Thieves stole 100,000 past tax returns from the IRS, says the agency.
Criminals using stolen personal data accessed old tax returns of 100,000 people through the Internal Revenue Service’s website, the agency announced Tuesday.
Using Social Security numbers, birth dates, addresses and other information acquired outside the IRS website, probably from data breaches at other insitutions, the criminals were able to clear a multi-step authentication process and request tax returns and other filings through the IRS’s “Get Transcript” application. The criminals then used the information obtained from those forms to file fraudlent tax returns, the IRS said.
Though the agency has now shut down the “Get Transcript” application, it sent nearly $50 million in refunds to the scammers before detecting the breach.
Later this week, the IRS will begin sending out notification letters to each of the 200,000 taxpayers whose accounts the scammers attempted to access. About 50% of those attempts—some 100,000—were successful, and the IRS will offer free credit monitoring to those taxpayers. Either way, if you are notified by the IRS, there is more you can do to protect yourself.
1. Check In with the IRS
The IRS said it will be “marking taxpayer accounts on our core processing system to flag for potential identity theft to protect taxpayers going forward.” But anyone notified by the IRS—whether your data was successfully stolen or not—should call the IRS Identity Protection Specialized Unit at 800-908-4490 to check that the agency has indeed placed an alert on your account and that the system reflects that your information (and return) has been compromised. You may also want to contact your state revenue agency to be certain a state tax return wasn’t fraudulently filed for you as well. (For your state’s hotline, check out this list.)
Also report the theft to local police and have it documented. While local law enforcement is unlikely to investigate, many government agencies and credit bureaus require an official theft report to help you solve the fall-out.
2. Add Another Layer of Security
If you are a victim of id theft, the IRS should issue you a personal identification number that will provide you with another level of security. You’ll need to submit this PIN along with your Social Security number when you file any tax form going forward so that the IRS knows to carefully check over your account. As an identity theft victim, you’ll get a new PIN every year. If you don’t receive it, request one because this extra step could save you from dealing with fraudulent returns year after year.
3. Alert the Credit Bureaus
“If a thief had enough information about you to file a false tax return, he could have also opened new credit card accounts or taken out a loan in your name,” says CPA Troy Lewis, chairman of the American Institute of CPAs’ tax executive committee.
Set up free fraud alerts with the three major credit reporting bureaus, Equifax, Experian, and TransUnion. These alerts, which last 90 days but can be renewed, warn potential creditors or lenders that you are an identity theft victim and that they must verify your identity before issuing credit.
You can go a step further by placing a credit freeze on your files, which instructs the credit agencies to prevent new creditors from viewing your credit score and report. With a police report, it’s free; without one, it can cost as much $10, depending on your state.
A freeze will keep you from accessing instant credit, too. So if you need to apply for a loan, for example, you’ll need to give the agency permission to thaw your data, and in some cases you’ll pay a fee to lift the freeze, which can take a few days.
MONEY advises against paying for credit monitoring services, since you can do the same work yourself for free and the steps above are a better preventative measure. But if the IRS offers it to for free, you may want to sign up for the service.
4. Check Your Credit Report
You are entitled to a free copy of your credit report from each of the three agencies. Check them carefully for unauthorized activity. Look at your history as well as recent activity. Just because you were first alerted to the problem through a false tax return does not mean that’s where the ID theft started.
If you see errors in your report, such as wrong personal information, accounts you didn’t open, or debts you didn’t incur, dispute those errors with each credit agency and the fraud department of the businesses reporting that inaccurate information.
5. Be Patient
The IRS says a typical case of ID theft can take 180 days to resolve. And even after you’ve cleared up this year’s tax mess, tax and credit fraud can be a recurring problem.
When a thief files a false return and beats you to filing, the IRS flags your legit return and processes it manually, meaning your refund could be delayed for months. The IRS will always pay you your refund, regardless of whether it already paid it out to a fraudster. If your tax fraud case hasn’t been resolved and you’re experiencing financial difficulties because of the holdup with your refund, contact the taxpayer advocate service at 877-777-4778.