CHICAGO–Credit unions will want to start cautioning their members about tax refund theft, as 2025 brings an elevated risk, according to a new TransUnion analysis.
The company noted Researchers found that in 2024 there were 970 data breaches in which fraudsters obtained the kinds of personally identifiable information (PII) required for various forms of tax fraud.
“In total, 640 million consumer records were exposed in 2024, containing critical pieces of information like Social Security numbers, address histories, and full names,” TransUnion stated.
It pointed to a recent TransUnion report that found full Social Security numbers were exposed in 71% of data breaches in the first half of 2024 alone—up from 57% in all of 2023. The exposed information can help fraudsters file false tax returns in a victim’s name, or access someone’s bank account to intercept their tax return, TransUnion added.
‘Tremendous Vulnerability’
“What we found is that the volume and severity of recent data breaches have created tremendous vulnerability,” Greg Schlichter, director of research and consulting for TransUnion’s public sector business,” said in a statement. “Government agencies, like the IRS, as well as financial institutions and consumers need to be alert to this threat.”
Defeating Fraudsters
TransUnion is offering this advice for defeating fraudsters:
- Many fraudsters will target call centers to either test the veracity of PII acquired from criminal marketplaces, or to directly impersonate a victim. “Call center leaders must look out for suspicious calls—such as those that show signs of spoofing, or those placed through a Voice-over-IP service—even for routine requests like address changes or tax return tracking,” the company said.
- Fraudsters will access online government portals with stolen PII to validate stolen identity information, file false returns or intercept return status updates. Organizations and agencies should employ identity verification and document authentication technologies to flag impersonators who may also use AI to generate photo-realistic credentials, TransUnion recommended.
What’s Needed
TransUnion said its researchers note branded calling tools are likely needed for organizations and agencies looking to proactively notify taxpayers whose returns are at risk, given the volume of government impersonation fraud. The company said one of its recent surveys found 62% of consumers won’t answer a call from a number or caller ID name they don’t recognize, even if they’re expecting a call from a government agency.
Role for Financial Institutions
TransUnion said financial institutions:
- Should check to confirm that the payee matches the account owner on record. “This can help ensure that incoming funds are intended for that customer/member.”
- “Even prior to this point, however, (financial institutions) should already be scrutinizing their deposit account openings to check for potentially fraudulent account creations that are used for criminal activities like drop accounts and mule accounts,” the company said. “Similarly, financial institutions should remain diligent to try to protect their existing deposit accounts from account takeovers”
Steps by Consumers
TransUnion said consumers and members can also protect themselves by monitoring their bank account activity and credit history. When they know their tax refund is due, they can check regularly to ensure it remains in their account.
“They can also use credit monitoring services to know if fraudsters have created new accounts in their name,” it added.