Here’s where scammers are grabbing your tax data

You’re not as safe as you think you are

Taxpayers receiving refunds aren't the only ones celebrating this spring — so are the hackers who've scooped up your data and your cash.

Nearly six out of 10 people say that they aren't worried about tax fraud, according to a recent survey from CyberScout.

The cyber security firm conducted an online survey of more than 1,500 U.S. adults in January and February.

If there's one data breach worth losing sleep over, it's a leak that involves your tax return, said Matt Cullina, CEO of CyberScout.

Over the first nine months of 2016, the IRS estimated that it stopped more than $4 billion in ill-gotten refunds that were claimed by scammers on 787,000 tax returns.

"There is so much rich data in a tax filing," Cullina said. "It's not just your date of birth and your Social Security number, but also where you live, your charities, and your dependents' sensitive information."

Hacking, simplified

To some extent, taxpayers make it easy for hackers to snatch up their private information.

More than half of the participants in CyberScout's survey were unsure whether their tax preparer used two-factor authentication to access relevant documents. Thirteen percent said the service they use to file doesn't require this extra security measure at all.

Two-factor authentication calls for a password and username, plus a code given via text message or an additional question.

Data storage is also iffy for many. Fewer than one in five participants use an encrypted USB drive to store sensitive documents, including W-2s, 1040s and 1099s.

Nearly 40 percent store tax documents either on their hard drive or in the cloud, and both are vulnerable to fraudsters. Remember that a number of celebrities had their data compromised last year when hackers attacked Apple's iCloud.

Encrypted USB drives aren't necessarily invulnerable, either. You can lose them, and they can store and transmit malicious software.

You've also put yourself at risk if you take your time filing your returns.

Fifty-seven percent of those polled said they would file in March, April, or even later, which gives scammers an opportunity to file a phony return early and snag a refund.

"As soon as you get that W-2 from your employer, get going on your taxes," Cullina said. "It's a foot race: Whoever gets their return in first is seen as the legit filer, and the IRS will reject the second filing."

Vulnerabilities at work

Hackers have developed a taste for W-2 information pilfered directly through employers, said Cullina.

In this case, fraudsters impersonate senior leadership at a given company and demand W-2 data via email from human resources personnel or other employees.

"There is a sense of immediacy because the email comes from a person of authority or someone who might ask for this data during tax season," Cullina said.

Even large financial services firms aren't immune to these kinds of breaches.

Protect your info

There are steps you can take to safeguard your personal information and ensure your refund doesn't end up in thieves' clutches.

File early: Remember that you're in a race against scammers to see who can get a tax return over to the IRS. If you file as early as possible, you'll help head off fraudsters who've snagged your W-2 data.

Monitor your data: Track your earnings records with the Social Security Administration online to ensure your reported earnings are all yours. Also, stay on top of your credit score. Be on the lookout for irregularities.

Secure your personal information: Encrypt the data you use for filing your returns. Use two-factor authentication, and be sure that your passwords are lengthy and strong.

Question your tax preparer: Be wary if your tax preparer keeps a mess of paper files and uses antiquated technology. You should not send your data via email attachment or fax, which others can intercept. Instead, ask about a secure file-transfer service or a secure client-access portal.

"If they ask you to exchange personal information that's sensitive, demand that they deliver it in an encrypted way," Cullina said.