Graphic: Nine Months Tax Refund Delay While IRS INvestigates Tax Refund FraudSECURITY

So what if you file your taxes and find out that someone else already claimed your refund?

In 2016, income tax fraud will cost Americans about $21 billionaccording to the IRS. Tax refund fraud accounts for the biggest - and fastest growing - share.  Up from roughly $6.5 billion in 2014, that’s a growth rate of more than 84 percent per year.  

Last year, tax refunds claimed in someone else’s name were behind a whopping 45 percent of all reported identity theft cases, according to a recent Federal Trade Commission report.

Individual taxpayers who fall victim to tax refund fraud can find themselves in a world of pain, the more so if they’ve already planned to spend that expected windfall from the IRS.

It’s true that the victim will not be held liable for the stolen refund. But it takes the IRS an average of nine months to investigate - which means nine months more to wait for your money.  And who ends up shouldering the cost of the investigation, and carries the amount lost through the fraudulent claim? You guessed it - you, I, we all do - as taxpayers.

Why the spike?

Tax refund fraud has always been easy to pull off. This type of crime doesn’t demand big up-front investment by the fraudster, just some readily accessible personal information on the victim.  

They don’t have resort to dumpster diving or physical mail theft anymore, like in the old days. To collect the information they need - to pass themselves off to the IRS as you - all they need is a computer.

Personal Identifiable Information (PII) is easy enough to collect online. As a byproduct of the digital advertising age, our information and activities are tracked in marketing databases, and these data feeds are available for a subscription fee. And in the aftermath of massive data security breaches at large corporations and government agencies, underground communities are trafficking PII for pennies per record.

Another factor that favors the criminals: the lack of computer security at the IRS and its approved online tax filing (“e-filing”) services.

Security around these systems is so bad that one of the Internal Revenue Service’s “preventive” measures, intended to protect likely victims, ended up aiding criminals.

Graphic: 490,000 reported cases of identity theft in 2015 (FTC) - Authentic8 Blog 

Tax refund fraudsters know that the IRS systems aren’t sophisticated enough to recognize erroneous filings.  Especially if they beat you to the punch and file before you do.  And with the law stating that the IRS must send the refund check within 6 weeks of filing, they have a real incentive to move faster than you do.

Perhaps the biggest reason behind the growth is that the risk of getting caught is low.  Only a fraction of cases ever successfully investigated or prosecuted.

As a  result of these factors, criminals have been emboldened to the point of hitting the same victims twice - almost to a year after the initial refund fraud had been detected. [Krebs link]

As long as tax refund fraud remains a simple to execute and low-risk proposition, the trends will continue.   Here’s how and why they get away with it, and what you should do to protect yourself.

How tax refund fraud works

Tax refund fraud schemes depend on identity theft. For tax refund fraudsters, a name and social security number from one of those security breaches is a good start. More than 100 million Social Security numbers were leaked in 2015, according to the American Institute of Certified Public Accountants.

460,000 stolen SSNs were used by fraudsters in a successful February 2016 scheme to obtain e-PINs for fraudulent tax refund filing from the IRS.  By co-opting the IRS’s accounts, they’re in a better position to file the fraudulent claim.


Source: FTC / Krebs on Security             

In order to file without raising suspicion, the fraudsters need a bit more PII to create a sufficient taxpayer profile.  One proven way is to pose as the CEO or CFO of a company and send a targeted email to an unsuspecting employee requesting employee data. Employees want to be helpful, so an  “urgent” email requesting the W-2 information is probably going to get results.

This isn't a theoretical risk. It happens. Your HR and accounting departments have played into the hands of criminals. In March of this year, the IRS issued a nationwide alert to payroll and human resources departments.

Once successful, the criminals gain access to essential personal data that can be used in a variety of ways. To file a tax return, to open a line of credit, or to get past knowledge-based authentication schemes, like the security questions asked by financial firms before disclosing a person's financial information.

Criminals Prefer Online Tax Filing Services

Online tax filing helps us all get through the first two weeks of April with a lot less stress. E-filing services like TurboTax not only give us electronic forms, but they also provide helpful guidance for completing and properly submitting the forms.

