Hackers are stealing your tax refund

hackers steal tax refund
Ever wonder what hackers do with your stolen Social Security number? They sell them to tax fraudsters.

The recent slew of massive hacks are costing you money -- your U.S. government tax refund.

Last year alone, hackers stole more than 6.5 million Social Security numbers. The number of SSNs stolen this year might be significantly higher, given the recent Anthem hack of 80 million customers. (The company hasn't yet said how many SSNs were lost.)

Stolen SSNs are flooding online black markets -- and they're selling fast.

SSNs go for $3 to $5 when packaged with names and other personal information, according to several firms with undercover agents in those marketplaces. Fraudsters only need two ingredients required to pull off tax fraud: your name and SSN. Plug in some fake income numbers on a doctored W-2 form and voilà: They've filed taxes in your name and stolen your refund too.

Once someone claims your government check, good luck getting it back -- or claiming your next one. The IRS freezes your refunds, and investigations are so backed up, the government says the average wait time to clear up the matter is 120 days. Sometimes it takes years.

Tax fraud is older than the IRS. But in the past, fraudsters had to know someone on the inside -- crooked employees at schools, hospitals or banks willing to fork over documents, according to former federal prosecutor Jed Dwyer, now a white collar defense attorney in Miami.

Now, it just takes a few clicks.

"It's so much easier and less risky than drugs," Dwyer said. "All you need is a computer and data,"

Did someone steal your tax refund? Share your story with CNN.

Pulling off the crime

Fraudsters prefer to use commonly available tax preparation software. Forms are quickly put together, so they can file dozens or hundreds in a single day. And it partially shields them from dealing directly with the IRS.

Clever fraudsters will only use SSNs in a specific state or zip code, in an attempt to not raise any alarms at the IRS, said Adam Tyler, an executive at CSID, which monitors those shady marketplaces.

As for cashing it in and sneaking away, that's easy too. The IRS will direct-deposit the money to whatever bank account number you provide. And that includes nearly untraceable prepaid debit cards -- the throwaway kind you buy at gas stations.

It's a federal policy meant to help those too poor for a bank account avoid expensive check cashing fees. But this has become the number one way for criminals to take the money and run, according to several former prosecutors who investigated these cases with the U.S. Department of Justice's tax division until 2014.

"The fraudster is gone in the wind by the time anyone looks for them," said former prosecutor Justin Gelfand, calling these government policies "completely incompetent."

The IRS fraud controls are working -- but not well enough.

Between 2011 and 2014, the IRS spotted and halted $63 billion worth of fraudulent tax refunds. But the IRS paid identity thieves $5.2 billion in 2011 alone.

Starting this year, the IRS will not load more than three tax refunds onto a single prepaid debit card. That just means criminals will now have to split up their loot onto several different cards.

The agency also has automated fraud filters, which record the IP address of the computer you use to electronically file your taxes, Dwyer said. Alarms go off if dozens or hundreds of people's taxes get filed from the same spot.

But the IRS won't stop you from filing your taxes in Miami if you live in Seattle. After all, people move. Also, you can file a tax return with wildly different income from last year. After all, people get new jobs.

And the most glaring issue is a calendar flaw. You can file your taxes as soon as you get your W-2 from your employer around late January. But businesses don't need to send that documentation to the IRS until late spring. Therefore, there's a gap -- roughly February to June -- where fraudsters can file bogus numbers that the IRS can't verify until it's too late.

It's a gap that IRS Commissioner John Koskinen wants to close, but it'll take legislation from Congress to do it.

The IRS also wants to update its website to require a password when filing taxes to make sure you're you. The closest thing to that extra security now is a six-digit PIN -- but that option is only available to tax fraud victims and residents of Florida, Georgia and Washington. The agency wants to take this pilot program nationwide, but it faces a $200 million cut to its technology budget this year.


If you can, sign up for the extra PIN -- even if it's annoying to remember.

Meanwhile, there's no time like the present to file your taxes. The black market heats up for SSNs this time of year. And it's normal for hackers to sell the same SSN to several fraudsters at once, so hackers move fast. They know IRS refunds are essentially first come, first served.

"It's a race to file a false tax return," Gelfand said. "It's almost to the point that every year it starts in January."

Inside the market for fake passports
Inside the market for fake passports

CNNMoney Sponsors