
Hackers' ability to outfox IRS may play into tax returns again

April 15, 2016 Article 2 min read
Raj Patel
Unfortunately, there’s not much we can do to stop someone from fraudulently submitting a tax return in our names — unless the IRS implements some checks to validate returns.

Once again this year, many individuals were impacted by fraudulent tax returns, albeit differently than in 2015.

Last year’s threat played out like this: hackers submitted tax returns using stolen identities, resulting in billions of dollars in refunds sent to fraudulent accounts or addresses. Once the impacted individuals found out — after their returns were rejected by the IRS — victims then had to file IRS Form 14039 and wait approximately six months for the IRS to follow up and eventually accept the correct tax return.

To curb this threat, the IRS issued Identity Protection (IP) PINs to more than 2.5 million affected individuals. In 2016, these tax returns were only accepted if a valid IP PIN was provided. Others could opt into the program by requesting an IP PIN as a preventive measure.

While the IRS's approach was right on, there was one big flaw — individuals could retrieve their PIN information via the IRS website by answering four questions related to consumer credit bureau information. These validation questions included previous address, loan amounts, dates, etc. — information that could often be found online through the white pages, Zillow, and Facebook. This allowed hackers to request PIN information and submit fraudulent tax returns for the same individuals in 2016.

Previously, the IRS also allowed access to W-2 forms just by supplying the taxpayer’s name, Social Security Number, date of birth, and address. Once last year’s fraudulent tax returns became evident in April 2015, the IRS stopped this practice in May 2015. However, the IRS has stated that 334,000 individuals’ W-2 information was accessed through this means. With this information, hackers had an easy time submitting this year’s fraudulent tax returns.

So what can we do? Unfortunately, there’s not much we can do to stop someone from fraudulently submitting a tax return in our names. In wanting to increase electronic submissions and issue rapid returns, the IRS hasn’t implemented enough checks to validate those returns. For example, the IRS doesn’t always verify income upon issuing a refund; some of the validation checks occur after a refund has been issued. There’s also no address or bank account verification to ensure the refund is going to the correct individual.

Going forward, the IRS is going to change this process and mail a new IP PIN each year. Great news — but this still doesn’t address the core issue of address or account and income verification. The IRS might want to hold off on sending refunds for tax returns with different addresses from the prior year until after April 15 or once income and addresses are verified on W-2s from employers. Otherwise, we could be looking at a three-peat in 2017.

This content originally appeared at and and is part of a special blog series on cybersecurity.
