January 29, 2018

Today, Jan. 29, is officially the first day of the 2018 tax-filing season, also known as the day fraudsters start requesting phony tax refunds in the names of identity theft victims. Want to minimize the chances of getting hit by tax refund fraud this year? File your taxes before the bad guys can!

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

According to the IRS, consumer complaints over tax refund fraud have been declining steadily over the years as the IRS and states enact more stringent measures for screening potentially fraudulent applications.

If you file your taxes electronically and the return is rejected, and if you were the victim of identity theft (e.g., if your Social Security number and other information was leaked in the Equifax breach last year), you should submit an Identity Theft Affidavit (Form 14039). The IRS advises that if you suspect you are a victim of identity theft, continue to pay your taxes and file your tax return, even if you must do so by paper.

If the IRS believes you were likely the victim of tax refund fraud in the previous tax year they will likely send you a special filing PIN that needs to be entered along with this year’s return before the filing will be accepted by the IRS electronically. This year marks the third out of the last five that I’ve received one of these PINs from the IRS.

Of course, filing your taxes early to beat the fraudsters requires one to have all of the tax forms needed to do so. As a sole proprietor, this is a great challenge because many companies take their sweet time sending out 1099 forms and such (even though they’re required to do so by Jan. 31).

A great many companies are now turning to online services to deliver tax forms to contractors, employees and others. For example, I have received several notices via email regarding the availability of 1099 forms online; most say they are sending the forms in snail mail, but that if I need them sooner I can get them online if I just create an account or enter some personal information at some third-party site.

Having seen how so many of these sites handle personal information, I’m not terribly interested in volunteering more of it. According to Bankrate, taxpayers can still file their returns even if they don’t yet have all of their 1099s — as long as you have the correct information about how much you earned.

“Unlike a W-2, you generally don’t have to attach 1099s to your tax return,” Bankrate explains. “They are just issued so you’ll know how much to report, with copies going to the IRS so return processors can double-check your entries. As long as you have the correct information, you can put it on your tax form without having the statement in hand.”

In past tax years, identity thieves have used data gleaned from a variety of third-party and government Web sites to file phony tax refund requests — including from the IRS itself! One of their perennial favorites was the IRS’s Get Transcript service, which previously had fairly lax authentication measures.

After hundreds of thousands of taxpayers had their tax data accessed through the online tool, the IRS took it offline for a bit and then brought it back online but requiring a host of new data elements.

But many of those elements — such as your personal account number from a credit card, mortgage, home equity loan, home equity line of credit or car loan — can be gathered from multiple locations online with almost no authentication. For example, earlier this week I heard from Jason, a longtime reader who was shocked at how little information was required to get a copy of his 2017 mortgage interest statement from his former lender.

“I called our old mortgage company (Chase) to retrieve our 1098 from an old loan today,” Jason wrote. “After I provided the last four digits of the social security # to their IVR [interactive voice response system] that was enough to validate me to request a fax of the tax form, which would have included sensitive information. I asked for a supervisor who explained to me that it was sufficient to check the SSN last 4 + the caller id phone number to validate the account.”

If you’ve taken my advice and placed a security freeze on your credit file with the major credit bureaus, you don’t have to worry about thieves somehow bypassing the security on the IRS’s Get Transcript site. That’s because the IRS uses Experian to ask a series of knowledge-based authentication questions before an online account can even be created at the IRS’s site to access the transcript.

Now, anyone who reads this site regularly should know I’ve been highly critical of these KBA questions as a means of authentication. But the upshot here is that if you have a freeze in place at Experian (and I sincerely hope you do), Experian won’t even be able to ask those questions. Thus, thieves should not be able to create an account in your name at the IRS’s site (unless of course thieves manage to successfully request your freeze PIN from Experian’s site, in which case all bets are off).

While you’re getting your taxes in order this filing season, be on guard against fake emails or Web sites that may try to phish your personal or tax data. The IRS stresses that it will never initiate contact with taxpayers about a bill or refund. If you receive a phishing email that spoofs the IRS, consider forwarding it to phishing@irs.gov.

