Others are buying and selling identities like baseball cards. (They go for about $10 apiece, judging by the case of an Alabama woman who stole them from the medical records office where she worked. She sold 800 for about $8,000.)
In all, of 109 million returns claiming refunds, the Treasury Department says some 1.5 million are filed under stolen identities. Those are just the detected ones.
Ed Brown, a partner in the Atlanta law office of Burr & Forman, offered these pointers to avoid being among the scammed:
- Never answer emails from the IRS. In all likelihood, such emails are fake and "phishing" for your personal information. If you feel you need to check if one is real (it very probably isn't), call the IRS and ask: (800) 829-1040.
- If you have personal information on your computer, guard it closely. Ideally, a computer with your banking information, Social Security number, etc. is one you shouldn't use for travel or connecting to a public or unprotected network.
- Passwords are important. Invent passwords that are extremely hard to guess ones (not "password," or "1234567," or your birth date). Then change them frequently.
- Use common sense. Check your credit report annually for irregularities at Annualcreditreport.com. Don't toss old tax returns or bank statement in the trash without shredding them. And don't click on suspicious-looking links in your email inbox.
- File early. You can beat a crook whose gotten his hands on your info to the IRS's door.
- Check your withholding: You can not only stop lending the government your money interest-free, you can reduce what's at risk from a stolen-identity return.
Tiffany Washington, owner of Washington Accounting Services in Waldorf, Md., also urged taxpayers to think about the chain of custody of their tax returns.
"If you are sending it by U.S. mail, never leave it in an unlocked home or business mailbox," she said. "Always use registered or certified mail, which not only provides you with a record of who accepted it, but serves as a deterrent to anyone with malicious intent who comes in contact with your materials."
For e-filers, she said: "Don't use a public computer. Make certain you are on a secure network. Check your computer for any viruses or malware prior to filing."
And err on the side of caution when it comes to any links or emails offering assistance, she advised. Use only trusted sources.
Attorney Brown said it's really no different from other forms of identity theft, like credit card fraud. The bad guys are most likely to try to get your digits by persuading you to give them up through "phishing"—that is, masquerading as a trustworthy person or organization online or in an email.
It's not easy to be ever vigilant, but it is necessary.
Brown admitted that after looking over his own list, he realized he had let his own diligence slip. "I changed two passwords last night," he said.
—By CNBC's Matt Twomey; Follow him on Twitter