So I get a letter from the IRS in the mail. “This can’t be good,” I muttered to myself. And, sure enough, it wasn’t. The first lines of the letter read as follows:
We received an income tax return, Form 1040, for the tax year above (2019) using your name and Social Security number (SSN) or individual taxpayer identification number (ITIN). To protect you from identity theft, we need to verify your identity before we process the income tax return, issue a refund, or apply the overpayment to next year’s estimated tax.
This information raised more questions than it answered. My first question was: Is it possible to file for a tax refund for a year you already filed for? I had filed a 2019 return and did not qualify for a refund. Would it have been possible for me to change my mind and ask for a refund now? I can’t imagine a scammer filing a fake return unless they hoped to get some money out of it.
The answer to the first question is yes. Apparently, you can file for a tax refund up to three years after the filing date. Some taxpayers don’t file at all because they feel their income is too low. However, they may not realize that they qualify for a refund. In this case, they may learn of their mistake and try to get a refund by refiling for the year they did not file for. Hackers may try to take advantage of this situation. They may file as the taxpayer and have the money sent to their own account or address. They’ve really got nothing to lose. They give the IRS their own bank account number and hope for the best.
There is a variation on the refund scam in which the hackers file for a refund and get it sent to the scammed taxpayer’s bank account. That account may be matched with IRS records and raise no alarms. The taxpayer is then contacted by the scammers, posing as the IRS, saying that the money was transferred to the account by mistake and it should be sent back to the IRS. Return information is given. Of course, the money will be sent to the hackers, not the IRS. Later, the IRS may actually contact the taxpayer about the erroneous deposit and the taxpayer may really have to pay them the money.
My next question was: How do I know this letter came from the IRS? In order to validate me as the victim, I had to send them proof of my identity. They wanted a copy of my 2019 return, a copy of my passport, and a copy of my driver’s license. That’s a lot of personal information to give away. Would it be possible for a scammer to fake a letter from the IRS simply to get my personal information? This might seem overly paranoiac, but I work in cybersecurity where paranoia is the norm and “Trust No One” is the guiding principle.
Yes, a very good hacker could fake an IRS letter, but this one would have been particularly difficult to fake. The letter came in what, at least on the surface, looked like an official IRS business envelope. It came by registered mail. I live abroad so I could readily see that the paper size was one used only in the U.S. The letter itself had the IRS logo and referred to a letter number that seemed valid. I, therefore, concluded the letter was real and, if not, the hackers really deserved to get my refund, which was $0.00.
One thing in my favor was that I filed a paper return. Living overseas, I have no choice. Although it was not clear from the IRS letter, my guess is the scammers tried to file for the return online. You would think the IRS could have checked this out, but maybe they don’t have such detection algorithms in place.
Oddly, my first question was not how the scammers managed to get my SSN and name. After the SolarWinds hack, every U.S. citizen must assume that this information is widely available. I was sure that the hackers didn’t get the information from my computer, but I can’t protect other companies or organizations I worked for and who have my personal information on file from getting hacked. This graph from the Federal Trade Commission shows the rise in identity theft.
And here are last year’s stats for tax fraud. Notice the steep rise by the end of the year, which corresponds to the rise in identity theft.
This is the time of year that tax fraud peaks. Scammers have to file before the taxpayer they are targeting, so they rush to get their fake returns in as early as possible. This way, when the real taxpayer tries to file, they will be told they have already filed and then the fun begins.
There is an additional reason why this year will see more tax fraud than usual and it is called the Identity Protection Personal Information Number or IP PIN. In the past, all people who have been scammed by a tax fraud would be given an IP PIN to protect them from future theft attempts. However, this year, anyone can apply for an IP PIN. The IRS notes, however, that to get this PIN, “you must pass a rigorous identity verification process.” If you pass the test, you will be sent a new PIN each year and if you don’t put that PIN on your tax forms, those forms will not be valid. Yes, it’s possible that hackers or anyone with access to your personal information may be able to apply for a PIN in your name, but it would be quite difficult and probably more work than a hacker wants to do. Remember: financially motivated hackers are lazy. They want quick and easy money.
That said, there may be an increase in people applying for this IP PIN. However, they will not get a PIN for the 2020 tax year but for the next year, 2021. In other words, this is the last time hackers can get to many accounts without this PIN getting in the way. True, probably most people don’t want to go through the process of getting the IP PIN, but the odds just turned against the hackers. So, what I’m saying here is this. Yes, it might take a lot of work to get an IP PIN and it may prove troublesome to get a new one each year, but if you truly want to keep your tax returns safe, apply for the IP PIN.
In my own case, I’m not sure whether I’ll be automatically offered an IP PIN. I’ve already sent them voluminous proof of my identity, so getting offered one is, indeed, possible. My problem is that I was not given any details of the identity-based tax fraud. Maybe there’s more to this than I’ve been told. In any event, I’ll update this post when I get more information.