A Stranger Stole My Identity and Filed My Tax Return

A few weeks ago, I received a letter from the IRS saying that my tax returns were filed twice, which was surprising since I don’t even like to file them once. My identity was stolen and I found out in the most unpleasant way possible. This is how it happened and how I recovered.

First came the benign warning signs …

Even though we’re talking about identity theft, I never really knew what it looked like. I know how I can avoid this: use strong passwords, get a password manager, and turn on two-factor authentication. I know what it looks like when the service I’m using is hacked. But how do I really know if my personal data will be stolen?

In my case, it all started when Enrique Iglesias never stopped playing on my Spotify account.

I started noticing warning signs in early February. I received several unfamiliar emails with a two-factor authentication code for a service that I did not log into (which means the system is working and is not letting someone in). At first I didn’t pay much attention. Given the number of leaks from companies’ password databases, I assumed this would eventually happen. Plus, they weren’t actually logged in.

The first real breakthrough was Spotify. On Facebook, I used a memorable password (as opposed to the long string of random characters my password manager generates) because I enter it fairly regularly, but I assumed that two-factor authentication would protect me. And while it protected my Facebook account, my Facebook login details allowed someone to use my Spotify account (which doesn’t have two-factor setup) while I was using it. Whoever took over my account started playing songs from Enrique Iglesias’s Sex and Love album, which, thanks to Spotify’s remote control feature, ended up playing through my computer, which reminded me of the hack. I changed my Facebook login details, logged in to Spotify again and everything was fine. Looking back, I should have realized that something worse was coming.

… then the IRS stepped in …

On February 16, the day after I received my final form, I filed my tax return. Filing early is usually a really good way to prevent identity theft, but I was only a few days late. As I found out later, on February 8, someone filed a tax return in my name.

On February 26th, I received a letter from the IRS stating that the return I had just filed was the second return in my name and I would need to verify my identity before my return could be accepted. This ultimately led to a lengthy phone call, during which I learned that whoever filed the initial tax return had demanded about $20,000 in additional income to recover about $9,000 more than I actually expected to receive. If I hadn’t caught the problem so early, it would have been a pretty big paycheck for a scammer.

After talking on the phone with the IRS, I tried to figure out how my information was leaked. This led to my second weird revelation about stealing your identity: You will never know what went wrong. Later I learned that the service TaxSlayer, which I used for filing the tax return, was affected by a hack, which probably led to the leakage of my information. Another possibility is that my information was included in a T-Mobile data breach late last year. In any case, however, I cannot be 100% sure which service allowed the scammer or what actually happened. All I can do is check every account I have, which underlines how important it is to start with good security practices.

If you find yourself in a situation like this, the IRS will most likely contact you before you even know about the problem. However, you can find information here on the IRS website on how to contact the agency if you believe your information may have been stolen.

… I figured it out in a short time …

After talking with the tax inspector, I had a bunch of cleaning on my plate. The IRS was able to cancel the fake refund, but now I had to file a paper refund. In addition, I would have to attach a Form 14039 Identity Theft Affidavit (PDF) to this report. Aside from being a little annoying, it’s actually relatively painless. It is less convenient and it will take a little longer for my return, but it has not ruined my life.

The IRS also gave me a small to-do list to get done as soon as possible:

  • File a complaint with the FTC. The FTC has a website called IdentityTheft.gov where you can file a complaint that will be logged and used to investigate fraud when needed. The site will also guide you through other steps you should take to protect your identity.
  • Notify one of the three major credit agencies. Regardless of whether your information was used to influence your credit, you must notify one of Experian, Equifax or TransUnion so that they know that your identity has been compromised. Once you contact one, they will notify the other two.
  • Contact the Social Security Administration: You can log into the SSA website to track your Social Security earnings for irregular activity. If you have repeatedly had trouble with someone using your Social Security number and you feel like nothing is working, you may qualify for a new number.

We’ve also covered many of these steps in more detail here. Whenever your identity is stolen, it’s best to act as carefully as possible. As I learned when Enrique Iglesias shrugged his shoulders, just because you dealt with the first problem doesn’t mean there won’t be big problems in the future to watch out for, or to dive deeper to prevent.

… But there is no way to know if it’s over.

Even though I filled out forms in the afternoon, made phone calls, and contacted any federal agency I could find an acronym for, I was not done. To make sure it doesn’t happen again, I decided to check everything about my own safety just in case. I used my password manager to check how strong my passwords are. Any service that stores financial information was the first one I checked, but I didn’t stop there.

I also decided to sign up for one of those free credit monitoring services that I was entitled to. Almost every time a company is seriously hacked, it offers a temporary deal with a third party company to provide privacy protection services. If you scroll back to our page for tags of companies that were hacked, you will likely find one that was also used. You can also track your credit for free and forever. In my case, T-Mobile offered two years of Experian’s privacy protection for free. So I figured it wouldn’t hurt (and honestly, I should probably have signed up when they first suggested it).

But the strangest thing to me is that there really isn’t a climax. Since I never found out what exactly led to the theft of my identity, I have no idea if I “solved” the problem. I have checked all my security measures three times, but they are not flawless. Fortunately, I found out that there is a more reliable system for helping victims of identity theft than I thought. However, I found out that my identity was stolen in time by stupid luck. For many others, this situation is the beginning of months or years of disaster that can take an endless series of phone calls, forms and stress to resolve. It always seems like this cannot happen to you, but with so many high-profile hacker attacks, it becomes almost inevitable. You better get ready.
