IRS tool meant to protect identity theft victims may be vulnerable to identity thieves


A new report from security website KrebsonSecurity warns consumers that a tool provided by the Internal Revenue Service (IRS) — that’s meant to prevent identity theft — is still actually vulnerable to identity theft.

Tax-refund fraud is a big problem in the U.S., and it’s been getting worse over the past few years. According to the IRS, between 2011 and 2014, the agency ‘spotted and halted $63 billion worth of fraudulent tax refunds.’ While that’s great and all, the IRS also paid identity thieves $5.2 billion in 2011 alone. And in 2014, a whopping 2.7 million taxpayers had their identity stolen. 

Read more: 14 red flags that you will get audited by the IRS

How tax-refund fraud works

The way it works is a criminal submits your personal data to the IRS, claims the refund in your name and has the money sent to an address or account that’s not yours and that you can’t access.

Victims of tax-refund fraud typically don’t know that they’re victims until they go to file their taxes and their returns are rejected — because scammers have already done it in their name. And Krebs points out that those ‘who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.’

With the increase in fraud over the past few years, the IRS says it has been working to crack down on criminals and make the process more secure. And one way the agency does this is with the Identity Protection PIN — which is meant to protect consumers against tax-related ID theft.

Anyone who has previously been a victim of tax-refund fraud will receive a PIN issued by the IRS, meant to prevent this type of theft from happening again. Some taxpayers can even choose to receive a PIN, just for the added layer of security.

Read more: IRS ‘Get Transcript’ hack is getting worse, even more taxpayers affected


The IP PIN is a six-digit number that must be used on a tax return, in addition to the person’s Social Security number, to verify the taxpayer’s identity. Once you opt into the program, you can’t opt out. You will get a new PIN issued to you by the IRS each year through the mail — and the IRS won’t accept the return as valid without it.

‘What it does, it adds an extra layer of protection for taxpayers when they go to file their tax returns,’ says Mark Green with the IRS.

The potential vulnerabilities

Well, here’s the problem: the IRS also allows people to retrieve their IP PIN via the agency’s website — using personal information about you that criminals can likely find on the Internet. According to Krebs, in order to get the PIN, you just have to answer a few questions based on things like previous address, loan amounts and dates — information scammers can probably find on Facebook or other free, public websites.

And some people are figuring out the hard way that the IRS’s security tool definitely isn’t foolproof. According to Krebs, Becky Wittrock, a certified public accountant (CPA) from South Dakota, said she was issued an IP PIN in 2014 after thieves tried to impersonate her to the IRS. Then Wittrock discovered it had happened again — and the information provided by that added layer of security is what thieves stole this time.

When she tried to file her tax return on February 25, 2016, she found out that scammers had already filed in her name three weeks earlier — using the IP PIN issued by the IRS.

Wittrock told Krebs, “I tried to e-file this weekend and the return was rejected. I received the PIN since I had IRS fraud on my 2014 return. I called the IRS this morning and they stated that the fraudulent use of IP PINs is a big problem for them this year.”

And when Wittrock called the IRS, she says the employee she spoke to confirmed that whoever filed in her name did in fact provide the correct IP PIN issued by the IRS — and the employee added that this case is just one of many the agency has seen this year.


The IRS says that stealing IP PINs isn’t that easy — since a new PIN is issued every year and there’s a small window between the end of tax year and when a person files that a hacker can beat them to it.

But when it comes to protecting your information and your wallet, it’s better to err on the side of caution, rather than rely on the hope that scammers miss that short window… So here’s Clark’s advice on the best way to prevent tax identity theft from happening to you.

And if you want to keep up with the IRS’s latest tips, check out the agency’s guide on how to protect yourself and spot the warning signs of possible tax-refund fraud.

  • Show Comments Hide Comments