Tax season means ID theft; here’s how you can stop it

December 15, 2015

The opening of tax season is a bonanza for identity thieves. The IRS and state tax agencies are determined to cut down on so-called stolen identity refund fraud, or SIRF for short. You can catch this wave, too, and help employees guard their personal identifying information.

Requests for early W-2s. Many commercial tax prep firms aggressively hawk their ability to e-file 1040 forms early. You don’t have to respond to anyone’s request to provide a W-2 before the Feb. 1 deadline.

Tip: If you do accommodate these early requests, make sure they come only from employees and that they’re in writing. If you believe a firm is abusing the system, you can turn it into the IRS by calling (800) 829-1040.

More anti-SIRF tactics. SIRF thrives because identity thieves can e-file phony 1040s that claim bogus refunds long before the IRS can match employees’ 1040s and W-2s. The IRS’ first stab at combating SIRF was to change the rules for requesting an extension of time to file W-2s. Beginning this year, you can only request one for-cause 30-day extension, instead of one automatic 30-day extension and another for-cause 30-day extension.

The second arrow out of its quiver involves a new pilot project with several large payroll service bureaus, in which these providers will include a 16-character verification code on Copies B and C of employees’ 2015 W-2s in a separate, labeled box. The code, which will look like this: 1234-5678-9012-3456, will be computed using W-2 data and an IRS-provided algorithm. It will be used to verify the authenticity of W-2 data on e-filed 1040s and will be entered on e-filed 1040s.

Help employees help themselves. Phishers set up websites that appear identical to the IRS’, but which entice employees anxious for their refunds to divulge personal information, including, crucially, their Social Security numbers (SSNs).

How to tell a fake IRS website: misspellings or grammatically-challenged text on websites or emails, invitations to click through or to provide SSNs, aggressive language regarding collection activities and urls that end in .com, .org or .net.

BE A HERO: Unfortunately, not even a .gov suffix means that you’ve reached the IRS. Tell employees not to Google the IRS’ website. Those who want to track their refunds online can go to Also, remind employees that the IRS never contacts taxpayers by phone or email and never asks them to disclose personal information. Finally, report suspected phishing attempts to the IRS.