Skip to main content

Data Breaches Increase Need for Modernized Taxpayer Experiences

The Internal Revenue Service (IRS) has made meaningful progress to modernize taxpayer experiences, according to a July report from the Executive Office of the President of the United States. Headway includes reducing the time-tax burden placed on constituents when filing taxes, calling the IRS or responding to IRS notices. But through these strides, tax and revenue agencies at the federal, state and local levels continue to face large volumes of fraudulent tax schemes. In March, the IRS reported it flagged $6.3 billion worth of tax returns as potentially fraudulent. Widespread availability of stolen identity information is a significant threat to tax and revenue agencies working hard to deliver more safe, secure and seamless interactions for taxpayers. Further, cybercriminals and fraudsters continue to evolve and show increasing sophistication in exploiting multiple channels, including the phone and call centers.

Data breach activity increases the potential for Stolen Identity Refund Fraud

One of the most common tax fraud types, Stolen Identity Refund Fraud, costs taxpayers billions and poses risks for victims who often don't know a tax return has been falsely filed with their Social Security numbers until they try to file themselves.

A recent TransUnion analysis found the number of fraud threats targeting tax and revenue agencies are growing — as is their severity.1 Through the first half of 2023, 19 million Americans saw personal data exposed with a suspected connection to tax refund identity theft.2 This is the highest number of compromised identities in recent quarters, and a notable increase of 25% year over year.3

In addition, the number of total high-risk breaches reported in Q1 2023 was at its highest point in more than two years.4 Through the first half of 2023, there have been 283 data breaches reported with a suspected connection toward enabling tax refund ID theft.5

Many recognize cybercriminals use compromised identities to syphon returns from legitimate taxpayers. However, through our work with public tax organizations, TransUnion has found many bad actors also use tax systems to enable additional schemes by validating stolen identities. Without effective fraud prevention measures, instances of fraud and account takeover result in the loss of refunds, cost of recovery, public scrutiny and constituent dissatisfaction.

Fraudsters taking crimes to call centers

In an analysis of internal data, TransUnion documented the riskiest channel for the call center proved to be non-fixed Voice over Internet Protocol (VoIP), a phone number that isn’t associated with a physical address.6 While that channel represented only 3% of total call volume for financial services customers, 60% of those calls were identified as high risk for fraud, and 62% of all high-risk calls came from non-fixed VoIP last year.7

Public sector agencies should adapt fraud-fighting best practices across sectors. Agency leaders should work with call center teams to implement integrated inbound call authentication technology based on robust phone and device reputation. For call centers, high-risk calls can immediately be routed for additional authentication or to fraud teams. It also allows trusted calls to move through to Interactive Voice Response (IVR) or representatives with less friction.

Data is key to fighting fraud while delivering positive constituent experiences

Tax and revenue agencies need a response to cybercriminals that both understands the volume and severity of modern fraud, as well as provides a strategic solution to balance security, user experience and transparency. To better mitigate fraud risk while driving positive interactions with legitimate taxpayers, agencies can leverage three types of external data:

  • Identity information: Combatting identity fraud requires the ability to distinguish legitimate constituents from suspected fraudsters, even if identity elements are different from a previous filing. Integrating information like name and address from multiple, authoritative data sources — including consumer-provided information and third-party data — with advanced analytics can help reduce tax refund fraud.
  • Digital insights: An understanding of the risk associated with reputational, technical, behavioral and device-based signals can help agencies better authenticate constituents quickly while analyzing patterns of suspicious behavior. And by catching fraudsters early in the user journey, tax agencies can better avoid downstream costs.
  • Phone data: Security measures implemented through phone-based interactions can help separate legitimate constituent experiences from potentially risky ones so good taxpayers get through faster. Therefore, securing the audio channel is as important as digital encryption — which has been in place for years. With more accurate inbound caller identification, fewer legitimate callers will require manual fraud reviews, which increases constituent satisfaction and access.

Government agencies that implement data-driven strategies to understand, verify and authenticate users across digital and phone channels will build trust with constituents. Using complementary layers of data insights, agencies can better block and reduce fraud behind the scenes so authentic constituents can get through faster — and these small gains matter. Studies show a gain in average constituent satisfaction of just one percentage point can result in up to a 1.5% increase in government trust, suggesting that — by focusing on improving the user experience — government agencies can make significant gains in constituent trust while also improving access.8

Learn how TransUnion is helping public agencies protect internal systems and constituents from bad actors while increasing access for good constituents.


1–5 Source: Sontiq, a TransUnion company. This assessment reviewed trends across publicly reported data breaches — which may include those targeted at both the private and public sector. With this information on data breaches, our team then analyzed proprietary scores that indicated when stolen identity credentials had the potential to be used to further tax identity refund theft. All calculations based on the date a breach was reported.

6,7 Source: TransUnion’s call center findings were based on data from more than a half billion transactions in 2022 — from both large and small financial institutions based in the US. The rate or percentage of high-risk calls was determined by the assessment of multiple risk factors.

8 Source: Governments can deliver exceptional customer experiences – here’s how. McKinsey & Company; November 16, 2022.

*High-risk breach: A breach where a given category is in the top five harms associated, as determined by Sontiq BreachIQ™ score. Sontiq’s BreachIQ algorithm evaluates 12 types of identity crimes that could result from stolen personally identifiable information (PII).

Do you have questions? Our team is ready to help.