While many consumers are busy preparing their 2024 tax returns, a new study shows that nearly a thousand data breaches last year could have led to tax fraud.
Data from credit agency TransUnion found that there were 970 data breaches in 2024 where criminals obtained the types of personally identifiable information (PII) required for various forms of tax fraud. In total, 640 million consumer records were exposed, containing critical details like Social Security numbers, address histories, and full names.
Data breaches are significant because even a small amount of stolen information can enable criminals launch attacks. Exposed data can help criminals file false tax returns in a victim’s name or access bank accounts to intercept tax refunds. Many criminals also target call centers to verify stolen PII or use it to gain access to online government portals.
Keeping Data Out of Criminals’ Hands
A fairly new scheme involves a mailing that arrives in a cardboard envelope from a delivery service. The letter, featuring an IRS masthead, falsely claims to be “in relation to your unclaimed refund.” It requests sensitive personal information from taxpayers—including photos of driver’s licenses—which identity thieves can use to obtain a tax refund.
To protect against tax-related identity theft, experts recommend that consumers file their taxes early and electronically rather than mailing documents. Additionally, they suggest having tax refunds sent electronically instead of receiving a check by mail.
“You should also request an Identity Protection PIN through the IRS website,” said Jennifer Pitt, Senior Fraud & Security Analyst at Javelin Strategy & Research. “This prevents someone from being able to use your Social Security number to file taxes. And sign up for credit monitoring or identity protection services to monitor any use of your personal information.”
Watch How Notices Are Delivered
The IRS continues to see a barrage of email and text scams targeting taxpayers. These messages arrive as unsolicited texts or emails, attempting to lure unsuspecting victims into providing personal and financial information.
The IRS advises taxpayers to pay close attention to how they receive communications. The agency primarily contacts taxpayers through regular U.S. mail delivered by the U.S. Postal Service. Emails or texts are generally sent only with the taxpayer’s permission.
While the agency may call to verify information or set up a meeting, it never leaves prerecorded voicemails or robocalls—taxpayers can safely ignore those. Additionally, the agency will never initiate contact through social media.
