Greg Schlichter, Director, Research and Consulting, Public Sector
The Internal Revenue Service (IRS) has made meaningful progress to modernize taxpayer experiences, according to a July report from the Executive Office of the President of the United States. Headway includes reducing the time-tax burden placed on constituents when filing taxes, calling the IRS or responding to IRS notices. But through these strides, tax and revenue agencies at the federal, state and local levels continue to face large volumes of fraudulent tax schemes. In March, the IRS reported it flagged $6.3 billion worth of tax returns as potentially fraudulent. Widespread availability of stolen identity information is a significant threat to tax and revenue agencies working hard to deliver more safe, secure and seamless interactions for taxpayers. Further, cybercriminals and fraudsters continue to evolve and show increasing sophistication in exploiting multiple channels, including the phone and call centers.
One of the most common tax fraud types, Stolen Identity Refund Fraud, costs taxpayers billions and poses risks for victims who often don't know a tax return has been falsely filed with their Social Security numbers until they try to file themselves.
A recent TransUnion analysis found the number of fraud threats targeting tax and revenue agencies are growing — as is their severity.1 Through the first half of 2023, 19 million Americans saw personal data exposed with a suspected connection to tax refund identity theft.2 This is the highest number of compromised identities in recent quarters, and a notable increase of 25% year over year.3
In addition, the number of total high-risk breaches reported in Q1 2023 was at its highest point in more than two years.4 Through the first half of 2023, there have been 283 data breaches reported with a suspected connection toward enabling tax refund ID theft.5
Many recognize cybercriminals use compromised identities to syphon returns from legitimate taxpayers. However, through our work with public tax organizations, TransUnion has found many bad actors also use tax systems to enable additional schemes by validating stolen identities. Without effective fraud prevention measures, instances of fraud and account takeover result in the loss of refunds, cost of recovery, public scrutiny and constituent dissatisfaction.
In an analysis of internal data, TransUnion documented the riskiest channel for the call center proved to be non-fixed Voice over Internet Protocol (VoIP), a phone number that isn’t associated with a physical address.6 While that channel represented only 3% of total call volume for financial services customers, 60% of those calls were identified as high risk for fraud, and 62% of all high-risk calls came from non-fixed VoIP last year.7
Public sector agencies should adapt fraud-fighting best practices across sectors. Agency leaders should work with call center teams to implement integrated inbound call authentication technology based on robust phone and device reputation. For call centers, high-risk calls can immediately be routed for additional authentication or to fraud teams. It also allows trusted calls to move through to Interactive Voice Response (IVR) or representatives with less friction.
Tax and revenue agencies need a response to cybercriminals that both understands the volume and severity of modern fraud, as well as provides a strategic solution to balance security, user experience and transparency. To better mitigate fraud risk while driving positive interactions with legitimate taxpayers, agencies can leverage three types of external data:
Government agencies that implement data-driven strategies to understand, verify and authenticate users across digital and phone channels will build trust with constituents. Using complementary layers of data insights, agencies can better block and reduce fraud behind the scenes so authentic constituents can get through faster — and these small gains matter. Studies show a gain in average constituent satisfaction of just one percentage point can result in up to a 1.5% increase in government trust, suggesting that — by focusing on improving the user experience — government agencies can make significant gains in constituent trust while also improving access.8
Learn how TransUnion is helping public agencies protect internal systems and constituents from bad actors while increasing access for good constituents.
1–5 Source: Sontiq, a TransUnion company. This assessment reviewed trends across publicly reported data breaches — which may include those targeted at both the private and public sector. With this information on data breaches, our team then analyzed proprietary scores that indicated when stolen identity credentials had the potential to be used to further tax identity refund theft. All calculations based on the date a breach was reported.
6,7 Source: TransUnion’s call center findings were based on data from more than a half billion transactions in 2022 — from both large and small financial institutions based in the US. The rate or percentage of high-risk calls was determined by the assessment of multiple risk factors.
8 Source: Governments can deliver exceptional customer experiences – here’s how. McKinsey & Company; November 16, 2022.
*High-risk breach: A breach where a given category is in the top five harms associated, as determined by Sontiq BreachIQ™ score. Sontiq’s BreachIQ algorithm evaluates 12 types of identity crimes that could result from stolen personally identifiable information (PII).