US tax service says, “2FA is a must!”

The Beatles famously sang about The Taxman back in 1966, when Britain had much higher taxes on the rich than it does now:

    Let me tell you how it will be
       There's one for you, nineteen for me
    'Cause I'm the taxman, yeah, I'm the taxman

    Should five per cent appear too small
       Be thankful I don't take it all
    'Cause I'm the taxman, yeah, I'm the taxman

    If you drive a car, I'll tax the street
       If you try to sit, I'll tax your seat
    If you get too cold, I'll tax the heat
       If you take a walk, I'll tax your feet
    'Cause I'm the taxman, yeah, I'm the taxman

It was the era, if you like, where income tax boiled down to “you versus the Revenue”, the earner versus the government, the individual versus society.

How times have changed!

These days, there’s a very clear third player in the income tax game: cybercriminals.

Personal taxation now includes a new sort of battleground, with taxpayers and the IRS as unexpected allies on one side of the fight, and cybercrooks on the other.

That’s because of what are known very descriptively as tax refund scams.

We’ve written about tax refund scams many times before on Naked Security, and the way they work is easily told.

Simply put, crooks figure out enough about you that they are in a position to submit a realistic looking tax return on your behalf…

…and then they do just that, except that they understate your income convincingly enough that the IRS pays out a refund, into a bank account provided by the crooks…

…who promptly run off with the money.

That means the crooks have stolen that money not just from you, not just from the government, but essentially from all of us – the refunded money gets drained out of the system and will never be seen again.

You end up with a fraudulent tax return filed against your name; the government ends up with a huge dent in its tax revenues; and the mess can take ages to sort out.

An unfair advantage

Annoyingly, the crooks have an unfair advantage here, just because of the way most of us – perfectly reasonably, and lawfully, and understandably – approach our tax returns.

Many countries give a fairly generous amount of time to submit tax returns, preferring slow but correct answers to hasty submissions that need constant revision, and many taxpayers (you know if you are one of them!) take a fairly generous amount of the available time to complete the paperwork.

As a result, tax refund scammers don’t have much trouble getting their fake returns in before real taxpayers submit their real ones.

Also, many if not most countries prefer you to file online these days, to reduce the cost of collecting taxes in the first place.

And many if not most taxpayers prefer to do just that, because it’s easier and less stressful than handling pages and pages of written forms as in the past.

As a result, tax refund scammers can scam in bulk and from afar – they don’t need to take the risk of visiting a tax office in person for each taxpayer they want to impersonate.

For example, the scammers will claim that they – which really means you, of course – were unable to work for a significant part of the year, perhaps due to injury or illness, and therefore that taxes withheld so far were greatly overpaid.

If the crooks can provide fake but believable documentation, tax offices in many countries will typically issue a refund automatically and fairly quickly.

After all, the tax office knows where you live, so they can and will prosecute you and claw the money back if you provide fake information, so an efficient refund system can be considered both fair and fairly safe.

Unless the money refunded is drained out of the system altogether, of course.

Plugging the leaks

Well, the IRS is determined to plug the leaks, especially during the coronavirus outbreak, where remote filing of everything has become the norm.

The IRS is currently in the middle of a five-step series called Working Virtually: Protecting Tax Data at Home and at Work, with help from government departments at state and federal level, taxation professionals and financial institutions.

Part 2 of the five-part series just came out and we can report that its primary advice is really simple:

Use multi-factor authentication to protect accounts.

Indeed, from 2021, the IRS will demand that all tax software vendors must offer multi-factor authentication, and expects all tax professionals preparing returns to make use of this feature:

Starting in 2021, all tax software providers will be required to offer multi-factor authentication options on their products that meet higher standards. Many already do so. A multi-factor or two-factor authentication offers an extra layer of protection for the username and password used by the tax professional. It often involves a security code sent via text.

Using multi-factor authentication is the second in a five-part series called Working Virtually: Protecting Tax Data at Home and at Work. The public awareness initiative by the IRS, state tax agencies and the private-sector tax industry – working together as the Security Summit – spotlights basic security steps for all practitioners, but especially those working remotely or social distancing in response to COVID-19.

Of the numerous data thefts reported to the IRS from tax professional offices this year, most could have been avoided had the practitioner used multi-factor authentication to protect tax software accounts.

What to do?

We know it’s an old drum, but we’re not tired of beating it yet: 2FA won’t sort out the problems of phishing and fraud, but it slows down cybercriminals significantly.

We know it’s an inconvenience: 2FA does add a bit of extra hassle to your online experience, but in return, you make things a lot harder for the crooks.

And we know there are plenty of excuses not to do it: your phone could get stolen; your SIM card could get swapped so that the crooks get your text messages instead; or you might lock yourself out if you leave your phone at home.

But in most cases, your phone won’t get stolen (or if it does it will be passcode protected and inaccessible anyway); your SIM card won’t get swapped (and even if it does the crooks still need your password too); and you won’t lock yourself out (or at least not after the first time it happens).

Why it’s worth it

We’ve found 2FA to be a bit like seatbelts and bicycle helmets.

At first, they’re all kind of annoying to use, and you feel a bit as though they’re a vote of no confidence that assumes you will fail rather than backing you to succeed.

After a while, though, they don’t just feel acceptable but highly desirable – because the effort involved in using them is close to zero, and you start to feel naked without them.

Tax refund fraud isn’t just an injury to you, it’s an insult to everyone, so…

please don’t delay, adopt 2FA today!