Finally, tax season also is when the phone-based tax scams kick into high gear, with fraudsters threatening taxpayers with arrest, deportation and other penalties if they don’t make an immediate payment over the phone. If you care for older parents or relatives, this may be a good time to remind them about these and other phone-based scams.


51 thoughts on “File Your Taxes Before Scammers Do It For You

  1. KARL

    Whatever happened to the Equifax mail notification. Has anyone received notification by mail about the Equifax breach? I thought they were obligated by law to notify people by MAIL. I am not talking about their messed up attempt at online notifications which had multiple problems.

    1. Orties

      I got a notification from AT&T (strangely) saying they were handling the investigation on behalf of Equifax, and that my data may have been compromised.

      1. G.Scott H.

        I remember receiving a notification from AT&T regarding the Equifax data breach. It seemed to me to be courtesy notification of an AT&T customer, not as a third party investigator notifying an Experian data breach victim.

    2. Ken

      I received multiple notifications about the breach but not from Equifax itself. I could be wrong, but I believe the law is that a breached entity must notify its customers of a breach. You are not Equifax’s customer. You are its product. The banks are its customers.

  2. Keith

    I froze my credit reports months ago, so hopefully i have made it harder to be a victim of identity theft. It seems like everyday we hear of another way the fraudsters try to rob us.

    1. BrianKrebs Post author

      Thanks, you’re right I forgot it was Experian now. They’re basically the same. Will fix the copy. But they do still ask questions. It says so right on the form you linked to.

        1. Louis

          From that page: “If you have a “credit freeze” on your credit records through Experian, it must be temporarily lifted before you can successfully complete this process.”

  3. Paul T

    What I find truly infuriating is that the IRS refuses to give taxpayers PINs unless they’ve already a victim of identity theft.

    So there is literally NOTHING WE CAN DO TO PROTECT OURSELVES.

    If your tax return hasn’t been stolen yet, that just means you got lucky. Millions of victims to choose from and they just didn’t happen to pick yours. And there’s nothing you can do about it except wait to be victimized.

    1. Anon242

      Couldn’t have said it better myself. What nonsense.

    2. Johann

      Yes. This is the dumbest thing. Security would be increased by an enormous amount if they issued PIN numbers to everyone.

      1. Paul T

        I wouldn’t have them issue PINs by default, largely because you’re talking about Joe Public here. People will lose them and the resulting service costs to reset lost PINs would be staggeringly huge.

        But there should be some way for sophisticated taxpayers concerned about their security to _request_ a PIN without having to prove their identity had already been stolen. Maybe charge ten bucks for it, I’d even pay!

    3. Matt

      Actually, there is one solution that some folks have as an option. Calculate your yearly taxes, and pay just under the amount so that you owe the IRS during tax season. This way, you are not entitled to a refund, but instead owe the balance of taxes.
      This also gives you the advantage of using those monies throughout the year.
      This is a great option for those that can.

      1. Reader

        Bad guy pretends to be you and files for $100,000 income in your name, claims to have paid $50,000 tax already and requests $10,000 reund.
        The IRS will pay what is requested in 2-4 weeks *without question* *by law*, then possibly initiate an audit. The audit comes later, not before the IRS pays.
        What you claim is irrelevant.
        What you pay is irrelevant.
        All the bad guy needs to do is file a false tax forms before you.
        Whoever is first gets money, even if you have no legitimate right to a refund.

        1. Tim

          Worse than that, until it is cleared up, YOU owe the money back plus the penalties.

    4. Reader

      Imagine the IRS sent out millions of PIN notices. They all look the same, so it would be simple for a gang of thieves to steal them from mailboxes.
      It would be easy to identify.
      And so many notices would end up at old addresses.
      Or delivered to the wrong address.
      People living in shelters would never get their PIN notices.
      And people might just lose their PINs from year to year.

      Do you want to pay for those PIN notices from your pocket?

      Grand ideas always sound good when you’re not willing to be responsible for paying for the consequences.

      Currently, there is no legal way the IRS can delay refunds to verify eligibility prior to sending money out. It speeds up getting refunds from 6-8 weeks to 2-4 weeks, but fuels this type of fraud.

      So does refund to prepaid credit cards, like the Green Dot cards.

      To solve the problem, we need legislation to slow the refund process and require only checks or direct deposit to FDIC bank accounts.

