The IRS could do a lot with a few simple checks:
- Is the refund going to the same bank account as the last refund for this taxpayer? If yes, there's a minimal risk of fraud. The taxpayer would've complained if last year's refund was stolen.
- Is the taxpayer's name on the account the refund's going to, and has the account been open more than a year? If yes, the risk of fraud's low. Banks typically don't let you open accounts without checking some physical ID.
- Is the refund check being mailed to the same address as used on last year's return? If so, the taxpayer likely hasn't moved and the risk is low.
- If any of the checks fail, compare the contact information on this year's return to last year's. If they're the same, contact the taxpayer to confirm where the refund should go. If they aren't, check any supporting filings from other sources (W-2, W-4, 1099, etc.) and see if any of those sources has contact information. Use that to contact the taxpayer.
It'll slow things down a bit when there's a problem, but it'll also let the effort be concentrated on returns with the highest chance of identity fraud.
And I mean, really. "Identity theft" is just a fancy new name for impersonating someone, and impersonation for the purposes of fraud is not new.