August 14, 2017

The IRS and state tax authorities have made significant strides in curbing individual identity theft over the last two years. But cyber attacks against businesses are on the upswing. Here are some simple ways business taxpayers can help protect their data from hackers.

Trends in ID Theft

The IRS recently announced that the number of individuals reporting identity theft in the first half of 2017 has declined dramatically compared to 2015 and 2016. For the first five months of 2017, about 107,000 individual taxpayers reported stolen IDs. In comparison, 297,000 victims filed reports during the same time period in 2015 and 204,000 in 2016.

Put simply, individual ID theft dropped 47% over the last year. The IRS attributes the decrease to safeguards put in place during the 2016 Security Summit.

Unfortunately, the IRS has also noted an increase in ID theft involving businesstax returns. While the number of businesses affected was relatively low, the potential dollar amounts were significant:

Year | Estimated business ID theft cases through June 1 – Estimated losses

  • 2015 | 350 tax returns-$122 million
  • 2016 | 4,000 tax returns-$268 million
  • 2017 | 10,000 tax returns$137 million

The victims of business ID theft include corporations, estates and trusts, and partnerships. These days, hackers are bolder and increasingly tax savvy in their scams. For example, they may use stolen data to file bogus business tax returns and then collect refunds. Or they might post the stolen data for resale on the so-called “Dark Net” so other criminals can file fraudulent tax returns.Tax professionals have been helping clients take appropriate security measures to prevent business ID theft, but problems persist. “We need help from the tax community to combat cybercriminals and raise security awareness,” IRS Commissioner John Koskinen noted.

Ways to Combat Business ID Theft

Because business ID theft can be so costly, prevention and early detection measures are critical. Here are some simple, but effective, security measures you should consider:

  • Make cybersecurity a top priority. Similar to an annual business plan, your company needs a formal cybersecurity plan that identifies a step-by-step approach for detecting ID theft. When breaches happen, your plan should trigger a prompt, thorough response.
  • Safeguard intellectual property. Companies should store all employee and customer data, along with other proprietary records, such as financial statements and prior years’ tax returns, in a safe location. Shred nonessential documents before throwing them out, and limit access to your employer ID number to parties with whom you initiated the contact. Share sensitive information via the Internet or email only if the recipient is trusted (such as your lender or tax preparer) and the site is secure.
  • Use the latest cybersecurity technology. This includes firewalls, antivirus and antimalware software, and spam filters. Also exercise common sense: Don’t download files, click on links, or open pop-ups or attachments sent from unknown sources. Stored files should be encrypted for your protection and for the benefit of customers.
  • Educate employees. Conduct periodic training sessions to remind employees about the latest scams, such as phishing emails where hackers pose as familiar businesses or colleagues to steal sensitive information. They should also be aware of your cybersecurity plan and each person’s role if a breach occurs.
  • Use prepaid credit cards for purchases. Prepaid employee credit cards limit your potential for losses when employees make purchases from suppliers and vendors. If a card is breached, the company can lose only what’s prepaid and you can immediately deactivate the card.
  • Monitor business credit reports. It doesn’t take much effort to monitor your company’s profiles from the three major business credit bureaus: Equifax, Experian, and TransUnion. Subscribe to their monitoring services for round-the-clock access. What’s more, you can choose to receive real-time email notifications about suspicious activities affecting your company’s credit rating.
  • Guard your master list. Some companies track all their accounts and passwords in a master list, which can be convenient, but dangerous. A dishonest employee or hacker who manages to gain access to that list has the key to all your company’s information in one fell swoop, so you’ll need to be extra cautious with security measures.Finally, contact your tax professional promptly if you believe you’ve been victimized. He or she can help you get in touch with the appropriate law enforcement authorities, business credit bureaus and financial institutions.
  • No Guarantees. No preventive measure is 100% fail safe. The IRS and tax preparers are expanding their efforts to educate businesses and prevent breaches. You can also help lower your risk by crafting a formal cybersecurity plan, educating employees and implementing various other proactive security measures.

© 2017