Subscribe

Is your tax refund safe?

Your tax refund may take a few days longer to land in your bank account this year. That’s because criminals from around the world are determined to get to it first.

  • close
    Hands type on a computer keyboard in Los Angeles. As tax day nears, phishing season is in full swing. The IRS says it’s seen a 'surge' in phishing emails in 2016. And thieves are also baiting special hooks for payroll and human resources workers, in hopes of snagging a company’s entire stash of employee information.
    Damian Dovarganes/AP/File
    View Caption
  • About video ads
    View Caption
of

Your tax refund may take a few days longer to land in your bank account this year. That’s because criminals from around the world are determined to get to it first.

“Our systems are attacked about a million times a week,” IRS Commissioner John Koskinen says. “These are Russian syndicates, Chinese. … They’re coming from all over.”

I talked to Koskinen on the same day his agency revealed that last year’s attack on the IRS’ Get Transcript system was more than twice as bad as previous estimates. The hackers apparently accessed tax return information for more than 700,000 people, not 334,000 as was reported last summer.

Recommended: Taxes in 2016: 10 changes and five weird deductions

Koskinen says the criminals used personal information they purloined elsewhere to crack the transcript system, which allows taxpayers to download up to four previous years’ returns. The system is commonly used to provide documentation of income to mortgage lenders, college financial aid offices and others.

Victims typically don’t know anything is wrong until the IRS refuses to accept their tax return or their information is used in other frauds, such as scam phone calls or emails from criminals posing as IRS agents.

Thieves are doing your taxes

Hackers have been filing fake tax returns since e-filing was invented, usually with personal information bought on the black market. But when the bad guys have our previous filing information stolen from transcripts, they can do a much better job of impersonating us and filing bogus returns to snatch our refunds, which averaged about $3,000 last year.

Criminals will always go where the money is, so it’s not realistic to expect the IRS to end tax refund fraud entirely. What Koskinen says he wants to do is move the problem “from wholesale to retail” — in other words, from massive attacks to much more difficult, one-off crimes.

“It wouldn’t bother me if (criminals) decided we were too much trouble,” he said.

Most of the changes the IRS has made, such as updating its computer systems, will be undetectable to taxpayers.

Koskinen said when he took over the agency in 2013, the tax return processing system was so antiquated it could be updated only once a year, after tax season. Today the agency’s software can analyze filing patterns, spot problems and be adjusted more quickly, he said. Among other things, the agency now can monitor how many returns are coming from a single IP address and how fast those returns are filed.

“If you’re filing a new return every three minutes, you’re probably not carefully considering your exemptions and deductions,” he says dryly.

For taxpayers, more questions

Other changes may be more noticeable. This year, you may have to answer more or different questions to prove you’re you before your return is accepted. Some states will ask for a driver’s license number. Password requirements for tax software accounts have been beefed up, and new lockout features will limit the time and number of attempts you get to access those accounts.

The biggest change, though, may be in how long it takes to get your money. The typical processing time for e-filed returns, which used to be seven to 10 days, could stretch to three weeks or even longer because of the additional scrutiny.

“Our goal is to get 90% (of the refunds) out in 21 days,” Koskinen says. “I think taxpayers will understand we’re trying to keep their information safe.”

The IRS hack — along with massive database breaches at Anthem, Sony and other companies — have made people more aware of the need for these extra steps. The consensus in meetings with tax software providers, state tax authorities and payroll companies is that people “are accustomed and actually welcome additional security,” Koskinen says.

“Ten years ago, taxpayers might have said, ‘Why do I have to put all this information in?’” Koskinen says. “I think now everybody expects it.”

What won’t help is reverting to paper returns. More than 90% of usfile our taxes online, using providers such as TurboTax and H&R Block or going directly to the IRS website. But a paper return is no guarantee of safety; it’s converted to electronic form once it arrives at the IRS, creating the electronic IRS transcript the hackers covet.

If the safeguards fail and your refund is snatched, the IRS’ goal is to get your money back to you within 120 days, Koskinen says. In previous years, some victims had to wait nine months or more. One taxpayer recently told me he’s been waiting more than a year to get back the $10,000 he’s owed.

The IRS lists recommended steps on its site. The key ones are to file its identity theft affidavit, Form 14039, and contact its Identity Protection Specialized Unit at 800-908-4490 if your money isn’t returned within the four-month window.

Any information used to compromise a tax refund is pretty useful for other identity-theft purposes as well, so watch for other signs of identity theft.

Bigger changes to come

The way tax returns are processed still has some pretty big flaws. For instance, companies have to send W-2 wage and tax statements to employees by the end of January but don’t have to submit them to the IRS until July. That gives criminals a big window to send in phony W-2s and get refunds before the IRS catches the fraud.

Next year, employers will have to submit W-2s to the agency at the same time they’re sent to employees, Koskinen says. In the meantime, payroll companies are voluntarily submitting W-2s early to the IRS for about 20 million taxpayers, he said.

Another issue is that the authentication process still relies on security questions, which criminals are often better at answering than we are. But more secure two-factor authentication — where people are sent a code via text or email that they enter along with a password — is problematic. It might frustrate taxpayers who aren’t used to it and wouldn’t work at all for those who don’t have a way to receive the code, such as a cell phone or an email account.

The challenge, Koskinen says, is to make fraud much harder for criminals to pull off without making tax filing season even more of a nightmare for those playing by the rules.

“It’s a constant balancing effort to try to not overburden taxpayers,” Koskinen says.

Liz Weston is a columnist at NerdWallet, a personal finance website, and author of “Your Credit Score.” Email: lweston@nerdwallet.com. Twitter: @lizweston.

This article first appeared in NerdWallet. 

The Christian Science Monitor has assembled a diverse group of the best personal finance bloggers out there. Our guest bloggers are not employed or directed by the Monitor and the views expressed are the bloggers' own, as is responsibility for the content of their blogs. To contact us about a blogger, click here. To add or view a comment on a guest blog, please go to the blogger's own site by clicking on the link in the blog description box above.

About these ads
Sponsored Content by LockerDome
 
 
Make a Difference
Inspired? Here are some ways to make a difference on this issue.
FREE Newsletters
Get the Monitor stories you care about delivered to your inbox.
 

We want to hear, did we miss an angle we should have covered? Should we come back to this topic? Or just give us a rating for this story. We want to hear from you.

Loading...

Loading...

Loading...

Save for later

Save
Cancel

Saved ( of items)

This item has been saved to read later from any device.
Access saved items through your user name at the top of the page.

View Saved Items

OK

Failed to save

You reached the limit of 20 saved items.
Please visit following link to manage you saved items.

View Saved Items

OK

Failed to save

You have already saved this item.

View Saved Items

OK