Businesses should be on high alert as thieves try to use their stolen names and data to file fraudulent income tax returns. The warning comes from the Internal Revenue Service, state tax agencies and tax industry partners who make up the Security Summit partnership.
The alert marks the fourth day of National Tax Security Awareness Week, and gives businesses a heads-up to protect both data and systems.
The IRS is also planning additional steps to help businesses fight cybercriminals trying to steal their data.
"As the IRS and our partners have strengthened our security standards, identity thieves have looked for new ways to find sources of information, and businesses need to stay alert," said IRS Commissioner Charles Rettig. "Businesses, just like individuals, can be victims of identity theft. Thieves may steal enough information to file a business tax return for refund or use other scams using the company's identity."
Small Business faces a big threat.
Statistics show more than 70% of all cyberattacks are aimed at businesses with 100 or fewer employees. The thieves may target credit card information, the business’ identity information or employee identity information.
The Federal Trade Commission (FTC) encourages businesses to follow their best practices. These include:
- Set your security software to update automatically
- Back up important files
- Require strong passwords for all devices
- Encrypt devices
- Use multi-factor authentication
More information can be obtained at the FTC’s Cybersecurity for Small Businesses site.
Businesses should be especially alert to any COVID-19 or tax-related phishing email scams that attempt to trick employees into opening embedded links or attachments. IRS-related scams can be sent to phishing@IRS.gov.
The IRS is building defenses.
Starting Dec. 13, 2020, the IRS will begin masking sensitive information from business tax transcripts as well as the summary of corporate tax returns, in an effort to block thieves from stealing identifiable information that would allow them to file fake business tax returns.
Only financial entries, the IRS says, will be fully visible. All other information will have varying masking rules.
For example, only the first four letters of each first and last name—of individuals and businesses alike—will be displayed. Only the last four digits of the Employer Identification Number (EIN) will be visible.
The IRS also has launched the Form 14039-B, Business Identity Theft Affidavit, allowing companies to report possible identity theft to the IRS when, for example, the e-filed tax return is rejected.
Businesses should file Form 14039-B if they receive a:
- Rejection notice for an electronically filed return because a return already is on file for that same period.
- Notice about a tax return that the entity didn't file.
- Notice about Forms W-2 filed with the Social Security Administration that the entity didn't file.
- Notice of a balance due that is not owed.
The form enables the IRS to respond to the business much faster than in the past and to work to resolve issues that are created by a fraudulent tax form. However, businesses should not use Form 14039-B if they experience a data breach but don’t find a tax-related impact. Check out Identity Theft Central and its Business section.
The W-2 scam is still alive and well.
Tax scams can come and go, but Form W-2 theft schemes seem to be a constant threat. The most common version has a thief pose as a high-ranking company executive who emails payroll department employees and asks for a list of workers and their W-2s. Many times, businesses don’t even know they’ve been scammed until a fraudulent return shows up in employees’ names.
The IRS has special reporting procedure for employers who are hit by the W-2 scam. It also can be found at Identity Theft Central’s Business Section.
Security Summit partners also urge businesses to keep their EIN application information current. A change of address or responsible party can be reported using Form 8822-B.
Remember that a change in the responsible party has to be reported to the IRS within 60 days.
Current information can help the IRS find a point of contact quickly to resolve identity theft and other issues.
For more information about this week-long series and the effort to raise awareness about identity theft, check out IRS.gov/securitysummit on the IRS website.