Connect with us

Hi, what are you looking for?


Fraud & Identity Theft

IRS Relaunches “Get Transcript” Service With Improved Security

The U.S. Internal Revenue Service (IRS) announced last week that it relaunched its Get Transcript online service after making some security improvements to its authentication process.

The U.S. Internal Revenue Service (IRS) announced last week that it relaunched its Get Transcript online service after making some security improvements to its authentication process.

The “Get Transcript” online service was launched by the IRS in January 2014 to allow users to view and download their tax transcripts. It was shut down in May 2015 after the agency discovered that it had been abused by fraudsters.

According to the IRS, Get Transcript now uses a more rigorous authentication process that should prevent fraudsters from abusing the system. The new secure access framework, which will be used for all of the agency’s online tools that require a high level of assurance, was created in collaboration with the government’s US Digital Service and other security authorities.

Before it was shut down, fraudsters could gain access to Get Transcript accounts by knowing the targeted individual’s name, date of birth, social security number and filing status, along with answers to some knowledge-based authentication (KBA) questions from credit bureau Equifax, such as previous address and loan amounts.

In the new registration process, which must be completed even by users who already registered via the old process, taxpayers must also provide financial account information (e.g. credit card number, car loan number, mortgage account number), an email address, and a mobile phone number.

The agency noted that only US-based phones can be used and the taxpayer’s name must be associated with the account – prepaid mobile phones, landlines or virtual phone services are not accepted. Individuals who have placed a credit freeze on their records through Equifax need to temporarily lift it in order to complete the registration.

As part of the new verification process, users will receive one-time activation or security codes via email and SMS. Taxpayers will also be able to see the date and time when their Get Transcript account was last accessed, which allows them to identify potential fraud attempts.

Advertisement. Scroll to continue reading.

The IRS initially reported that fraudsters abused the Get Transcript service to access the accounts of roughly 114,000 taxpayers. However, further analysis revealed that the actual number of affected accounts exceeded 700,000.

Several individuals have been identified and prosecuted for their roles in tax fraud schemes involving the Get Transcript service.

Related: Identity Thieves Use Stolen SSNs in IRS Attack

Related: IRS Suspends Identity Protection PIN Tool Over Security Concerns

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...


Spanish and US authorities have dismantled a cybercrime ring that defrauded victims of more than $5.3 million.

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...