Are you looking forward to a tax refund this year? How would you feel if the IRS told you that it had already paid out your refund to someone else?
It happens all too often. The hundreds of billions paid out annually by the Internal Revenue Service in tax refunds remains one of the prime targets for cybercriminals looking to make money from stolen personal identities. They get their information by hacking personal computers and the networks of credit card companies, retailers and tax practitioners, among others, and use the data to file refund claims before you do.
The good news is the number of tax refund fraud incidents is way down in the last several years. The IRS has made a variety of changes to their processing of tax returns and their communications with taxpayers and practitioners that have dramatically reduced the amount of refund fraud. According to the agency, the number of victims of tax-related identity theft fell by almost two-thirds between the 2015 and 2017 tax years.
The bad news is, refund fraud still happens to thousands of Americans annually, delaying the disbursement of billions of dollars in refunds, often for long periods.
"We've made a lot of progress on tax return fraud but it's a game of whack-a-mole in terms of dealing with the issue," said Eric Smith, a spokesman for the IRS. "The problems never really go away.
"We make a move, and the bad guys make another move."
While the IRS has had recent success combating tax return fraud, the responsibility to protect personal information begins with taxpayers. Here are four ways to help make sure you don't become a victim.
One of the most common ways criminals gather information on taxpayers is through so-called phishing expeditions. Often posing as the IRS or as taxpayers' employers, they send email messages or make phone calls soliciting sensitive information such as W-2 forms or other personal information from targets. Smith said the IRS saw a 60 percent increase in the number of phishing schemes last year.
Those schemes may offer fat refunds or threaten penalties for taxes owed. The IRS has flagged phishing as the first of a "dirty dozen" tax scams that taxpayers need to be aware of this filing season. In some cases, criminals are looking for personal information for identity theft purposes.
In others, they attempt to convince people to pay money to avoid legal troubles. "Many people are contacted by email or by phone and led to believe they have a tax debt that they have to pay in a specific way," said Smith.
The solution is simple: Ignore the solicitations. The IRS does not generally operate by email or phone and will never solicit sensitive information through those channels. "Don't bite on phishing attempts," said Smith. "The IRS might call you but never to demand personal information or that you pay taxes in a particular way."
Contact the IRS about any such attempts to gather personal information or to demand payment for tax debts.
Last year, 87 percent of tax returns were filed electronically. That makes life a lot easier for both the government and for taxpayers, but it also exposes people to potential cybercrime. The strongest defense against identity theft is to practice safe computing when it comes to storing sensitive data, filing a return and sharing personal information with others.
That means using a firewall that keeps computers secure and security software that updates automatically to protect against viruses and malware. Use strong passwords — even pass-phrases — to protect personal accounts and sensitive files.
"People have to be vigilant about their personal financial security," said Ryan Losi, executive vice-president at CPA firm Piascik. "They have to be mindful of who they give access to their information."
That includes your Social Security number and full legal name as well as facts about your yourself such as your age, addresses and even the names of your spouse and children. Social media networks provide vast troves of data for potential criminals to access. "You just can't blindly share that information," said Losi.
As important as what information you share with others is how you share it. Under no circumstances should you send tax return and/or personal information over public wifi networks, and only provide such data through encrypted and trusted websites.
When it comes to sharing tax returns or sensitive information to banks or other entities that require it, Losi even suggests faxing the information rather than sending it by email. "Emails may bounce around six or seven servers all over the globe," he said. "It's a risk."
His firm keeps client tax returns on a secure in-house network and never sends them directly to clients. "We tell them they have files waiting for their attention and provide a secure link to access them," Losi said.
You can't just hand off the risk of identity theft and tax return fraud to someone else. "If you use a tax preparer to file your return, make sure you know who you're dealing with," said Smith, who noted that the IRS does not regulate tax preparers. "You have to ask about their security practices."
Tax preparers have increasingly become targets for cybercriminals looking for data on hundreds of potential victims. Ask your tax preparer how they protect client information, what they use the data for and what their policies are for physical and electronic file retention. They should have tight policies for the storage of client data and the deletion of files after their use.
Also ask your tax preparer if they have insurance to make you whole if the firm is breached by cybercriminals. "I never thought I would have to buy cyber-security insurance, but this has become a major area of identity theft fraud," said Losi. "As a practitioner, I have to take steps to protect myself and my client base."