This story is over 5 years old.


I'm a Victim of Tax Season Cybercrime

And we are all victims of our unnecessarily convoluted tax system.

It started out as a mild inconvenience—when I tried to file my taxes via Turbotax, I got an error instead.

Turbotax told me that the IRS already had a return with my social security number on it, and would not accept an e-filing. That didn't seem right. So I tried again. And again. And again. Eventually I gave up and submitted a query to customer service, which then asked me to call the hotline.

The woman on the end of the line—a pleasant lady with a vaguely Midwestern accent—asked me if I had submitted a return before. Unless I had been working on itemizing my work-related expenses in my sleep (oh god I wish), I had not. Then she asked, "Do you know if your personal information has been exposed by hackers in the past? For example, were you a part of that Anthem Blue Cross breach three years ago?" (It was actually two years ago).


I wasn't, but in this day and age, who hasn't had their social security number leaked in one way or another? The Turbotax representative took a deep breath and then launched into a very well-rehearsed and smooth speech about how I was a victim of cybercrime.


"Everything is going to be okay," said the woman in soothing tones. "Part of my job is making sure you can sleep at night."

After about five minutes of comforting reassurances that hackers were not going to destroy my life, she explained that hackers had used my name, social security number, and birthdate with Turbotax back in January. "This isn't your creepy neighbor down the round, there are three big rings operating out of Russia, Nigeria, and India. They go to town, and just make up a bunch of crap."

If you had someone else's identifying information, and used with it with valid Employer Identification Numbers, you could get the IRS to cough up a refund. The hackers would then load the money onto a prepaid Green Dot card, then vanish.

"This is all I do all day Sarah, you have no idea how prevalent this is," said the woman. "The identity theft is just crazy this year."

"Oh?" I asked, furiously typing notes on my laptop.

"Oh, yes."

I later reached out to Intuit, and a spokesperson told me that according to the IRS, "the number of new people reporting stolen identities on federal tax returns [has fallen] by more than 50 percent, with nearly 275,000 fewer victims compared to a year ago."


But anyways, back to the sympathetic Turbotax customer service representative who seemed to be expecting me to throw a fit about being hacked. "I know this is really personal. Even though it's cybercrime, they might as well have rifled through your underwear drawer."

I felt this was laying it on a bit thick, but I imagine most victims of tax season fraud aren't journalists who report on cybercrime.

"These guys aren't worth losing any sleep over, Sarah, just attack this one step at a time."

"One step at a time" involved printing out my taxes and mailing them to the IRS, along with a signed form that declared me a victim of cybercrime. The Turbotax representative also asked me to report the case to the local police, although she warned me that they weren't going to do anything about it. "We just want to establish a paper trail, you know."

She also directed me to open an account, the second one I'd created since getting hit with identity theft last year. I almost wished I had just kept the first one, but quite sensibly deletes all user information on a regular basis, unless users explicitly opt in to keep their accounts. At this point, becoming a victim of cybercrime is a springtime ritual.

Last year I got to find out that routing and account numbers can be used to withdraw money from a bank account, thus making it a 0-factor authentication system.


This year I got to ponder the national idiocy of adopting the Social Security administrative apparatus as a secret identifier. Social security numbers were never meant to be secret, they were just meant to identify workers in order to keep track of benefits. But all that it takes for my taxes to be accepted by the IRS are my SSN, birth date, and full name.

Should I be asking my editors to take my W-9 forms via SecureDrop? Am I supposed to stop publicly celebrating my birthday? Should I try to get a weird middle name or something? Maybe one that's at least twelve characters long and has at least one number and one symbol?

Fortunately I don't need to change my name to Sarah oE%w9nf7n&bA Jeong—the IRS will be issuing me a PIN to use on my future tax returns. Wow, it's almost like having a password for your taxes… is more secure?

Turbotax refunded me my money and also gave me a complimentary year's subscription to an identity theft tracking service. It was very nice of them, especially considering that it's not Turbotax's fault.

Well, it's kind of its fault. Tax fraud of this variety is only profitable because Turbotax makes it so easy to file returns en masse using hacked information, but making it easy to do your taxes is kind of the point, isn't it?

To be fair, Intuit has spent millions lobbying against free and simple e-filing administered by the IRS, enabling America's dependency on products like Turbotax. I wouldn't be in this pickle to begin with if Intuit hadn't bought itself a virtual monopoly in navigating an unnecessarily complex system. And given that I've been a customer of Turbotax for years, shouldn't it have some kind of a security system in place to flag a return with my social security number on it that's not sent using my existing account?


On the other hand, would the IRS really do a better job administering a free version of Turbotax when it's doing such a crummy job with the system it has now? There is nothing stopping the IRS from making the tax return system more secure. If the agency sent me a PIN now, why couldn't it do it before someone stole my identity?

But the IRS doesn't even need to embark on creating and maintaining a complex and secure system of taxpayer identification. Literally any extra attempt to identify a taxpayer would help. (Timothy B. Lee suggests requiring e-filers to identify previous addresses or mobile phone numbers, the way that credit monitoring agencies do). In 2015, the IRS paid at least $30 million in fraudulent refunds. The Government Accountability Office suggests the actual number is much higher, but even if it's a hundred times more, it's still a vast improvement from 2013, when the IRS paid out $5.8 billion to fraudsters.

In any case, I spent the next couple of days making phone calls, filling out forms, and then trudging through the pouring rain to get to a post office.

It was probably the most fitting end to the whole saga. Because I was in a rush, I opted to go to the nearest post office, instead of the big one I usually go to. But the "post office" I went to wasn't a real post office at all. It was some kind of a outpost or franchise, a weird little nook in a dilapidated mall. There were no USPS logos, no uniforms, no shipping options besides regular old First Class, and they certainly did not take credit card. It was either cash or a check (!!!) addressed to "US Postmaster."


After rummaging around in my pockets for dollar bills I usually keep for tipping the karaoke jockey, I mailed out my tax returns.

On my way back home, I was hit with a surge of paranoia. Were they actually going to mail out my returns? Would the paperwork get lost? How did I even know that the little post office outlet actually connected back to the USPS network? Would the IRS penalize me for being double-defrauded?

I'd just handed my federal tax returns to a third party vendor that shouldn't exist because someone had stolen my identity via another third party vendor that shouldn't exist. The USPS should have a real post office closer to my house, and the IRS should have a free government version of Turbotax.

But what do I know, I'm just the chump paying for a flawed infrastructure that makes me navigate a bureaucracy for days so that my life doesn't get ruined or whatever.

God, I really hope the IRS has my taxes.