Skip to footer

Is your tax refund safe?

Your tax refund may take a few days longer to land in your bank account this year. That’s because criminals from around the world are determined to get to it first.

|
Damian Dovarganes/AP/File
Hands type on a computer keyboard in Los Angeles. As tax day nears, phishing season is in full swing. The IRS says it’s seen a 'surge' in phishing emails in 2016. And thieves are also baiting special hooks for payroll and human resources workers, in hopes of snagging a company’s entire stash of employee information.

Your tax refund may take a few days longer to land in your bank account this year. That’s because criminals from around the world are determined to get to it first.

“Our systems are attacked about a million times a week,” IRS Commissioner John Koskinen says. “These are Russian syndicates, Chinese. … They’re coming from all over.”

I talked to Koskinen on the same day his agency revealed that last year’s attack on the IRS’ Get Transcript system was more than twice as bad as previous estimates. The hackers apparently accessed tax return information for more than 700,000 people, not 334,000 as was reported last summer.

Koskinen says the criminals used personal information they purloined elsewhere to crack the transcript system, which allows taxpayers to download up to four previous years’ returns. The system is commonly used to provide documentation of income to mortgage lenders, college financial aid offices and others.

Victims typically don’t know anything is wrong until the IRS refuses to accept their tax return or their information is used in other frauds, such as scam phone calls or emails from criminals posing as IRS agents.

Thieves are doing your taxes

Hackers have been filing fake tax returns since e-filing was invented, usually with personal information bought on the black market. But when the bad guys have our previous filing information stolen from transcripts, they can do a much better job of impersonating us and filing bogus returns to snatch our refunds, which averaged about $3,000 last year.

Criminals will always go where the money is, so it’s not realistic to expect the IRS to end tax refund fraud entirely. What Koskinen says he wants to do is move the problem “from wholesale to retail” — in other words, from massive attacks to much more difficult, one-off crimes.

“It wouldn’t bother me if (criminals) decided we were too much trouble,” he said.

Most of the changes the IRS has made, such as updating its computer systems, will be undetectable to taxpayers.

Koskinen said when he took over the agency in 2013, the tax return processing system was so antiquated it could be updated only once a year, after tax season. Today the agency’s software can analyze filing patterns, spot problems and be adjusted more quickly, he said. Among other things, the agency now can monitor how many returns are coming from a single IP address and how fast those returns are filed.

“If you’re filing a new return every three minutes, you’re probably not carefully considering your exemptions and deductions,” he says dryly.

For taxpayers, more questions

Other changes may be more noticeable. This year, you may have to answer more or different questions to prove you’re you before your return is accepted. Some states will ask for a driver’s license number. Password requirements for tax software accounts have been beefed up, and new lockout features will limit the time and number of attempts you get to access those accounts.

The biggest change, though, may be in how long it takes to get your money. The typical processing time for e-filed returns, which used to be seven to 10 days, could stretch to three weeks or even longer because of the additional scrutiny.

“Our goal is to get 90% (of the refunds) out in 21 days,” Koskinen says. “I think taxpayers will understand we’re trying to keep their information safe.”

The IRS hack — along with massive database breaches at Anthem, Sony and other companies — have made people more aware of the need for these extra steps. The consensus in meetings with tax software providers, state tax authorities and payroll companies is that people “are accustomed and actually welcome additional security,” Koskinen says.

“Ten years ago, taxpayers might have said, ‘Why do I have to put all this information in?’” Koskinen says. “I think now everybody expects it.”

What won’t help is reverting to paper returns. More than 90% of usfile our taxes online, using providers such as TurboTax and H&R Block or going directly to the IRS website. But a paper return is no guarantee of safety; it’s converted to electronic form once it arrives at the IRS, creating the electronic IRS transcript the hackers covet.

If the safeguards fail and your refund is snatched, the IRS’ goal is to get your money back to you within 120 days, Koskinen says. In previous years, some victims had to wait nine months or more. One taxpayer recently told me he’s been waiting more than a year to get back the $10,000 he’s owed.

The IRS lists recommended steps on its site. The key ones are to file its identity theft affidavit, Form 14039, and contact its Identity Protection Specialized Unit at 800-908-4490 if your money isn’t returned within the four-month window.

Any information used to compromise a tax refund is pretty useful for other identity-theft purposes as well, so watch for other signs of identity theft.

Bigger changes to come

The way tax returns are processed still has some pretty big flaws. For instance, companies have to send W-2 wage and tax statements to employees by the end of January but don’t have to submit them to the IRS until July. That gives criminals a big window to send in phony W-2s and get refunds before the IRS catches the fraud.

Next year, employers will have to submit W-2s to the agency at the same time they’re sent to employees, Koskinen says. In the meantime, payroll companies are voluntarily submitting W-2s early to the IRS for about 20 million taxpayers, he said.

Another issue is that the authentication process still relies on security questions, which criminals are often better at answering than we are. But more secure two-factor authentication — where people are sent a code via text or email that they enter along with a password — is problematic. It might frustrate taxpayers who aren’t used to it and wouldn’t work at all for those who don’t have a way to receive the code, such as a cell phone or an email account.

The challenge, Koskinen says, is to make fraud much harder for criminals to pull off without making tax filing season even more of a nightmare for those playing by the rules.

“It’s a constant balancing effort to try to not overburden taxpayers,” Koskinen says.

Liz Weston is a columnist at NerdWallet, a personal finance website, and author of “Your Credit Score.” Email: lweston@nerdwallet.com. Twitter: @lizweston.

This article first appeared in NerdWallet. 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.
editor@csmonitor.com
Subscribe
Mark Sappenfield
Editor

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

Subscribe to insightful journalism

QR Code to Is your tax refund safe?
Read this article in
https://www.csmonitor.com/Business/Saving-Money/2016/0309/Is-your-tax-refund-safe
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe