Krebs on Security is reporting that tax return fraud has not been curbed in 2016 despite safeguards put in place. Consumers who were hit last year were given IRS PINs to help identify that they were the consumer and not a cyber thief. One flaw in that system is that the PIN can be accessed online; therefore giving thieves the opportunity to steal the PIN before the consumer can use it.

This has led to some consumers filing their tax returns only to have them rejected by the IRS because the PIN has already been used. For those that have been compromised, their returns are rerouted to the thieves financial accounts. For credit unions, this means members may be inquiring about the status of their tax return and if it has been deposited in their account.

Krebs found that from “January 2014 to May 2015, the IRS allowed anyone to access someone else’s previous year’s W-2 forms, just by supplying the taxpayer’s name, date of birth, Social Security number, address, and the answers to easy-to-guess- or Google KBA questions. The IRS killed the Get Transcript function in May 2015 after it was revealed that crooks were abusing it to hijack consumer identities and refunds.

According to the IRS, at least 724,000 citizens had their tax data stolen through the IRS’s Get Transcript feature between January 2014 and May 2015. This may in fact be a lowball number: The IRS previously said the number of those affected was 334,000, figures that were sharply revised from an initial estimate of 110,000 taxpayers.”

Scrolling through the comments on the Krebs story shows that many consumers are seeing their tax return delayed significantly because of this tax return fraud. Credit unions would be wise to follow this story to ensure their members’ information is safe and to be able to answer questions.