The recent flood of fraudulent tax returns -- both state and federal -- is the work of "a criminal gang, possibly working outside the country," a leading cyber security expert told NBC News.
Haywood Talcove, CEO for government solutions at LexisNexis, believes the gang is using stolen user names and passwords to gain access to the accounts of people who use online tax preparation software.
"This is potentially the most serious breach of personally identifiable information in the history of our country," Talcove said. "The tax form is the mother lode of personal information."
Armed with this stolen information -- Social Security number, date of birth, dependents, employer and adjusted gross income -- the thieves can file bogus state and federal income tax returns. If they can file before you do and their fake return makes it through the system, they can steal a sizeable refund.
The IRS says that it is working with the software industry and with state tax officials to battle fraud. "Preventing and detecting identity theft and refund fraud remains a top priority for the IRS," the agency said in a statement on Friday. It added that taxpayers should continue to file their tax returns as they normally would.
The vulnerability of online tax preparation services became apparent last week when the Utah Tax Commission and the Minnesota Department of Revenue found thousands of potentially fraudulent returns. Those returns were filed using TurboTax, the popular program made by Intuit.
Intuit temporarily stopped the transmission of e-filed state income tax returns on Friday while it investigated. It resumed processing state returns after announcing that it had implemented additional verification measures, such as multi-factor authentication, which requires a second proof of identity beyond the password and has proven effective at preventing identity theft.
In a blog post on Friday, the company wrote that filing of federal returns was not affected. But on its Answer Exchange page ("How did my TurboTax account get hacked into?"), a half-dozen customers reported fraud problems with their federal return. The company agrees that is the case.
"We're absolutely aware that tax fraud is happening at the federal level as well, using compromised credentials," Julie Miller, Intuit's vice president of communications, told NBC News. "This is a multi-front battle and we are going to fight it at both the state and federal level."
Intuit insists its systems were not breached. The company suggests that victims had their TurboTax login information stolen from "other sources outside the tax preparation process," possibly through a phishing scam or some other online attack.
Lisa Letchworth, who lives in Washington State, doesn't know how it happened, but crooks got into her TurboTax account. Last Tuesday, when she logged on to start her federal return, she got a nasty surprise. A message on the screen said her return had already been filed and the IRS was issuing a refund of $5,013 to someone else on a prepaid card.
"It freaked me out," she said.
Letchworth was able to see the bogus return the criminals had filed. They had all the information from last year's return -- including the names and Social Security numbers of everyone in her family, employer names, even a special education credit she claimed.
"It's really frightening," she said. "It's painfully clear they got into my account."
Because the crooks filed first, Letchworth and her husband will have to prove to the IRS that they were the victims of identity theft. Letchworth said the IRS told them it could take six months to straighten out all the paperwork and get them their refund.
What's going on here?
Tax return fraud isn't new. It's been a massive problem for both the IRS and states with an income tax. The IRS reports that it has blocked more than $63 billion in fraudulent returns since 2011.
Online tax preparation software makes it easy for crooks to create a fake return. Having the refund deposited to a prepaid card provides a low-risk way to access the stolen money.
And the crooks are getting better at beating the system.
Instead of using stolen Social Security numbers alone to build their fraudulent returns, they buy compromised credentials to log in to tax preparation accounts and pull the past returns stored there. Using information from a real return to create a false one improves the odds that it will evade detection.
Security expert Brian Krebs told NBC News that he's found login credentials for TurboTax, H&R Block and similar services being sold on the dark web for just pennies each.
"Typically, the usernames and passwords for consumer accounts at these services are obtained via password-stealing malware that infects end-user PCs," Krebs writes on his blog.
What can you do to protect yourself?
If you use online tax preparation software, especially the kind that stores your completed tax returns, change your login information right away. That's really the only thing you can do.
Security experts believe this crime wave will get worse unless the states and the IRS deploy better procedures and more sophisticated software that can detect and stop possible return fraud.