
How Professionals Can Handle Client Tax ID Theft

Every firm will likely have to deal with a client whose identity has been compromised at some time, so it helps to remind staff of the warning signs of tax ID fraud as well as how to work with clients that may have been flagged by the IRS.


By Roman H. Kepczyk, CPA.CITP.

The IRS has stated that taxpayer identity theft continues to be a growing problem, and by this time last year it had flagged over 1.1 million returns for potential identity theft. This has serious consequences for tax filers, as it can delay their refund for months, if not years.

The Taxpayer Advocate Service noted that as of September 2023 it takes on average 19 months for the IRS to resolve an ID theft issue, and there was a backlog of 484,000 returns at that time. Every firm will likely have to deal with a client whose identity has been compromised at some time, so it helps to remind staff of the warning signs of tax ID fraud as well as how to work with clients that may have been flagged by the IRS.

Warning Signs of Tax ID Theft/Fraud: While we are in the heat of busy season it is good to remind staff of red flags that indicate a client’s identity may have been compromised:

  • Electronic Filing Rejections: E-filed returns can be rejected for a number of reasons (often clerical/math errors), but when the rejection is due to a duplicate Social Security number, the firm should investigate immediately, as a fraudulent return most likely has already been filed.
  • Unmatched E-File Acknowledgements: A few years ago, a firm noted that the number of e-file acknowledgments was much higher than the number of submissions indicated in their workflow tool. Only when they matched returns did they discover that some of those filed had not been put into process yet, leading the firm to recognize their network had been breached.
  • Unusual IRS Letters/Transcripts: If a client brings you an IRS letter or transcript regarding a tax return which you have not yet filed, it is most likely that a scammer has already filed a return. Similarly, if they have been notified that an online account has been set up in their name or they have been assigned an EIN that they are not aware of, this should immediately raise suspicion (particularly if they have an account that is now blocked or find out that someone else has accessed it).
  • Unrecognized Wage Reporting: Another sign that a taxpayer’s ID may have been compromised is when IRS records list wages from an organization your client did not do work for. Clients may come to you with their own (or their children’s) Social Security earnings statement showing unrecognized wages.
  • Unexpected Refunds: The IRS also sent out a notice this past summer that some scammers are utilizing courier services to notify clients that they have an unclaimed refund.  These letters request the client provide personally identifiable information (PII) including images of the client’s driver’s license and to contact them via fake phone numbers and fake physical/email addresses. Again, it is important to remind clients to not click on email links or provide PII over the phone and to verify communications via a secondary means such as calling them back on a valid phone number.
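The matching described under Unmatched E-File Acknowledgements can be scripted against exports from the e-file system and the workflow tool. This is an added example, not part of the original article or any vendor's product; the record layout, field names and status values are assumptions, and the sample records are constructed.

```python
# Workflow statuses that mean the firm itself transmitted the return (assumed names).
SUBMITTED_STATUSES = {"submitted", "accepted", "rejected"}

def reconcile(acknowledgments, workflow):
    """Match e-file acknowledgments against the firm's workflow records.

    acknowledgments: list of dicts, each with a 'return_id' (internal ID, not an SSN)
    workflow: dict mapping return_id -> current workflow status
    Any non-empty list or non-zero count_gap in the result warrants investigation.
    """
    acked = {a["return_id"] for a in acknowledgments}
    submitted = {rid for rid, s in workflow.items() if s in SUBMITTED_STATUSES}
    findings = {
        # Acknowledged, but the firm has no record of this return at all.
        "not_in_workflow": sorted(acked - workflow.keys()),
        # Acknowledged, but the workflow says the return was never put into process.
        "acked_before_submission": sorted(
            rid for rid in acked & workflow.keys() if rid not in submitted),
        # Transmitted by the firm, but no acknowledgment came back.
        "submitted_without_ack": sorted(submitted - acked),
        # The raw count mismatch that first caught the firm's attention.
        "count_gap": len(acked) - len(submitted),
    }
    return findings

# Constructed sample data for illustration only.
SAMPLE_WORKFLOW = {
    "R-1001": "submitted",
    "R-1002": "in_preparation",
    "R-1003": "awaiting_client_docs",
    "R-1004": "submitted",
}
SAMPLE_ACKS = [
    {"return_id": "R-1001"},
    {"return_id": "R-1003"},
    {"return_id": "R-1999"},
]

if __name__ == "__main__":
    for name, value in reconcile(SAMPLE_ACKS, SAMPLE_WORKFLOW).items():
        print(f"{name}: {value}")
```

A positive `count_gap` corresponds to the situation in the bullet above: more acknowledgments than submissions recorded in the workflow tool.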

Please note that if one of your clients notifies you that they have reason to believe they are a victim of identity theft and you cannot e-file their return, the IRS should be notified via completion of an Identity Theft Affidavit (IRS Form 14039), either online or by mailing a physical copy with the client's paper tax return. It is also important to verify with clients that only one ID Theft Affidavit is filed, as multiple submissions will delay processing.

Working with Clients Flagged by the IRS: When a client receives a notice that their return has been flagged by the IRS, it's important to verify the validity of that claim, as criminals are using AI to generate increasingly sophisticated social engineering attacks.

  • US Mail Notification: Remind employees to tell clients that the IRS will only contact clients via US mail, not via phone or email, either of which should be treated as a red flag. Scammers may also utilize courier services to appear official.
  • Verify IRS Letter: When a client contacts the firm about receiving an IRS letter, have them provide it to the firm to validate the information. The IRS normally responds with the following ID fraud letters:
    • Potential ID Theft (4883C): Request for taxpayer to call the IRS to verify their identity and tax data within 30 days. Confirm the phone number is valid and if they did not file, direct the client to contact the Taxpayer Protection Program hotline.  Having a copy of the previous year’s return will help verify their identity.
    • Potential ID Theft-Online Option (5071C): This letter requests the client utilize an online tool to verify their identity and tax data; verify the link is to the actual IRS Identity and Tax Return Verification Service (from the website).
    • Potential ID Theft-In Person Appointment (5747C): This letter requests an in-person meeting with the taxpayer. If the client did not file that return, the firm should provide the client with the number for the Taxpayer Protection Program hotline. If the client did file the return, verify that the number in the letter is for the Taxpayer Assistance Center to schedule an appointment, and advise them to bring a government ID and their previous year's tax return.
  • ID Protection PIN (IP PIN): To minimize tax fraud risk it is advisable to get all your clients into the IP PIN program, particularly those that have been the victim of tax ID fraud.  This way they will annually receive a six-digit authentication number to provide their accountant to authorize the filing of future tax returns.

The reality today is that criminals will pursue any fraudulent path that provides high reward with low risk, and identity theft continues to be lucrative for tax fraud along with other methods of financial fraud. Reminding both your personnel and your clients of the warning signs of ID theft and how to safely respond will help minimize the risk as well as potential consequences.


Roman H. Kepczyk, CPA.CITP, CGMA is director of Firm Technology Strategy for Rightworks and partners exclusively with accounting firms on production automation, application optimization and practice transformation. He has been consistently listed as one of INSIDE Public Accounting’s Most Recommended Consultants, Accounting Today’s Top 100 Most Influential People, and CPA Practice Advisor’s Top Thought Leaders.