For this taxpayer, a crash course on identity theft

Oh, look: a letter from the IRS. My electronically filed tax return has been received . . . and rejected.

This March 22, 2013 file photo shows the exterior of the Internal Revenue Service building in Washington. Here’s a little secret for all you procrastinators on Tax Day: The Internal Revenue Service doesn’t like to talk about it, but as long as you don’t owe any additional taxes, there is no penalty for filing a few days late. The late filing penalty is usually 5 percent of the unpaid taxes for each month _ or part of a month _ a return is late. That can add up quickly if you owe additional taxes. But what if the unpaid taxes are zero? Five percent of zero is ... Zero! (AP Photo/Susan Walsh, File)Read more

by By John Timpane, Inquirer Staff Writer

Published Apr. 15, 2013, 5:57 p.m. ET

Oh, look: a letter from the IRS. My electronically filed tax return has been received . . . and rejected.

Some crook filed a tax return via my Social Security number (stolen).

Hello, identity theft. Hello, faceless cyber-burglars beyond reach. It's a multibillion-dollar industry, according to the U.S. Treasury inspector general for tax administration, who pegs the cost at $21 billion over the next five years.

I'm but one of millions who have had their IDs stolen. Like them, I'm now scurrying to restore my info and shore up protection against these slimy genius hacker-creeps.

Monday, the American Public Media radio show Marketplace reminded us that atop the IRS's annual "Dirty Dozen" frauds list sits ID theft. Lisa Schifferle, a lawyer in the division of privacy and identity protection of the Federal Trade Commission, says, "Identity theft in general has been our number-one complaint for at least the last decade, and tax-fraud ID theft, which was 15 percent of all cases in 2010, is now at 46 percent." The IRS says it blocked five million stinky returns last year, $20 billion worth, up from three million and $14 billion in 2011.

As a newbie victim, I'm now dealing with the IRS (to get an explanation, mail my real return, and file an Affidavit of Identity Theft, Form 14039), the Social Security Administration, the FTC (another affidavit), credit agencies (to put an alert on my credit accounts), my bank (ditto, and to make sure no one has tried to withdraw or charge anything), my local police (yet another affidavit), everyone but my priest and my vet.

I don't want to overstate anything or make anyone needlessly afraid. Crooks looking to steal via a filched Social Security number face a tough time. Last year, the IRS more than doubled, to about 3,000, the number of people working on ID theft. The recent Obama budget proposal seeks tougher sentences and fines for ID theft. In my case, the IRS stopped the bad guys in time. My return, my credit, everything is likely to be cleared up. (If your ID is stolen, it can take up to 180 days to get your rightful refund.)

How can crooks even get your Social? Put your name, address, and birthday into a teraflop computer and troll for all the documents available, quite legally, over the many-tentacled Internet. Some doc might have all or part of the number. Anything found (info on children, relatives, schools, places of residence) goes back through the program, drilling down and down. What I'm describing, this high-powered, Big Data stalking, has a name: doxxing.

Once the crooks have the number, they can (as they just did to me) file a phony e-return, hope it gets by the IRS, get a quick direct-deposit refund, and run like heck.

A nice woman at the IRS mentioned another scam: "If they have your Social and your birth date, which is easy to find, and your mother's maiden name" - a popular security question when people open new credit-card or online banking accounts - "they could conceivably open a fake credit account."

My mother's maiden name? Gettable. You could search her married name, drill backward in the public record, find her maiden name, plug it in. Maybe it won't work. But if you're doing, say, 40,000 of these criminal fishing expeditions at a time, something might come up golden pineapples.

And need I mention the burgeoning field of child-identity theft, in which sly burglars leverage info about a person's children to hack into adult accounts, get scholarships and child-care grants, and so on?

There can be a lag time of 30 to 45 days between a charge and that charge showing up, time enough to charge a whole bunch of stuff. In the 1990s, my ID was stolen (at a gas station someplace in North Carolina, when I charged a tank of gas), and you would not believe the garbage those guys bought, at stores I would never go to. Bad people, bad taste.

How to protect yourself? Schifferle says, "Be careful who you give your Social Security number to. And shred all documents with the number on it once you don't need them any more." Filing online? Use a secure connection. Mailing? Don't leave your tax forms in your mailbox; go to a postbox or post office. You can also gatekeep all your credit accounts and see who seeks access to them. Various credit agencies offer these services.

Did I make a mistake somewhere? What was it? An unguarded 1993 e-mail? Does an old car loan, mortgage refinance, student loan for my kids, or wayward W-9 tell the world those fatal nine digits?

Schifferle is nice about it: "There's no ironclad way to protect yourself. You can take all the right steps and still be a victim."

Maybe. But the experience leaves me feeling, for the rest of my adult life, a lot less socially secure.