An IRS Identity Protection PIN blocks anyone else from e-filing a return in your name — it’s free, takes five minutes to set up online, and auto-renews every January


During the 2025 filing season, the IRS flagged roughly 300,000 tax returns as confirmed identity-theft attempts, according to the agency’s annual Data Book. In a typical case, a thief uses a stolen Social Security number to e-file a fraudulent return and claim someone else’s refund before the real taxpayer even opens their tax software. The IRS offers a free, straightforward defense: a six-digit Identity Protection PIN (IP PIN) that functions as a second password on your federal return. Without the correct code, the IRS rejects the electronic filing immediately. Setting one up takes about five minutes through the agency’s online portal, and a fresh PIN is generated automatically every January.

Despite the simplicity, adoption remains surprisingly low. A review by the Treasury Inspector General for Tax Administration (TIGTA) found that large numbers of taxpayers who already showed signs of identity theft in IRS records had never been issued the protection. That finding helped push the IRS to open voluntary enrollment to every filer in the country, not just confirmed victims.

How the IP PIN works

An IP PIN is a six-digit number that prevents someone else from filing a federal tax return using your SSN or Individual Taxpayer Identification Number (ITIN). When you file Form 1040, you enter the code in the signature section. The IRS checks it against its records before accepting the submission. If the PIN is wrong or missing, the return is rejected electronically, per the agency’s Internal Revenue Manual, Section 25.23.2. That rejection applies whether the filer is a thief who never had the code or a legitimate taxpayer who simply forgot it.

Paper returns work differently. Rather than an instant electronic rejection, a paper filing without the correct IP PIN gets pulled for additional manual review. That slows processing but still adds a layer of scrutiny that a fraudulent return would need to survive.

Every January, the IRS generates a brand-new PIN, so a code leaked or stolen from a prior year becomes useless. How you receive that new code depends on how you entered the program:

  • Confirmed identity-theft victims receive a CP01A notice by mail, typically in December or January, with the updated PIN. No action is required on their part.
  • Voluntary enrollees must log into their IRS online account starting in early January to retrieve the new code. The PIN is generated automatically, but you need to go get it.

One important detail: once you enroll voluntarily, the IRS does not offer a way to opt out. The IP PIN requirement continues in future years, even if you enrolled as a precaution rather than in response to actual fraud. The IRS has published detailed FAQs covering eligibility, lost notices, and how the PIN interacts with both electronic and paper filings.

How to set one up

Any taxpayer with an SSN or ITIN can enroll. Here is the process as of June 2026:

  1. Go to the IRS online account portal. You will need to create an account or sign in if you already have one. The IRS uses ID.me for identity verification, which typically involves uploading a government-issued photo ID and taking a selfie.
  2. Navigate to the IP PIN section. Once logged in, look for the option to request an Identity Protection PIN.
  3. Receive your six-digit code. The PIN is displayed on screen and applies to the current tax year. Store it somewhere secure. You will need it when you file, and so will your tax preparer if you use one.
  4. Return each January. Log back in after the new year to retrieve your updated PIN for the upcoming filing season.

The IRS has encouraged all taxpayers to sign up, and the enrollment window stays open year-round.

Spouses, dependents, and state returns

Each person listed on a tax return needs their own IP PIN if they have enrolled in the program. That means if you and your spouse file jointly, you both need to retrieve your PINs before filing. The same applies to dependents: a parent who enrolls a dependent’s SSN in the IP PIN program will need that dependent’s code each year as well.

It is also worth knowing that the IP PIN protects federal returns only. It does not apply to state income tax filings. Some states have their own identity-protection programs, but coverage varies widely, and many states offer nothing comparable. If state-level tax fraud is a concern, check your state’s department of revenue for any available safeguards.

What if you lose your PIN or can’t verify online

If you misplace your CP01A notice or forget to save the code, the IRS lets you retrieve your current-year IP PIN online after re-verifying your identity. That is the fastest option.

If you cannot clear the online identity verification step, which requires a valid photo ID and access to a camera, the IRS offers fallback routes. You can call the agency directly or, in some cases, visit a Taxpayer Assistance Center in person. These alternatives work, but they take longer and could push back your filing timeline, so retrieving the PIN online well before the April deadline is the safest approach.

What if someone already filed in your name

An IP PIN is a preventive tool. It blocks fraudulent filings before they are processed. But if a thief has already filed a return using your SSN, the PIN cannot undo that. In that situation, the IRS directs you to submit Form 14039, the Identity Theft Affidavit, to flag your account. The agency will then investigate, and once the case is resolved, you will typically be enrolled in the IP PIN program automatically to prevent repeat fraud.

Many people first learn about IP PINs only after they have already been victimized. Filing Form 14039 and getting an IP PIN assigned are two separate steps, and the affidavit process can take several months to resolve. Getting an IP PIN before you need one is the entire point.

What the IRS has not made public

The program’s design is sound, but several gaps in public data make it difficult to gauge real-world effectiveness:

  • Total enrollment figures. The IRS has not published how many taxpayers currently hold an active IP PIN or how quickly enrollment is growing.
  • Rejection statistics. There is no public dataset showing how many e-filed returns are rejected each season specifically because of a missing or mismatched PIN. Without that number, the deterrent effect is impossible to quantify.
  • Authentication failure rates. The ID.me verification process is a known friction point, particularly for older taxpayers and those without a smartphone, but the IRS has not disclosed how many applicants fail to complete it.
  • Tax preparer awareness. The IRS has urged preparers to discuss IP PINs with clients, but there is no public measure of how often that conversation actually happens.

The TIGTA report that flagged unprotected taxpayers did not specify a single calendar year for its finding, and the IRS has not confirmed whether those gaps have been fully closed since voluntary enrollment expanded nationwide.

Five minutes now, one less problem every April

The core value of an IP PIN is that it changes the math for tax-refund fraud. Without one, a thief needs only your Social Security number and some basic personal details to file a return in your name. That information is already circulating after years of large-scale data breaches affecting hundreds of millions of Americans. With an IP PIN in place, the thief also needs a live, current six-digit code that changes every year and is tied to your authenticated IRS account. That does not make identity theft impossible, but it makes the most common form of tax-refund fraud significantly harder to pull off.

The IRS has made enrollment free, open to everyone, and available year-round. The annual refresh happens automatically. For a tool that costs nothing and takes a few minutes to activate, the IP PIN is one of the more practical defenses available to individual taxpayers. The remaining question is whether the IRS will publish enough performance data to show the public how much fraud the program is actually preventing.
