After the Equifax data breach, year-end tax planning may be even more important.
Social Security numbers were among the data exposed in the Equifax hack, which affects up to 143 million people. Immediate to-dos have focused on fraud alerts, credit freezes and monitoring to curtail thieves' ability to open new accounts in victims' names. But experts say consumers should also start thinking ahead to tax season — when criminals could potentially use those stolen Social Security numbers to file fraudulent tax returns and snare refunds.
"This is going to be an ongoing problem," said Tim Gagnon, an associate teaching professor of accounting at Northeastern University's D'Amore-McKim School of Business.
Having a credit freeze or other monitoring in place doesn't prevent tax-related identity theft, which is among the top scams on the IRS "Dirty Dozen" list. The agency estimates that during the first nine months of 2016, beefed-up safeguards helped it stop 787,000 fraudulent returns totaling more than $4 billion — but it still paid out $239 million in "suspect" refunds.
It's still unclear what impact the Equifax breach could have on the 2018 filing season.
"The IRS continues to review and assess this serious situation to determine necessary next steps," an IRS spokesman said to CNBC in an e-mailed statement.
So what can you do?
First, some bad news. IRS protections currently in place — filing an identity-theft affidavit or obtaining a filing PIN (more on that, below) — are specifically for victims of tax-related identity theft. Having your Social Security number exposed in a data breach isn't enough. As the IRS notes in its taxpayer resource, "not every data breach results in identity theft, and not every identity theft is tax-related identity theft."
"Unfortunately, there's no panacea," said Eva Velasquez, chief executive and president of the Identity Theft Resource Center, which helps consumers dealing with such fraud.
But there are still some steps you can take to mitigate the risks ahead of tax time:
"Our motto is, file first and beat the crooks," Velasquez said. "It does have an impact. You are not giving them an open window."
"File early" doesn't mean rush to file (and risk underreporting income or having to file an amended return later), Gagnon said. Some taxpayers can't file right at the start of the season — investment 1099s for dividends and interest can show up in mid-February, and taxpayers with partnership income may still be waiting for their K-1s for last season's returns, he said.
The prep you can do is more about getting organized so that you're ready to go ASAP:
The IRS offers online access that lets taxpayers see details of their tax account, said certified public accountant Andy Mattson, tax partner at Moss Adams in Campbell, California.
"It's a good way to monitor your account, if you're concerned about it," he said. You'd be able to see if someone files a return in your name and take action more quickly.
But signing up is no easy feat. The IRS requires a slew of personal information, and the process is so stringent that less than half of those who try to register actually succeed, Mattson said.
If you're a victim of tax-related identity theft, untangling the problem can take months, said Velasquez — who described the time frame as "wildly inconsistent." That's a tougher wait if you were anticipating a refund windfall. (The average this year was $2,769, according to IRS filing statistics.)
"[Tax-related identity theft] has less of a day-to-day impact for folks who aren't relying on, waiting on or counting on a refund," she said.
Even if you're not a victim, safeguards put in place could delay your refund. In its 2016 report to Congress, the IRS National Taxpayer Advocate estimated that some filters used to detect fraudulent returns and identity theft had false positive rates exceeding 50 percent.
"These incorrect selections delayed approximately 1.2 million tax returns associated with about $9 billion in legitimate refunds for more than an additional 30 days on average," the IRS noted in the report.
Your best defensive move: Revisit your W-4, the form that tells your employer how much federal income tax to withhold from your paycheck, Gagnon said. Changing allocations can keep more in your paycheck now, and even out your tax bill.
"You want as little a refund as possible, so you're least exposed," he said. "It's better to wait for $100 to come in than $1,000."
But be careful with this strategy, Mattson said. It's not always easy to estimate tax liability, and you'll need to have cash set aside in case you end up owing at tax time.
"The cure might do more harm than the disease," he said. "People could end up owing money they weren't expecting to."
The IRS does offer so-called identity protecting PINs, or IP PINs, to prevent someone from filing a fraudulent return with your Social Security number. Participants get a new six-digit number each year. Without it, an e-filed return will be rejected and a paper return will be significantly delayed.
"The PIN makes perfect sense," Mattson said. "But right now you can only get a PIN if you're a victim of tax identity theft, if someone files a return using your Social."
Currently, IRS guidelines only allow you to get an IP PIN if you filed last year's return with a home address in Florida, Georgia or Washington, D.C., where the government is running a pilot program. Or if the IRS invites you to apply — which, as Mattson points out, generally only happens if you have already been a victim of tax-related identity theft.
(Another point for would-be applicants: According to IRS documents, "If you've placed a credit security freeze with Equifax, you must contact Equifax to have the freeze temporarily removed to allow us to verify your identity.")
PIN protection isn't foolproof, Velasquez said. The IRS PIN system has itself been subject to cyberattacks, she said. Earlier this year, the Treasury inspector general for tax administration released a report noting inconsistencies in IRS processes that left some victims without PINs.
Fraudulent tax returns aren't the only tax-time identity theft issue to keep an eye on. The IRS warns that receiving certain tax documents or IRS notices — like a CP2000 to verify unreported income or a 1099 from an employer you haven't worked for — can be a red flag for employment-related identity theft.