A few weeks ago, I got a letter from the IRS saying my taxes had been filed twice, which was surprising since I don’t even like to file them once. My identity had been stolen, and I found out the most frustrating way possible. Here’s how it happened, and how I recovered.
First came the benign warning signs…
For all we talk about “identity theft,” I never really knew what it looked like. I know how I’m supposed to avoid it though: Use strong passwords, get a password manager, and enable two-factor authentication. I know what it looks like when a service I use gets hacked. But how would I actually know when I personally get my identity stolen?
In my case, it all started when my Spotify account wouldn’t stop playing Enrique Iglesias.
I started to notice the warning signs in early February. I received a few unfamiliar emails with a two-factor authentication code to a service I hadn’t signed into (which means the system was working and keeping someone out). At first, I didn’t pay much attention. Given how many company password databases get leaked, I assumed this would happen eventually. Besides, they didn’t actually get in.
The first actual break-in was Spotify. On Facebook, I used a memorable password (as opposed to the lengthy string of randomized characters my password manager creates) because I enter it pretty regularly, but I assumed the two-factor authentication would keep me protected. And while it protected my Facebook account, my Facebook login info allowed someone to use my Spotify account (which doesn’t have 2-factor) while I was using it. Whoever took over my account started playing songs from Enrique Iglesias’ Sex and Love album which, thanks to Spotify’s remote control feature, ended up playing through my computer, which is what tipped me off to the break-in. I changed my Facebook login info, re-logged into Spotify, and everything was fine. Looking back, I should’ve realized something worse was coming.
…then the IRS got involved…
On February 16th, one day after I received the final form I needed, I filed my tax return. Filing early is usually a really good way to thwart identity theft, but I was just a few days too late. As I learned later, someone else had filed a tax return in my name on February 8th.
On February 26th, I received a letter from the IRS saying the return I just filed was the second one in my name and I would need to verify my identity before my return could be accepted. This eventually led to a lengthy phone call where I learned that whoever filed the initial return claimed about $20k extra income for a refund about $9k higher than I actually expected to receive. If I hadn’t caught the issue so early, it would have been a pretty big payday for the scammer.
After I got off the phone with the IRS, I tried to figure out how my information leaked. This led to my second weird revelation about having your identity stolen: you’ll never really know what went wrong. I later found out that the service I used to file my taxes, TaxSlayer, had suffered a security breach, which is probably what led to my information being leaked. The other possibility is that my information was included in the T-Mobile data breach late last year. Either way, though, I can’t be 100% sure which service was the one that let the scammer in, or what actually happened. All I can do is audit every account I have, which highlights how important it is to start with good security practices to begin with.
If you find yourself in a similar situation, it’s likely the IRS will contact you before you even know there’s an issue. However, you can find information on the IRS website on how to contact the agency if you think you might have had your information stolen.
…I got everything sorted out in the short term…
I had a bunch of cleanup on my plate after my call with the tax man. The IRS was able to cancel the fake return, but now I had to file a paper return instead. In addition, I would have to include a Form 14039 Identity Theft Affidavit with that return. Aside from being mildly annoying, it’s actually relatively painless. It’s less convenient and my refund will take a little longer, but it hasn’t ruined my life.
The IRS also gave me a bit of a to-do list to finish as soon as possible:
- File a complaint with the Federal Trade Commission: The FTC runs a site called IdentityTheft.gov, where you can file a complaint that will be kept on record and used for a fraud investigation if necessary. The site also helps walk you through other steps you should take to protect your identity.
- Notify one of the three big credit agencies: Whether or not your information has been used to affect your credit, you should notify one of Experian, Equifax, or TransUnion to let them know that your identity has been compromised. Once you contact one, they will notify the other two.
- Contact the Social Security Administration: You can log in to the SSA website to monitor your Social Security earnings for irregular activity. If you have repeated problems with someone using your Social Security number and nothing you do seems to stop it, you may qualify to get a new number.
We’ve also gone over many of these same steps in more detail here. Any time your identity is stolen, it’s good to be as thorough as possible. As I learned when I shrugged off Enrique Iglesias, just because you’ve dealt with the first problem doesn’t mean there won’t be bigger problems down the road to keep an eye out for, or to dive deeper to prevent.
…but there’s no way to know if this is over.
Despite an afternoon of filling out forms, making phone calls, and contacting every federal agency I could find an acronym for, I wasn’t done. In order to make sure this doesn’t happen again, I decided to audit everything about my own security, just in case. I used my password manager to check how strong my various passwords are. Any service that stores financial information was the first thing I checked, but I didn’t stop there.
I also decided to sign up for one of those free credit monitoring services I qualified for. Nearly every time a company experiences a major hack, they offer a deal with some third-party company for identity protection services for a while. If you scroll back through our tag page of companies who have been hacked, you’ll probably find one you’ve used, too. You can also monitor your credit for free, forever. In my case, T-Mobile offered two years of Experian identity protection for free. So, I decided it couldn’t hurt (and frankly, I probably should’ve signed up when they first offered it).
The strangest part for me, though, is that there’s no real climax. Since I never found out what exactly led to my identity being stolen, I have no idea if I’ve “solved” the problem. I triple-checked all my security measures, but they’re not infallible. Fortunately, I learned that there’s a more robust system in place to help victims of identity theft than I thought. However, I only found out my identity was stolen in time by dumb luck. For plenty of others, this kind of situation is the start of a months- or years-long disaster that can take an endless series of phone calls, forms, and stress to resolve. It always seems like it can’t happen to you, but with so many high-profile hacks, it’s almost becoming inevitable. You’re better off being prepared.