We’re not trying to be alarming, but if you’ve got a small business, there’s someone looking over your shoulder—and we’re not talking about the government.
They are, however, scammers and identity thieves, looking to use the business’ confidential information to file bogus tax returns. Their endgame is to steal inflated refunds in the name of their victims.
"Businesses, just like individuals and tax pros, need to stay alert," said IRS Commissioner Chuck Rettig. "Thieves may steal enough information to file a business tax return or use other scams that involve the company or its employees."
And unfortunately, it’s the “little guy” who gets hit the hardest. Of all the cyberattacks leveled at business targets, more than 70% were aimed at businesses with 100 or fewer employees.
Business identity information, employee identity data - even credit card and other payment information - all are fair game for cybercriminals. To hang on to their data, businesses are urged to use these best practices from the Federal Trade Commission:
- Set security software to update automatically,
- Back up important files,
- Require strong passwords for all devices,
- Encrypt devices and
- Use multi-factor authentication.
Remember to be alert for any possible scams that use COVID-19 as a premise to trick email recipients into clicking embedded links or opening attachments. These scams also surface around tax time using taxes as the cover instead of COVID.
While it may not be a direct defense of data, keeping a business’ EIN information up-to-date can be important for resolving data breaches or identity theft issues quickly.
Use Form 8822-B to report changes of address or responsible party. These changes must be reported to the IRS within 60 days of the change. Keeping this information current allows the IRS and the company to respond quickly to resolve data issues.
IRS does its part
The Internal Revenue Service has tightened up how it delivers information, making it harder for identity thieves to glean actionable data that can help them file fake returns.
The agency began masking sensitive data on business tax transcripts last year. Now, only financial entries are fully visible. The rest of the data in the transcript has various rules for what can be seen—or not.
The names of businesses and individuals, for example, are reduced to the first four letters of each first and last name; Employer Identification Numbers, on the other hand, are represented by only their last four digits.
If a business suspects it has been the target of possible identity theft, they should file Form 14039-B, Business Identity Theft Affidavit. This lets firms report possible tax-related identity or data theft quicker.
If a business receives any of the following examples, they should consider filing Form 14039-B:
- Rejection notice for an electronically filed return because a return already is on file for that same period.
- Notice about a tax return that the entity didn't file.
- Notice about Forms W-2 filed with the Social Security Administration that the entity didn't file.
- Notice of a balance due that is not owed.
Note, however, that Form 14039-B should not be filed if a business has a data breach but there’s no tax-related impact.
The IRS’ Identity Theft Central web pages have more information in their Business section.
This puts the wraps on National Tax Security Awareness Week and related alerts from the Security Summit, a partnership of the IRS, state taxing agencies and tax-industry partners. The Security Summit has been tasked with fighting identity theft - especially when it occurs as part of the income tax process.
For more information on security measures affecting America’s small businesses, check out the Federal Trade Commission’s Cybersecurity for Small Businesses web page.