A New Tax Scam, and Tips on How to Deal With It

If you weren’t expecting an income tax refund but discover a big deposit from the Internal Revenue Service in your bank account, don’t be quick to celebrate. You may have been the target of a clever new scam.

The latest twist in tax-time identity fraud involves thieves who pilfer personal and financial information, often from professional tax preparers. They then use those details to file fake tax returns and have refunds — sometimes as large as $20,000 — sent electronically to your account, with plans to collect the money later.

The I.R.S. initially warned about the scam on Feb. 2, urging tax professionals to “step up security and beware of phishing emails that can secretly download malicious software that can help cybercriminals steal client data.”

The agency next issued a warning to taxpayers on Feb. 13 after reports of the incidents “mushroomed” from a few hundred potential victims nationwide to thousands, said Terry Lemons, an agency spokesman.

“This one is really worrisome to us,” Mr. Lemons said. “Scammers are getting a government deposit into your account.”

In the past few years, the I.R.S. said, its Security Summit — a collaboration with state tax agencies and makers of do-it-yourself tax software — has helped reduce incidents of tax-related identity fraud, in which someone files a fake return in your name to collect a refund.

But now, criminals are increasingly targeting businesses, including tax professionals and human resource departments, because they are rich sources of sensitive personal information — including W-2 forms, bank statements and tax returns — that thieves can use to impersonate taxpayers and file bogus returns with authentic data.

“Criminals go where the data is,” said Jonathan Horn, senior manager for tax policy and advocacy with the American Institute of Certified Public Accountants.

How does putting the money in your account benefit the criminals? The thieves think you’ll give it to them.

The crooks, for example, will call victims and pretend they’re a collection company for the I.R.S., which has deposited the funds in error. They then demand that victims transfer the money to a different account. “They say, ‘We made a mistake; send it back to us,’” Mr. Lemons said.

Or, they will leave voice messages threatening the taxpayer with criminal fraud charges or an arrest warrant if they don’t call the number provided to return the “refund.”

“It signifies the ingenuity of the fraudsters out there,” said Russell Schrader, executive director of the National Cyber Security Alliance, which promotes online safety and security.

The scam has the ring of truth for victims, as there is actually an erroneous deposit sitting in their bank account (or in some cases, a paper check in the mailbox). That can frighten victims into acting, especially if a caller is bullying them. But it’s always best to hang up and independently check whether the information you were given is valid, said Eva Velasquez, chief executive of the nonprofit group Identity Theft Resource Center. “Always go to the source when you get these kind of contacts,” she said. Look up a public number for the I.R.S. online, she advised, and contact the agency to ask if the call was legitimate. (The I.R.S. identity theft unit’s number is 1-800-908-4490.)

Here are some questions and answers about tax refund fraud:

What should I do if an erroneous tax refund is deposited in my account?

If it seems too good to be true, it probably is, Mr. Lemons said. Don’t forward the money, he said, and don’t spend it: “Don’t go out and make a down payment on a new car with the cash.”

If the refund arrived as a direct deposit, the agency said that you should contact your bank’s automated clearinghouse department and have the funds returned to the I.R.S. (Consumers may also need to close their account.) Call the I.R.S. to explain why the money is being returned, notify your tax preparer and file a complaint with the Federal Trade Commission.

In the case of paper checks, the next steps depend on whether you have cashed the check. The agency provides details on its website.

What questions about security procedures should I have for my tax preparer?

Mr. Horn with the accountant association recommended that consumers ask whether their tax preparer uses encrypted email — standard email isn’t secure and should never be used for sensitive financial information — and where the agency stores its paper files.

Mr. Lemons offered his own suggestions: Do you update security protocols regularly? Do you train employees to recognize phishing attacks? How is information shared securely with clients?

David Thomas, chief executive of Evident ID, an information security company based in Atlanta, suggested asking which employees have access to your files, and inquiring whether the firm offers extra login security. He particularly likes YubiKey, a token that authenticates a user’s identity.

The tax preparation firm “should have confident answers” to your questions, Mr. Thomas said.

Does a bogus refund in my account mean a fake tax return was filed in my name?

Most likely yes, but you should contact the I.R.S. to verify if it has accepted a return using your Social Security number, Ms. Velasquez said. In some fraud cases overseas, she said, criminals have been known to mix and match stolen information. So it may be possible that criminals used one person’s data to file a tax return, but someone else’s bank account to deposit the refund. If a fraudulent return was filed in your name, she said, you’ll probably have to file a special affidavit with the I.R.S. explaining that you are a victim of identity theft. Victims can contact the resource center for free help, she said.