38 KIPLINGER’S PERSONAL FINANCE^ 05/2019
MONEY
District of Columbia
may request a PIN on
their own for federal
filing. However, if
you’re approved, you
must use the PIN for
all future filings.
The IRS will never
call or e-mail you and
threaten to arrest
or deport you if you
don’t pay up. Nor-
mally, the IRS initi-
ates contact by mail.
But more recently,
the agency started
contracting with pri-
vate debt collectors
who may contact you
on its behalf.
“We used to be able
to say that the IRS
will never call you
to collect a debt, but
now you may be
called if you owe back
taxes,” says Schifferle.
However, you will be
notified by letter first,
and legitimate debt
collectors will not ar-
gue if you want to call
the IRS to verify their
identity.
What to do if you’re a
victim: The IRS is get-
ting better at catching
suspicious returns
and verifying with
the real people behind
those SSNs, says
Velasquez. And al-
though the agency
will help you sort out
the fraud and return
the refund you’re en-
titled to, the process
could take months.
You will need to file
all future taxes with
an IP PIN, and you
may experience other
hiccups, such as an
inability to use the
tool that automati-
cally transfers your
tax return data into a
FAFSA (the Free Ap-
plication for Federal
Student Aid form)
for tax transcripts
affected by fraud.
If you receive a let-
ter from the IRS not-
ing suspicious activ-
ity, call the phone
number provided in
your letter to learn
your next steps. Keep
meticulous records
of your conversations.
Or, if your e-filing
was rejected, report
the incident to the
IRS by filling out and
sending in an IRS
Identity Theft Affida-
vit, or Form 14039, by
mail; if you report
your identity theft at
IdentityTheft.gov
(click “Get Started”
on the homepage),
you can submit the
affidavit electroni-
cally. You will still
need to file your taxes
by the April 15 dead-
line (or request an
extension), even if it
means paper filing.
The IRS estimates
that it will take 120
days to get your re-
fund if one is due, or
more than 180 days
for complex cases.
But Velasquez says
that callers to the
Identity Theft Re-
source Center have
reported resolutions
anywhere from
around a month to
a year later. You will
receive a new IP PIN
each year to include
on your tax return.
Call your state de-
partment of revenue
(find the link at www
.taxadmin.org/state-
tax-agencies) to put
it on notice that your
federal tax return
was compromised,
even if you’re not sure
whether someone is
trying to defraud you
at the state level, says
Velasquez. “A thief
can only use your
data to file one fraud-
ulent federal return,”
she says, “but can
file across multiple
states.”
The Social Security number has been the most im-
portant unique identifier for decades, but a new kind
of ID has emerged in the last decade or so as an alter-
native: your mobile phone number. When a company
wants to verify your identity when you log in to an ac-
count from a new device, for example, it’ll often ask
you to verify a code it texts to the mobile number
they have on file. “But that’s not a piece of informa-
tion that’s designed to be kept secret,” says Jake Wil-
liams, security principal of Rendition Infosec and a
former NSA hacker. “We give it out, put it in our e-mail
signatures.”
Over the past few years, some hackers have taken
advantage of this vulnerability by executing a “SIM
swap” hack, typically by calling a telecom company,
saying they’ve lost their phone and need their num-
ber—your number—to be swapped to a new SIM card
they bought from the store. If they can convince a
customer support agent they’re you with a few bits
of personal information, they’ll have access to any
account you’ve secured with your phone number by
resetting your password.
Most people aren’t prominent enough to be sub-
ject to this kind of attack, Williams says. People in the
public eye or in high-risk positions are more likely to
be targeted. For protection, it’s possible to port your
phone number to a VOIP—an internet-based calling
service—which is much more difficult to SIM swap.
For more information on how to port your phone,
see the resource box on page 45.
THEY’VE GOT YOUR (MOBILE) NUMBER