Late last week, Intuit temporarily shut down the ability of taxpayers to file their returns electronically via its TurboTax software. The cause: Tens of thousands of fraudulent returns filed in at least 18 states. The bogus returns were filed by identity thieves, looking to capitalize on personal information exposed through numerous data breaches.
I spoke with Jody Padar, CEO and principal of New Vision CPA Group in Mount Prospect, Illinois, about what taxpayers need to know about this latest fraud. Here's her advice.
1. Remember that data breaches are the problem, not TurboTax.
There is no known bug or vulnerability within Intuit's TurboTax that allowed this to happen. At this point, it does not appear that taxpayers' personal information was obtained through any TurboTax hack. Instead, this seems to be one more example of thieves making malicious use of personal information acquired through data breaches. In this case, identifying information such as names, birth dates, and social security numbers was used to create fake tax returns, and to instruct state tax authorities to send bogus refund checks to the scammers. Those fake tax returns were filed via TurboTax.
In a statement, Intuit said, "We're aware that the FBI has acknowledged that it is investigating incidents of identity theft and potential tax fraud. But to the best of our knowledge, Intuit is not the target of that investigation." Regarding the fraudulent tax returns, the statement went on to say, "We do not believe these instances of fraud resulted from a security breach of our systems. We are continuing to investigate the issue."
Whether or not you personally file your taxes electronically appears to make no difference in how likely you are to be the subject of a fraudulent return. "They're stealing the identities and then using TurboTax to file a return," says Padar. Another way to think about this: If the thieves were filing fraudulent returns via U.S. Mail, we wouldn't say the Post Office had a security issue. Says Padar: "It's not TurboTax or eFiling that is the problem."
2. File early, if possible.
There are two ways to tell if your data has been breached and if a fraudulent tax return has possibly been submitted in your name. You may find clues through a close examination of your credit report (see below). The sure-fire method is by filing your return. If you file before the scammers, it'll be the thieves' fake return that bounces back, not yours. Unfortunately, if someone else has already filed a return in your name, yours will bounce back. Then, the long work of getting things straightened out will begin. Padar says it will generally take about six months--and hours and hours of phone calls--to get it all fixed. "It's a lot of paperwork and it's a lot of rigmarole, but you will get your money back," says Padar.
The benefits of filing early, then, are at least threefold. First, you get an onerous task completed early, allowing you to move on with your life and business. Second, you'll have a better chance of being the first to file in your name, so it will be the criminal's tax return that bounces back, not yours. Third, if in a worst-case scenario, you do have to start undoing the damage caused by identity theft, at least you'll be on it early.
3. Check your credit report.
Suspicious activity can be a sign of a data breach. Says Padar: "If your identity has been stolen, you're at risk to have someone file a fraudulent tax return just like they could open a credit card on your behalf." If you think your information may have been compromised, especially in the recent Anthem hack, it's worth being proactive.