The New York Times recently reported a data breach of the Internal Revenue Service (IRS) websites that taxpayers can use to auto populate student loan application forms with relevant income tax data. The two sites, FAFSA.gov and studentloans.gov are in addition to a previous IRS breach in 2015 with the “get transcript” feature of the site.
In this incident, the IRS is estimating that up to 100,000 parents and students who applied for loans were affected. The cyberthieves can use the information that is auto-populated into the FAFSA (Federal Application For Student Aid) to file fraudulent returns with the IRS and get victims’ refunds. At this time, the IRS believes that fewer than 8,000 fraudulent returns have been filed and refunds paid to thieves as a result of this.
All who have been victims of this or any incident in which social security numbers were accessed should take some steps to protect themselves from additional fraud and identity theft.
File income tax returns early every single year. This will prevent someone who may have saved your details from doing it first. A payment card number can be changed relatively easily, but a social security number remains with you and can only be changed under extreme circumstances and with extreme effort.
If you haven’t filed this year, contact the IRS proactively to find out if you are on the list of those affected in this. So far, they have notified 35,000 victims and will continue to send out letters.
Monitor your credit reports regularly. Everyone with credit in the U.S. is entitled to one free credit report each year from each one of the three major credit reporting agencies (CRA). You can get it from their sites, but watch for the fine print where it asks for payment. If so, they might be trying to sneak in extra services and products that you are not required to purchase to get your free report. There is also a website, annualcreditreport.com where you can order them all. Report any suspicious accounts you see on them to the CRAs and get it resolved. Sometimes they are honest reporting mistakes, but sometimes they are fraud.
Add fraud alerts to your credit reports. These won’t prevent someone from opening an account in your name, but they will let you know if someone does.
If you have no need to apply for credit of any kind for a while, consider putting a credit freeze on your reports. This will prevent anyone, including you from opening accounts. If you need to apply for something, you can take the freeze off temporarily. Be aware that this service usually costs a small fee and there may be lead times to remove a freeze.
If you do find fraudulent charges on any payment card accounts or otherwise, be sure to change passwords for those accounts immediately.
Report fraud and Identity theft to the Federal Trade Commission (FTC) and to your local law enforcement agencies. Sometimes, the CRAs will provide services free of charge to fraud victims with a police report number.
The IRS noticed an increase in FAFSA applications that were not finished in the fall. This was a possible indicator that hackers may have been at work. In addition, IRS Commissioner, John Koskinen reported in a Senate Finance Committee hearing about this that the agency had concerns several months ago about the security of the site. However, they chose to leave the Data Retrieval Tool up as there was no evidence of foul play. And parents and students rely heavily on the tool so they don’t have to manually re-enter all the information.
The tool has been taken down now and will not be put back into place until October as new security is being put into place. Anyone needing tax return information from 2015 (the filing year needed for the current term application period) will need to manually enter the information into the FAFSA. If you don’t have your returns, you can order a transcript from the IRS at its website.
© Copyright 2017 Stickley on Security