Tax Returns Are Shockingly Easy to Hack

All it takes is a little phishing.

There are plenty of reasons why tax season in the US is stressful—but for anyone who has recently been hacked, filing your taxes can be a nightmare.

Last year, Quartz reported on how hackers gained access to hundreds of thousands of US taxpayers’ data through an application on the IRS’s website, and used that information to file fake returns. In response, the fraud victims received PINs from the IRS, as a way to safeguard their future tax returns from more identity fraud (a system some have argued isn’t secure against future hacking attempts, either). But even if the IRS had never been hacked, criminals could still easily forge your tax return—and look forward to receiving your refund—if your employer has recently been hacked. All it takes is a simple phishing attempt.

Last month, employees at Mansueto Ventures (the owner of Fast Company and Inc. magazines) received an email from their CFO Mark Rosenberg about a major security breach into the company’s data. Employees’ names, addresses, social security numbers, and wage information were all obtained by the hackers, according to company emails obtained by Quartz.

In multiple company emails, Rosenberg urged employees to check with the IRS, as well as state and local tax authorities, about the status of their return. If they had not yet filed, there was a chance the IRS had already received a return under their name. One Mansueto employee who spoke under the condition of anonymity said that after calling the IRS, he was informed that the hacker had attempted to file a return in his name, but failed after getting his birthday wrong—and then successfully filed a return on the next try.

Thankfully, the employee told Quartz, he was able to resolve the matter with the IRS—by filing a paper return and mailing it in, along with an Identity Fraud Affidavit and multiple forms of ID—and the unauthorized filer never received any money on his behalf.

The Mansueto breach wasn’t necessarily a highly sophisticated operation. It was a spear phishing attack, according to the anonymous source, in which company information was released in response to a phony email. And the data was really all the masterminds behind the attack needed to fool the IRS, at least momentarily. The employee speaking to Quartz could not say how many other people at the company had to track down a fraudulent tax record under their name.

The IRS has been ramping up its efforts to protect taxpayers from identity fraud. In an interview with NPR, commissioner John Koskinen said the IRS has been working with state tax commissioners, tax preparers, and payroll providers, and even recruiting people from the tech industry to help fight taxpayer fraud. The problem, according to Koskinen, is that at the end of the day, the agency is “virtually not hiring anyone at all” due to budget cuts.