← Complete study path

P3-U13 · Part 3 · Source cycle 2026-2027

Identity Theft and Protection of Taxpayer Data

Identity Theft & Taxpayer Data Protection

Rule

Protecting taxpayer information is an IRS top priority. Federal law now requires every paid tax preparer to create and implement a Written Information Security Plan (WISP). Failure can trigger investigation, and negligent unauthorized access to client data can result in penalties. Stolen Identity Refund Fraud (SIRF) costs the Treasury >$2 billion/year.

Written Information Security Plan (WISP)

  • Required by federal law for all paid preparers (Gramm-Leach-Bliley Act "Safeguards Rule" applies to those offering financial products/services including tax prep)
  • Publication 5708 provides a detailed sample plan to use as a template
  • Must be reviewed and updated as business practices, technology, and threats evolve
  • The WISP obligation is separate from annual PTIN eligibility and renewal requirements

If a Taxpayer Suspects Identity Theft

  1. File Form 14039 only when an IRS notice or the current form directs it and the facts fit a listed tax-related scenario, such as a fraudulent federal return, dependent claim, or employment use of an SSN/ITIN. Use IdentityTheft.gov for unrelated identity theft and do not duplicate an affidavit for the same incident.
  2. File Form 14039-B (Business Identity Theft Affidavit) — for businesses/estates/trusts/exempt orgs
  3. Apply for an IP PIN for the taxpayer and any affected family members
  4. Continue to pay tax and file returns (even if by paper) while IRS investigates
  5. If unresolved after contacting IRS, contact the Taxpayer Advocate Service

Identity Protection PIN (IP PIN)

  • A 6-digit PIN that helps prevent misuse of a taxpayer's SSN
  • Available to ALL taxpayers (apply via IRS online account)
  • Taxpayers without an online account who can't create one may use Form 15227 if AGI ≤ $84,000 (single) or ≤ $168,000 (MFJ)
  • Valid for one year only — a new IP PIN is issued each year
  • Losing the IP PIN and filing on paper will delay processing while IRS verifies identity
  • Once opted in, the IP PIN is required to e-file

Employment-Related Identity Theft

Occurs when someone other than the SSN's rightful owner uses the SSN/personal info to obtain employment (often due to lack of work authorization or to evade child support/offsets). Victims include minor children, dependents, and non-filers. A GAO report identified >2.9 million SSNs with "identity-theft-related risk characteristics."

Warning Signs — Individual Clients

  • E-file rejection because the client's SSN was already used, or a dependent was already claimed
  • Unexpected IRS notice after all tax matters were resolved/refund paid/account settled
  • IRS inquiry about a business the client does not own
  • Refund or tax bill the client never requested/received a return for
  • IRS notice showing wages from an unknown employer
  • Reduction/cancellation of state/federal benefits due to unreported income attributed to the client

Warning Signs — Business Clients

  • A business return is processed as an amended return, but the business never filed an original return for that year
  • IRS notice about fictitious contractors or non-existent employees
  • IRS notice about a business that has been closed/dissolved

If a representative helps with an identity-theft matter, the practitioner must have a valid Form 2848, and IRS must verify the taxpayer's identity before releasing information.

How to Avoid Victimization

  • Be wary of unsolicited calls/visits/emails asking for internal info
  • Never give personal/financial info in emails; do not click links in suspicious emails
  • Check website URLs for misspellings/look-alike domains
  • Verify email requests by phone using contact info from prior statements (not from the request itself)
  • Install/maintain antivirus, firewalls, email filters; keep software auto-updated
  • Report suspicious tax-related phishing emails to [email protected]
  • IRS NEVER initiates contact by email to request personal/financial info (also not by text or social media)

Social Engineering Attacks

Attackers use social skills/interpersonal interaction to gather organizational info — the most common method of gaining network access. They may pose as new employees, maintenance, or researchers (with fake credentials). If one source doesn't yield enough, they contact another source in the same organization, using info from the first to build credibility. Business email compromise (BEC) — impersonating an executive (e.g., a forged "CEO" email asking a bookkeeper to send all W-2s) is a hallmark.

Phishing Attacks

A form of social engineering using emails/malicious websites to impersonate trusted persons/orgs. Phishing emails cast a wide net; "spear phishing" targets specific individuals. Common lures: account "invalid login" alerts, IRS imitations, tax-software-provider imitations, disaster/charity/current-events themes. Most phishing emails use a "call to action" urging the recipient to click a link or open an attachment. IRS-impersonation phone calls (robocalls, fake grants, tech support, sweepstakes) also persist.

