This is how scammers snatch your tax refund

No scrap of data is safe

If you're counting on a tax refund coming, better make sure scammers haven't beaten you to your cash.

As of March 3, the IRS has issued more than 49 million refunds, delivering an average refund of $3,016.

A man holds a sign advertising income tax services in San Francisco, California.
Getty Images

If a fraudster snatched up your refund, it may be because they snagged your private information and filed a phony return early.

Over the first nine months of 2016, the IRS estimated that it stopped more than $4 billion in ill-gotten refunds that were claimed by scammers on 787,000 tax returns.

"There is so much rich data in a tax filing," said Matt Cullina, CEO of CyberScout. "It's not just your date of birth and your Social Security number, but also where you live, your charities and your dependents' sensitive information."

Hacking, simplified

To some extent, taxpayers make it easy for hackers to snatch up their private information, according to CyberScout's recent survey of more than 1,500 adults.

More than half of the participants were unsure whether their tax preparer used two-factor authentication to access relevant documents. In fact, 13 percent said the tax service they use to file doesn't require this extra security measure at all.

Two-factor authentication calls for a password and username, plus a code given via text message or an additional question.

Data storage is also iffy for many. Fewer than one in five participants use an encrypted USB drive to store sensitive documents, including W-2s, 1040s and 1099s.

Nearly 40 percent store tax documents either on their hard drive or in the cloud, and both are vulnerable to fraudsters. Remember that a number of celebrities had their data compromised last year when hackers attacked Apple's iCloud.

Encrypted USB drives aren't necessarily invulnerable, either. You can lose them, and they can store and transmit malicious software.

You've also put yourself at risk if you take your time filing your returns. To that point, 57 percent of those polled said they would file in March, April or even later, which gives scammers an opportunity to file a phony return early and snag a refund.

"As soon as you get that W-2 from your employer, get going on your taxes," Cullina said. "It's a foot race: Whoever gets their return in first is seen as the legit filer, and the IRS will reject the second filing."

Vulnerabilities at work

Hackers have developed a taste for W-2 information pilfered directly through employers, said Cullina.

In this case, fraudsters impersonate senior leadership at a given company and demand W-2 data via email from human resources personnel or other employees.

"There is a sense of immediacy because the email comes from a person of authority or someone who might ask for this data during tax season," Cullina said.

Even large financial services firms aren't immune to these kinds of breaches.

Protect your info

There are steps you can take to safeguard your personal information and ensure your refund doesn't end up in thieves' clutches.

File early: Remember that you're in a race against scammers to see who can get a tax return over to the IRS. If you file as early as possible, you'll help head off fraudsters who may have snagged your W-2 data.

Monitor your data: Track your earnings records with the Social Security Administration online to ensure your reported earnings are all yours. Also, stay on top of your credit score. Be on the lookout for irregularities.

Secure your personal information: Encrypt the data you use for filing your returns. Use dual-factor authentication, and be sure that your passwords are lengthy and strong.

Question your tax preparer: Be wary if your tax preparer keeps a mess of paper files and uses antiquated technology. You should not send your data via email attachment or fax, which others can intercept. Instead, ask about a secure file-transfer service or a secure client-access portal.

"If they ask you to exchange personal information that's sensitive, demand that they deliver it in an encrypted way," Cullina said.