May 13, 2024

How to Protect Yourself From Tax Refund Scams

Hacker surrounded by data

If you haven’t filed your taxes yet, you should do them as soon as you can — before someone else does.

With July 15 on the horizon, the Internal Revenue Service (IRS) is once again sounding the alarm about tax refund fraud schemes. Criminals gain access to consumers’ private data, then use that information to file false tax returns and try to acquire the resulting refunds.

When the victim of this identity theft receives their (fraudulent) refund, the criminal contacts them, impersonates the IRS, says the refund is a mistake, and requests that they transfer the money to a different account. In 2017, there were nearly 600,000 fraudulent tax returns totaling $6 billion.

There are other schemes to watch out for. The Division of Consumer Affairs has warned against instant refunds (which are actually short-term loans with large interest rates) and “ghost” tax preparers who file fraudulent returns on a person’s behalf in order to boost their fees. They artificially inflate the client’s refund in order to take a bigger chunk of it.

This uptick in tax fraud creates serious problems not only for individuals, but businesses.

Companies Hit by Phishing Scams

To carry out tax refund fraud, criminals need a person’s name, date of birth, and Social Security Number. Often they require this information through phishing scams. The FBI states:

The most popular method remains impersonating an executive, either through a compromised or spoofed email in order to obtain W-2 information from a Human Resource (HR) professional within the same organization.

Emailing a human resources employee can allow criminals to scoop up dozens or even hundreds of consumers’ data all at once, instead of having to acquire them one by one.

To protect employees’ information, the FBI recommends that companies enact the following safety measures:

  • Limit the number of people who can handle W-2 requests
  • Require dual approval for wire transfer requests
  • Verbally confirm requests via phone calls to known contacts.

Cyber criminals also obtain social security numbers in volume by infiltrating companies that store personal identification information (PII) such as social security information. These data breaches typically occur due to lax cyber security measures on the part of the company that sustains the breach.

Individual employees whose data was accessed in this manner — leading to identity theft and/or tax refund fraud — may want to join a data breach lawsuit. Morgan & Morgan filed lawsuits after the massive Yahoo, Equifax, and MGM Resort breaches.

Consumers impacted by data breaches could be owed money for damages, or receive free credit monitoring and other benefits.

IRS Won’t Email or Threaten Police Action

If you receive an email or phone call from someone claiming to be from the IRS, they are almost definitely lying. As a general rule, the IRS does not email or call people. The vast majority of the time, the IRS sends letters via the U.S. Postal Service.

The IRS also emphasizes the following:

  • They will not demand “immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer.”
  • They will always give you the opportunity to question or appeal how much you owe.
  • They will not threaten to “bring in local police, immigration officers or other law-enforcement to have you arrested for not paying.”
  • The IRS does not have the authority to take away your immigration status or driver’s license.
  • In the rare event of a home visit, IRS agents will always show two forms of official credentials.

In short, if someone is trying to bully you into swift payment with a specific kind of card, it’s most likely a scammer.

You can report phishing scams to or file an identity theft complaint at the Federal Trade Commission site You should contact an attorney if you or a loved one has experienced financial or reputational damage because of a scam or breach.