Direct Deposit Account Restrictions

  • Maximum 3 refunds may be electronically deposited into a single financial account or prepaid debit card; additional attempts are rejected
  • Under the electronic-delivery transition rules, IRS will delay the refund and mail a notice within 30 days requesting updated bank info before issuing a paper check
  • A preparer may NOT charge a separate fee for direct deposit
  • Direct-deposit info cannot be changed after IRS accepts the return
  • Preparers must verify account/routing numbers with the taxpayer each year
  • Routing a client's refund into the preparer's own account violates Circular 230 §10.31 and triggers the $650 IRC §6695(f) penalty (plus potential criminal charges)

Security Controls

Taxpayer data = any information obtained/used in preparing a tax return (income statements, bookkeeping records, information returns, tax organizers, etc.). Examples of required controls:

  • Lock desk drawers/file cabinets; lock doors restricting access to paper/electronic files
  • Require passwords for computer access
  • Use only encrypted flash drives; encrypt electronic transmission of client info (including email)
  • Maintain electronic data backups for recovery
  • Redact/truncate SSNs and other personal info
  • Shred papers containing taxpayer info before discarding
  • Use certified mail to ensure correct delivery
  • Require all outside contractors to maintain the same security standards

Security Incident Reporting

A "security incident" is an adverse event capable of unauthorized disclosure, misuse, alteration, or destruction of taxpayer information. A provider e-filing individual returns must report a confirmed incident to IRS as soon as possible, but no later than the next business day after confirmation.

Enhanced Penalties for Identity Theft (Taxpayer First Act)

IRC §7216 (criminal) and §6713 (civil) penalize improper disclosure/use of taxpayer info. The Taxpayer First Act increased penalties when the disclosure is connected to an identity-theft crime:

Penalty Normal amount Identity-theft-related amount
§6713 (civil, per disclosure) $250 $1,000
§6713 (annual aggregate cap) $10,000 $50,000
§7216 (criminal, max fine) $1,000 $100,000

§7216 is a misdemeanor (max 1 year imprisonment + fine + prosecution costs). §6713 does NOT require the disclosure to be "willful or negligent" — even accidental disclosure of sensitive info can trigger civil penalty.

Authority

  • IRC §7216 — criminal penalty for improper disclosure/use of return info (misdemeanor; enhanced to $100,000 fine if tied to identity theft)
  • IRC §6713 — civil penalty for improper disclosure/use (enhanced to $1,000/disclosure, $50,000/year for identity-theft-related)
  • Gramm-Leach-Bliley Act — Safeguards Rule (WISP requirement)
  • Form 14039 / 14039-B — Identity Theft Affidavit (individual / business)
  • Form 15227 — IP PIN application (low-income taxpayers without online access)
  • Publication 5709 — How to Create a Written Information Security Plan
  • Publication 5199 — Tax Preparer Guide to Identity Theft
  • Publication 4524 — Taxpayer Security Awareness
  • Publication 5027 — Identity Theft Information for Taxpayers
  • Circular 230 §10.31 — negotiating/splitting refund checks prohibited

Edge Cases

  • IP PIN is annual: A new 6-digit PIN is issued each year. Filing on paper without the PIN delays processing while identity is verified.
  • IP PIN income threshold for Form 15227: Only for taxpayers with AGI ≤ $84,000 (single) or ≤ $168,000 (MFJ) who cannot establish an online account. Others must use the online account.
  • Direct deposit to a joint account: Spouses filing separately may each deposit their refund into the same joint account — up to 3 refunds per account total.
  • §6713 vs. §7216: §6713 is civil and does NOT require willfulness — even accidental disclosure can trigger it. §7216 is criminal and requires knowing/reckless disclosure.
  • Business identity theft: Businesses can be victims too — file Form 14039-B. Watch for "amended" returns filed when no original was filed, or IRS notices about dissolved entities.
  • Employment-related ID theft of a minor: A dependent child with earned income attributed to an unknown out-of-state employer is a victim — parents (for a minor) file Form 14039 and consider an IP PIN for the child.

Common Traps

  • 3-refund direct-deposit limit: Candidates often pick 1, 2, or 5. The limit is 3 refunds per account.
  • Next-business-day breach reporting: A confirmed security incident must be reported as soon as possible, but no later than the next business day after confirmation.
  • WISP is legally required: Federal law requires a Written Information Security Plan for paid preparers; this security obligation is separate from PTIN renewal eligibility.
  • IRS never emails first: IRS does not initiate contact by email/text/social media to request personal/financial info. Any such email is phishing — report to [email protected].
  • Form 14039 vs. 14039-B: 14039 is for individuals; 14039-B is for businesses/estates/trusts/exempt organizations. Picking the wrong form is a common error.
  • Enhanced identity-theft penalties: The Taxpayer First Act raised §6713 to $1,000/disclosure and $50,000/year, and §7216 to a $100,000 max fine — when tied to identity theft. The "normal" $250/$10,000/$1,000 amounts are wrong for ID-theft cases.
  • Preparer cannot keep refund for fees: Using Form 8888 to split a client's refund into the preparer's own account is prohibited (§10.31) and carries the $650 §6695(f) penalty — plus criminal exposure.
  • Phishing report address: Suspicious tax-related phishing emails go to [email protected] — not to OPR, not to TIGTA's general line.

Connected Rules

  • irs-efile-procedures — EFIN security, next-business-day incident reporting, e-file ad standards
  • poa-disclosure-privacy — §6103 confidentiality, §7525 privilege, Form 8821, permitted disclosures
  • circular-230-rules — §10.31 negotiating refund checks; §10.30 advertising
  • penalties-refund-professional-responsibility — §6713/§7216 penalties, §6695(f) refund-check penalty
  • irs-authority-practice-requirements — PTIN renewal requires WISP

Scenarios Worked

None yet