For tax fraud criminals, e-filing services have been a productivity boon as well, allowing them to automate their scams and run them on a large scale.

Software company Intuit, maker of the tax preparation program TurboTax, faces a nationwide class action lawsuit on behalf of identity theft victims.  The lawsuit alleges that Intuit knew about the widespread abuse of TurboTax by criminals, but chose not to prevent the tax fraud to not endanger its own bottom line.

Lieff Cabraser, who brought the suit, also accuses Intuit of failing to adopt basic cyber security policies to protect its customers’ sensitive and private information from hackers, thereby exposing TurboTax users and their families to identity theft and other risks.

How to detect tax refund fraud?

You may not know that someone has filed on your behalf until it is too late. There isn’t a reliable and real-time notification system to tell you that a filing has been submitted.


Here are the most common warning signs:

  • You don’t  receive the W-2 or 1099 form that you were expecting.
  • You file your taxes online and find that your filed return is automatically rejected (because a fraudster using your Social Security number was faster).
  • You receive a notice - or even a bill - from a tax preparation service like H&R Block because someone has filed for a tax return (but you know it wasn’t you).
  • You are expecting your tax refund check in the mail or a deposit in your bank account,  but nothing arrives.
  • You receive a postal letter from the IRS claiming you under-reported your income from a job you never had.

If you receive an email from the IRS stating that you owe back taxes, do not respond or click on links or attachments. It’s a safe bet that this is another fraud scheme - a Back Tax scam.  The IRS is a popular target for email phishing, and they list some of the known phishing campaigns here.

Five steps to take right away:

If you have reason to believe that you’ve become a victim of tax refund fraud, take the following steps to ensure that you receive your refund:

  1. Your e-filed federal tax return was rejected? File an Identity Theft Affidavit (PDF) with the IRS. Mail it or fax the form to the IRS with copies of identification like your driver's license.
  2. If you don’t hear back within 24 hours, call the Identity Theft hotline of the IRS toll free at 800-908-4490.
  3. Report ID theft with the Federal Trade Commission hotline at 877-438-4338.
  4. Put a fraud alert on your credit records with one of the credit bureaus,  Experian (Fraud Center), TransUnion (Fraud Alert), or Equifax (Fraud Alert).
  5. File a police report with your local law enforcement agency.

Minimize your exposure to tax refund fraud:

While there is no way you can prevent others from leaking your data, you can challenge those who hold it and keep track of how your accounts are being used. 

  • Ask your organization’s HR / payroll department how they keep your Personal Identifiable Information secure, and if they access the web from secure browsers.
  • If you walk into your CPA’s office and computer screens aren’t locked or files are left unattended, perhaps you should consider taking your business elsewhere.
  • Keep track of your tax forms.
  • File your taxes as early as possible.
  • Always be careful what you share online. Facebook or LinkedIn profiles, for example, are a favorite source for identity thieves when assembling victim’s profiles.  You might think a wedding anniversary post is just another entry on the timeline. But to those scouring your profile for PII, it can be just the last piece of the puzzle.
  • You’re entitled to free credit monitoring. It’s pretty easy to set up alerts - for details, check out my blog post: Your Data Has Been Leaked - Now What?
  • Whatever online accounts you use - whether email or e-filing, use complex passwords that cannot be guessed, and don’t use the same password for more than one service or website.
  • And if you’re feeling generous, ask your tax preparer if they use Silo, the secure virtual browser that protects local computers from ALL web-based threats. Try it for free here. 

My accounting firm is a customer. Yours should be too. 


About the author: Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott was the founder of Postini.


Additional useful resources:

Check out the IRS Taxpayer Guide to Identity Theft

The Federal Deposit Insurance Corporation (FDIC) has published a new online manual with strategies for preventing online fraud and theft for bank customers: A Bank Customer's Guide to Cybersecurity

Find many important more tips on how to prevent identity theft and tax refund fraud on the FTC’s Consumer Information: Identity Theft