Criminals are Getting Excited for Tax Filing Season


Cyber criminals are plotting to take advantage of tax season, by fraudulently impersonating consumers and scamming Americans.  For the citizens of the United States, tax season is upon us, where we diligently file our annual tax returns with the US Internal Revenue Service (IRS).  The problem is, in this digital age of electronically filing forms, the checks and balances to protect from fraud have not satisfactorily kept pace.

Tax ID Fraud is a Terrible Problem

FTC ID theft 2015.jpg

Cyber criminals are taking advantage of weak identification validation controls to commit tax fraud. Tax identity theft happens when someone files a fake tax return using your personal information and submits information which results in a refund, to them not you.  They use your name and Social Security number with fictitious data, such as a different employer and address to get a tax refund from the IRS.  The IRS, not knowing better, accepts the information and is compelled to issue the refund in a very timely manner, else they must pay interest.  So the common practice is to accept the information at face-value and issue the refund to the submitter.  Thieves will have the funds placed on a pre-paid debit card or obtain a refund check they will quickly have cashed.  If things are later found to be incorrect, the IRS may move to resolve the problem, but the criminal in most cases is long gone.  The real citizen is then left with a rejection notice stating a filing has already taken place when they file their legitimate tax forms.  It can take a very long time to correct the matter, over a year to receive an earned refund, and many frustrating hours navigating through the crowded process.

Attackers are committing a lot of fraud and both the IRS and Federal Trade Commission (FTC) are concerned as the problem swells in size every year.  Tax or wage ID theft complaints more than doubled from 109k in 2014 to over 221k in 2015.  In the US, ID theft is on the rise.  FTC received over 490 thousand consumer complaints, a 47% increase over 2014, with the biggest contributor to the rise being tax refund fraud.  Bureau of Justice estimates 17.6 million Americans were victims of identity theft in 2014.  That is about 7% of the US population aged 16 years or older.

Most of the IRS efforts to date have been around prevention.  For 2016, the IRS and FTC have rolled out consumer education and incident reporting sites.  Tax identity theft, which can include other forms of tax fraud, has been the most common form of identity theft reported to the Federal Trade Commission (FTC) for the past several years.  The IRS prides itself in quick turnaround for processing electronic filings and issuing a refund, targeting around 10 days.  Within that process is a set of filtering algorithms, which improves every year, to identify fraudulent tax submissions.  In 2015 the US Internal Revenue Service (IRS) flagged about 5 million suspicious returns, protecting $11 billion.

Recently, the federal government targeted south Florida, one of the nation’s hot-spots for ID fraud, and issued a Geographic Targeting Order (GTO) for check cashing companies to take extra steps in verifying customer’s identification before cashing income tax returns.  For refund checks over $1000, customers must provide valid government-issued identification, the check cashing company must take a digital picture of the customer and obtain a clear thumbprint for the transaction to proceed.  Extreme measures to be sure, but one targeted specifically for 2 counties to stem the flow of tax fraud.

Best practices to protect yourself from Tax ID Fraud:

  1. File your taxes as early as possible.  Sadly, it is a race.  The first submission, whether it be you or a fraudster, will likely be the return accepted from the IRS.  So get your tax return into the IRS as fast as possible.  File electronically if you don’t already to expedite the process
  2. Protect you Social Security Number (SSN).  Nowadays, many different organizations from healthcare to utilities may ask for your SSN.  Challenge them and verify how they will use and protect the information.  For every company who has your SSN, the chance of it being lost due to a data breach goes up.  Many companies will use the SSN as a unique identifier or as part of a verification process, but are open to use a different number if asked.  So ask!
  3. Check your credit report.  Unusual activity can be an indicator of trouble.  So get a copy and look for activity which you did not initiate.  By law, these reports are free at least once a year.  Go to the FTC site for more information or directly to to order your free annual report.
  4. Report ID theft quickly, if it occurs.  Visit, the federal government’s one-stop resource to help you report and recover from identity theft. You can report identity theft, get step-by-step advice, sample letters, and your FTC Identity Theft Affidavit. These resources will help you fix problems caused by the theft.  If your SSN has been compromised, contact the IRS ID Theft Protection Specialized Unit at 800-908-4490.
  5. Consider getting an Identity Protection PIN (form 14039).  An IP PIN is a six-digit number assigned to eligible taxpayers to help prevent the misuse of their SSN on fraudulent federal income tax returns. It is important to note you currently can’t opt out once you get an IP PIN. You must use the IP PIN to confirm your identity on all federal tax returns moving forward.

Be wary of IRS scams

This time of year IRS scams are rampant.  Sometimes they come in the form of a phone call, while others arrive via email.  Beware such engagements which state you owe money to the IRS and demand immediate payment.  The IRS only sends mail, not calls or email.  IRS will never: 1) call to demand immediate payment, nor will the agency call about taxes owed without first having mailed you a bill; 2) demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe; 3) require you to use a specific payment method for your taxes, such as a prepaid debit card; 4) ask for credit or debit card numbers over the phone; or 5) threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.  If you receive these IRS imposter scams, report them to the FTC at and to the Treasury Inspector General for Tax Administration (TIGTA) online or at 800-366-4484.

Be prepared and informed

Tax season is upon us and the criminals are busy with fraud and scams.  Be aware and move to protect your tax return.  Early efforts can save you from a long year of frustration.

More information about tax identity theft is available from the FTC and the IRS at:

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.  To see a full listing of blogs, videos, presentations and other thoughts, go to the collection of My Previous Posts

Published on Categories SecurityTags ,
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.