A surge in suspicious tax filings this year has highlighted how difficult it is for tax preparation companies and tax authorities to keep up with tax criminals, who are growing ever more sophisticated.
For some taxpayers, the fraud raises concerns about how much they should do to protect themselves as they prepare and file their returns. Some readers have written in with questions about how safe it is to file and what they should do if they are victims.
I tackled some of them here.
I use TurboTax desktop software. Am I safe?
People who use TurboTax’s desktop software don’t have to create online accounts, and therefore don’t face the same threat that Web customers face of having their accounts taken over by identity thieves looking to access prior years’ tax returns. Instead, desktop customers prepare and store their returns on their computers and submit them by printing them out and mailing them or by filing electronically.
Intuit says it “securely stores and encrypts” tax returns when it transmits them to the IRS. Chester Wisniewski, a senior security adviser for Sophos, a security software vendor, says that transmission is typically pretty secure and difficult to hack. Those taxpayers are still vulnerable to the more traditional form of tax-related identity theft, however, since criminals who may have accessed their personal information somewhere else can still use it to file fraudulent tax returns and steal their refunds.
Should I change my password?
Probably. Some of the fraudsters filing phony tax returns through TurboTax this year did so by taking over accounts held by existing TurboTax customers after figuring out customers’ usernames and passwords. Some of those thieves may have tested out usernames and passwords that may have been leaked from other Web sites.
If you use the same username and password on more than one site, you should take advantage of TurboTax’s “reset” option, which lets customers change their usernames and passwords. If changing all of the passwords on all of your accounts seems like a bit much, start by changing them on your financial accounts, Wisniewski says. “The key is that it’s not the same as everywhere else,” he says. And even if you aren’t repeating passwords, it would be a good idea to make sure the password is secure by including a mixture of numbers, letters and symbols, he says.
Can I clear my data from TurboTax’s Web site?
No. Some people who are worried about having their accounts hacked may be wondering if they can wipe their online accounts clean. But Intuit says it’s required by law to store tax returns online for at least five years after it is transmitted to the IRS and that customers cannot clear out their accounts.
For its part, Intuit has rolled out new security measures this tax season to make it harder for criminals to break into customers’ accounts, such as multi-factor authentication, which requires customers to enter a code sent to their e-mails or phones when they log in from a new computer, tablet or smartphone. Customers who can’t remember their passwords need to verify their identities by answering questions about their credit history. And Intuit spokeswoman Julie Miller says the company is thinking about requiring people to verify their e-mail and phone numbers when they create an account, making it easier to confirm their identity later on.
What should I do if my tax refund was stolen?
Report the fraud to the IRS, which will launch an investigation to help determine your identity and issue your refund. Be patient, however, since most cases take at least six months to be resolved. You can also file a claim with the Federal Trade Commission and report the fraud to your local police department.
Identity theft experts recommend checking your credit report and creating an alert with the three major credit reporting agencies so that you can be notified if someone tries to take out a loan with your Social Security number. (You can access three free credit reports a year on AnnualCreditReport.com.) That vigilance shouldn’t stop this year, either. Criminals often continue to trade personal information on the black market, which means attempts to steal refunds or to open fraudulent credit cards can happen years from now.
Still have questions? Send me a line at email@example.com.