How can I protect my identity when using online IRS tools?

Online IRS tools (for example, the IRS Online Account and Get Transcript services) let taxpayers view tax records, make payments, and access notices. Because these services store highly sensitive data, they are attractive to scammers and identity thieves. Below are practical, evidence-backed steps you can take today and what to do if you suspect fraud.

Why this matters

Tax accounts contain Social Security numbers, income details, and refund information: data criminals can use to commit tax return fraud, open credit accounts, or commit other identity crimes. The IRS and the FTC offer current guidance on scams and recovery steps (see IRS Identity Theft Central at https://www.irs.gov/identity-theft-central and the FTC's IdentityTheft.gov at https://www.identitytheft.gov/).

In my practice I’ve seen two common patterns: (1) people click on convincing phishing links that harvest credentials, and (2) others reuse passwords across services so one breach becomes many. Both are preventable with basic controls.


Immediate technical protections (what to do first)

  • Use unique, strong passwords for your IRS account and related email. Aim for passphrases or randomly generated passwords at least 12 characters long.
  • Use a reputable password manager to store unique passwords and generate new ones (examples: 1Password, LastPass, Bitwarden). Password managers also reduce the temptation to reuse credentials.
  • Enable multi-factor authentication (MFA) for your IRS Online Account and for the email address tied to it. MFA could be an authentication app (recommended) or a hardware security key.
  • Keep your computer, phone, and router firmware up to date. Turn on automatic updates for your operating systems and browsers.
  • Install and maintain anti-malware software on devices used to access IRS services.
  • Avoid using public Wi‑Fi for tax account access. If you must use public internet, connect through a trusted VPN to encrypt your traffic.

Citations: IRS guidance on protecting your account and common scams (https://www.irs.gov/identity-theft-central; https://www.irs.gov/newsroom/tax-scams-consumer-alerts).


Account-level actions on IRS services

  • Create an IRS Online Account only at the official IRS website and complete identity verification using the IRS-approved processes. The IRS provides specific verification instructions on its site (https://www.irs.gov/payments/your-online-account).
  • Consider enrolling in an Identity Protection PIN (IP PIN) if you’re eligible or if the IRS invites you to do so. An IP PIN is a six-digit code that prevents most fraudulent federal income tax returns from being filed using your SSN (https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin).
  • Monitor your IRS Online Account and tax transcripts regularly for unfamiliar activity or filings.

Phishing, scams, and how to verify communications

  • The IRS will not initiate contact by email, text, or social media asking for personal financial details. The IRS primarily communicates by mail for individual tax matters. If you receive an unsolicited email or text claiming to be from the IRS, do not click links or provide data—verify the message by visiting the IRS site directly (https://www.irs.gov/).
  • Look for red flags: incorrect grammar, urgent language demanding immediate payment, spoofed sender addresses, or unexpected attachments.
  • If you receive a suspicious communication, forward phishing emails to the IRS at phishing@irs.gov and to the Treasury Inspector General for Tax Administration (TIGTA) at complaints@tigta.treasury.gov (check the IRS site for up-to-date reporting addresses).

Source: IRS consumer alerts and scam guidance (https://www.irs.gov/newsroom/tax-scams-consumer-alerts).
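
The advice above to verify a message by going to the IRS site directly comes down to reading the link's real host rather than the text around it. The following is an added example, not part of the original article or any IRS tool: a small checker that explains why a link does or does not point at irs.gov. The allowlist, the function names, and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: irs.gov is the only domain treated as official.
OFFICIAL_DOMAINS = ("irs.gov",)


def classify_link(url: str) -> str:
    """Return 'official', or a short reason why the link should not be trusted."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "not https"
    if not host:
        return "no host"
    # "https://www.irs.gov@other.example/" really goes to other.example.
    if parts.username is not None or parts.password is not None:
        return "userinfo before host"
    # Punycode or non-ASCII labels can render as look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "internationalized host (possible lookalike)"
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain; "irs.gov.example" does not qualify.
        if host == domain or host.endswith("." + domain):
            return "official"
    return "host is not an official domain"


# Constructed sample links; none are taken from a real message.
SAMPLE_LINKS = [
    "https://www.irs.gov/payments/your-online-account",
    "https://irs.gov.account-verify.example/login",
    "https://www.irs.gov@login.example.net/verify",
    "https://irs-gov.example.com/refund",
    "http://www.irs.gov/",
    "https://xn--rs-mia.gov/",
]


def review(links):
    """Map each link to its classification."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in review(SAMPLE_LINKS).items():
        print(f"{verdict:45} {link}")
```

A result of "official" only says where the link points; it says nothing about whether the message that carried it is genuine, so typing the address yourself remains the safer habit.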


Practical habits for safer tax account access

  • Use a dedicated email address for financial and tax accounts. This reduces exposure if a personal or social email is compromised.
  • Limit administrative privileges on your devices; avoid using an administrator account for daily browsing.
  • Log out of IRS sessions and clear browser caches on shared devices.
  • Use browser extensions or settings that block known malicious websites and trackers (e.g., privacy-oriented adblockers), but don’t rely solely on them.

If you think your IRS account or tax identity has been compromised

Take each step quickly and document what you do. Time matters when stopping additional fraud.

  1. Change passwords and enable MFA on the affected accounts (IRS account and the recovery email). If you cannot access your IRS account, use the IRS Identity Theft resources.
  2. File an identity theft report at IdentityTheft.gov (FTC) and follow the recovery plan provided there (https://www.identitytheft.gov/).
  3. If tax-related identity theft is suspected (fraudulent return filed in your name), file IRS Form 14039, Identity Theft Affidavit, if instructed by the IRS or if you cannot resolve suspicious tax activity through the online account (https://www.irs.gov/forms-pubs/about-form-14039).
  4. Consider placing a fraud alert or credit freeze with the three major credit bureaus (Experian, TransUnion, Equifax). A credit freeze prevents most new credit lines from being opened in your name.
  5. If you receive IRS notices about identity theft (for example, verification letters), follow the instructions on the notice and use the IRS Identity Theft Central page to learn next steps (https://www.irs.gov/identity-theft-central).


Real-world scenarios and lessons learned

  • A small-business client of mine received an email that looked like an IRS notice and provided a link to “verify” their account. Because they used a password manager and had MFA enabled, the scammer couldn’t access the account even after obtaining the email password via a separate breach. Lesson: layered defenses (unique passwords + MFA) stop many attacks.
  • Another taxpayer who had previously been a victim was enrolled in the IP PIN program; the IP PIN prevented a fraudulent e-filed return from being accepted using their SSN. Lesson: preventive IRS tools like the IP PIN can block refund fraud up front.

Common mistakes to avoid

  • Reusing the same password across multiple accounts.
  • Clicking links in unsolicited emails that claim to be from the IRS.
  • Assuming a phone call claiming to be the IRS is legitimate—IRS imposters often use aggressive tactics. When in doubt, hang up and call the IRS at a number listed on IRS.gov.
  • Ignoring small warning signs (e.g., an unexpected change in tax filing status or a notice you didn’t expect).

Quick checklist you can follow now

  • Create or enable unique passwords and turn on MFA.
  • Register for or review your IRS Online Account at IRS.gov.
  • Consider an IP PIN if eligible or if invited.
  • Use a password manager and update devices/antivirus.
  • Report suspicious IRS communications to phishing@irs.gov and visit IdentityTheft.gov if fraud is suspected.

When to contact professionals

If you’re overwhelmed by an identity theft situation—multiple fraudulent returns, unauthorized accounts, or complex business tax issues—connect with a qualified tax professional or identity-theft specialist. In my experience, coordinating with a tax pro speeds communication with the IRS and helps preserve records necessary for recovery.

Professional disclaimer

This article is educational and does not replace personalized legal, tax, or cybersecurity advice. If you suspect identity theft affecting your tax account or finances, consult a qualified tax professional, attorney, or the IRS immediately.