Tax-refund fraud has exploded in the past few years. In 2012, the Internal Revenue Service paid out $4 billion in fraudulent refunds to identity thieves. For 2016, that number is projected to hit $21 billion across the federal, state and local levels.
In February 2015, TurboTax maker Intuit suspended online filing for 24 hours following a spike in fraudulent returns. That same year, theIRS itself was hit by a data breach involving tax-refund scammers.
"Tax-return fraud through identity theft has been increasingly costly and damaging in recent years," said Ryan Saltz, Esq., a licensed tax professional at Tax Defense Network, LLC, in Jacksonville, Florida. "Many scammers have been successful in filing false returns in order to obtain inflated tax refunds."
Tax-refund victims usually find out only when their own returns are rejected, as the IRS accepts only one tax return per Social Security number. (That's one reason you should file early.) Victims must undergo a grueling identity-verification process before they can receive their legitimate refunds. Meanwhile, the government ends up paying the refund twice.
Recognizing the increasing numbers of victims of tax-return identity fraud, and the growing sophistication of the attacks and attackers, the IRS has stepped up its game to better protect taxpayers. The agency is also working closely with state tax offices and with tax-industry professionals to make sure these groups strengthen their defenses as well.
In the meantime, however, you might have to provide proof of identity to file your taxes from now on. Your tax refund might come later this year, and as a paper check rather than as an electronic transfer. It's all part of the effort to make things tougher for tax-refund thieves. The downside is that filing taxes must become less convenient for everyone else.
Strengthening tax-filing protections
When my husband and I had our annual appointment with our tax accountant this year, the receptionist requested to see our driver's licenses. She explained this was something new the IRS was asking for. Photocopies of our driver's licenses, she said, would be included with our tax returns to prove we were who we said we were.
The receptionist didn't quite have it right. This isn't a federal requirement, but a number of states are indeed asking taxpayers to supply identification to protect against what the government calls stolen-identity refund fraud.
The IRS is requiring strong passwords for tax-preparation-service accounts such as TurboTax, and requiring several of the bigger services to implement two-factor authentication login procedures. Meanwhile, the agency is taking longer to process returns in order to leave time to verify filers' identities.
The agency has also launched a public-awareness campaign against a different, but sometimes related, scam — one in which crooks pretend to be the IRS and threaten victims with jail time unless they immediately pay "taxes owed."
What is stolen-identity refund fraud?
Stolen-identity tax-refund fraud isn't the same as regular tax fraud, in which you alter your own returns to pay less in taxes. Instead, it's when someone else, usually a complete stranger, gets hold of your personally identifying information and files a return in your name, then collects the tax refund owed to you by the IRS or a state tax-collection agency.
"The ruse takes place when a thief obtains 'fullz' [about] a taxpayer," explained Alex Heid, chief research officer at SecurityScorecard in New York. "'Fullz' is underground slang for full name, address, date of birth, Social Security number and other relevant info."
The identity thief will enter his or her own mailing address when filing "your" return, and may request that the refund be paid on a prepaid debit card, which is difficult to track or block.
How do crooks get your personal information?
"A lot of people discovered that a) Social Security numbers are either easy to steal or find or buy," said IRS Commissioner John Koskinen to CBS News' 60 Minutes program in 2014, "and then, b) you can file a false return."
Medical records generally contain "fullz," and are frequently stolen ininsurance-company data breaches. But crooks can simply buy copies of medical records from crooked employees at doctors' offices, hospitals and medical-insurance claim processors.
"We would approach anyone who worked at, like, a dental office, anybody who worked in a medical field," Corey Williams, a convicted tax-fraud identity thief, told 60 Minutes. "You would just approach them and tell them if they get you 100 names, you would give them $1,000."
It's such a big business that it's becoming professionalized.Richard Weber, chief of the IRS' criminal-investigation unit, toldNetwork World that there has been a shift in the type of criminals committing identity theft, moving from "small-time thieves to multinational criminal enterprises."
Julie Magee of the Alabama Department of Revenue told independent security reporterBrian Krebs that crooks have been registering as tax preparers to be able to file even more fraudulent returns.
Staying ahead of the bad guys
Stopping the thieves means reversing course on the tax-filing process. That process has been made deliberately more convenient for filers in the past decade, but this has also made it much easier for thieves to exploit the system. Now, as with logging into your email, Facebook and online banking accounts, it's going to be harder to file your taxes.
"Tax-software companies have been working with the IRS to improve security protocols for various return-filing platforms," Saltz said.
"Taxpayers will need to provide additional password information when logging into their accounts to file," he added. "These added features are intended to reduce the likelihood that fraudsters will be able to defeat software security in order to complete phony returns."
Saltz said there's now more data-sharing among the IRS and state tax agencies, and with the big commercial tax preparers.
Some online tax-preparation services are requiringtwo-factor authentication, in which the user first enters a password, then has to type in a PIN texted to his or her mobile phone by the tax-prep company.
In Georgia and North Carolina, tax agencies are working with a company called MorphoTrust USA to test eID, a secure online identification-verification system.
There's also a second, scarier kind of tax scam that makes you, not the government, pay a scammer. Someone purporting to represent the IRS calls or emails you to say you owe back taxes and need to turn over personal information, or pay large "fines," on threat of arrest.
Sometimes such scams seek your cash, instructing you to pay the "taxes" or "fines" using a prepaid card. In other cases, the goal for the thieves is to gain the taxpayer’s financial credentials in order to wipe out bank accounts — or file fraudulent tax returns.
To combat these scams,that the IRS has launched a public-awareness campaign called "Taxes. Security. Together." It's designed to educate taxpayers on maintaining security online and recognizing fraudulent schemes.
As part of this initiative, the IRS is providing publications, and even putting videos online, to help taxpayers learn how to recognize phishing attempts and how to best protect their personally identifiable information at all times.
To avoid being hit by phone or email scammers, remember that the IRS initiates contact only by snail mail — the agency will never call or email you out of the blue.
To protect your tax refund, you should file your returns early,protect your Social Security number and your date of birth by keeping them secret (sorry, Facebook users), and make sure your tax accountant has a good reputation and has been in business a long time.
"Prevention and knowledge go a long way in avoiding falling for fraudulent schemes," Saltz said. "It's always a good idea to visit IRS.gov for updates on scam tactics and how to protect yourself."