Employment Identity Theft: When Someone Works Under Your Name

Employment identity theft occurs when a person uses another individual's personal information — most commonly a Social Security number — to obtain employment, establish payroll records, or satisfy federal work-authorization requirements. This form of fraud creates cascading consequences across tax records, Social Security earnings histories, and background check systems, often remaining undetected for years. The identity theft types and definitions taxonomy classifies employment identity theft as a distinct fraud category with unique remediation pathways separate from financial or medical identity theft.

Definition and scope

Employment identity theft is defined by the Internal Revenue Service (IRS) as the fraudulent use of a taxpayer's Social Security number (SSN) by another person to report wages or self-employment income (IRS Identity Theft Central). The scope of the problem is documented in part through IRS Identity Protection Specialized Unit (IPSU) case data: the IRS identified approximately 664,000 taxpayers affected by employment-related identity fraud in a single reporting cycle, as noted in IRS Taxpayer Advocate Service annual reports (Taxpayer Advocate Service).

The Federal Trade Commission classifies employment or tax-related identity theft as one of the top three identity theft subtypes reported through its IdentityTheft.gov platform (FTC Consumer Sentinel Network Data Book). Unlike financial identity theft, which targets credit and bank accounts, employment identity theft targets payroll and tax infrastructure — systems that cross federal, state, and employer-level records simultaneously.

The scope extends beyond income reporting. When fraudulent wages are assigned to a victim's SSN, the Social Security Administration (SSA) records those earnings under the victim's account, potentially affecting future benefit calculations. The SSA maintains a My Social Security portal where individuals can audit their earnings record (Social Security Administration).

How it works

Employment identity theft follows a structured operational pattern:

1. SSN acquisition — The perpetrator obtains the victim's SSN through data breaches, phishing attacks, theft of physical documents, or purchase of stolen credentials on dark web marketplaces. The SSN is the foundational identifier because it satisfies IRS Form W-4 and Form I-9 requirements simultaneously.

2. Employment application — The perpetrator applies for work using the victim's SSN combined with their own name or a fabricated alias. Employers are not universally required to verify that the name on a document matches the SSN holder; E-Verify enrollment is mandatory only for federal contractors and participating states under the Department of Homeland Security's E-Verify program (USCIS E-Verify).

3. Wage reporting — Employers issue W-2 forms and submit payroll tax data to the IRS under the victim's SSN. The IRS processes these filings and attributes the income to the SSN on record.

4. Tax discrepancy trigger — The victim files a tax return reporting their actual income. The IRS detects a mismatch between employer-reported wages and the victim's filed return, triggering notices such as IRS Notice CP2000 or a direct audit flag.

5. Downstream propagation — Fraudulent earnings appear in SSA earnings records, state unemployment systems, and potentially in background check databases, depending on how the fraud was structured.

Social Security number protection is the primary preventive control at Step 1 — limiting SSN exposure reduces entry points for this fraud type.

Common scenarios

Employment identity theft presents in three structurally distinct scenarios:

Unauthorized worker fraud — The most common pattern involves undocumented workers or individuals otherwise ineligible to work legally who use a victim's SSN to pass Form I-9 employment eligibility verification. The victim may be entirely unaware until they receive an IRS notice of unreported income or a state unemployment claim filed against wages they never earned.

Payroll diversion fraud — A perpetrator uses a victim's SSN to enroll in payroll systems with the intent of redirecting refundable tax credits or government benefit claims. This variant intersects with tax identity theft when fraudulent refunds are claimed on the basis of fabricated wage income.

Synthetic employment fraud — A fabricated or partially fabricated identity is constructed using a real victim's SSN combined with different personal identifiers. This intersects with synthetic identity fraud and may persist longer because the SSN-to-name mismatch does not immediately trigger victim notification.

The distinction between unauthorized worker fraud and synthetic employment fraud matters for remediation: unauthorized worker fraud leaves an employment paper trail that can be challenged directly with the IRS and SSA, while synthetic fraud may require more extensive identity verification proceedings.

Decision boundaries

Determining whether a case constitutes employment identity theft — versus a payroll error, SSN transposition, or unrelated tax discrepancy — requires examining specific record-level evidence. The following boundaries govern classification and remediation routing:

IRS mismatch notice present vs. absent — An IRS CP2000 notice or Letter 4883C citing wages the victim did not earn is the primary documentation trigger. Without a tax-record discrepancy, the case may not be actionable through IRS channels and requires SSA earnings record review instead.

Employer identifiable vs. unknown — If the fraudulent employer is named in IRS records, the victim can submit IRS Form 14039 (Identity Theft Affidavit) and request the employer's W-2 data through IRS disclosure channels (IRS Form 14039). The identity theft affidavit process initiates the IRS Identity Protection PIN (IP PIN) program, which prevents future fraudulent filings.

SSA earnings record impacted vs. clean — If fraudulent wages appear in the SSA earnings history, remediation requires a separate process through the SSA's Earnings Record Correction procedure, distinct from IRS remediation. Both tracks must be pursued independently; resolution with the IRS does not automatically correct the SSA record.

E-Verify participation by employer — If the employing entity participated in E-Verify and the system generated a mismatch, DHS records may document the fraud attempt. E-Verify tentative non-confirmation notices are relevant to any law enforcement referral under the identity theft reporting process.

Criminal identity theft overlap — In cases where the perpetrator was arrested or charged while using the victim's SSN, the victim's record may contain criminal court entries, which requires engagement with the criminal identity theft remediation pathway in addition to tax and SSA correction.

The identity restoration process for employment identity theft is distinct from financial fraud recovery in one structural respect: the primary corrective institutions are the IRS, SSA, and DHS rather than credit bureaus, which means credit freeze tools have limited effect on this fraud type as a standalone remedy.

References

• IRS Identity Theft Central
• IRS Taxpayer Advocate Service – Annual Reports to Congress
• FTC Consumer Sentinel Network Data Book
• Social Security Administration – My Social Security
• USCIS E-Verify Program
• IRS Form 14039 – Identity Theft Affidavit
• FTC IdentityTheft.gov
• IRS Identity Protection PIN Program