to run the 501 and 506 indicators through additional screenings 
because IRS processes determined those accounts to have identity theft 
directly impacting IRS. 

Returns that pass the additional screening are sent through for regular 
processing. If a return fails the screening, the Unpostable Unit in 
Submission Processing will attempt to determine if the return was filed 
by the legitimate taxpayer or an identity thief. If the Unpostable Unit 
cannot resolve the problem, Accounts Management will conduct a more 
detailed analysis, which may include contacting the taxpayer. Once 
Accounts Management determines the owner of the return, it will 
forward the information back to the Unpostable Unit, which will send the 
legitimate returns through for regular processing and mark any returns 
filed by identity thieves as bad. 

Figure 4: Process Followed to Run Tax-Related Accounts with Indicator 
Codes through Additional Screening Procedures: 

[Refer to PDF for image: illustration] 

[End of figure] 

[End of section] 

Appendix IV: Comments from the Internal Revenue Service: 

Commissioner: 
Department Of The Treasury: 
Internal Revenue Service: 
Washington, D.C. 20224: 

August 31, 2009: 

Mr. James R. White: 
Director, Tax Issues: 
Strategic Issues Team: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. White: 

Thank you for the opportunity to comment on the draft report, Tax 
Administration: IRS Has Implemented Initiatives to Prevent, Detect, and 
Resolve Identity Theft-Related Problems, but Needs to Assess Their 
Effectiveness (GAO-09-882). We appreciate 
that your draft report recognizes the progress that the Internal 
Revenue Service has made to prevent and detect identity theft-related 
problems and to assist affected taxpayers. 

The security and privacy of taxpayer information is of the utmost 
importance to the IRS. We are committed to reduce the impact of 
identity theft on taxpayers. I have made it a priority of this agency 
to reduce the burden placed on the taxpayer and the tax system because 
of identity theft. 

We appreciate GAO's continued work and focus on this issue. I agree 
that strong performance measures are critical for the long-term success 
of the program and the IRS will have them in place for the 2010 filing 
season. 

If you have any questions or would like to discuss our response 
further, please contact Deborah Wolf, Director, Privacy, Information 
Protection and Data Security, at (609) 278-7732. 

Sincerely, 

Signed by: 

Douglas H. Shulman: 

[End of section] 

Appendix V: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

James R. White, (202) 512-9110 or whitej@gao.gov: 

Acknowledgments: 

In addition to the individual named above, David Lewis, Assistant 
Director; Sabine Paul, Assistant Director; Mary Fike; Suzanne Heimbach; 
Sairah Ijaz; Laurie King; Sabrina Streagle; and James Ungvarsky made 
key contributions to this report. 

[End of section] 

Footnotes: 

[1] Malware (malicious software) is defined as programs that are 
designed to carry out annoying or harmful actions. They often 
masquerade as useful programs or are embedded into useful programs so 
that users are induced into activating them. 

[2] Pub. L. No. 105-318, 112 Stat. 3007 (1998). 

[3] Exec. Order No. 13,402 (May 10, 2006), 71 Fed. Reg. 27,945 (May 15, 
2006). 

[4] We are defining activities to include IRS business operating 
divisions, functions, or programs. 

[5] Another reason a catalog of identity theft incidents is incomplete 
is because not all victims decide to substantiate the identity theft; 
IRS only catalogs a case if the victim is able to substantiate the 
theft. 

[6] CI provided data on fraudulent refunds stopped and issued from 
January 1, 2009, to April 30, 2009, and about $3,400 is the median 
amount from these data. 

[7] The number of refund fraud cases in table 3 is greater than the 
number of cases listed in tables 1 and 2 because the earlier tables 
list cases where the identity of the legitimate taxpayer had been 
determined. Table 3 includes cases where IRS was in the process of 
making those determinations. 

[8] IRS intends to develop additional indicators for the 2010 filing 
season, including indicators for SSN-related and employment fraud 
problems. 

[9] Substantiation documentation includes copies of photo 
identification and a police report or an FTC identity theft affidavit. 

[10] More information about which IRS activities assign which action 
codes can be found in table 6 in appendix II. 

[11] National Taxpayer Advocate, 2008 Annual Report to Congress 
(Washington, D.C.: Dec. 31, 2008). 

[12] IRS officials told us that they have not received any negative 
feedback from taxpayers; however, they have not specifically asked for 
feedback, for example, through surveys. 

[13] TIGTA audits and investigates IRS's operations to (1) promote 
economy and efficiency and detect and prevent fraud and abuse and (2) 
recommend actions for improvement. 

[14] GAO has not determined if an IRS employee has committed any 
identity theft as a result of these weaknesses. 

[15] GAO, Information Security: Continued Efforts Needed to Address 
Significant Weaknesses at IRS, [hyperlink, 
http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9, 
2009). 

[16] GAO, Tax Administration: IRS Needs to Consider Options for 
Revising Regulations to Increase the Accuracy of Social Security 
Numbers on Wage Statements, [hyperlink, 
http://www.gao.gov/products/GAO-04-712] (Washington, D.C.: Aug. 31, 
2004). 

[17] Under Treas. Reg. § 301.6724-1; Publication 1586, Reasonable Cause 
Regulations and Requirements for Missing and Incorrect Name/TINs, 
establishing reasonable cause consists of making an initial request for 
the employee's name and SSN and, depending upon the circumstances, an 
annual solicitation thereafter. Employers must then show they have used 
this solicited information when submitting the information return(s) in 
question. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: