The IRS rejected my electronic tax return this year. The reason was my son’s tax ID required an identity PIN, which I did not have and never received. My son is 16 years old. The instructions linked from my tax preparer1 said to call a particular number to obtain a PIN for a minor dependent. It was the IRS identity fraud hotline.

Apparently, my son had filed a return for the tax year 2020, to receive some COVID-19 related benefits. After many verification questions, the agent on the line determined that my address, and previous address, did not match the address associated with my son’s tax ID, which was somewhere in New York. That was quite troubling.

The agent helpfully changed my son’s address to match mine, but told me the software tool used to generate a PIN was down and to call back the next week. So I waited, and thought about the situation. Someone had gotten hold of my son’s tax ID (Social Security Number) and name. It’s not like that information is particularly secure, since hundreds of millions of SSN records have been exposed and improperly secured. The chief offender here was DOGE, Elon Musk’s bastard child of government stupidity.

While the Social Security Administration claims that the Numident database which DOGE copied to a Cloudflare server (unapproved to store this kind of data) was not exposed, Senator Gary Peters commissioned an investigation which concluded there is a 65 percent risk of “catastrophic breach.” As a cyber security professional who regularly works with Federal Tax Information (FTI), to me this is a staggering number.

In quality management, there’s a principle called the “Cost of Quality Iceberg.” It helps to identify the hidden costs of quality problems. Typically, the hidden costs far exceed the visible, collected data and metrics used to measure quality. This principle also applies to cybersecurity and breaches. Where there’s one seen problem, that generally indicates many unseen problems that have never been reported and have no visible metrics, but are there just the same.

So the IRS admits in 2022 and 2023, there were about 1.1 million identity theft holds placed on filed returns. By the end of the filing season, about 387,000 Identity Theft Victim Assistance (IDTVA) cases were left “in inventory,” according to the IRS. There were between 9,000 and 12,000 confirmed fraudulent returns reported by the IRS for each year 2022 and 2023. In 2024, the IRS suspended 1.9 million returns for potential identity theft issues requiring a security PIN. These, I believe, are the tip of the iceberg.

If up to 300 million tax IDs were exposed in 2025, plus the myriad breaches that occur all the time, from school districts, banks, medical providers, and other sources, there’s so much tax data floating around the dark web and available for malicious actors to use, that these numbers are likely orders of magnitude below the actual threat.

If every actual fraudulent return was flagged, the IRS would quickly be overwhelmed and tax return processing would grind to a complete halt. It would be a national emergency. It’s almost certain that billions, if not tens of billions, of dollars of fraudulent refunds are being paid by the IRS, and for every dollar caught (roughly $6.3 billion in 2023), perhaps as much as $10 is paid out. So if the IRS stopped $6.3 billion, we likely paid $63 billion. That’s nearly 10 percent of the total refunds paid for the 2023 tax season.

With me, here’s what happened. I waited a week and called the IRS again. They verified my address, and my son’s address, and asked a whole bunch of other questions to ensure they were talking to me. Then again, anyone who obtained my tax return from 2024 would have been able to answer these questions, so the effectiveness of the agency’s identity verification efforts is also questionable. The kind agent told me the IRS would mail a form to my home with the identity PIN for my son, and that would take around 21 days. If I didn’t want to wait that long, I was welcome to file on paper.

Filing on paper adds months to processing time, so to me 21 days was a much better choice. However, if the PIN didn’t arrive, or someone intercepted the mail (this is also a big problem2), then I would have no choice but to file on paper. Fortunately for me, the PIN form arrived. I entered the PIN into my tax software and re-filed. The IRS accepted my return. Bada-bing, and the system worked, right?

Except it didn’t, really. A week or so later, my son got mail from the IRS. It was a refund check for the 2020 tax year. Specifically, it was the refund for the fraudulent return filed by whatever criminals stole my son’s tax information. The IRS went through all that trouble to flag the fraudulent return, issue a security PIN for my son, change his address at my direction, and then accept my return—only to process the fraudulent return and mail the check to my home. Really?

Being an honest person, I was not about to deposit a fraudulent tax refund check, even if I probably would never get caught, even if it was fraud by someone else. So I called the Identity Theft hotline again. The helpful agent verified once again who I am and who my son is, and put me on hold. After some time, he told me to write “VOID” in the space on the back of the check were we would normally endorse it. Then he told me to write a short cover letter indicating this was an erroneous refund check, and mail the check to an IRS processing center in Texas. I helped him determine the correct address of the processing center (since I do this for a living) because he was confused if this should go to the address for sending payments or general correspondence3.

I put the check and the letter in an envelope and sent it off certified mail. Always mail anything to the IRS using certified mail. Always. The USPS tells me the agency should receive the check today. I was actually worried that someone might intercept that mail, but it’s actually fairly difficult to check wash a U.S. Treasury check. Sending it certified mail gives me a lot more confidence.

So if the IRS mailed a refund check they previously flagged as potentially fraudulent, and an honest person like me took the time and effort to send it back per IRS instructions, how many people would deposit it? How many times would the IRS send a refund to the criminals who stole FTI and filed fraudulent returns? I think the COQ Iceberg principle is at work here, and it is operating at scale. Cyber criminals with AI technology (and they have it) can file millions of false returns. If the IRS catches 10 percent of them, 90 percent get paid out.

Conclusion: We have an enormous problem.

Share

SOCIAL MEDIA ACCOUNTS: You can follow us on social media at several different locations. Official Racket News pages include:

Facebook: https://www.facebook.com/NewsRacket
Twitter/X: https://twitter.com/NewsRacket

Our personal accounts on the platform formerly known as Twitter:

David: https://x.com/captainkudzu
Steve: https://x.com/stevengberman
Jay: https://x.com/curmudgeon_NH

Tell your friends about us!

Share The Racket News ™