      1. Paul T

        Like I said above, the fix isn’t to send PINs to everybody, largely because they’d lose them, although your point about stealing postal mail is a minor concern. That’s a felony right there.

        The fix is to allow clueful taxpayers to request a PIN. And maybe charge ten bucks.

    5. Keith Glass

      Well, at least in Virginia, they ALSO require your Driver’s License #, its’ expiration date AND date of issue.

      Awaiting word on whether accepted: my Federal return already was. . .

  4. goodbye

    The IRS won’t let you register with just a static element like a credit card or mortgage number. They also verify your phone number registration somehow – and if (when?) they can’t do that, they send you a letter in the mail that you need before you can access the transcript. It’s annoying & slow, but I guess it’s more secure?

  5. Jonathan

    Don’t experian and equifax have basically very similar data about people? People have loan and store accounts which will be reported to all credit reference bureaus, which are used to compile (similar) credit reports. #JustAThought.

  6. Ollie Jones

    About IRS phone scams: Brian, please consider revising the last few lines of your article to reiterate that the US IRS Never, Never, places outbound telephone calls to taxpayers demanding payment. Never. If you get a call claiming to be the IRS, it IS a scam.

    I’ve had elders ask me about this. The line that works is the clearest one: “The IRS Never makes calls like that, to anybody. Never.”

    1. vb

      I would add “The IRS never sends emails like that, to anybody. Never.”

      No phone calls and no emails. If the IRS wants to communicate with a taxpayer, they send a snail mail letter.

  7. steve lee

    Easy government solution: MAKE IDENTITY THEFT A CAPITAL OFFENSE PUNISHABLE BY DEATH

    1. Q

      Yeah, great idea…………

      Too bad most cases of identity theft go unsolved or are perpetrated by individuals outside of the U.S. so yeah, good luck arresting anyone, let alone prosecuting and convicting anyone

  8. Jon

    One thing I always wondered about the “IRS You Owe Money, Pay Now” phone scams:

    I couldn’t get a merchant account for a legitimate business and had to use Paypal. How do scammers get and keep merchant accounts that let them accept payments?

    1. Darron Wyke

      Easy. They have various world-wide merchants that are known for accepting bad actors as customers. Since they’re outside the US, once the money is charged, there’s nothing more that can be done. The credit card issuer would have to eat the cost of the chargeback, since they can’t get their money back from the merchant account.

    2. Reader

      They steal the credentials of legitimate users, typically. As soon as they’ve got some money come in, they transfer it out to another account.
      Rinse, repeat.
      The money can be laundered through a few stolen accounts before it works its way into prepaid store cards or high end goods, all to end up as cash.

    3. Tony

      you’d be surprised how many of these victims end up paying out with Best Buy gift certificates, or via Western Union.

  9. Patrick

    Having been a victim of tax return fraud a few years ago, my wife and I recently received our CP01A Notices (otherwise known as my Identity Protection Personal Identification Number). The problem is: both envelopes were sent (and received by us) in an unsealed state. So anyone could have opened those envelopes, written down our IP PIN, and sent the letters on their way. When I discussed this with the IRS, and requested that they reissue the PINs, they said that they are aware of the situation (i.e., that some envelopes went unsealed), but that they could do nothing about it. All they did was take note that our envelopes were unsealed. You can’t make this stuff up….

    1. Paul T

      They didn’t even seal the envelope, you mean? Like, they didn’t lick the sticky part to close it?

      Wow, that is amazing.

  10. Dean Marino

    We sort of cheat.

    1) We file QUARTERLY, ZERO withholding.
    2) Every year, we calculate our projected tax so that we OWE the IRS about $100.
    3) We MAIL our tax forms, with payment check.

    Now, IRS may take the money – or not. Our PAPER filing contains our legal signatures.

  11. AllHopeIsLost

    My employer offers W2 via electronic or paper through equifax’s eservice. I elected to receive paper copies.

    But was disappointed to find out that it makes no difference for my information security. If your employer offers electronic W2 via equifax there usually is no way to opt out. Getting paper copies is an inconvenience to your employer but gives no additional security to you as your electronic W2 are still online and most likely poorly secured.

