Introduction
Refund fraud — a form of tax-related identity theft — occurs when a criminal files a tax return using your name and Social Security number and directs the refund to an account they control. Direct deposit makes transfers fast, which is great for legitimate refunds but also attractive to fraudsters. The strategies below combine IRS tools, banking controls, and practical habits I use with clients to reduce risk and speed recovery if fraud occurs.
How refund fraud typically works
- Data harvesting: Criminals obtain personal data through data breaches, phishing emails, public records, or buying stolen information on the dark web.
- File-and-run: They file a tax return early in the season, often before you do, and list a bank account or prepaid card they control for the refund.
- Cash out: Once the refund is deposited, fraudsters attempt to withdraw or move funds quickly.
Why direct deposit is targeted
Direct deposit is preferred by criminals because it moves funds directly into an account without the delay of mailing a check. That speed reduces the window for victims or the IRS to detect and stop the transaction. Because reversing an ACH payment can be complex and time-sensitive, your best defense is preventing unauthorized routing information from being used in the first place.
Immediate prevention steps (do these now)
- File early when possible
- Filing your legitimate tax return early in the season shrinks the window a fraudster has to submit a fake return in your name. This is one of the simplest, highest-impact defenses.
- Use an IRS Identity Protection PIN (IP PIN) if eligible
- An IP PIN is a six-digit code the IRS issues to confirmed identity-theft victims and a growing group of taxpayers through its opt-in program. The IP PIN prevents someone else from filing a federal return using your Social Security number because the return without the correct PIN will be rejected by the IRS. Learn more and apply via the IRS Get an IP PIN tool (irs.gov/get-an-identity-protection-pin) or check the IRS Identity Theft pages for eligibility and processes (irs.gov/identity-theft-fraud-scams).
- Limit where you give your bank routing/account numbers
- Only share direct deposit details with trusted employers, the IRS (via your tax return), and trusted financial institutions. Never provide them in response to an unsolicited email or phone call. When a legitimate party asks for bank details, confirm the request by calling a verified number.
- Enroll in bank transaction alerts and set low withdrawal notifications
- Activate mobile and email alerts for ACH credits and debits, large withdrawals, and new payee additions. Set thresholds low enough to catch suspicious deposits or immediate withdrawals. Many banks let you require multi-factor approval for new external transfers.
- Use strong, unique passwords and multi-factor authentication (MFA)
- For your bank, tax filing sites, and email accounts, use long passphrases or a password manager and enable MFA. In my practice, clients who enable MFA reduce the chance that stolen credentials will allow someone to add or change direct deposit settings.
- Consider a credit freeze or fraud alert
- A freeze stops most new credit accounts from being opened in your name, making it harder for criminals to create accounts they might use to launder refunds. A fraud alert is a lighter-weight option that warns creditors to verify identity. You can place a freeze or fraud alert through the three nationwide credit bureaus and use IdentityTheft.gov for step-by-step help.
- Monitor your IRS account and tax transcripts
- Create an IRS online account (if eligible) to monitor recent filings and tax transcripts. The IRS will sometimes flag suspicious activity, but you should also check your account annually or after suspicious notices.
- Protect your email and phone
- Many tax-filing services and banks use email to send reset links. If an attacker controls your email or phone, they can redirect deposits and reset passwords. Use MFA on email and consider separating financial accounts into a dedicated, secured email address.
Bank and payroll best practices
- Verify direct deposit setup with your employer: Confirm routing and account numbers directly with HR/payroll — not through a third party’s emailed form. If your employer allows, set pay frequency and notification preferences so you’ll know when a deposit posts.
- Review changes to direct deposit: Treat any company notification that your direct deposit has been changed as urgent. Contact payroll immediately to verify.
- Use established banks and credit unions: Financial institutions with robust fraud teams and recovery programs can act faster if an unauthorized deposit appears.
If your refund or direct deposit is compromised — step-by-step
- Contact your bank immediately
- Tell them you suspect an unauthorized deposit or transfer. Ask them to freeze or flag the account and provide details of the transaction (date, amount, routing numbers). Banks may reverse unauthorized internal transfers or assist in recovery if you report quickly.
