how to prevent the bad guys from getting your tax refund

I read about a problem where the “bad guys” would file your (US) federal tax return before you could and get your refund. Luckily there is a way to protect yourself from this scenario. I did it this year. There’s a few steps, but the peace of mind is worth it to me.

Step 1 – Fill out a form

If you live in Florida, Georgia or DC, you can skip this step and go on to step three. For most of us, we have to fill out a form. The Identity Theft Affidavit form sounds like it is for those who have actually had their identity stolen. However there is another option on the form:

I have experienced an event involving my personal information that may at some future time affect my federal tax records.

Who hasn’t had some of their personal information stolen by now!

It’s not a hard form. In fact, the hardest part is that you need a photocopy of your passport, driver’s license or social security card. Which means you have to go to a photocopy machine.

Step 2 – Receive letter

Some time after filling out the form, you get a letter saying your account has been marked with an identity theft indicator. It also gives the option to opt-into to the IP PIN (Identity Protection Personal Identification Number) program. Make sure you want to. Once you opt in, there is no way to opt out in the future.

The letter also gives you a voucher to use if you have an inquiry or payment to further tie your letter to your identity. I’ve never written the IRS about anything, but keeping it in case.

Step 3 – Sign up for IP PIN

The IRS IPPIN site allows you to sign up for a PIN. It’s like two factor authentication for submitting your return. I signed up as a first time user and received a 15 minute expiring confirmation code in my gmail to validate I control that email. I then had to enter some basic info about myself – social security number, birthdate and my filing status from last year. None of this is hard for the “bad guys” to find out.

Then I had two choose three pieces of information to identify them in the future:

  1. a unique phrase for emails to me
  2. a unique phrase when I log into the site
  3. a picture when I log into the site

This is good. It makes it incredibly difficult for someone to spoof the IRS in email or on the web. Then I had to pick 4 challenge/response questions if I forget my password. They were the usual type of not terribly secure questions.

Next, I had to answer four questions to confirm my identity. Two had an answer of “n/a” just like the annual credit report system. I don’t think this is overly difficult for the bad guys to get past nor does Krebbs. In fact, the best way to protect yourself against this is to sign up so your identity already has an account and nobody else can sign up for you.

edit: online lookup is now disabled

Once you login, the system shows you the date/time of your most recent log on (which is the current one in this case) and gives you a six digit number to put on your tax return. This works whether you file on paper or electronically.

Leave a Reply

Your email address will not be published. Required fields are marked *