Over the last two years the IRS and state tax authorities have made significant strides in curbing individual identity theft. But cyberattacks against businesses are on the upswing. Here are some simple ways business taxpayers can help protect their data from hackers.
Trends in ID Theft
The IRS recently announced that the number of individuals reporting identity theft in the first half of 2017 has declined dramatically compared to 2015 and 2016. About 107,000 individual taxpayers reported stolen IDs for the first five months of 2017. In comparison, 297,000 victims filed reports during the same time period in 2015 and 204,000 in 2016.
So, individual ID theft dropped 47% over the last year, and the IRS attributes the decrease to safeguards put in place during the 2016 Security Summit.
However, the IRS has also noted an unfortunate increase in ID theft involving business tax returns. While the number of businesses affected was relatively low, the potential dollar amounts were significant:
|Year||Estimated business ID theft cases through June 1||Estimated losses|
|2015||350 tax returns||$122 million|
|2016||4,000 tax returns||$268 million|
|2017||10,000 tax returns||$137 million|
The victims of business ID theft include corporations, estates and trusts, and partnerships. These days, hackers are bolder and increasingly tax savvy in their scams. For example, they may use stolen data to file bogus business tax returns and then collect refunds. Or they might post the stolen data for resale on the so-called “Dark Net” so other criminals can file fraudulent tax returns.
Even though tax professionals have been helping clients take appropriate security measures to prevent business ID theft, problems still persist. “We need help from the tax community to combat cybercriminals and raise security awareness,” IRS Commissioner John Koskinen noted.
Ways to Combat Business ID Theft
It is critical to put measures in place for prevention and early detection of business ID theft, because it can be quite costly. Here are some simple, but effective, security measures you should consider:
Make cybersecurity a top priority. Your company needs a formal cybersecurity plan that identifies a step-by-step approach for detecting ID theft, similar to the way you would put together an annual business plan. When breaches happen, your plan should trigger a prompt, thorough response.
Safeguard intellectual property. Companies should store all employee and customer data, along with other proprietary records, such as financial statements and prior years’ tax returns, in a safe location. Before throwing out nonessential documents, shred them first. And limit access to your employer ID number to parties with whom you initiated the contact. Share sensitive information via the Internet or email only if the recipient is trusted (such as your lender or tax preparer) and the site is secure.
Use the latest cybersecurity technology. This includes firewalls, antivirus and antimalware software, and spam filters. Also exercise common sense: Don’t download files, click on links, or open pop-ups or attachments sent from unknown sources. Stored files should be encrypted for your protection and for the benefit of customers.
Educate employees. Periodically conduct training sessions to remind employees about the latest scams, such as phishing emails where hackers pose as familiar businesses or colleagues to steal sensitive information. They should also be aware of your cybersecurity plan and each person’s role if a breach occurs.
Use prepaid credit cards for purchases. Prepaid employee credit cards limit your potential for losses when employees make purchases from suppliers and vendors. If a card is breached, the company can lose only what’s prepaid and you can immediately deactivate the card.
Monitor business credit reports. It is low effort to monitor your company’s profiles from the three major business credit bureaus: Equifax, Experian, and TransUnion. For anytime access, subscribe to their monitoring services. What’s more, you can choose to receive real-time email notifications about suspicious activities affecting your company’s credit rating.
Guard your master list. Some companies track all their accounts and passwords in a master list, which can be convenient, but dangerous. A dishonest employee or hacker who manages to gain access to that list has the key to all your company’s information in one fell swoop, so you’ll need to be extra cautious with security measures.
Finally, immediately contact your tax professional if you believe you’ve been victimized. They can help you get in touch with the appropriate law enforcement authorities, business credit bureaus and financial institutions.
It’s important to note that not every preventive measure is 100% fail safe. The IRS and tax preparers are expanding their efforts to educate businesses and prevent breaches. You can also help lower your risk by crafting a formal cybersecurity plan, educating employees and implementing various other proactive security measures.