Is Your Tax Return Safe?

Identity thieves collect billions of dollars in refunds every year. How can you protect yourself?

Five Figures to Consider

$1.68 - $2.31 billion in tax refunds paid to identity thieves in 2016
652,119 returns with stolen identities caught by the IRS in 2017
900 reported W-2 phishing schemes in 2017
18% drop in IRS inflation-adjusted funding since 2010
154 outstanding security recommendations to the IRS by the GAO not implemented

Ashish, a 42-year-old information technology professional, opened his mail this February to discover a prepaid debit card with a $1,000 advance on a tax refund for the year 2018. Funny thing was, Ashish hadn’t filed his taxes yet. Turns out an identity thief had. Someone had nabbed Ashish’s 2017 return and refiled it as a 2018 return with the online service TaxSlayer, hoping to steal the $1,000 refund advance from TaxSlayer along with a refund from the IRS. Tax refund identity thieves usually arrange electronic payments or deliveries to accomplices’ addresses, but they also steal expected refunds straight out of mailboxes and, in at least one case, paid a U.S. postal worker to divert expected IRS refunds to the crooks who had filed the fake returns. In Ashish’s case, he got to the rebate first, alerting TaxSlayer and the IRS that a fake 2018 return had been filed in his name. Now Ashish is dealing with the aftermath, including a police investigation and, most distressingly, efforts to protect the credit and identities of himself, his wife and two children, who were all listed on his 2017 return.

The irony of identity theft occurring to someone who has worked in IT security for two decades is not lost on Ashish. “If it can happen to me, it can happen to anybody,” he says. And, indeed, it has happened to millions of Americans. Using new electronic filters, the IRS identified 652,119 returns in 2017 that were filed using stolen identities. In 2016 the IRS estimates it erroneously paid out refunds totalling $1.68 billion to $2.31 billion to identity thieves. At the same time it prevented attempts by identity thieves to collect an additional $10.6 billion. The good news is that the IRS is getting better at detecting the fraud. (In 2013, a year when five million fake returns were filed, it paid out $6 billion to identity thieves.) The bad news is that hacking of employer and tax preparation firm databases, a Dark Web marketplace of personal information and a grossly underfunded IRS mean that the opportunity to steal an identity and file for a refund will continue to attract criminals and cost taxpayers.

In 2017 the IRS launched the Security Summit, a public-private partnership to fight identity theft refund fraud. Group members, which include state tax administrators, tax software companies, tax preparers and financial institutions, now share information and strategies to identify fraudulent claims in real time. It’s working. In the Security Summit’s first year, tax returns with confirmed identity theft fell 30%. Yet vulnerabilities remain. According to the Taxpayer Advocate, data thefts at tax practitioners’ offices continue to rise and result in fraudulent tax returns that can be especially difficult to detect. Ashish believes his information was stolen from the firm that prepared his 2017 tax return. “They moved offices,” he says, “and likely didn’t shred the paperwork properly.” Or, as is more often the case, they were hacked.

Employer databases and tax preparation firms are a rich source for identity thieves. The cybercrooks send phishing emails to HR departments and other employees, hoping that someone opens an attachment that will give the hackers the opportunity to access a company’s W-2s or tax return files. According to the GAO, 900 W-2 phishing schemes were reported in 2017. Overall in 2017, Javelin Strategy & Research estimates that 16.7 million U.S. consumers had their identities compromised, an 8% increase from 2016. Each of those compromised identities is a potential identity theft refund fraud. Even the IRS’s own databases aren’t safe. In 2017, there were 730 external data breaches at the IRS.

In this environment of proliferating cybercrime, Congress is squeezing the IRS budget. Since 2010, IRS funding after adjusting for inflation has fallen 18%. Funding for the IRS’s business management systems was slashed by 62% from 2017 to 2018. Last month, Nina Olson, the U.S. Taxpayer Advocate, reported to Congress that the IRS faces “profound information technology issues” and its IT spending should be in the billions, not the millions. For 2019 the Senate proposed keeping the IRS systems management budget flat at $110 million. The House proposed an increase to $200 million. Meanwhile, the GAO reported that 154 of its security recommendations to the IRS were not implemented.

How can taxpayers protect themselves? The most important thing you can do is to file your taxes early, before a fraudster using your Social Security Number beats you to it. If you use an online service to file your return, use an exceptionally strong password. Protect your Social Security Number. Do not carry your card with you. Be sure to shred documents with personal information. (Check out this review of home paper shredders.) Say no when medical offices ask for your Social Security Number. If you suspect you are a victim of tax identity fraud, take immediate action. Contact the IRS and the FTC, issue a “fraud alert” through one of the three credit reporting agencies (Equifax, Experian or TransUnion) and file a police report. Finally, you can lobby Congress to allocate more funds to the IRS so that it can upgrade its databases – the oldest in the federal government – and continue to improve security across the entire tax payment system.


Center of Budget and Policy Priorities, Experian, Federal Trade Commission, Internal Revenue Service, Taxpayer Advocate Service, Treasury Secretary General For Tax Administration, U.S. Government Accountability Office, U.S. Department of Justice