What Is Data Security for Tax Filing?
A single tax return holds an entire life in one place — Social Security number, date of birth, address, bank routing and account numbers, dependents’ SSNs, and employer details. Data security in tax filing is the set of rules, tools, and habits that keep all of that from being used against you.
Key Takeaways
- The IRS never initiates contact by email, text message, or social media to request personal or financial information.
- An IP PIN (Identity Protection PIN) is a six-digit number that blocks anyone else from e-filing a return under your SSN.
- File Form 14039 only when your e-file is rejected as a duplicate return — if you receive Letter 5071C, 5747C, 5447C, or 4883C, follow the letter’s instructions instead.
- Verify any preparer’s PTIN in the IRS Directory of Federal Tax Return Preparers before sharing your SSN.
- Report IRS-themed phishing to phishing@irs.gov; for non-tax identity theft, file a recovery plan at IdentityTheft.gov.
- Skip public Wi-Fi for tax work and enable multi-factor authentication on every account tied to your tax data.
Table of Contents
1. Why Tax Data Is a Primary Target
A single Form 1040 packages together almost every piece of personally identifiable information a criminal needs: Social Security number, date of birth, full legal name, home address, employer, bank routing and account numbers for direct deposit, and the SSNs of any dependents. That concentration is why tax return data sells on dark markets for prices well above an ordinary stolen credit card record.
The damage lands in two waves. The first wave hits the IRS — a thief files a fraudulent return early in the season and routes the refund to a pre-paid card or mule account. The second wave hits the rest of your financial life: credit cards opened under your name, fraudulent unemployment claims, loan applications built on the same stolen file. By the time you sit down with your W-2, the first wave may already be over.
The rest of this guide walks through the tools and habits that keep you ahead of those threats.
2. The Four Tax-Season Scams You Will See
Scammers do not need new ideas each year. Four patterns cover most of what Enrolled Agents see during filing season.
IRS impersonation calls. A caller claims to be from the IRS or the Treasury and demands immediate payment on an unpaid balance, threatening arrest, license suspension, or deportation. Real IRS contact never starts this way.
Phishing emails and smishing texts. Messages arrive with IRS logos and urgent subject lines — “Refund verification required,” “Unclaimed credit on your account,” or “Click to track your refund.” The links lead to fake login pages built to harvest SSN, date of birth, and bank credentials.
Ghost preparers. Unlicensed preparers who promise outsized refunds, ask for a fee based on the refund amount, and then refuse to sign the return they prepared. Some reroute the refund to their own bank account through direct deposit instructions.
Refund theft using a stolen SSN. The simplest pattern: someone files a return in your name before you do. You find out only when your own e-file is rejected with a duplicate-return error.
3. What the IRS Will Never Do
Most scams collapse the moment you know what genuine IRS contact actually looks like. The table below covers the lines the IRS does not cross.
| The IRS Will Never | Instead, the IRS Will |
|---|---|
| Demand payment by gift card, prepaid debit, or wire transfer | Mail a notice explaining your balance and payment options |
| Email, text, or DM you to request your SSN, bank details, or IP PIN | Send the first notice by U.S. mail through USPS |
| Threaten arrest, deportation, or license suspension over the phone | Provide multiple written notices and appeal rights before any enforcement |
| Send a photo of an employee badge by text to prove identity | Carry two forms of official credentials during legitimate in-person visits |
If a message or call does any of the things in the left column, treat it as fraud. Forward suspicious emails — full message with headers — to phishing@irs.gov, then delete.
4. The IP PIN: Your Strongest Shield
The Identity Protection PIN is the single most effective defense against tax-related identity theft. It is a six-digit number assigned by the IRS and used alongside your SSN when you file. A return submitted with your SSN but without the correct IP PIN is rejected automatically.
A new IP PIN is issued each calendar year. The number you hold this year protects every return you file during the same year — current year, prior years, and amended returns — and expires at year-end.
There are three ways to obtain one:
| Method | Who It Fits | Speed |
|---|---|---|
| IRS Online Account with ID.me verification | Anyone who can verify identity online | Immediate |
| Form 15227 (below the AGI thresholds set by the IRS) | Lower-income filers who cannot use ID.me | Mailed within 4–6 weeks |
| Taxpayer Assistance Center appointment | Anyone unable to verify online or by Form 15227 | Varies |
One non-negotiable rule: the IRS never asks for your IP PIN by phone, email, or text. Share the number only with the tax professional actually preparing your return. If you lose it, retrieve it through your IRS Online Account or call 800-908-4490 for reissue by mail.
