Tax identity theft prevention tips for individuals & businesses round out 2018's National Tax Security Awareness Week
Welcome to a new week, another seven days for cyber criminals to try to steal your personal, financial and tax information.
Last week, the Internal Revenue Service and its Security Summit partners in state tax departments and the tax world's private sector spent five days alerting us to potential tax identity theft schemes and ways to ensure we don't fall victim.
Unfortunately, we need to be aware of the dangers of online tax and financial crime every single day of the year, not just for one designated week. That's why today I'm recapping the National Tax Security Awareness Week warnings.
1. Protect your tax identity while shopping online.
Crooks stealing your personal info while you surf for the best holiday deals could use that data to steal your tax identity and file a false return for a fraudulent refund. My post adds my own take to the IRS alert on seven ways to protect your online tax identity.
Tips include avoiding public Wi-Fi, using security software to regularly scan and clean your machine and using strong passwords along with multi-factor authentication.
2. Don't take phishing scam bait.
The IRS says it's seeing a surge of new, sophisticated email phishing scams during what should be a festive holiday time. The approaching 2019 tax filing season just ramps up these schemes.
The increase is a bit of a surprise. From 2015 to 2017, the IRS says, tax-related phishing scam reports had declined. But this year, more than 2,000 tax-related scam incidents were reported to the IRS from January through October, compared to approximately 1,200 incidents in all of 2017. Overall, in 2018 the IRS recorded a 60 percent increase in bogus email schemes that seek to steal money or tax data, leading to attempts to steal tax refunds.
Some phishing emails appear to come from a business colleague, friend or relative. Others contain malware.
And they're not limited to emails; some are phone scams. Yes, the fake IRS agent phone scam is still calling potential victims, threatening taxpayers with lawsuits or arrest if payment is not made immediately, usually through a debit card.
3. Create strong passwords.
Yes, this recommendation was part of the first tax security week warning. It's so crucial that the IRS and Summit partners decided to devote a day to password creation and management to more fully protect your accounts and identity.
Cyber security experts now recommend that instead of a password, we use a passphrase. The idea is to create a passphrase that can be remembered easily and protect the account.
Your passphrase could be a line from your favorite movie or a series of associated words, rather than just a single word or unintelligible collection of characters. This means passwords like MyDoG#17 or $uE*s3P%8V are out. Longer, personal phrases you can remember, such as SunWalkRainDrive, are now preferred.
The Department of Commerce's National Institute of Standards and Technology (NIST) suggests this three-step approach to build a better password:
- Leverage your powers of association. Identify associated items that have meaning to you.
- Make the associations unique to you. Passphrases should be words that can go together in your head, but no one else would ever suspect, such as items in your living room — BlueCouchFlowerBamboo — but not the names of your children.
- Picture it. Create a passphrase that you can see in your mind. Your living room décor, for example, is easy to picture and therefore remember. But a cyber crook who has never been to your house (we hope!) — or seen your living room on your social media pages … — isn't likely to guess it.
Also, use a different password or passphrase for each account.
4. Watch out for business-related W-2 scams.
The IRS says it's seeing a growing wave of identity theft and W-2 scams, especially targeting small businesses.
As with individuals, businesses may have their identities stolen and their sensitive information used to open credit card accounts or used to file fraudulent tax returns for bogus refunds.
That tax data, on employees as well as clients, includes the personal information contained on W-2 forms, a document highly valued by identity thieves. However, the IRS says it has seen an increase in the number of fraudulent 1120, 1120S, 1041 and Schedules K-1 forms.
Plus, identity thieves, who have long used businesses' stolen Employer Identification Numbers (EINs) to open new lines of credit or obtain credit cards, are finding new uses for these company identifying digits. Now, warns the IRS, crooks are creating fake W-2 forms, as well as using company names and EINs, to file fraudulent tax returns.
That's why businesses, partnerships and estate and trust filers should be alert to potential identity theft and contact the IRS if they experience any of these issues:
- Extension to file requests are rejected because a return with the EIN or Social Security number (SSN) is already on file;
- An e-filed return is rejected because a duplicate EIN/SSN is already on file with the IRS;
- An unexpected receipt of a tax transcript or IRS notice that doesn't correspond to anything submitted by the filer; and/or
- Failure to receive expected and routine correspondence from the IRS because the thief has changed the address.
"Identity theft can be devastating to small businesses," said IRS Commissioner Chuck Rettig. "And as tax season approaches, the IRS and the Security Summit partners continue to warn employers to be on the lookout for emails asking for sensitive W-2 information, a dangerous scheme aimed at payroll and human resource offices."
5. Tax pros need to take extra cyber security care.
Tax professionals and their client databases are a treasure trove for identity thieves, who are always looking for better sources to use in filing fraudulent tax returns, noted Rettig. That's why in 2018, cyber criminals saw the efforts by the IRS and Security Summit state and tax industry partners to improve defenses against tax-related identity theft and raised them by devising more ways to attack tax pros.
During this year's tax filing season, the IRS received five to seven reports per week from tax firms that had been data theft victims. Through Nov. 5, the IRS received 234 reports for the year. That's a 29 percent increase from the 182 reports received during the same time in 2017. And, notes the IRS, sole practitioners are just as vulnerable to data theft as practitioners in large firms.
Since the data theft reports generally are filed by firms, that means hundreds more tax practitioners and tens of thousands of clients are affected. The IRS says this increase represents a significant trend in tax-related identity theft. It's also a sign that tax professionals must take stronger measures to safeguard their clients and their businesses.
Among the steps toward a data security plan, the IRS and Security Summit suggest companies take, at a minimum, certain basic security safeguards, including:
- Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider or cloud storage provider. Never open a link or any attachment from a suspicious email.
- Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
- Upgrade your office passwords (see #3 above) and use different passwords for each account. Also password-protect wireless devices, consider a password manager program and encrypt all sensitive files/emails.
- Back up sensitive data to a safe and secure external source not connected full-time to a network.
- Limit access to taxpayer data to individuals who need to know.
- Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
The IRS also reminds all professional tax preparers that they are required by federal law to create and maintain a written data security plan. IRS Publication 4557, Safeguarding Taxpayer Data, can help. Also check out NIST's Small Business Information Security – The Fundamentals.
And if you do discover any data theft or loss, report it to the appropriate IRS Stakeholder Liaison.