Tax-refund fraud is expected to soar again this tax season, and hit a whopping $21 billion by 2016, from just $6.5 billion two years ago, according to the Internal Revenue Service.
And the problem—which the agency admits is growing quickly—is compounded by an outdated fraud-detection system that has trouble identifying many attempts to trick it.
"The flaws in [the IRS'] system are so basic," said Akli Adjaoute, founder and CEO of artificial intelligence firm Brighterion.
"The whole system is a disaster," Adjaoute said.
One of the main reasons for the rapid growth is that it takes so little to file a false return—just your your name, date of birth and Social Security number. (Perhaps not coincidentally, this was among the information taken in last week's huge hack on health insurer Anthem. See "What Anthem breach victims need to do now.")
The IRS is well-aware of the magnitude of the problem. But budgetary constraints and legal mandates have created a system where it is often unable to follow up on the red flags that its system throws up until after a refund check has been cut and sent.
The agency does, of course, look for certain signals in filed returns, and for obvious reasons won't discuss specifically what they are, said a spokesperson.
Read More Wave of fake federal and state tax returns filed, experts say
Here's a conspicuous flaw in the system as currently set up: To file a tax return electronically, all someone needs is a name, date of birth and an SSN. The IRS accepts tax filings as soon as Jan. 1, but employers aren't required to submit correct employment information to the agency until March, by which time roughly half of all refunds have been paid out. (For that matter, the IRS doesn't begin matching employer-submitted data to tax returns until the summer.)
By law, the tax-refund system as it is currently constituted amounts to a "pay first, ask questions later" system, said Victor Searcy, director of fraud operations at IDT911, an identity protection and risk services firm in Scottsdale, Arizona.
In other words, an imaginative crook in possession of the three basic items of a person's identity could make up fake W-2 information and submit it, and get the money within 30 days—the amount of time the law says that the agency must refund tax filers.
Some obvious red flags—like multiple checks being sent to one address, or multiple deposits being sent to one account or one debit card—are detected, but often refund checks are mailed to those accounts before they're followed up on within the agency, said Searcy.
Updating the IRS
While the IRS says cuts to its budget in 2015 will slow upgrades to its system—the IT budget is being reduced by $200 million, one of many cuts the agency is contending with—the IRS said in a January release that it will "continue to increase both the number and efficiency of the identity theft models and filters that are used to identify potentially fraudulent returns." It also said that it had halted 19 million suspicious returns as of October 2014.
Probably the most notable step the agency has taken to protect taxpayers has been a rollout of an identity protection (IP) PIN. Essentially, if you've been a victim of tax fraud, the IRS will issue a PIN number to use when filing electronically.
This is designed to address a profound problem inherent to this kind of fraud: Unlike passwords or a credit card, you can't "reset" your SSN—you're stuck with it for life.
The PINs are currently only available to filers with past resolved fraud cases as well as to taxpayers in Georgia, Florida and the District of Columbia—areas with high incidences of fraud. They are also available to an additional 1.7 million taxpayers with suspicious activity on their accounts, said a spokesperson.
Read MoreIntuit halts all state e-filings on fraud concerns
Unfortunately, the IRS enforcement of PIN security has been spotty, said Searcy, as he knows instances where taxpayers who had PINs assigned to them were able to file returns without them. The agency spokesperson said this would be "highly unusual," since the IP PIN essentially works as a lock and key on a taxpayer's account.
Nevertheless, this is the sort of thing the IRS should be investing more effort in, Searcy said.
Expect more
For now, most identity theft is focused on the financial sector, rather than tax-refund fraud, even though experts said the latter is probably easier to pull off, and perpetrators have much lower chances of getting caught.
Both the IRS and law enforcement are investing more in this area, with 748 successful sentencings in 2014, up from 438 in 2013, according to the IRS.
Still, the increased vigilance can't keep pace with criminals, especially since there's rarely negative consequences for an unsuccessful attempt. explained experts. For example, a crook could file a fake return, have it rejected and the chances of authorities coming after them are very slim.
"If I was an identity thief, that's what I'd do," said Searcy.