Tax refunds can be a lifeline for many Americans, bolstering savings or providing families with needed funds for unexpected expenses. Unfortunately, tax season attracts threat actors seeking to exploit the system, turning it into a hunting ground for illicit gains. This creates substantial risk for businesses and government organizations, which may be targeted with infostealers, phishing, and social engineering scams.
Here’s what you need to know about the latest Tactics, Techniques, and Procedures (TTPs) being used by threat actors in 2025’s tax season.
How Tax Refund Fraud Works
Typically, tax fraud schemes are pretty straightforward—file fraudulent returns and cash out the payment before the victim can. This process usually occurs in four steps:
- Source victims and obtain personal information: Threat actors get the bare minimum needed to file a fraudulent tax return, which includes a victim’s name, date of birth, address, and Social Security Number.
- Bypass identity and return verification methods: Fraudsters seek to obtain verified ID.me accounts, identity protection pins, and adjusted gross income from previous tax years.
- Maximize fraudulent tax returns: By targeting specific programs or tax credits, malicious actors artificially increase the tax refund amount.
- Cash-out: The fraudster has the refund check mailed to a “drop” address, converts it into cash or cryptocurrency, or exploits anonymous payment mechanisms such as prepaid cards or payment apps.
Step 1: Sourcing Data and Obtaining “Fullz”
The most frequently discussed form of tax fraud in Flashpoint Collections is filing a return on behalf of a legitimate taxpayer using stolen PII. Fraudsters may attempt to use legitimate income information, often stolen from employers or payroll companies, or report incorrect income information to artificially bolster a tax refund.
The effectiveness of this strategy is closely linked to the quality of PII the threat actor possesses and their ability to bypass identity verification measures. The bare minimum information required to file a fraudulent return is an identity fullz, which includes a victim’s name, date of birth, address, and Social Security number (SSN). Using techniques similar to those used in credit card fraud and other identity-theft-related financial crimes, threat actors obtain detailed personal information through infostealers, phishing, data breach dumps, and social engineering.
Step 2: Bypass Identity and Return Verification Methods
Fraudsters actively target verified ID.me accounts because they can use the accounts to gain access to sensitive tax information required for verifying tax returns. Fraudsters generally recommend obtaining or verifying ID.me accounts if a victim has filed taxes in previous years. However, first-time filers are attractive targets because they likely do not have a previously verified ID.me account, an established IP PIN, or an adjusted gross income from previous tax years, which may make it easier to file.
Fraudsters often attempt to obtain access to ID.me accounts through social engineering schemes or by using falsified documents and IDs. Threat actors engaging in social engineering schemes may coerce a victim into creating an ID.me account under the fraudster’s control or otherwise elicit sensitive personal and tax-related information from victims under false pretenses.
Common schemes for obtaining this information typically include employment, romance, or dating scams. These scams refer to social engineering schemes in which fraudsters attempt to trick victims into providing sensitive information. Fraudsters often create ads, fake job listings, or posts on social media websites and job boards to source victims for these schemes.
Step 3: Maximize Fraudulent Returns
In preparing tax returns, threat actors often exploit rebate and exemption policies to maximize the size of the received refund. Flashpoint analysts identified several tax credits and state-specific benefits discussed by threat actors as vulnerable to exploitation.
- Fuel Credit: A frequently discussed technique in 2023 was the federal fuel tax credit, utilizing Form 4136. The IRS stopped accepting this form electronically, but multiple threat actors claimed to be able to bypass this restriction with an updated method, while some switched to other unspecified techniques to obtain large refunds.
- Employer Retention Credit (ERC): Another tax credit of interest to threat actors is the ERC. One user on the “/d/fraud” Dread subforum claimed in 2023 to be able to make $20,000–50,000 USD per return using an “ERTC template” and stolen identity information, including access to verified ID.me accounts. Also in 2023, another threat actor on Telegram posted a video showing a claimed $288,000 USD payout using ERC.
- IRS Letters: Some schemes target specific taxpayer situations. For example, IRS letters, such as 5071C and 4883C, indicate that an individual’s refund is on hold pending identity verification. Certain tax fraud actors seek out these situations, claiming to know how to pass the verification requirements and cash out the tax refund.
Additional tax credits or payments often targeted by threat actors include:
- American Opportunity Tax Credit (AOTC)
- Child tax credits
- Child Tax Credit (CTC)
- Additional Child Tax Credit (ACTC)
- Residential Clean Energy Credit
- Earned Income Tax Credit (EITC)
- Economic Impact Payments (EIP)
- Lifetime Learning Credit
- Tax refund advance loans
State-Targeted Fraud and Disaster Relief
There are also widespread discussions of state-specific schemes, both taking advantage of specific state tax credits and fraudulent benefit applications more broadly, such as unemployment insurance and COVID-19 relief programs. For example, the New Jersey unemployment benefits program is frequently cited as a lucrative target.
Additionally, in early 2025, many tax fraud threat actors identified within Flashpoint’s Collections focused on methods to defraud the US government and victims of the Los Angeles area wildfires. Specifically, these threat actors shared fraud tutorials and methods for submitting false claims under “California Wildfires and Straight-line Winds,” DR-4856-CA.
Step 4: Cash-out
When threat actors are able to successfully obtain a refund payment from the IRS, the final step is to cash out by transferring the money to an untraceable form, such as cash or cryptocurrency, or another anonymous payment mechanism, such as prepaid credit cards, gift cards, or payment apps with weak or bypassable know-your-customer (KYC) requirements.
Fraudsters are exploiting electronic filing (e-filing) services that allow taxpayers to receive their refunds through methods like debit cards or mobile banking apps. In 2025, a frequently discussed cash-out method was the “Credit Karma to Coinbase” technique. This involves obtaining advance refund loans, depositing them into Credit Karma accounts, and then transferring those funds to Coinbase accounts, where they can be converted to cryptocurrency and ultimately withdrawn.
Other Ways of Converting to Crypto
To convert funds to cryptocurrency, threat actors use stolen, verified accounts on legitimate cryptocurrency exchanges. Since these accounts have passed the exchanges’ KYC requirements, threat actors can deposit funds from their tax refund and then transfer cryptocurrency to anonymous, untraceable wallets they control using Bitcoin privacy tactics.
One of the easiest ways to convert to Bitcoin is using a CashApp account with BTC transfers enabled, which makes it possible to file taxes, receive a refund, and cash out to Bitcoin all within one mobile app. Fraudsters in illicit chat channels also recommend receiving refunds as mailed checks, and some have claimed that prepaid bank accounts could be used for refunds under $20,000 USD. Analysts note that using checks to cash out tax refunds requires that the fraudster control the “drop” address associated with the return.
Protect Against Fraud Using Flashpoint
Tax refund fraud remains a persistent and evolving threat, with cybercriminals continually developing new and sophisticated methods to exploit the tax system. To protect against these scams, organizations need to implement robust data security protocols, educate employees, and stay informed about the latest threats. To see how Flashpoint helps protect against fraud, request a demo today.