For the first time, the Kentucky Revenue Department this year is asking taxpayers to wait.
Kentucky and other states are becoming more forthright, telling taxpayers they'll have to be patient and allow time for verification before refunds are sent.
It's one of several new steps against what officials say is an upsurge in identity thieves filing false returns and directing the ill-gotten refunds to their own accounts. State officials also are turning to outsiders for help, quizzing taxpayers more closely about their identities and contemplating new legislation.
It's likely just the beginning of a long fight, said Edwin King, chief of staff of Kentucky's Finance and Administration Cabinet.
Kentucky officials decided to go public because the problem was growing: They caught $16.5 million in fraudulent claims last year — double the amount they detected the previous year.
States also are tapping the experience of the Internal Revenue Service, which has had its own problems with such fraud.
The investigative arm of Congress recently studied the issue following reports from the IRS that it prevented $24.2 billion in payments to identity thieves in 2013 but paid $5.8 billion in federal returns that were later determined to be fraudulent. The Government Accountability Office study called such scams a "large, continually evolving threat that is costing taxpayers billions of dollars per year."
In 2014, Susan Combs and her husband got a letter from the feds questioning a refund claim of about $4,000. The couple had not yet filed a return that year. The IRS letter stopped a fraud attempt.
The thieves couldn't have known Combs had a professional interest in the crime. She was Texas state comptroller from 2007 to 2014, and now is a fellow at the Center for Identity, a University of Texas think tank that specializes in questions about privacy and security raised in an age when so much personal information is online.
Combs said by speaking out about the extent of the identity theft they face, bureaucrats might get support from taxpayers when they ask for money for software and other measures to improve security. But she's not entirely confident.
"I think people now believe, 'I'm going to get hacked, no matter what.'"
Tax authorities looking for convenience and efficiency have increasingly shifted to electronic filing to save taxpayers, as well as government, time and money. One way they sought to persuade taxpayers to switch from paper returns was to promise quick, direct deposit refunds to e-filers.
Fraudsters, many based outside the United States, realized agencies sending deposits quickly would be unable to verify all the returns were legitimate, said Frank Abagnale, a security consultant who can think like a criminal. Today, impostors can create fake electronic identities and profit without going to the lengths Abagnale did in his days as the chameleon-like conman portrayed in the 2002 movie "Catch Me If You Can."
"We transfer money, we wire funds" on the Internet, said Abagnale, who has consulted with tax authorities in his home state of South Carolina. "It's not a secure system."
Abagnale advised South Carolina to slow down on refunds.
"If you're going to provide security, it's not going to be very convenient," he said. "It's not going to be fast."
Colorado has another tactic for combatting fraud. In cases in which returns raise suspicions, the state revenue department mails refund checks to the address it has on file for the taxpayer instead of making a direct deposit to a potentially fraudulent account. If the return is indeed fake, the agency counts on the taxpayer to flag it.
Colorado paid almost a million refunds by direct deposit in 2011, about 60 percent of all payments, according to figures the revenue department made available to The Associated Press. Direct deposits accounted for an increasingly bigger share of all payments over the next three years.
Then came 2015, when staffers started noticing more suspicious returns. The state used caution and made only half a million direct deposits that year, about 30 percent of the total.
Bank fees on each check are 8 cents, four times the direct deposit fee. In addition, mailing each check costs 47 cents, and that doesn't include the cost of paper and stuffing envelopes.
Still, the extra cost beats compromising people's personal information or having fraudsters snatch their refunds, revenue department spokeswoman Lynn Granger said.
Taxpayers can also help, by taking simple steps like devising hard-to-guess passwords and changing them regularly, and using different passwords for different electronic accounts, said Verenda Smith, deputy director of the Federation of Tax Administrators, an information-sharing and lobbying group for state tax officials.
Not that it's always the taxpayer who gives away crucial information.
A 2002 cyberattack on South Carolina's tax collection agency exposed the personal data of nearly 4 million individual filers and 700,000 businesses. It started with a phishing email to several agency employees. At least one made the fatal click that gave hackers an official username and password.
The private sector also collects data — in 2014, insurer Anthem reported a breach that exposed social security numbers, employment and income information of up to 80 million people, among them St. Louis lawyer Scott Jarboe.
When Jarboe got an IRS refund check last year for a "bunch of money," he hadn't yet filed his returns. He contacted the IRS to clear up that case of identity theft fraud.
Kentucky tax officials hope the state's heightened security measures will head off such crimes this year, though they declined to say exactly what steps they're taking. Releasing that information could tip off identity thieves, officials said.
Dan Bork, commissioner of Kentucky's tax agency, said he understands members of the public might find it frustrating that their returns could be delayed this year.
Still, "we would rather protect their refund than have it end up in the hands of criminals," Bork said in a statement.
Associated Press writers Seanna Adcox in Columbia, S.C.; Adam Beam in Frankfort, Ky.; Bob Christie in Phoenix; Kimberlee Kruesi in Boise, Idaho; Matt Volz in Helena, Mont.; and Ann Sanner in Columbus, Ohio, contributed to this report.