April 10, 2020

The U.S. federal government is now in the process of sending Economic Impact Payments by direct deposit to millions of Americans. Most who are eligible for payments can expect to have funds direct-deposited into the same bank accounts listed on previous years’ tax filings sometime next week. Today, the Internal Revenue Service (IRS) stood up a site to collect bank account information from the many Americans who don’t usually file a tax return. The question is, will those non-filers have a chance to claim their payments before fraudsters do?

The IRS says the Economic Impact Payment will be $1,200 for individual or head of household filers, and $2,400 for married filing jointly if they are not a dependent of another taxpayer and have a work eligible Social Security number with adjusted gross income up to:

  • $75,000 for individuals
  • $112,500 for head of household filers and
  • $150,000 for married couples filing joint returns

Taxpayers with higher incomes will receive more modest payments (reduced by $5 for each $100 above the $75,000/$112,500/$150,000 thresholds). Most people who filed a tax return in 2018 and/or 2019 and provided their bank account information for a debit or credit should soon see an Economic Impact Payment direct-deposited into their bank accounts. Likewise, people drawing Social Security payments from the government will receive stimulus payments the same way.

But there are millions of U.S. residents — including low-income workers and certain veterans and individuals with disabilities — who aren’t required to file a tax return but who are still eligible to receive at least a $1,200 stimulus payment. And earlier today, the IRS unveiled a Web site where it is asking those non-filers to provide their bank account information for direct deposits.

However, the possibility that fraudsters may intercept payments to these individuals seems very real, given the relatively lax identification requirements of this non-filer portal and the high incidence of tax refund fraud in years past. Each year, scam artists file phony tax refund requests on millions of Americans, regardless of whether or not the impersonated taxpayer is actually due a refund. In most cases, the victim only finds out when he or she goes to file their taxes and has the return rejected because it has already been filed by scammers.

In this case, fraudsters would simply need to identify the personal information for a pool of Americans who don’t normally file tax returns, which may well include a large number of people who are disabled, poor or simply do not have easy access to a computer or the Internet. Armed with this information, the scammers need only provide the target’s name, address, date of birth and Social Security number, and then supply their own bank account information to claim at least $1,200 in electronic payments.

Page 1 of 2 in the IRS stimulus payment application page for non-filers.

Unfortunately, SSN and DOB data is not secret, nor is it hard to come by. As noted in countless stories here, there are multiple shops in the cybercrime underground that sell SSN and DOB data on tens of millions of Americans for a few dollars per record.

A review of the Web site set up to accept bank account information for the stimulus payments reveals few other mandatory identity checks to complete the filing process. It appears that all applicants need to provide a mobile phone number and verify they can receive text messages at that number, but beyond that the rest of the identity checks seem to be optional.

For example, Step 2 in the application process requests a number of data points under the “personal verification” heading, and for verification purposes demands either the amount of the applicant’s Adjusted Gross Income (AGI) or last year’s “self-selected signature PIN.” The instructions say if you do not have or do not remember your PIN, skip this step and follow the instructions in step A above.

More importantly, it appears one doesn’t really need to supply one’s AGI in 2018. “If you didn’t file a return last year, enter 0,” the site explains.

Step 2 in the application for non-filers.

In the “electronic signature” section at the end of the filing, applicants are asked to provide a cell phone number, to choose a PIN, and provide their date of birth. To check the filer’s identity, the site asks for a state-issued driver’s license ID number, and the ID’s issuance and expiration dates. However, the instructions say “if you don’t have a driver’s license or state issued ID, you can leave the following fields blank.”

Alas, much may depend on how good the IRS is at spotting phony applications, and whether the IRS has access to and bothers to check state driver’s license records. But given the enormous pressure the agency is under to disburse these payments as rapidly as possible, it seems likely that at least some Americans will get scammed out of their stimulus payments.

The site built to collect payment data from non-filers is a slight variation on the “Free File Fillable Forms” product, which is a free tax filing service maintained by Intuit — a private company that also processes a huge percentage of tax returns each year through its paid TurboTax platform. According to a recent report from the Treasury Inspector General for Tax Administration, more than 14 million Americans paid for tax preparation services in 2019 when they could have filed them for free using the free-file site.

In any case, perhaps Intuit can help the IRS identify fraudulent applications sent through the non-filers site (such as by flagging users who attempt to file multiple applications from the same Internet address, browser or computer).
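One way to implement the flagging suggested above, as an added example rather than IRS or Intuit code. It goes slightly beyond the paragraph by also correlating on the destination bank account; the field names, the threshold of three and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample submissions (not real data). "ssn_token" stands in for a
# keyed hash of the SSN so the detector never handles raw identifiers.
SAMPLE_APPLICATIONS = [
    {"app_id": "A1", "ssn_token": "s1", "ip": "198.51.100.7", "device_id": "dev-a", "account": "ACCT-X"},
    {"app_id": "A2", "ssn_token": "s2", "ip": "198.51.100.7", "device_id": "dev-a", "account": "ACCT-X"},
    {"app_id": "A3", "ssn_token": "s3", "ip": "198.51.100.7", "device_id": "dev-b", "account": "ACCT-X"},
    # One applicant retrying after form errors: three submissions, one identity.
    {"app_id": "A4", "ssn_token": "s4", "ip": "203.0.113.5", "device_id": "dev-c", "account": "ACCT-Y"},
    {"app_id": "A5", "ssn_token": "s4", "ip": "203.0.113.5", "device_id": "dev-c", "account": "ACCT-Y"},
    {"app_id": "A7", "ssn_token": "s4", "ip": "203.0.113.5", "device_id": "dev-c", "account": "ACCT-Y"},
    # A second household member behind the same home IP address.
    {"app_id": "A6", "ssn_token": "s5", "ip": "203.0.113.5", "device_id": "dev-d", "account": "ACCT-Z"},
]

# Attributes whose reuse across different identities is suspicious.
SHARED_KEYS = ("ip", "device_id", "account")


def flag_shared_attributes(applications, threshold=3, keys=SHARED_KEYS):
    """Return {(key, value): {"applicants": n, "apps": [...]}} for every
    attribute value used by at least `threshold` distinct identities.

    Counting distinct SSN tokens instead of raw submissions keeps a single
    person's retries from tripping the rule.
    """
    identities = defaultdict(set)  # (key, value) -> distinct ssn tokens
    app_ids = defaultdict(set)     # (key, value) -> application ids
    for app in applications:
        for key in keys:
            value = app.get(key)
            if not value:
                continue  # a missing attribute cannot be correlated
            identities[(key, value)].add(app["ssn_token"])
            app_ids[(key, value)].add(app["app_id"])
    return {
        kv: {"applicants": len(tokens), "apps": sorted(app_ids[kv])}
        for kv, tokens in identities.items()
        if len(tokens) >= threshold
    }


def review_queue(applications, threshold=3):
    """Map each application to hold for manual review to its reasons."""
    reasons = defaultdict(list)
    for (key, value), hit in flag_shared_attributes(applications, threshold).items():
        for app_id in hit["apps"]:
            reasons[app_id].append(
                f"{key}={value} used by {hit['applicants']} distinct applicants"
            )
    return dict(reasons)


if __name__ == "__main__":
    for app_id, why in sorted(review_queue(SAMPLE_APPLICATIONS).items()):
        print(app_id, "->", "; ".join(why))
```

Shared addresses such as libraries, shelters or tax-help clinics will also exceed any fixed threshold, so hits belong in a review queue rather than an automatic rejection.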

There is another potential fraud storm brewing with these stimulus payments. An app is set to be released sometime next week called “Get My Payment,” which is designed to be a tool for people who filed tax returns in 2018 and 2019 but who need to update their bank account information, or for those who did not provide direct deposit information in previous years’ returns.

It’s not yet clear how that app will handle verifying the identity of applicants, but KrebsOnSecurity will be taking a look at the Get My Payment app when it launches later this month (the IRS says it should be available in “mid-April”).


304 thoughts on “New IRS Site Could Make it Easy for Thieves to Intercept Some Stimulus Payments”

  1. RickH

    How do I ‘pre-emptive strike’ a fraudster? Assume that a person has not filed tax returns, but wants to get the $$$. Should that person fill out the form on the site ASAP to pre-empt any fraudsters?

    And it wasn’t clear if a person that *has* filed a 2018 or 2019 needs to worry about fraudsters filling out the form and intercepting the payment.

    Or if a person receiving SS payments needs to worry about fraudsters using this form.

  2. Rich Kontas

    Another great report. As you’ve clearly pointed out this is like serving up a huge opportunity on a silver platter for criminals at a time when people are in real financial need. My faith in governmental info-sec is nil. Add to that the fact they got it off the ground so quick lends itself to the belief there’s holes or glitches only to be found once it’s too late. I hope I’m wrong.
    Thanks again Brian!

    1. hop

      Was checking my SS online last night and alert was “this site shuts down in 15 minutes for maintenance” I assume they were scrambling to update and debug – but that’s the SS site with decent 2FA, and a bit tricky login. The docs above look very vulnerable for those deserving/expecting a prompt and efficient disbursement and have not otherwise set up anything 0 and wanna bet it gets swamped? It’s probably gonna be a trough for thieves and swindlers (not domestic government ones) all over the planet delivering all over it.

  3. John

    Information Security and our Federal Government are two terms that are diametrically opposed. This is another golden opportunity for the people who really need the help to get fleeced yet again by cyber-thieves.

    Brian, Thank you. I only wish we didn’t need a watchdog like you to alert us but certainly appreciated that you are there for us!

  4. John Zukowski

    Do you think there is the possibility that the info for the recently dead could be used to get checks/money?

  5. The Sunshine State

    Some of the most vulnerable are people in jail and prisons or elderly in nursing homes who can have their identities easily stolen

  6. G.Scott H.

    Could bad information be entered more than once? Could bad information be entered for someone that has already filed 2018 or 2019 taxes? Even if the stimulus doesn’t get redirected to a miscreant, would a delay or denial of service occur?

    It’s a very bad sign that so many potential verifiers are optional. How much testing was performed?

  7. Admin User

    How about a “Where’s My Stimulus” site to track when we’ll receive our money?

    Otherwise, how would we know if it had been stolen or otherwise misdirected?

    1. bardoo

      A great idea – but is there time to set up and debug? It would be a stretch.

    2. JimV

      I guess it could have merit, but likely a lot of frustration for repeated display of “Your check is in the mail!” or “Your direct-deposit is trapped in an overloaded server!” messages…

  8. Stimulati

    There does appear to be one rather stringent barrier in place. One has to confirm an email address in order to file, yet this confirmation email is never sent regardless of how many times one requests it. No doubt this will impede many a fraudulent claim.

    1. nick

      yeah took 45min to receive my email to confirm. then tried to enter it and expired lol … waited an hour then only took couple minutes and worked

    2. Brian Fiori (AKA The Dean)

      So, by that logic NOBODY has EVER filed online, since they NEVER send the email to confirm your address. OK thanks. I didn’t know that. I guess my online filings were bogus.

      1. JCitizen

        I saw the term “work eligible social security number”, so I gave up immediately ever hoping for a check. I’m just praying I don’t OWE more money this year!

    3. Phil

      Make sure your web browser isn’t blocking the code that makes the email verification button work. Adblocker or something similar?

  9. Andrew

    I’ve been expecting this article ever since the stimulus package was announced. I’d say thanks for not letting me down, but I’m too sad that our security is so predictably bad.

    Seriously though, thanks for the work you do.

  10. C

    You write “sending Economic Impact Payments by direct deposit to millions of Americans”, but you mean “sending Economic Impact Payments by direct deposit to millions of US residents” — non-citizen fiscal residents are eligible too, and that’s ~15 million people.

  11. Holly I Davis

    I wouldn’t be too worried about security with the free-file form- at least not yet. Although I suppose this should be of no surprise, it is impossible for anyone (legitimate or not) to submit the form electronically.

    It is virtually non functional as of this writing. First, the required email address verification process could not be completed, as no verification email was generated.
    That email did arrive six hours later.

    The major dysfunction is that the completed form cannot be submitted. Clicking “submit” routes to an error screen that says “some important information is missing.” The prompt returns you to the initial info screen (complete and initially accepted by the site.) Click “submit” again and, thus, the circle continues.

    1. LaDonna

      Holly, I had same issue. I reread all of my info..found I had not put my date of birth (directly above where the other info goes) ITS SUPER EASY TO MISS! Look at every question every line every box ..even if you do not think it applies to you. I promise you will find the mistake. Oh, I also accidentally put in my state abbreviation again ( on line across from mine – like I had 2 people to fill in license info- which i did not) it took forever to get it out of there..gotta look for a blank circle above all states.
      I kept trying..finally it was above AA..whatever that meant..not sure how I got there. You will find what you missed or messed up with!

  12. Phil

    Brian – Thanks for that headsup!

    Went & applied just now. Created an account with a somewhat short password (13 character) & was informed that my password is ‘strong’! Only major glitch was not verifying my email address before filling out the final form. Had to do the 2nd part over. Used a text based verification to begin with, took 15 seconds to receive the text. Secondary verification email took about 3 minutes. Needed to disable AdBlock Plus & Privacy Badger to get the final submit button to load properly. 20 seconds after that I got a confirmation email stating I’ll receive a final approval in 1 or 2 days

  13. Cissy Kubiak

    I filled out a form or tried to APRIL 10, 2020. IT WOULDN’T LET ME COMPLETE OR MOVE ON TO NEXT STEP. I TRIED A FEW TIMES. SOMETHING NOT RIGHT. CONCERNED WITH THE VALIDITY OF IT AND WHAT TO DO NOW !!!

  14. Bill

    I had no problems submitting the form or getting the verification email (I use gmail). However on many sites when you leave out a required field it gets highlighted for you, on this site you have to figure it out yourself what is missing when it won’t go through (in my case I had forgotten to put in my zip code). Took awhile to find the mistake though. I was surprised I had to put down drivers license number AND date of issue AND date of birth. Won’t this prevent fraud? Yes it says if you have neither one you can leave that blank. Maybe any application in which the applicant claims to have neither a D.L. nor a State I.D. should be flagged? To be an adult and have neither one of these–no state issued identification at all — is rare, isn’t it? How can you function without any I.D. Shouldn’t this D.L./State I.D. requirement prevent fraud? I assume they must use this info to cross check though article implies that is not assured. Won’t requiring direct deposit also prevent fraud? At least it will mean any fraud will be connected to a real person unless a bank is violating anti money laundering requirements. Can they limit acceptable routing numbers to US banks so the money can’t go to a black hole jurisdiction? Thank you for raising the issues.

  15. Bob O

    I saw a train wreck in the making as soon as I heard the IRS consider doing this.

  16. Unblinking

    When one scammer’s bank account is found to have received payment for, say, nine hundred different SSNs, the White House will respond, “Nobody could have predicted something like this.”

    1. Nicole

      >D that is their response to many things. Still have not gotten my deposit, don’t expect them to fix it anytime soon

  17. Uncle Sam

    Never fear. I AM the government and I am here to help. God save my Queen.
    Nothing to see here, please move along

  18. Pete

    So, how do people without cell phones who don’t need to file tax returns get their payment?

  19. Belli H

    So, my wife and I are confused.

    We filed taxes both 2018 & 2019 (and have since the early 80s), but the last two years we were not required to supply our bank account number. So that was left blank.

    According to this article, should we go right now to this site Brian highlighted and “plant our flag”, so to speak?

    Or should we wait for this “Get My Payment” app and try that?

    Or do both??

    Also, anyone (Brian?) know what the U.S. Gov’t is telling those members of Americans living around the world working either for the U.S government and/or in the military? They have no U.S. Stateside cell phone and/or house phone number. No one knows anything over here.

    One overseas servicemember relative emailed and quipped: “how is it when the IRS decides you made a mistake and owe them money….they can immediately find you via multiple letters demanding payment despite you being in a forward camp trying not to get sniped…yet they now can’t manage to send a paper check with the same info they have on file?!”

    Thanks for any replies about whether to wait for the supposed app to come, or go the site Brian highlighted, or do both. And what should overseas U.S. people do if they’ve no Stateside cell and/or landline phone number (s).

    1. BrianKrebs Post author

      Belli, this site that is the subject of the story is only for people who didn’t file taxes in 2018 or 2019. You should wait for the Get My Payment app to update your payment information.

  20. Eric

    Thanks, Brian, for the heads up and the link to the website.
    I pre-emptively filled in the form for my college-age daughter; I hope I’m ahead of the scammers.

  21. Usahaa

    USA is wealthy with dollars!
    Its like a Dream Land a lot hustlings You can Get Rich in USA a lot money there Easy ways to Get it

  22. Jason

    Wouldn’t the routing info trigger an alarm if used more than once?

  23. Brooke Wilson

    I’ve filled out the forms and it keeps giving me an error for my banking information. It won’t take my checking or savings, maybe even routing? But I bank With Wells Fargo and am so confused on what’s going on.

    Anyone have any idea??

  24. Brooke

    I’ve filled out the forms and it keeps giving me an error for my banking information. It won’t take my checking or savings, maybe even routing? But I bank With Wells Fargo and am so confused on what’s going on.

    Anyone have any idea??

  25. Dmh

    I’m left behind because my girth was rejected due to a required identity pin. Without this i can’t receive a check. And without a credit card (not debit) i cannot get this identity pin. Unbelievable. So if toy didn’t come in 18 or 19 and have no CREDIT card you get no stimulus payment

    1. SacredElement

      man , Ive have had the same problem, and without anyones help, im just stuck waiting day by day, trying to figure this out. It says identity pin error , basically exactly like you said.

      “Here is your error(s):
      Issue : Business Rule IND-181-01 – The Primary Taxpayer did not enter a valid Identity Protection Personal Identification Number (IP PIN). Please visit http://www.irs.gov/getanippin for further information and resubmit your return with the correct number.

      The following information may help you determine the form at issue:
      Field/Xpath: /efile:Return/efile:ReturnHeader/efile:Filer[1]/efile:PrimarySSN

      my SSN is exactly correct, DOB correct, I didnt know that I had a pin, but when i go to try to receive idpin , it says I have to create an account, and doing that it asks me to enter
      -my name
      -email address
      -Last address used on tax return

      And then it pops up that It cannot verify, or error etc. . I mean what am i to do???? Anyone????

  26. Dmh

    My *FORM* was rejected…..

    Forgive my errors above.

  27. friend

    “She lusted after her lovers, whose genitals were like those of donkeys and whose emission was like that of horses.” Ezekiel 23:20 NIV

  28. Phil

    My concern was the same as one that was pointed out earlier in the thread..
    IF a scammer were to try and fill out the information of an individual that has already filed their taxes will that application be flagged??

    Another concern I was having was if someone who HAS filed their taxes for ’18 and ’19 and their refund was direct deposited into a family members bank account due to not having one at the time, will they get rejected the ability to receive that deposit? And if that were to happen will that person still be able to update account info later on this week?
    I guess what I’m asking is, will that account get flagged for fraud and will the person who is receiving that deposit be blocked from attempting further updates?

  29. Ana

    I haven’t had to file a tax return in several years and my form has been rejected twice for a “Ip pin” that I’ve never received from the IRS….what do I do. The IRS is not open for calls,so that means I’m stuck and don’t get a much needed Stimulus check? I’ve moved and divorced since the last time I filed a tax return, so I’m not sure where the pin was sent or if it was sent???

    1. Jesse

      Having exact same problem here Ana. Rejected for lack of IP PIN for BOTH E-file and at the new portal which claims IP PIN is not necessary. However, the exact same thing is happening at the new portal—rejection for lack of IP PIN!!!

      Any folks experiencing this let’s update everyone about solutions as they emerge thanks.

      1. Dylan

        I’m dealing with the same issue, suddenly I’m required to enter a Taxpayer Protection PIN (if applicable) well it’s not because I’ve never received anything like that & it says if I did I could search for it on site I click the link it sends me to and it displays a system error, I get sent in a circle just to hit a wall.

    2. Alydia

      The IRS doesn’t mail you a PIN #…you get those when you file a tax return online. I have been filing online for years and I use the same PIN # year after year. I also have direct deposit into my account from IRS but the last three years I have owed them. I have allowed them to direct debit the funds from my account. So, I’m hoping I won’t have a problem. They do make it difficult when they don’t give you all the info. When they launch their “Where is my stimulus” tool next week maybe it will be helpful to you.

        1. Racklefratz

          Huh? “Identity Protection PIN (IP PIN)”??

          I’ve been filing federal tax returns for decades, and IRS has never mailed me any “Identity Protection Pins”. Never even HEARD of that until reading this? Why do some people get them and others not?

    3. Raj Haraniya

      Hello, I am also having the same issue, Can you please help me with the solution. Thank You in advance!
