Filing and paying taxes can be frustrating enough without the looming threat of identity theft and refund fraud. But tax scams have become so prevalent, you’ve likely received a bogus call, text message, or email in the last few years. As painful as it is to add another item to the tax to-do list this year, working to protect yourself from cons and digital attacks could really save you money and time.
The scams work a few ways. Some criminals impersonate the Internal Revenue Service, threatening people into wiring money or sharing financial information. Others collect leaked Social Security numbers and other personal information from large data breaches, and use it to file people’s tax returns early and claim the rebate. Some use leaked passwords from old breaches to break into digital tax filing systems that users have protected with a reused password. And this year one hot trend seems to be hacking tax preparers who store many people’s financial information in one place.
This isn’t small stuff. Tax fraud is a multi-million dollar industry in the US alone. During the 2016 US tax filing period, the IRS reported a 400 percent increase in tax-related phishing and malware attacks. In all, the IRS’s scanning systems stopped more than $6.5 billion in fraudulent refunds from being paid out in 2016 for 969,000 tax returns filed by identity thieves. This year, the agency has so far flagged 631,000 potentially fraudulent tax returns, claiming about $4.7 billion total in refunds. And that’s just the ones that got caught.
“As the IRS enhances return-processing filters and catches more fraudulent returns at the time of filing, criminals attempt to become more sophisticated at faking taxpayers’ identities, so they can evade those filters and successfully obtain fraudulent refunds,” IRS Commissioner John Koskinen told the Senate Finance Committee on Thursday.
Experts say that while the agency has made some protective inroads, to be truly effective it needs funding to upgrade its aging infrastructure. (The IRS itself was even breached in 2015, compromising 100,000 taxpayer records.) The agency could implement more anti-fraud authentication measures, like offering each person a tax ID filing PIN that changes each year. That’s a standard in countries like the UK, Canada, and Australia, but so far the IRS has only added it for people who have been victims of identity theft in the past. “The antiquity of the IRS’s system makes it very easy to commit fraud,” says Chet Wisniewski, senior security advisor at the threat management firm Sophos.
Not all tax fraud is preventable. Your tax preparer—or another organization that has your personal information—could be breached. For example, recently scammers have been using family data from the federal student financial aid and loan repayment systems to fuel refund fraud. “Do not underestimate the value of your personal data,” says Ebba Blitz, CEO of the disk encryption company Alertsec. “There is a market for your information.”
Still, many cons can be avoided, and staying informed can significantly improve your defense. As can keeping the following in mind.
Communicating with the IRS
You can thwart all the scams trying to scare you about tax mistakes or what you owe the IRS by understanding the ways the agency does and, crucially, does not contact people as a rule. For example, the agency doesn’t demand payment in a specific way. If someone is telling you that you have to pay off your tax debt with a wire transfer or gift card, you can be sure they are a fraud. Additionally, the IRS never asks for credit or debit numbers over the phone. And the agency will never demand payment without giving you time to review the amount it says you owe. It does not make random threats about involving the police or arresting you.
The easiest way to know for sure that you are interacting with the IRS is to contact the agency directly through its site or its toll-free phone numbers.
In addition to impersonating the IRS, fraud phishing can take many other forms. Hackers may create phony tax advice, inviting you to click an email link. You could be prompted to download fake tax preparation services that claim to offer perks like free filing. Or you could receive phishing emails at work that pretend to be communications from someone in your company about forms like a W-2.
“Usually it looks like the same organized groups every year,” says Wisniewski, who researches phishing using Sophos’s spam collection database. “They kind of rotate through different ways to phish people and make profit throughout the year. So at Christmas time it’s the email saying you’ve got a package that can’t be delivered to your house, or on Valentine’s Day it’s the e-cards, and then in April it’s always tax fraud.”
You’ve probably gotten tons of advice, including from WIRED, to use strong, unique passwords on all of your online accounts. But people often forget about the password for their tax preparation service. Yes, you probably only use digital tax accounts a few times per year, but creating a robust password and changing it every time you go to file makes sense. Your most valuable personal and financial information is in that account.
If you do try to file your taxes and discover that someone else has already done it and claimed your rebate, contact the IRS immediately, and then check your credit report. “It’s a good idea at this time of year to get your free credit report to see if anybody’s been abusing your Social Security number, because a lot of these scams we’ve seen in the past—first they file the fake tax return to get your refund, and then the next month you see that you’ve taken a loan out for a boat,” Wisniewski says.
There’s a lot of crime in the world, but don’t let anyone get between you and your tax refund.