The scammer pilfering your tax return data may very well be sitting in front of a computer in Eastern Europe.
An analysis from 2015 to 2017 by cybersecurity consultancy Kroll revealed that two-thirds of U.S. tax forms on the dark web — a corner of the internet that's only accessible through a special browser — came from computer users outside of the U.S., namely in Romania and Russia.
Only a third of the tax forms, which included workers' W-2s, could be sourced back to computers in the U.S.
"The W-2 has that holy trinity of personally identifiable information – your name, Social Security number and date of birth," said Brian Lapidus, a practice leader at Kroll.
"They can be used to steal and replicate your identity, get credit in your name and do other things with your information," he said.
Here's how your W-2 winds up on the dark web.
Scammers gather information on companies before they strike and then attack employees through phishing emails.
In this case, the thief may impersonate a high-ranking executive and send a request for workers' W-2s, said Lapidus.
In the first three months of 2017, there were 4,268 U.S. tax forms on the dark web, according to Kroll. The time frame syncs with when employers send workers their W-2s and individuals prepare to file their taxes.
The number of forms on the dark web dropped off to 3,533 during the second quarter of 2017.
Once scammers have your information, they can commit a whole range of attacks, including obtaining credit with your data or sending in a phony tax return and stealing your refund.
Sometimes, thieves take a roundabout way to snag your cash: They file a fake return with your data and allow you to receive the refund.
"We've seen the refund go to the right person, but then the criminals will call that person and say that they're a collection agency that's asking for the money," said Lapidus.
By going with this tactic, scammers avoid detection by the IRS because the victim — and not the taxman — is the one sending the refund proceeds.
The IRS has flagged this practice, which is known as the "erroneous refund" scam. If you received a refund for a return you didn't submit, you need to send the money back to the IRS.
Use common sense as you prepare your tax return. Lapidus recommends the following steps.
Keep your data to yourself: If anyone asks for your Social Security number, ask them why they need it and how they secure their records. On social media, don't share your full name, birthday, email address and phone number.
If it's fishy, don't click: Avoid clicking links in emails and text messages. The IRS would never contact you this way.
Review your bank account regularly: Head off fraudulent charges before they clear on your credit card or checking account.
Watch your mail: You just might find identity theft red flags in your mailbox, including collection notices and credit cards you didn't apply for.
Monitor your credit reports: Check your credit report at all three credit reporting companies at least annually.
Review your Social Security earnings and benefits statements: Watch for discrepancies in what's recorded as your annual income versus what you earned.