identity theft

ADP W-2 data hacked in latest breach

By Bankrate

Westchester NY accountant Paul Herman of Herman & Company CPA’s is here for all your financial needs. Please contact us if you have questions, and to receive your free personal finance consultation!


Identity thieves have their hands on a new batch of personal and tax data after hacking the payroll outsourcing company ADP.

The information is from W-2 forms, the documents workers get from their employers in late January or early February so they can file their annual tax returns with the Internal Revenue Service and state tax departments.

Now crooks have all they need to beat those filers to the punch and submit fake 1040s claiming fraudulent tax refunds.

Personal data used to get into ADP

The Krebs on Security website, which first reported the ADP breach, also obtained a copy of a letter that affected U.S. Bank employees received regarding the security issue.

Unauthorized access to the workers’ tax and employment data occurred, according to the U.S. Bank letter, “because ADP offered an external online portal that has been exploited.”

Basically, the crooks didn’t break into the payroll service provider’s site, but rather used workers’ confidential personal information that they had obtained from other sources to register as the workers at one of the firms using the ADP customer portal. Once connected, they simply viewed or downloaded the W-2s.

That same tactic of getting individuals’ information — names, birth dates and Social Security numbers — elsewhere and then breaking into a site with additional data was used by identity thieves who hacked the IRS’ Get Transcript online application. Around 724,000 taxpayer accounts ultimately were compromised.

Small, but possibly costly, breach

Both U.S. Bank and ADP said the actual number of affected employees was limited, but did not reveal exact numbers. ADP also told Krebs that the same fraud was used against “a very small subset” of ADP’s total customers this year.

Of course, the minuscule possibility means nothing if you’re in that small group that was hacked. Once your identity is stolen, you could face big problems.

Tax moves to combat ID theft

On the tax side, if you know or even just suspect that your ID has been stolen, the IRS recommends you send it Form 14039, Identity Theft Affidavit. This puts the agency on alert for your Social Security number and other information that could show up on a fake return.

If a criminal does file a fake return pretending to be you, file your real tax return on paper, attaching a copy of the Form 14039 with your legitimate filing. Also watch for any follow-up correspondence from the IRS about your real or possible fake returns and respond immediately.

Paul S. Herman CPA, a tax expert for individuals and businesses, is the founder of Herman & Company, CPA’s PC in White Plains, New York.  He provides guidance and strategies to improve clients’ financial well-being.


Congressman shares tax ID theft story



By Bankrate

No one is safe from tax identity theft, not even the lawmakers who help write the country’s tax laws.

Another member of the House Ways and Means Committee has become a victim. During a hearing of the committee’s Oversight Subcommittee on April 19, Rep. Jim Renacci, R-Ohio, told his colleagues about having his identity stolen and a fake tax return filed in his name.

Rep. Jason Chaffetz, R-Utah, a former chair of the Ways and Means Oversight panel, also was a tax identity theft victim.

Fake return seeking ‘significant’ refund

This week Renacci shared his tax identity theft experience as part of a hearing on the just-completed filing season.

“Last May, I received a notice from the IRS stating that they had some questions for me about my 2014 tax return,” Renacci testified. “I found this troubling because I had not yet filed.”

Renacci contacted the IRS and learned that his personal information had been stolen and was used to e-file a fraudulent tax return. The filing, said Renacci, included a fake W-2 from the U.S. House of Representatives and claimed a significant refund.

The false return instructed that the fraudulent refund be sent to a bank account outside the United States. Fortunately, the IRS spotted some red flags on the filing and didn’t issue the refund check.

E-filing makes ID theft easier

“As a taxpayer and tax preparer for almost 30 years, it is apparent to me that identity theft is real,” Renacci said.

And one of the conveniences of filing — submitting a return electronically — can also cause significant issues related to identity theft, he told the subcommittee.

“Let me be clear, I don’t want to return to paper returns and checks, but the ease of electronic filing and payments have exacerbated the problem. I know, now more than ever, we need additional safeguards to protect taxpayers,” said Renacci.

To address his and other tax identity theft victims’ concerns, Renacci has introduced the Stolen Identity Refund Fraud Prevention Act of 2015. During his testimony, he urged his fellow Ways and Means members to act on the bill.

IRS making progress against identity theft

IRS Commissioner John Koskinen also testified at the hearing, telling subcommittee members that his agency is making progress against tax identity theft and refund fraud.

“We have improved the filters that help us spot suspicious returns before they can be processed,” Koskinen said. “Using those filters, we stopped 1.4 million returns last year that were confirmed to have been filed by identity thieves.”

The filters helped the IRS prevent issuance of around $8.7 billion in fraudulent refunds, according to the commissioner.

The IRS also is working with tax ID theft victims. Last year, said Koskinen, the agency worked with affected taxpayers to close more than 700,000 fraud cases.

$119 million in fake refunds stopped

Koskinen also reiterated the efforts of the Security Summit, created last year to coordinate tax identity theft and fraud prevention efforts across state governments and the tax services industry.

“Our collaborative efforts are already showing concrete results this filing season,” Koskinen said. “Through mid-March, leads from industry partners directly resulted in the suspension of 27,000 returns on which a total of $119 million in refunds was claimed, up from 8,000 returns claiming $57 million during the same period last year.”

If you find yourself in the same situation as Renacci and other identity theft victims, don’t rely on just the efforts of the IRS and its tax industry partners. Secure your personal data as soon as you suspect or discover it’s been compromised.


‘False’ fraud filters delay IRS tax refunds


By Bankrate

The Internal Revenue Service is walking a thin line in trying to simultaneously screen for potentially fraudulent tax returns and issue refunds to rightful taxpayers. Sometimes, says the National Taxpayer Advocate, the tax agency crosses that line, forcing hundreds of thousands of legitimate taxpayers to wait for their refunds.

The problem, according to National Taxpayer Advocate Nina E. Olson in her 2015 annual report to Congress issued Jan. 6, is a growing rate of false positives in a key tax fraud filter used by the IRS in processing returns.

The Pre-Refund Wage Verification Program, referred to as “income wage verification,” or IWV, in Olson’s report, allows the IRS to temporarily freeze an individual’s refund when it detects possible false wages and withholding. That in itself is not bad. But these refund holds, says Olson, are snaring more honest filers, whose legitimate refunds are substantially delayed.

18-week wait for refund

The Taxpayer Advocate Service’s analysis of 2014 tax year filings found that nearly 180,000 legitimate filers who had their returns flagged under the IRS’ Electronic Fraud Detection System had to wait on average nearly 18 weeks before they got their refunds.

Things got worse for filers in 2015, when the IRS moved potential identity theft returns identified by the electronic detection system to the Taxpayer Protection Program, or TPP, for processing. The TPP’s false positive rate jumped from 19.8% in calendar year 2014 to 36.2% in 2015.

Making matters worse, says Olson, is that many of the affected taxpayers were unable to contact the IRS to verify their identity. At one point during the peak of the 2015 filing season, only 1 out of 10 calls got through to an IRS representative, says Olson.

The IRS also increased the testing of another application to detect identity theft or fraud, the Return Review Program. This system experienced an increase of more than 500% in erroneous refund holds.

Taxpayer Advocate helps, but still takes time

Almost 37,000 taxpayers contacted the Taxpayer Advocate Service for help in resolving the holds on their refunds in the first 9 months of 2015, according to the report. That’s a nearly 15% increase over the prior year, making it the 2nd most common reason taxpayers came to the IRS’ internal watchdog office for help.

Even with the Advocate’s help, it took an average of more than 8 weeks for these wrongful refund holds to be resolved.

Olson acknowledges that any effective tax identity theft and refund fraud screening method will result in false positives, no matter how well designed. However, she says, the high false positive rates in all of the IRS’ fraud detection programs “are unnecessarily high.”

IRS not tracking false fraud positives

More worrisome, according to the report, is that the IRS does not track the false positive rates for the IWV program, meaning it cannot determine exactly which fraud filters are stopping legitimate refunds.

Also, says Olson, “The IRS doesn’t have adequate procedures to promptly review and adjust its fraud detection filters, rules and models.”

And taxpayers whose refunds are frozen cannot reach a real person to help them resolve the problem. If a taxpayer tries to get information from the agency’s automated online Where’s My Refund? program, the filer receives a generic message prompting a call to the IRS. Even if the taxpayer does reach an IRS representative, that agent doesn’t have access to the fraud detection histories and cannot give specific responses to taxpayer inquiries.

Olson’s conclusion: Despite certain improvements in balancing fraud detection and taxpayer rights, the IRS has a ways to go.

To avoid finding yourself facing a possible tax identity theft/fraudulent refund situation that puts your real refund on hold, keep an eye on your personal data.


IRS Acknowledges Identity Protection PIN Blunder


By Tax-News


The US Internal Revenue Service (IRS) has admitted that, due to an error, individual taxpayers are receiving Identity Protection Personal Identification Number (IP PIN) letters with an incorrect tax year listed.

The CP 01A Notice dated January 4, 2016, being sent by the IRS incorrectly indicates that the IP PIN being issued is to be used for filing the 2014 tax return, when the number is actually to be used for the 2015 tax return. Taxpayers and tax professionals are being advised that the IP PIN is valid for use on all individual tax returns filed in 2016.

The letters were mailed in late December, and taxpayers will be receiving them until mid-January. The IRS has apologized for the confusion and any inconvenience, and confirmed that it will begin accepting returns from taxpayers from January 19, 2016.

The IP PIN is a unique, six-digit number that is assigned annually to victims of identity theft with resolved cases, for use when filing their federal tax return. The IP PIN allows these individuals to avoid delays in filing returns and receiving refunds. When a taxpayer has an IP PIN, it prevents someone else from filing a fraudulent tax return with his or her Social Security number (SSN).

If a return is e-filed with the SSN and an incorrect or missing IP PIN, the agency’s system will reject it until it is submitted with the correct IP PIN or a paper return is filed. If the same conditions occur on a paper-filed return, the IRS will delay its processing and withhold any refund until it is determined if it is due to the proper taxpayer.


IRS will share tax-filing info to fight identity theft


By Bankrate


When taxpayers hear that their tax information will be shared, they generally freak out, and with good reason. Almost daily we learn of some hacking incident in which personal data is obtained and then used to steal the victims’ financial identities.

The IRS has not been immune from such security breaches. Its own online transcript tool was compromised last spring. Tax-related identity theft topped the Federal Trade Commission’s consumer complaint list in 2014 and continues to grow.

Now, however, the IRS, along with state tax administrators and tax industry partners that make up the so-called Security Summit, say that sharing of taxpayer filing data will help stem tax identity theft and tax-return fraud.

The group, which was formed in March, has announced new security practices that will take effect with the 2016 filing season.

Share and share alike

One security move is ensuring that federal and state tax agencies, along with the tax industry that helps millions of individuals file their returns each year, have all the information they need to fight identity thieves.

In its work over the past 7 months, the Security Summit identified 20 new pieces of information that can be shared at tax-filing time with the IRS and states to help authenticate a taxpayer and detect identity theft refund fraud.

This information includes such things as repetitive use of Internet Protocol, or IP, numbers to transmit returns; identification data from computers from which returns originate; and the time it takes to complete a tax return, a potential indicator of computer-mechanized fraud.
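The three signals named above (repeated source IP, repeated device identifier, short completion time), as an added Python example that is not code from the article, the IRS or the Security Summit. It also measures how many flagged returns are legitimate when a single signal is enough for a hold versus when two are required; the field names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not published IRS values.
MAX_RETURNS_PER_IP = 3
MAX_RETURNS_PER_DEVICE = 3
MIN_COMPLETION_SECONDS = 120


@dataclass(frozen=True)
class Submission:
    return_id: str
    source_ip: str
    device_id: str
    completion_seconds: int
    legitimate: bool  # ground truth, known only after manual review


def signals_for(submissions):
    """Map each return_id to the list of signals it triggers."""
    per_ip = Counter(s.source_ip for s in submissions)
    per_device = Counter(s.device_id for s in submissions)
    result = {}
    for s in submissions:
        hits = []
        if per_ip[s.source_ip] > MAX_RETURNS_PER_IP:
            hits.append("repeated_ip")
        if per_device[s.device_id] > MAX_RETURNS_PER_DEVICE:
            hits.append("repeated_device")
        if s.completion_seconds < MIN_COMPLETION_SECONDS:
            hits.append("fast_completion")
        result[s.return_id] = hits
    return result


def flag(submissions, min_signals):
    """Return the ids of returns that trigger at least min_signals signals."""
    return {rid for rid, hits in signals_for(submissions).items()
            if len(hits) >= min_signals}


def false_positive_share(submissions, flagged):
    """Share of flagged returns that are actually legitimate."""
    if not flagged:
        return 0.0
    legit = sum(1 for s in submissions
                if s.return_id in flagged and s.legitimate)
    return legit / len(flagged)


# Constructed sample data (documentation IP ranges, made-up device ids).
SAMPLE = (
    # A preparer's office: four honest returns behind one shared IP address.
    [Submission(f"P{i}", "198.51.100.10", f"dev-office-{i % 2}",
                2400 + 300 * i, True) for i in range(1, 5)]
    # Scripted filings: same IP, same device, completed in under a minute.
    + [Submission(f"F{i}", "203.0.113.5", "dev-x", 40 + 5 * i, False)
       for i in range(1, 5)]
    # Two honest home filers; the second imported last year's data and was quick.
    + [Submission("H1", "192.0.2.20", "dev-home-1", 5400, True),
       Submission("H2", "192.0.2.21", "dev-home-2", 90, True)]
)

if __name__ == "__main__":
    for min_signals in (1, 2):
        flagged = flag(SAMPLE, min_signals)
        share = false_positive_share(SAMPLE, flagged)
        print(f"min_signals={min_signals}: {len(flagged)} held, "
              f"{share:.0%} of them legitimate")
```

With one signal sufficient, the shared office IP and the quick honest filer are held alongside the scripted returns; requiring two corroborating signals holds only the scripted ones in this sample.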

States, tax industry responsibilities

Among those sharing this data will be e-file providers who submit 2,000 or more returns a year. These e-filing agents now will be required to research and analyze returns and then provide any potential identity-theft data to the IRS and the states.

State operating agreements also will include like-kind requirements for data-sharing and identity theft lead reporting to the IRS.

The goal here is to catch patterns of fraud and stop them before they become full-blown identity theft catastrophes.

The IRS, at the request of tax industry representatives and state tax offices, will act as the conduit for sharing the information with states via a secure data transfer process for the 2016 filing season. So far, 34 state departments of revenue and 20 tax industry members have signed on to part of the new information-sharing system, with more expected to sign later.

Regardless of what tax info is shared among preparers and tax agencies, you need to keep track of who’s looking at your personal data. You can do so through myBankrate.

Do you agree with the IRS and its tax-filing partners that the sharing of filer data will help stop tax identity theft? Or do you think it provides another avenue for private information to be hacked?

Herman and Company CPA’s proudly serves Bedford Hills NY, Chappaqua NY, Harrison NY, Scarsdale NY, White Plains NY, Mt. Kisco NY, Pound Ridge NY, Greenwich CT and beyond.

Tax-Related Identity Theft Is Exploding – What Is The IRS Doing And What Can You Do?

While identity theft continues to present a great burden to businesses, organizations and governments including the IRS, its individual victims are left to bear the lion’s share. In the past few years, tax-related identity theft has become rampant. Tax-related identity theft occurs when someone uses your personal information, including your Social Security number, to file a tax return and claim a refund. The IRS paid out 5.8 billion in falsely claimed refunds in 2013.

For what it’s worth, the IRS has ramped up its efforts to combat identity theft.  Some of the steps the IRS is taking include:

  • Identifying new steps to validate the taxpayer and the tax return information at the time of filing, such as reviewing the transmission of the tax return, including improper and repetitive use of Internet Protocol numbers, the Internet address from which the return originated, and computer device identification data tied to the return’s origin.
  • Sharing of suspected identity fraud information and analytics from the tax industry to identify fraud schemes and locate indicators of fraud patterns
  • Increased taxpayer communication regarding identity theft

But is this enough to protect against potential tax-related identity theft?   I don’t think so. Remember that in a tax-related identity theft typically the perpetrator has already obtained, from other sources, your social security number, birth date, address, etc.

This past filing season we have had the unhappy task of telling a handful of clients that they likely have become an identity theft victim.  When we electronically submit a return and the IRS rejects it because a return for the taxpayer has already been filed, this is a case of identity theft.

So here are some of the things you should do to protect yourself against identity theft.

Know the warning signs

  • You do not receive your refund within 20-30 days after filing your tax return.
  • You receive an IRS letter or notice in the mail that indicates that
    • You owe additional tax,
    • Your refund has been offset to pay for additional tax,
    • You have collection action taken against you for a year you did not file a tax return,
    • More than one tax return was filed for you,
  • You receive a call from someone claiming to be an IRS agent or officer.

Note that the IRS will never make contact with you via phone or e-mail.  The IRS only sends mail correspondence in order to communicate with taxpayers.


Reduce your risks

  • Don’t carry your social security card or any document with your social security number on it.
  • Do not give your social security number to someone just because they ask – unless it is absolutely necessary and you know who is asking and know they have a valid reason for asking.
  • Regularly check your credit report – possibly annually. A credit report can be obtained from, or call toll-free 1-877-322-8228, or by completing an Annual Credit Report request form and mail to: Annual Credit Report, Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
  • Review your bank and credit card statements regularly.
  • Protect your personal computers by using firewalls and anti-spam/virus software, applying security patches and changing passwords for internet accounts frequently.
  • Don’t give personal information over the phone or via mail unless you have initiated the call/correspondence or are sure you know who is asking.
  • Protect your personal financial information at home and on your computer, especially if you have roommates, employ outside help, or are having work done in your home.
  • Do not ever respond to any phone call, e-mail, text message, social media message, or any other type of electronic communication from anyone claiming to be an IRS agent/officer. The IRS initiates contact with taxpayers by mail only. Contact us before you share any information with any individual claiming to be from the IRS or any other tax authorities.
  • If you are not currently affected by identity theft, but you may be at risk because your wallet/purse was stolen, or you have questionable credit card activity, contact the IRS Identity Theft Hotline at 1-800-908-4490.

Steps you should take if you do become a victim of identity theft

  • Contact us if you believe you have become a victim of identity theft.
  • Respond immediately to any IRS notice that you have received by regular mail (assuming you have received one).  Call only the number provided in the notice.
  • Contact IRS Identity Theft Hotline at 1-800-908-4490.
  • Complete and submit to the IRS, Form 14039, Identity Theft Affidavit.
  • Continue to pay your taxes and file your tax return even if you must do so on paper.
  • Contact your state tax authorities to see if identity theft has impacted your state tax filings.
  • Contact one of the three major credit bureaus to place a “fraud alert” on your credit records:

Don’t become a victim of identity theft. Be aware that this is an exploding problem.  Protect yourself to avoid becoming an identity theft victim.

If you have any questions or concerns about identity theft, please contact us.

Herman & Company CPA’s proudly serves Bedford Hills NY, Chappaqua NY, Harrison NY, Larchmont NY, Rye NY, Scarsdale NY, White Plains NY, Mt. Kisco NY, Pound Ridge NY, Bronx, Manhattan, Greenwich CT and beyond.


Thieves Access IRS Get Transcript App, 100,000 Accounts Compromised




The IRS announced on Tuesday that criminals have used taxpayer-specific information to gain access to approximately 100,000 taxpayers’ accounts through the IRS’s Get Transcript online application and steal those taxpayers’ data. The Get Transcript app has been shut down temporarily.

The IRS says the criminals obtained enough taxpayer-specific information from outside sources that they were able to get through the Get Transcript authentication process. The IRS became aware of the problem late last week when it noticed unusual activity taking place in the application. The hacking apparently started in February and involved approximately 200,000 attempts to access the Get Transcript app. The Get Transcript app is not hosted on the IRS computer system that handles tax return filing submissions, and the IRS says that the filing submission system remains secure.

Both the Treasury Inspector General for Tax Administration (TIGTA) and the IRS’s Criminal Investigation unit are investigating the matter. As for a motive, the IRS said in its announcement of the breach, “It’s possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season.”

The IRS says it will provide a free credit monitoring service for those taxpayers whose accounts were hacked. It is also notifying all 200,000 taxpayers whose accounts were the targets of the unauthorized access attempts. Those letters will start going out this week.


IRS Seeking Taxpayer ID Verification



Some people are getting an Internal Revenue Service notice asking them to confirm they are who they say they are on their tax returns.


Don’t freak out. Letter 5071C is not a scam.

It’s the latest effort by the tax agency when it encounters tax returns that have indications of being identity theft, but which contain a real taxpayer’s name and/or Social Security number.

In these cases, the IRS instructs the letter recipients to go to its Identity Verification Service website,, to let the agency know that the tax return in question is valid or fraudulent.

Look for .gov

Note the .gov extension. Always look for that at the end of a tax-related URL. Web addresses ending with .com, .org, or .net are not official governmental URLs and could be the creations of con artists.

But again, Letter 5071C is the real deal.

And it’s going out via the U.S. Postal Service, to the address on the suspicious return, to taxpayers whose identities may have been stolen.

The IRS does not request taxpayer information via email. Neither do IRS representatives call taxpayers directly to ask for this information unless the taxpayers have first received a written, mailed notice.

Online ID confirmation

If you get the letter, the fastest way to resolve questions about the return is go to There you’ll be asked a series of questions that only you, the real taxpayer, can answer.

Once you do that, you can confirm whether you filed the return in question. If you did, then your 1040 will go back into the system for processing, which the IRS says should take about six weeks.

If, however, you tell the IRS via the ID verification website that you did not file the suspicious return, the agency will halt the filing and help you initiate steps to file your correct tax return.

Phone verification OK, too

Folks who are uncomfortable with the online identification verification process can call the toll-free number that’s listed in the letter. Note, however, that high call volumes mean you’ll probably be on hold for a while.

Before calling the IRS or clicking over to the online ID verification site, gather your prior year tax return and, if you’ve filed it, your current tax return, along with supporting documents, such as Forms W-2 and 1099 and Schedules A and C.

The information on these, as well as personal data such as your name, date of birth, and Social Security or taxpayer identification number will make the process go more smoothly.

If you have any questions, please give us a call.



Any U.S. tax advice contained in the body of this website is not intended or written to be used, and cannot be used, by the recipient for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code or applicable state or local tax law provisions.