
Warn Clients About Tax Phishing Scams

IRS cautions that cyber fraud is on the rise.

According to the Pew Research Center, more people than not hold an unfavorable perception of the Internal Revenue Service.¹ Despite this, the IRS serves many good purposes. As this country’s enforcement agency for tax revenue collection, it investigates many illegal activities in which cyber scammers attempt (sometimes successfully) to abscond with taxpayers’ funds and information. This illegal cyber activity is referred to as “phishing.”² More and more, these emboldened scammers pose as IRS representatives (or as representatives of some other legitimate agency or private company). In a recently published report, the IRS alerts practitioners to advise their clients about recent phishing e-mails.³

The IRS’ report provides very sensible advice about keeping your clients’ sensitive information private in the hopes that they won’t become future victims. Additionally, should a client fall prey and, as a result, sustain losses, this article advises about the tax implications regarding such losses.

Four Telltale Signs

Cyber fraud is rampant, accounting for over $1 trillion⁴ in losses (and millions of wasted hours to remedy the losses). However, cyber fraud is easier to detect than you may think. There are at least four telltale signs in the wording of the scammer’s e-mail that can alert your client that the notice is fraudulent:

1. The IRS and legitimate companies don’t send e-mails asking for usernames, passwords or PINs.

2. The IRS and legitimate companies don’t reach out in this manner if there’s a problem. The IRS, for example, often waits for you to reach out to them, or they send you written correspondence in the mail, providing you with detailed information about the persons to contact (including the name of the person, the phone number(s) and sometimes the employee’s IRS badge number). When the largest companies have had a breach or failure, you generally don’t receive an e-mail; rather, you generally find out about this in the news before the company comes to you. And, in those cases, they generally have you create new passwords, usernames, etc.

3. The IRS and legitimate companies don’t ask for scanned photograph identification cards (for example, passports and driver’s licenses) to be sent over the Internet.

4. The IRS and legitimate companies don’t ever ask in an email the types of information that are in their “Secret Questions” (for example, mother’s maiden name, the first car you drove, your favorite pet, your father’s middle name, etc.). Those questions are reserved for their websites, when you’re seeking to establish an online account.

When in Doubt, Don’t

Clients should always remember when reading unsolicited e-mails:

1. The IRS and most (if not all) legitimate businesses don’t initiate contact with taxpayers by e-mail, text messages or social media channels to request personal and financial information. This includes PIN numbers, passwords or similar access information for credit cards, banks or financial accounts.

2. The adage, “When in doubt … DON’T!” If something doesn’t seem right, then don’t respond; in fact, don’t even open a suspicious e-mail (if you can preview it).

Scanning the Scammers

Scammers are getting smarter and make things appear legitimate. However, here are three quick ways clients can check to see if the document is potentially a fraud:

1. Use your mouse and run the cursor to scan the logo in the e-mail. Usually logos are a “hot link” to the institution’s website. When you run the cursor over the logo, the website address should appear. If it’s not the institution’s website address, the e-mail is a scam.

2. Check the email address of the sender. Often the name will, at first glance, appear to be legitimate, but go back and look a second or third time. The spelling may be slightly off, or the domain name may not end in “.com” (for most companies), “.gov” for federal agencies (such as the IRS) and “.org” for public charities (such as your favorite university or charitable organization). If the address doesn’t end in “.com”, “.gov” or “.org”, it may not be legitimate.

3. Scan the email or the web address. If it’s in another country’s code, that’s a telltale sign of potential fraud.
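The three checks above can also be run mechanically over a saved message. The following is an added example, not part of the original article: the names `scan`, `LinkCollector` and `belongs_to` are hypothetical, the expected domain is supplied by whoever runs it, and the sample message is constructed. A finding is a reason to look closer, not proof of fraud.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

USUAL_TLDS = {"com", "gov", "org"}  # the endings the article lists

class LinkCollector(HTMLParser):
    """Collects the host behind every <a href>: what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        host = urlparse(href).hostname if href else None
        if host:
            self.hosts.append(host.lower())

def belongs_to(host, domain):
    # Exact match or true subdomain only; a look-alike prefix does not count.
    return host == domain or host.endswith("." + domain)

def scan(raw, expected_domain):
    """Return (check, host) findings for one raw e-mail (single-part HTML assumed)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    links = LinkCollector()
    links.feed(msg.get_payload())
    findings = []
    if not belongs_to(sender, expected_domain):
        findings.append(("sender-domain", sender))        # check 2: sender address
    for host in links.hosts:
        if not belongs_to(host, expected_domain):
            findings.append(("link-target", host))        # check 1: link behind logo
    for host in dict.fromkeys([sender, *links.hosts]):    # de-duplicated, in order
        tld = host.rpartition(".")[2]
        if len(tld) == 2:
            findings.append(("country-code", host))       # check 3: country ending
        elif tld not in USUAL_TLDS:
            findings.append(("unusual-ending", host))     # check 2: not .com/.gov/.org
    return findings

# Constructed sample, not a real message; ".zz" is an unassigned stand-in country code.
SAMPLE = """\
From: "IRS Online Services" <notice@irs.gov.refund-desk.zz>
Content-Type: text/html

<a href="http://secure.refund-desk.zz/verify"><img src="logo.png" alt="IRS"></a>
<p>Details: <a href="https://www.irs.gov/refunds">www.irs.gov</a></p>
"""
```

Calling `scan(SAMPLE, "irs.gov")` flags the sender and the logo link while passing the genuine `www.irs.gov` link; the sender shows why a second look matters, since `irs.gov` appears in the address but is not the ending of the domain.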

Haste Makes Waste

In the digital age, often we’re in a rush to open and/or respond to e-mails. And, more and more, we’re opening them on our smart phones. Often, it’s difficult to read the screen because it’s so small. Sometimes, we simply click to respond (by accident or intentionally), without reading the entire message. Clients should be advised to remember the adage, “Haste makes waste!” This is ever so true in the digital age. If clients are on their smart phone and sense the e-mail is suspicious, they shouldn’t open it! Advise them to wait until they get home and “preview” it on their home computer. If it looks suspicious, they should report it.⁶ They should never open the e-mail, and never, ever respond to the e-mail, if they believe it’s suspicious!

Responding to an unsolicited, phishing e-mail is like giving a signed blank check to a stranger. They wouldn’t have given the blank check away in a non-digital age (or even today in this digital age) … so they should be sensible and keep sensitive information private.

Individual Trustees

If a client is an individual trustee of a trust and falls victim to this type of fraud, he must remember the old adage, “A stitch in time saves nine!” It’s critical to act promptly to attempt to stop the harm. Today, in this digital age, things are measured in seconds (and parts of seconds) and not hours and days. It’s the client’s duty to act quickly to address the issue and to notify the beneficiaries of the potential loss and his remedial course of action. Additionally, it’s recommended that he keeps the beneficiaries apprised as the issue is being resolved. Acting in a prudent and immediate manner is best for all, including the fiduciary. Further, once a client has discovered the fraud, he should consider notifying his professional carrier of the issue to advise them of this potential loss.

A client may also want to check his errors and omissions policy if he obtained such a policy to protect him from liability for serving in the capacity of trustee. The policy may have an exception for coverage based on transmitting personal information over the Internet without using security. Remind clients to always use security when sending their own personal information and that of others.

Corporate Trustees

If your client is a representative for a corporate trustee, the same advice applies. The corporation should act with haste to address the issue and notify beneficiaries. However, it should do so in the manner consistent with the institution’s internal policies and procedures, which include escalating the issue to management and the appropriate business units designed to handle these matters. All trust departments have policies and procedures designed to protect their beneficiaries and the institution, so remind your client to be mindful and review the corporation’s policies and procedures regularly.⁷ Importantly, and to be repetitive, acting quickly and informing beneficiaries is the best way to mitigate losses and to minimize liability.

Are These Losses Tax Deductible?

So, what happens if your client suffers losses from cyber theft? Are they tax deductible? The short answer is probably “yes,” but the losses may be limited.⁸ For income tax purposes, these types of losses (for individuals) are generally characterized as “non-business casualty losses.” In general, to the extent that this casualty loss isn’t covered by insurance, your client is entitled to take the loss as a deduction.⁹ Assuming that your client is eligible to deduct the loss, the deduction may be limited. The loss is limited to the adjusted basis (and not the fair market value) of the property.¹⁰ The loss is only deductible in the year in which the client discovers the loss (and believes that it isn’t recoverable), even if the loss happened in an earlier year.¹¹ The first $100 of an individual’s non-business casualty loss is not deductible, and deductible losses are only allowed to the extent that they exceed 10 percent of one’s adjusted gross income (AGI).¹² Regardless of whether your client itemized his deductions, there are no further limitations.¹³

Note, if the loss is claimed on a decedent’s estate tax return, the loss will not also be deductible on the decedent’s (or the estate’s) income tax return.¹⁴

Being Prudent is Key

Securing one’s digital information is critical! What matters most is being prudent and avoiding the temptation to simply reply to an e-mail, because it may look official. If your client is caught in a scam, acting quickly and prudently will work in his favor. If your client is a fiduciary protecting someone else’s information, it’s his duty to keep the information safe, and if there is a lapse, to act immediately and inform the beneficiary. Should you suffer a loss, the loss may be deductible, subject to a number of income tax rules.

DISCLAIMER: This material isn’t intended to constitute a complete analysis of all tax or legal considerations. This material isn’t intended to provide financial, tax, legal, accounting, or other professional advice. Consult with your professional adviser to obtain counsel based on your individual circumstances. 

* This article originally appeared on Franklin, Karibjanian & Law PLLC's website.


1. 5 Facts on How Americans View Taxes, Pew Research Center (April 10, 2015).

2. The term “phishing,” a variant of the word “fishing,” means to ‘lure’ unsuspecting, innocent individuals by using sophisticated cyber ‘baits’ in an attempt to ‘catch’ sensitive information to be used by cyber con artists.

3. Just in the past six months, more than a half dozen such notices were sent by the IRS notifying the public about these scams: See, e.g., IR-2017-112 (June 26, 2017), IR-2017-111 (June 23, 2017), IR-2017-71 (March 31, 2017), IR-2017-64 (March 17, 2017), IR-2017-68 (March 23, 2017), IR-2017-39 (Feb 17, 2017), IR-2017-10 (Jan. 25, 2017), IR 2017-3 (Jan 11, 2017), IR-2016-163 (Dec 7, 2016), and IR-2016-145 (Nov 4, 2016).

4. See Steve Morgan, “Cyber Crime Costs Projected to Reach $2 Trillion in 2019” (Jan. 17, 2016),

5. According to the latest data from the Bureau of Justice Statistics, roughly 7 percent (or 17.6 million) of individuals older than 16 years of age were victims of identity theft in 2014, of them 38 percent involved banking and 42 percent involved credit card transactions. Of most concern was that the elderly victims increased from 2.1 million in 2012 (the prior report) to 2.6 million in 2014 (the latest report). Of some interest is that about one third of the victims spent more than a month resolving the issue! See,

6. To know more about reporting phishing, visit the Federal Trade Commission’s Phishing website,

7. If your client is a beneficiary of a trust, advise them to consult with the trustee to determine the policies and procedures that are in place to protect him in the event of this contingency.

8. If your client had a tax liability and was scammed out of the funds that he thought he was paying the IRS, he will still owe the IRS the tax funds. Though the IRS may be sympathetic, they will not relieve an individual of the liability. However, he may be able to deduct the loss for the funds that he lost as a result of the scam.

9. Internal Revenue Code Section 165(a). Note, these are losses that result from cyber scams, which should be distinguished from thefts that arise from Ponzi-type schemes (like the Madoff case). There are special rules about the deductibility of those losses that are slightly different. See IRC Section 165(l).

10. IRC Section 165(b). In most cyber fraud cases, the loss will be the loss of cash, so this is generally not an issue.

11. IRC Section 165(e); Treasury Regulations Section 1.165-8(a)(2). Losses are not allowed, if there is a possibility of recovery. Thus, your client can only deduct the loss in the year that he is fairly certain that he will not recover the loss. Rainbow Inn. Inc. v. Comm’r, 433 F2d 640 (3rd Cir. 1970). Note, if your client later recovers the loss, he must report the recovery as income in the year that he received the same.

12. IRC Sections 165(c)(3) and (h).

13. Stated otherwise, if your client doesn’t itemize, he can deduct the non-business casualty loss (that’s in excess of $100 and 10 percent of his AGI), along with his standard deduction.

14. IRC Section 165(h)(4)(D).