    If I happen to visit the site for the electronic W2, it has the traditionally horrible security with prepopulated credentials from my employer and all my W2’s are right there on the screen. So electing to receive my W2 in paper form does nothing to protect me.

    All the information is there on-line on equifax services page and is a couple of good guesses and a couple of clicks away.

  12. Brian C.

    My W2 included a 16 character Verification Code (Box 9). The number is requested on the tax form. I am using Turbo Tax. Presumably, this will prevent fraudulent filings.

    1. James Beatty

      “Taxpayers and tax professionals are urged to enter the verification code when prompted by software, as it can speed the processing of the return and the issuance of the refund. However, omitted and incorrect verification codes will not delay the processing of a tax return.”

      https://www.irs.gov/individuals/w-2-verification-code

      In other words, the code does nothing to prevent the kind of fraud we’re discussing.

  13. Spanky

    If a fraudster can file a return without all the paperwork, so can you.

    File ASAP with whatever you have, and apply any estimated refund to next year’s taxes. Now you have blocked the fraudsters.

    When you have all your documents, file an amended return and take your refund.

  14. Tammy

    You yanks need only this to be set up, and join the 21st century but sadly it will not happen (vested interest and all that), i am 62 and in the UK, and have never seen a tax form, the employer does the paper work at source for their staff and government, simple really.

    https://en.wikipedia.org/wiki/Pay-as-you-earn_tax

  15. Jim

    My simple solution (but requires a statute change):
    If the government can’t take care of my money properly, they don’t get it. Translates to zero withholding and I’ll pay at filing time. Won’t ever happen, but if it were real the government would be properly incented to fix this.

    It’s sad to see that the only solution is a big boy version of musical chairs which just encourages inaccurate tax filings.

  16. taxCPA

    Keep the big picture in mind, and follow the money. The crooks go where the money is. Please don’t complain about the IRS if you are voting for those who want less government. The IRS budget is down 15-20% and 20,000 employees from 5 years ago. So far, the Congress is not adding any budget or employees to help the IRS implement the tax cuts just enacted. I suspect this does not improve fraud detection.

    It is also interesting to note that the IRS rules require kba for tax professionals when their clients use electronic signatures on the efile authorization forms. Also, tax professionals, as of Jan, 1, have to provide personal information such as date of birth, etc. to authenticate themselves when they call the IRS with regard to their clients.

    The IRS response seems to me to be typical of most large businesses. In other words, management believes what they are doing is a reasonable response given the environment.

    1. James Beatty

      Perhaps if the IRS had allocated their $11M of spending on firearms over the last nine years – (most of them of the variety that mere commoners can’t own without a tax stamp) – toward more relevant security needs, those of us who want a less-intrusive government would have less to complain about.

  17. irsSally

    online facility option from irs becomes handy:)
    and im love it,haters gona hate:)

  18. Ex Castillo

    IRS imposters and identity theft are the two main phone scams reported by victims in the US. This is why it’s highly recommended that consumers consider protecting their phone lines with a call blocker device. Check details at https://www.hqtelecom.com — this company has many call blockers available and has helped many elders protect their phones against scams. I purchased a T-Lock version for ~ $39 last year and Im so happy I did — So far I have have 1,000+ scam numbers blocked!

    1. taxCPA

      There is a timing problem with the your suggestion. W-2 are first submitted to the Social Security Administration for processing. Social Security then sends the data to the IRS. Although the W-2 filing deadline for employers has been moved back to January 31, it still takes some time to process the electronically submitted W-2 forms. These are likely the majority of all W-2s, but some, mostly smaller employers still mail paper W-2 filings to Social Security.

      Not sure if it’s been done yet, but a fraudster could file fake w-2 forms and then file tax returns.

  19. Tom

    Should people with $0 taxable income and $0 tax liability and otherwise not required to file a Federal return, do so anyway just to prevent fraudsters from filing one in their name? I’ve not seen anything from the IRS about using that strategy. Not sure if they consider that OK.

    1. darlon

      Nonfilers are the bestest news to thieves. Millions of Puerto Ricans apparently file taxes, and always have. We in IRS cant use the tools that could see these thieves, so its happy times for them.

Comments are closed.