The Seasons of Cybersecurity: The Tax Version
We typically rejoice or have something to look forward to as the seasons transition from one to another. Tax season may not be the time for most of us to rejoice. Still, cybercriminals and tax-related professionals may think otherwise. Tax season is a time of heightened risk for business owners, as cybercriminals increasingly target businesses of all sizes with malicious attacks. Every February through April, there is a rise in tax fraud by cybercriminals keen on stealing your personal and business financial data. Companies and individuals should always be aware of the risks.
Ensure Your Business's Financial Data Is Secured
Learning how to prevent these types of cyber attacks means being aware of the scams behind them and having or implementing a comprehensive cybersecurity program like iCorps VCISCO or iCorps Cybersecurity, which can advise on or protect aspects of your business so you can focus on what you do best during any season. At iCorps, we have time to focus on what we know best all year.
Business email compromise and phishing attempts are widespread during the tax season months. Small businesses send and receive significant financial and confidential information from their accountants or tax preparers. This type of environment is a prime target for cyber attacks. The Internal Revenue Service identified more than $31 billion in tax fraud and financial crimes in 2022.
Common Tax Fraud / Scam Issues
The Federal Trade Commission (FTC) says that tax-related identity theft is the most common type.
Examples of tax fraud scams, which target both individual taxpayers and businesses, include:
- Impersonating IRS Phone Scams: Callers claim to be IRS employees and say you owe money that must be paid via gift cards or wire service as soon as possible. The IRS does not call and demand immediate payment.
- Phishing, Email, and Malware Scams: Cybercriminals will attempt to get valuable data via unsolicited emails, text messages, or fake websites that prompt users to click a link and open attachments to share personal or financial information or to release malware or spyware into a computer system.
- Phishing Scams: Cybercriminals often use phishing scams to target businesses during tax season. They may send emails or text messages that appear to be from the IRS or other tax-related organizations, asking for personal information or payment. Again, the IRS does not email to ask for personal info or payments.
- Malware Attacks: Malware attacks steal sensitive information, such as Social Security numbers, bank account numbers, and passwords. Business owners should ensure their systems are up-to-date with the latest security patches and antivirus software.
- Data Breaches: Data breaches can occur when hackers gain access to a business's network or computer systems. Business owners should ensure their systems are secure and have a plan to respond to a data breach.
- Unsecured Wi-Fi Networks: Unsecured Wi-Fi networks allow hackers to gain access to a business's systems. Business owners should ensure their Wi-Fi networks are secure and use strong passwords.
- Social Engineering: Cybercriminals may use social engineering tactics to gain access to a business's systems. Business owners should know these tactics and train their employees to recognize and avoid them.
- Seasonal Tax Firms: Tax preparation companies with little or no credibility open and close quickly during peak tax season. These businesses might not have secure systems, allowing cybercriminals to access your information easily.
Cybersecurity Tips for the Tax Season and Beyond
You can protect your business from tax fraud scams and cyber attacks by implementing employee cybersecurity training and data privacy verification procedures, such as:
- Do not share Social Security numbers or any tax documentation with unknown parties.
- Check your credit report to see if bank accounts are opened in your name.
- Look for any business loans taken out under your company EIN.
- Verify information before sending any wire or ACH transfers. Call a known phone number directly (not using the email signature), and ensure that multiple parties review before pushing through any payment.
- Any deviations and/or urgent demands should be discussed with other team members or management. Threat actors tend to use urgency to rush people to make a mistake.
- Only open attachments if they are expected. If in doubt, examine the email with an abundance of caution. Go directly to the URL you know, and don't rely on the links in an email.
- Only allow someone who requests access to your computer if you can confirm with your IT department and/or MSP that they are legitimate. Always gather their contact information, and secure a call back to a number you know. It is not common practice for someone unknown to call and ask for remote access.
- Use secure passwords and don't share or reuse them.
- Ensure you are communicating with an authentic individual, not an imposter trying to steal personal and financial information. If you are unfamiliar with the person's name, verify their relationship with your company before sharing any data.
- Utilize multi-factor authentication (MFA) when filing taxes online. When accessing your account, use a tax preparation service that requires a username, complex password, and MFA.
- Update software on all devices and operating systems that connect to the internet. Current, fully patched software is a strong defense against viruses and malware.
You can report IRS, Treasury, or tax-related phishing scams to firstname.lastname@example.org. Reporting phishing helps prevent future phishing attempts and protect others. Once you report a phish, delete it.
If you believe you are a victim of tax-related identity theft or fraud, contact the IRS immediately at the number on the IRS notice. Call the IRS Identity Protection Specialized Unit (IPSU) if you didn't receive a notification. The government website Identity Theft also provides information on the next steps you need to take.
Cyber insurance augments and supports a business's efforts to recover from a cyber attack. It provides access to expert resources and financial support through investigation, notification, recovery, and post-recovery activities related to a data breach event. For more information to help protect your business during tax season and the entire year, contact iCorps.