Here’s a terrible thing that happens: Thieves pretend they’re you, file a tax return in your name very early in the year, claim a fat refund and run away with the money.
When you try to file your own return, the Internal Revenue Service rejects it. After all, according to the agency’s system, your taxes have already been filed.
Months, and sometimes years, of hellish red tape ensues.
The I.R.S. has a tool called an identity protection PIN, or IP PIN, that can prevent this nightmare in most instances. You register and hand over some personal information so the government can verify you. Then you get a six-digit IP PIN to use when filing your taxes each year.
Easy enough, right? But my inbox is filled these days with deep wariness. For weeks now, the so-called Department of Government Efficiency has deployed individuals inside the I.R.S. to poke at its computer systems.
Readers worried about the possibility of those people breaking something and exposing data accidentally to wider numbers of people. Or that they would inadvertently create vulnerabilities that hackers could exploit. They also said they were worried that Elon Musk or others on his team could use the I.R.S. data for nefarious purposes.
I’ve gone ahead and gotten my IP PIN anyway. So has James E. Lee, president of the Identity Theft Resource Center, a former cybersecurity executive who is on an I.R.S. advisory panel.
In these highly uncertain times, we can’t be sure who will do what to whom next.
But we can know what has already happened to data that the federal government stores. In 2015, the White House revealed that hackers had stolen vast troves of sensitive information about 21.5 million people from the federal Office of Personnel Management. Last year, a former I.R.S. contractor was sentenced to five years in jail for leaking data on thousands of wealthy citizens, including President Trump, to The New York Times and ProPublica.
“Any place that stores your personal information, whether the U.S. government or the corner grocery store, is at risk — period,” Mr. Lee said.
So if DOGE represents added risk, why not add protection?
It’s not a rhetorical question to plenty of readers, so let’s start with an explainer on how the I.R.S.’s IP PIN system works.
To begin, you’ll need an online account with the agency if you don’t have one already and complete a brief identity verification process. During that process, you’ll hand over information that the federal government most likely already has — and thus, like any such data, is already there for the taking if thieves or bad internal actors want to put it to nefarious uses.
Once you’re registered, generating the IP PIN is quick and easy. You don’t need to save or remember it, either; you can log back in to get it when you need it. (This PIN is different from the five-digit PIN that some people use to file their taxes electronically, and you can have both types.)
Then you submit the IP PIN when filing your taxes. The IP PIN will change once per year. The I.R.S. has a thorough F.A.Q. about the IP PIN system on its website.
Now consider the downside of not protecting yourself. If thieves file a return in your name — and it has happened to hundreds of thousands of people — you won’t get any tax refund owed to you for a good long while. And to get that money, you’ll spend a lot of unquality time with the I.R.S. re-establishing yourself.
And then there’s this: My colleague Andrew Duehren recently reported that the I.R.S. is preparing to reduce its work force by as much as 50 percent. Good luck to anyone trying to fix an identity theft problem if that happens. It could easily take a couple of years.
I worry more about the risk of tax-refund fraud than I do about DOGE employees’ work inside the I.R.S. Most of my personal data is already out there somewhere on the dark web or hackable in various places anyway.
As the former I.R.S. taxpayer advocate Nina E. Olson, now the executive director of the nonprofit Center for Taxpayer Rights, told me via email this week, there are still laws about disclosure of taxpayer data. That’s why that I.R.S. contractor went to jail.
If DOGE employees or Mr. Musk himself breaks those laws, there will be consequences. And if there aren’t, we will be in a great deal more existential trouble as a country.
Ms. Olson said she was going to get her own IP PIN. I wondered if Danny Werfel, the last I.R.S. commissioner under President Joseph R. Biden Jr., had already done so.
He didn’t want to say when we talked this week. He has a longstanding practice of not getting too personal, lest he look like he’s endorsing a piece of tax-filing software, say.
“But I’m a very cautious taxpayer,” he said. “I’ll put it that way.”