5. How to Vet a Tax Preparer Before Sharing Your SSN
Every paid preparer must hold a PTIN — a Preparer Tax Identification Number — and sign every return they prepare. A preparer without a PTIN, or one who refuses to sign, is the single biggest red flag in the industry.
Before handing over your documents, check:
- Look up the preparer in the IRS Directory of Federal Tax Return Preparers with Credentials and Select Qualifications.
- Confirm the preparer will sign the return and enter their PTIN on the signature line.
- Walk away from any fee arrangement based on a percentage of your refund — this is prohibited.
- Verify the credential level. An Enrolled Agent, CPA, or tax attorney can represent you before the IRS without limitation. Annual Filing Season Program participants have limited representation rights.
- Never sign a blank return, and never sign a return you have not reviewed line by line.
6. If You Suspect Your Identity Has Been Stolen
The order in which you take the next steps matters. Acting in the wrong sequence — especially filing a duplicate Form 14039 — delays your case rather than speeding it up.
Step 1 — Respond to the IRS correctly. If you received Letter 5071C, 5747C, or 5447C, verify your identity at idverify.irs.gov. Letter 4883C requires calling the toll-free number printed on the letter. In any of these situations, do not file Form 14039 unless the IRS specifically directs you to — duplicate affidavit filings cause processing delays. File Form 14039 only when your e-filed return is rejected as a duplicate and no IRS verification letter has arrived.
Step 2 — Report to the FTC. File the incident at IdentityTheft.gov. The site generates a personalized recovery plan that covers credit, banking, and government-benefit steps outside the IRS’s jurisdiction.
Step 3 — Freeze your credit. Contact Equifax, Experian, and TransUnion individually and place a security freeze on each file. A freeze blocks new accounts from being opened under your name without your PIN.
Step 4 — File your return anyway. If the IRS rejects your e-file, file on paper. Your tax obligation does not pause because someone stole your data.
Step 5 — Enroll in the IP PIN program. Confirmed identity-theft victims are enrolled automatically by the IRS. Everyone else should opt in voluntarily before the next filing season opens.
7. Everyday Habits That Prevent Most Breaches
Most tax-data compromises do not start with a sophisticated attack. They start with a weak password, a coffee-shop Wi-Fi network, or an unshredded W-2 in a recycling bin.
- Secure your home Wi-Fi with WPA2 or WPA3 encryption and a long, unique password.
- Never file a return, log into an IRS account, or open tax documents on public Wi-Fi.
- Do not carry your physical Social Security card in your wallet. Store it in a locked location at home.
- Keep W-2s, 1099s, and supporting records for at least three years, then shred — do not simply recycle.
- When sending tax documents to a preparer, use an encrypted client portal or a password-protected PDF, never plain email.
- Enable multi-factor authentication (MFA) on your IRS Online Account, tax software, and any email account tied to tax correspondence. MFA turns a stolen password into a dead end.
EA Insight
A few years ago, a New York client called in late February after her e-file was rejected as a duplicate return. Someone had already filed under her SSN and received a $4,170 refund by direct deposit. The trigger turned out to be an email from the previous December — an “IRS Refund Verification” message she had opened, clicking through to a fake portal where she entered her SSN, date of birth, and checking-account information. We filed a paper return with Form 14039 attached, registered her for an IP PIN, opened a case at IdentityTheft.gov, and placed freezes at all three credit bureaus. Her legitimate refund finally arrived about nine months later. Since then, she has received a new IP PIN every year and shares it only with our office. The lesson that stuck with both of us: scammers do their most dangerous work in the fall and early winter, months before anyone is thinking about filing.
Frequently Asked Questions
Does the IRS ever send emails or text messages?
No. First contact from the IRS arrives by U.S. mail through USPS. Emails, texts, and social-media messages claiming to be the IRS are phishing. Forward them to phishing@irs.gov with full headers, then delete.
How quickly can I get an IP PIN?
Through an IRS Online Account with ID.me verification, immediately. By Form 15227, mailed within four to six weeks. At a Taxpayer Assistance Center, on the day of your appointment once identity is verified.
What if I lose my IP PIN?
Retrieve it through your IRS Online Account. If you cannot access the account, call 800-908-4490. Once the IRS verifies your identity, a replacement is mailed within 21 days.
My data was exposed in a breach, but my return was accepted. Do I need Form 14039?
No. Form 14039 is for tax-related identity theft specifically. Request an IP PIN for future protection and file a non-tax identity-theft report at IdentityTheft.gov.
Official Resources
Disclaimer: This article is for educational and informational purposes only and does not constitute tax, legal, or financial advice. Tax laws, IRS procedures, and security tools change periodically. Always consult a qualified tax professional for guidance tailored to your specific situation.