When Becky Wittrock tried to file her taxes in March 2015, she was told there was already a return filed in her name the month before. The South Dakotan was just one of a surging number of Americans to fall victim to a scam in which fraudsters try to steal other people's tax refunds by filing phony, inflated returns on their behalf.
But this year was supposed to be different: In January, the IRS mailed Wittrock — along with 2.7 million other taxpayers — a six-digit Identity Protection (or IP) PIN that she was supposed to use to ensure that only she could electronically file on her own behalf.
"Honestly, I felt very secure I would be able to file my return without any problems," she said.
But when Wittrock tried to file her taxes last weekend, there were problems: On Monday, the IRS helpline told her that someone had filed a return using her IP PIN on Feb. 2, she said.
And what's more, according to Wittrock, the IRS representative told her that the agency had heard from other people with similar cases of fraudulent use of the IP PINs this year. "It was not a new problem," she said.
In an interview with The Post, IRS Commissioner John Koskinen called the issue a "relatively minor problem" that has affected only a "handful" of filers but acknowledged that it could be frustrating for people such as Wittrock.
"We understand that for those taxpayers this is a significant aggravation — by definition, they got an IP PIN in the first place because they'd been the victim of identity theft," he said.
But Wittrock and others who rely on the IP PINs to secure their online tax returns may have been easier to re-victimize because of the way the tax agency allows people to retrieve the numbers online, according to Brian Krebs — who first reported on Wittrock's situation.
If someone has lost their IP PIN, there's an online tool that can help them get it back. It requires some basic personal information, including name, date of birth, Social Security number, last filing status and the mailing address from your last tax return, but it also uses information from the person's credit report to ask "Knowledge Based Authentication" questions — things such as past addresses where you've lived or how much your mortgage payments cost.
Yet that basic information could have made it into the hands of fraudsters in a number of ways, such as through the wave of massive data breaches that have hit consumers in recent years. Also, simple Google sleuthing can help uncover the answers to the other questions from public sources. If fraudsters succeed, they can gain access to the IP PIN — and potentially use it to help file phony returns.
The IRS should know how easily this type of system can be bypassed: The tax agency said fraudsters may have accessed tax data for more than 700,000 people last year by tricking a "Get Transcript" tool that relied on the same kind of authentication technique.
But while the tax agency took down the "Get Transcript" tool after reports of misuse last year, it appears to still rely on the same basic method to verify the identities of people wanting to retrieve IP PINs.
Only a very small fraction of taxpayers with IP PINs have used the online retrieval tool, according to Koskinen — although he did not know the exact number. The agency said it has flagged fewer than 200 potentially fraudulent tax filings involving IP PINs and successfully stopped refunds from being issued in the majority of these cases. But now, every tax refund filed with an IP PIN that has been retrieved online is receiving extra scrutiny, he said.
And the IP PIN retrieval tool itself does not reveal information about a taxpayer to an attacker if abused, Koskinen said, but he acknowledged that obtaining an IP PIN through the system could help a criminal with access to other necessary information file a fraudulent return.
"Since the initial question was raised about people coming in to find their IP PIN, we put stronger filters in place and monitors in place," he said. And there are additional layers of security on the back end that may not be obvious to taxpayers, according to Koskinen.
"It's a little game of cat and mouse" with fraudsters, he said.
As for Wittrock, she is unsure how her information fell into the hands of scammers last year. "You feel totally invaded. You have no idea what's going to happen to you next," she said.
After this year's incident, she is skeptical of the security measures put in place by the IRS. "There should be something tied down a little tighter with those six-digit PINs," she said.
But there is at least one silver lining: Wittrock said she was able to file her 2015 return in person at an IRS office this week and was told that the fraudulent refund from this year hadn't been sent out yet — a sign that it may have been caught by another layer of the agency's fraud filters.