More than $5 billion, with a B: that’s how much the IRS estimates it mistakenly paid to identity thieves last year, according to a new study from the Government Accountability Office. The thieves filed fraudulent tax returns on behalf of unsuspecting citizens, and the IRS didn’t catch the fraud until after long after the refund checks had been sent. The only good news? It could have been a lot more money. The IRS estimates it identified and stopped another $24.2 billion in attempted fraud — but the agency acknowledges it’s hard to calculate the full extent of the problem.
Here’s how thieves get away with it: You usually receive a W-2 from your employer by the end of January, then file your tax return by April 15. During that time, thieves steal your identifying information, file fake returns on your behalf, and collect the refund check. It all happens pretty quickly, since the IRS tries to issue your refund within three weeks of receiving your return.
Employers have until March to send their W-2s to the Social Security Administration, which later forwards the documents to the IRS. The IRS doesn’t begin checking tax returns against employers’ W-2s until July. The GAO has found that it can take a year or longer for the IRS to complete the checks and catch the theft.
The easiest way you can deter this kind of fraud? File early, and file electronically. Once the IRS receives a return with your social security number, the agency will reject any duplicate filings and notify you right away. The IRS is also piloting an initiative to issue single-use identity protection PIN numbers to taxpayers who have verified their identities.
Still, the danger could be growing: As recently as 2010, tax– and wage-related identity theft made up just 16% of all ID-theft complaints at the Federal Trade Commission. Last year that portion rose to 43%. Below are four more common ways ID thieves can strike — and what you can do to protect yourself.
1) Purloined paper.
Have tax documents sent to a P.O. box or delivered electronically so they can’t go missing. Shred extra copies. “Your tax return needs to be treated as an item of extreme privacy,” says Staten Island CPA John Vento.
2) Unsecure networks.
Never file electronically over public Wi-Fi or a network that’s not password-protected. Make sure you have up-to-date antivirus software and a firewall on your home computer.
3) Dodgy emails.
Be leery of any email claiming to be an IRS notice of an outstanding refund or a pending investigation; the IRS will never email you to request sensitive information. Forward suspect messages to firstname.lastname@example.org. Other electronic traps: fake websites similar to irs.gov, and tweets purporting to be from the IRS (@IRSnews is the verified handle).
4) Phone fakes.
In October of last year, the IRS warned of a sophisticated phone scam in which callers already knew the last four digits of your Social Security number and mimicked the IRS toll-free number on your caller ID. If the IRS calls you out of the blue, hang up and call back (800-829-1040).
This advice was excerpted from MONEY’s 2014 Tax Guide.