Fool me once, shame on you. Fool me twice, shame on the IRS.

Victims of identity theft because of the IRS’s lax security for online systems fell prey to scammers once again thanks to the very protections the IRS put in place to protect them. It would almost be comical except, no one is laughing, especially those who are victims of fraud – again.

The IRS mailed 2.7 million taxpayers a six-digit ID pin that they must use to ensure that only they electronically file their taxes. This was supposed to defend against scammers filing fraudulent returns using their information and under their name. However, when some tax filers tried to file their returns with this “secure” pin, they learned a tax return had already been filed – by someone else claiming to be them.

One victim explains her unbelievable tale of being targeted again to the Washington Post:

When Becky Wittrock tried to file her taxes in March 2015, she was told there was already a return filed in her name the month before. The South Dakotan was just one of a surging number of Americans to fall victim to a scam in which fraudsters try to steal other people's tax refunds by filing phony, inflated returns on their behalf.

"Honestly, I felt very secure I would be able to file my return without any problems," she said.

But when Wittrock tried to file her taxes last weekend, there were problems: On Monday, the IRS helpline told her that someone had filed a return using her IP PIN on Feb. 2, she said.

And what's more, according to Wittrock, the IRS representative told her that the agency had heard from other people with similar cases of fraudulent use of the IP PINs this year. "It was not a new problem," she said.

IRS head John Koskinen passed it off as no big deal since just a “handful” of filers experienced this problem. The IRS has flagged fewer than 200 potentially fraudulent tax filings involving IP PINs and stopped refunds from being issued in most of these cases.

Even if the problem is not major, it’s likely to happen again without action. Given the IRS’s track record we can’t assume this re-victimization is limited to just 200 cases. Far more people than the IRS knows or is publically disclosing may have been targeted.

One security expert says the problem lies with how easy the IRS makes it to retrieve a lost pin number. All that someone needs is basic personal information such as name, date of birth, social security number, and the mailing address of the most recent tax return filed. Some of that is information scammers would already have on previous victims. Other information can be gleaned from Google searches and social media.

Unfortunately, Americans who were victims are once again left at the mercy of scammers with no guarantee of protection from the IRS. As we reported this week, the IRS hack from last year affects almost 400,000 more Americans than the IRS knew or disclosed.

We don’t really know what to believe with the IRS, but for an  agency with the power to tax us and collect substantial personal information on us, we demand better than to be sitting ducks to online predators time-and-time again.