- Report to the IRS if tax-related compromise is suspected
- If someone filed a tax return in your name, submit IRS Form 14039, Identity Theft Affidavit (irs.gov/forms-pubs/about-form-14039). Follow IRS instructions for identity-theft-related returns and keep copies of all communications.
- File a report with the FTC and your state consumer protection agency
- Use IdentityTheft.gov to create a recovery plan and generate an FTC report you can use with banks and credit bureaus. Also report the incident to your state attorney general if required.
- Place fraud alerts or freezes on your credit reports
- Contact the three major credit bureaus to add an alert or freeze, which helps prevent new accounts from being opened using your identity.
- Work the internal controls: payroll, tax pro, bank
- If a malicious actor changed employer direct deposit instructions, your employer’s payroll provider may be able to reverse a deposit or stop future payments. If a tax preparer or software account was used without authorization, contact the provider to lock the account and review recent activity.
How reversals and recoveries generally work
- ACH and bank reversals: Banks can sometimes reverse unauthorized ACH credits, but timing matters. Reversals often require bank investigation and cooperation from the receiving bank.
- IRS refunds lost to identity theft: Recovering a stolen IRS refund may take months. The IRS sometimes issues a paper check to a verified victim or works through identity verification steps. The IRS publishes guidance on identity-theft-related refunds and Form 14039 instructions (irs.gov).
- Documentation helps: Keep dated records of emails, notices, bank statements, and phone calls. These expedite investigations with banks, the IRS, and law enforcement.
Products and services worth considering
- Identity monitoring and recovery services: These services can alert you when personal data appears on risky lists, but choose reputable providers and understand limitations and costs. See our guide on Identity Theft Protection Services.
- Credit monitoring or alerts from credit bureaus: Useful for early warnings of new accounts or credit inquiries tied to your SSN.
- Bank account rewards or insurance products: Some accounts include fraud reimbursement or insurance riders; read terms carefully.
Common mistakes to avoid
- Sharing bank details casually: Do not give routing and account numbers over email, social media, or to unknown callers.
- Ignoring small alerts: Small, unexpected deposits or micro-deposits may signal account testing by fraudsters.
- Waiting to report: Delay reduces the chance of reversal and increases the difficulty of tracing funds.
Checklist: Fast action when you suspect refund fraud
- [ ] Call your bank and freeze the affected account or ask for a block on outbound transfers.
- [ ] Contact your employer or payroll provider (if payroll was affected).
- [ ] File IRS Form 14039 if a tax return was filed in your name.
- [ ] File an FTC report at IdentityTheft.gov and follow the recovery plan.
- [ ] Place a fraud alert or credit freeze with credit bureaus.
- [ ] Change passwords and enable MFA on financial and email accounts.
Related FinHelp resources
- Protecting Your Refund from Identity Theft: Detection and Recovery Steps — a detailed walk-through of how to detect tax refund identity theft and recover refunds. (See: Protecting Your Refund from Identity Theft: Detection and Recovery Steps)
- IRS Identity Theft Protection PIN — how the IP PIN works and whether you should get one. (See: IRS Identity Theft Protection PIN)
- Identity Theft Response Plan for Financial Accounts — step-by-step actions to take when your bank accounts are targeted. (See: Identity Theft Response Plan for Financial Accounts)
Author note and professional context
In my 15 years advising clients on tax and financial security, the combination of filing early, using an IP PIN when eligible, and layering bank alerts with MFA has prevented most simple refund-fraud attempts. When a client’s payroll or refund is targeted, fast coordination between the bank, employer, and the IRS typically produces the best results.
Authoritative sources and further reading
- IRS — Identity Theft and Tax Fraud pages, including the Get an IP PIN tool and Form 14039 guidance (https://www.irs.gov/identity-theft-fraud-scams and https://www.irs.gov/forms-pubs/about-form-14039).
- Federal Trade Commission — steps to report identity theft and create a recovery plan (https://www.identitytheft.gov/).
- Consumer Financial Protection Bureau — resources on protecting online and bank accounts (https://www.consumerfinance.gov/).
Professional disclaimer
This article is educational only and does not constitute legal, tax, or financial advice. For guidance specific to your situation, consult a licensed tax professional, CPA, or attorney. If you believe you are a victim of identity theft, take immediate steps with your bank, the IRS, and law enforcement as described above.
