Your tax refund may take a few days longer to land in your bank account this year. That’s because criminals from around the world are determined to get to it first.
“Our systems are attacked about a million times a week,” IRS Commissioner John Koskinen says. “These are Russian syndicates, Chinese. … They’re coming from all over.”
I talked to Koskinen on the same day his agency revealed that last year’s attack on the IRS’ Get Transcript system was more than twice as bad as previous estimates. The hackers apparently accessed tax return information for more than 700,000 people, not 334,000 as was reported last summer.
Koskinen says the criminals used personal information they purloined elsewhere to crack the transcript system, which allows taxpayers to download up to four previous years’ returns. The system is commonly used to provide documentation of income to mortgage lenders, college financial aid offices and others.
Victims typically don’t know anything is wrong until the IRS refuses to accept their tax return or their information is used in other frauds, such as scam phone calls or emails from criminals posing as IRS agents.
Thieves are doing your taxes
Hackers have been filing fake tax returns since e-filing was invented, usually with personal information bought on the black market. But when the bad guys have our previous filing information stolen from transcripts, they can do a much better job of impersonating us and filing bogus returns to snatch our refunds, which averaged about $3,000 last year.
Criminals will always go where the money is, so it’s not realistic to expect the IRS to end tax refund fraud entirely. What Koskinen says he wants to do is move the problem “from wholesale to retail” — in other words, from massive attacks to much more difficult, one-off crimes.
“It wouldn’t bother me if (criminals) decided we were too much trouble,” he said.
Most of the changes the IRS has made, such as updating its computer systems, will be undetectable to taxpayers.
Koskinen said when he took over the agency in 2013, the tax return processing system was so antiquated it could be updated only once a year, after tax season. Today the agency’s software can analyze filing patterns, spot problems and be adjusted more quickly, he said. Among other things, the agency now can monitor how many returns are coming from a single IP address and how fast those returns are filed.
“If you’re filing a new return every three minutes, you’re probably not carefully considering your exemptions and deductions,” he says dryly.
For taxpayers, more questions
Other changes may be more noticeable. This year, you may have to answer more or different questions to prove you’re you before your return is accepted. Some states will ask for a driver’s license number. Password requirements for tax software accounts have been beefed up, and new lockout features will limit the time and number of attempts you get to access those accounts.
The biggest change, though, may be in how long it takes to get your money. The typical processing time for e-filed returns, which used to be seven to 10 days, could stretch to three weeks or even longer because of the additional scrutiny.
“Our goal is to get 90% (of the refunds) out in 21 days,” Koskinen says. “I think taxpayers will understand we’re trying to keep their information safe.”
The IRS hack — along with massive database breaches at Anthem, Sony and other companies — has made people more aware of the need for these extra steps. The consensus in meetings with tax software providers, state tax authorities and payroll companies is that people “are accustomed and actually welcome additional security,” Koskinen says.
“Ten years ago, taxpayers might have said, ‘Why do I have to put all this information in?’” Koskinen says. “I think now everybody expects it.”
What won’t help is reverting to paper returns. More than 90% of us file our taxes online, using providers such as TurboTax and H&R Block or going directly to the IRS website. But a paper return is no guarantee of safety; it’s converted to electronic form once it arrives at the IRS, creating the electronic IRS transcript the hackers covet.
If the safeguards fail and your refund is snatched, the IRS’ goal is to get your money back to you within 120 days, Koskinen says. In previous years, some victims had to wait nine months or more. One taxpayer recently told me he’s been waiting more than a year to get back the $10,000 he’s owed.
The IRS lists recommended steps on its site. The key ones are to file its identity theft affidavit, Form 14039, and contact its Identity Protection Specialized Unit at 800-908-4490 if your money isn’t returned within the four-month window.
Any information used to compromise a tax refund is pretty useful for other identity-theft purposes as well, so watch for other signs of identity theft.
Bigger changes to come
The way tax returns are processed still has some pretty big flaws. For instance, companies have to send W-2 wage and tax statements to employees by the end of January but don’t have to submit them to the IRS until July. That gives criminals a big window to send in phony W-2s and get refunds before the IRS catches the fraud.
Next year, employers will have to submit W-2s to the agency at the same time they’re sent to employees, Koskinen says. In the meantime, payroll companies are voluntarily submitting W-2s early to the IRS for about 20 million taxpayers, he said.
Another issue is that the authentication process still relies on security questions, which criminals are often better at answering than we are. But more secure two-factor authentication — where people are sent a code via text or email that they enter along with a password — is problematic. It might frustrate taxpayers who aren’t used to it and wouldn’t work at all for those who don’t have a way to receive the code, such as a cell phone or an email account.
The challenge, Koskinen says, is to make fraud much harder for criminals to pull off without making tax filing season even more of a nightmare for those playing by the rules.
“It’s a constant balancing effort to try to not overburden taxpayers,” Koskinen says.
This article first appeared in NerdWallet.