Employment Identity Theft: I-9 Fraud, Wage Records, and Remediation

Employment identity theft occurs when a fraudster uses another person's Social Security number, government-issued documents, or fabricated credentials to obtain employment, establish payroll accounts, or accumulate wage records under a false identity. The consequences extend well beyond the individual victim — affecting tax filings, Social Security earnings history, unemployment insurance, and federal employment eligibility verification systems. This page describes the service and regulatory landscape surrounding I-9 fraud, wage record manipulation, and the formal remediation pathways available through federal agencies.

Definition and Scope

Employment identity theft is a distinct subcategory of identity fraud defined by its intersection with federal employment verification law and payroll reporting infrastructure. The harm manifests on at least two axes: the fraudster gains lawful-appearing employment access, and the victim accumulates false wage records that distort tax liability, benefit eligibility, and credit standing.

The primary federal instrument governing employment eligibility verification is Form I-9, administered by U.S. Citizenship and Immigration Services (USCIS) under the Immigration Reform and Control Act of 1986 (8 U.S.C. § 1324a). Every employer in the United States is required to complete an I-9 for each hired employee, verifying identity and work authorization through verified documents. When a fraudster presents stolen or fabricated identity documents during this process, I-9 fraud is the mechanism of entry.

The Internal Revenue Service (IRS) and the Social Security Administration (SSA) are the two agencies most directly burdened by the downstream effects. The SSA maintains the Master Earnings File (MEF), which records wages reported under each Social Security number. When wages are reported under a victim's SSN without their knowledge, the SSA's records reflect earnings the victim never received — a condition that can affect retirement benefit calculations and trigger IRS discrepancies. Victims can review their earnings record through the SSA's my Social Security portal.

The scope of this fraud category is reflected in the IRS statistic that the agency identified over 1 million taxpayers each year affected by employment-related identity theft through its Identity Theft Victims Assistance program (IRS Identity Theft Central), though the figure fluctuates annually based on detection rates and reporting changes.

How It Works

Employment identity theft typically follows a structured sequence that exploits gaps between the document-verification requirements of I-9 compliance and the real-time identity authentication capabilities most employers lack.

1. Identity acquisition — The fraudster obtains a victim's SSN, name, and date of birth through data breaches, dark-web markets, or physical document theft. Synthetic identity fraud, in which a real SSN is paired with a fabricated name, is a variant that can evade SSA cross-checks because no single real person is fully impersonated.

2. Document fabrication or misuse — I-9 List A documents (e.g., U.S. passport, Employment Authorization Document) or a List B/C combination are forged, altered, or borrowed. USCIS maintains Lists of Acceptable Documents defining what employers must inspect.

3. Employment and payroll enrollment — The fraudster completes onboarding, is assigned a payroll account, and begins accumulating W-2 wage records under the victim's SSN. Payroll processors transmit these earnings to the IRS and SSA through standard W-2 reporting (IRS Form W-2, governed by 26 U.S.C. § 6051).

4. Detection lag — Victims frequently discover the fraud only when the IRS issues a notice of unreported income, when the SSA earnings record shows unexpected wage entries, or when an unemployment insurance claim is denied because wages were already reported in a different state.

5. Remediation initiation — Victims must engage multiple agencies simultaneously: the IRS (Identity Protection Specialized Unit), the SSA (to correct the MEF), and potentially the Department of Homeland Security (DHS) if immigration-related document fraud is involved.

The E-Verify system, operated by USCIS and the SSA, provides an additional verification layer by cross-checking I-9 data against SSA and DHS databases. However, E-Verify participation is mandatory only for federal contractors under the Federal Acquisition Regulation (FAR 52.222-54) and employers in states with mandatory E-Verify laws — it is not universally required across private-sector employment (E-Verify overview, USCIS).

Common Scenarios

Three principal scenarios account for the majority of employment identity theft cases reaching federal agency remediation channels.

Unauthorized work authorization fraud targets immigrants or individuals without legal work status who use a U.S. citizen's or lawful permanent resident's SSN to pass I-9 and E-Verify checks. The victim's SSN generates wage records in states or industries where the victim has never worked. This is the scenario most directly implicating USCIS enforcement and, where document forgery is involved, the Department of Justice's (DOJ) Civil Rights Division, which enforces anti-discrimination provisions under 8 U.S.C. § 1324b.

Tax-motivated employment fraud involves using a victim's SSN to establish payroll records that generate fraudulent tax refund claims, particularly the Earned Income Tax Credit (EITC). The IRS flags this when two W-2s are filed under the same SSN from unrelated employers in the same tax year. Victims must file IRS Form 14039 (Identity Theft Affidavit) to initiate resolution.

Benefits fraud through false wage history uses fabricated employment records to qualify for unemployment insurance, workers' compensation, or SSA disability benefits. This implicates the Department of Labor (DOL) and state workforce agencies, which cross-reference wage data through the National Provider Network of New Hires (NDNH), maintained by the Office of Child Support Services (OCSS) under the Administration for Children and Families (ACF).

Decision Boundaries

Determining the correct remediation pathway depends on which records have been corrupted and which agency holds jurisdiction over those records.

The distinction between full identity impersonation and synthetic identity fraud is operationally significant. In full impersonation, all stolen data points belong to a real individual, and SSA earnings corrections directly benefit that person. In synthetic fraud, a real SSN is paired with a false name; the SSA may not flag the discrepancy automatically because the number, not the person, triggers the wage record. The IRS Identity Protection PIN (IP PIN) program (IRS IP PIN) provides a 6-digit annual code that prevents unauthorized return filing but does not directly block wage-record submission by employers.

Victims who discover employment fraud involving multiple states face a jurisdictional complexity: each state's unemployment insurance system maintains independent wage records, and corrections must be initiated with each state agency separately. The identity-theft-providers section of this reference provides structured pathways to locate state-level and federal remediation services. For context on how this topic fits within the broader identity theft service landscape, see the identity-theft-provider network-purpose-and-scope reference page. Professionals and researchers navigating this sector's structure can consult the guidance at how-to-use-this-identity-theft-resource.

Federal criminal statutes relevant to perpetrators include 18 U.S.C. § 1028 (fraud and related activity in connection with identification documents), 18 U.S.C. § 1028A (aggravated identity theft, carrying a mandatory 2-year consecutive sentence), and 18 U.S.C. § 1546 (fraud and misuse of visas, permits, and other documents). Prosecution authority rests with the DOJ, often in coordination with DHS Homeland Security Investigations (HSI).