Six Best Practices to Protect Your Company's Information This Tax Season
Data protection is not often a primary concern during tax season, as employees scramble to finish reports and meet filing deadlines. Yet in the wake of recent data breaches, the 2018 tax season is poised to have more fraudulent returns than ever. The IRS expects that corporate tax-related identity theft will increase greatly in 2018, and encourages taxpayers and tax professionals to take extra steps to help keep their tax data and tax identities safe. Cybercriminals have unprecedented access to sensitive data, and are constantly developing new ways to obtain and use this information. This week marks National Tax Security Awareness Week. Below you will find six best practices to help protect you and your business from cybercriminals looking to capitalize on your tax return.
1. Prevent Phishing
W-2 phishing scams are one of the easiest ways for hackers to access your sensitive data, and busy employees trying to meet filing deadlines are far more likely to click without thinking. Make sure your employees are educated on how to identify and respond to phishing emails, and feel empowered to ask questions if something doesn’t seem right. Employee training should already be part of your cybersecurity strategy, and a formal anti-phishing training program can greatly reduce the number of phishing emails that your employees respond to. Ensuring that all your employees are educated and on board will help reduce your company’s chances of being hit with a data breach and a fraudulent tax return.
2. Encrypt Documents That Contain Sensitive Information
Encryption uses an algorithm to encode plaintext data so that it is unreadable by anyone who does not have a decryption key. This means that even if hackers are able to intercept your email, they won’t be able to read it. You wouldn’t leave your company’s sensitive information lying around at a coffee shop, but if you aren’t encrypting sensitive emails, that is exactly what you are doing. Threat actors can easily access data sent through unsecured networks, and then use this data to file fraudulent tax returns. There are many programs out there that will allow your company to easily send and receive encrypted emails. We like Virtru, but talk to your CISO about which program is best for your company.
3. Use Two-factor Authentication
Two-factor authentication requires both something a user knows (like a password) and something they have (such as an access code sent to their cell phone). Even if a thief manages to steal usernames and passwords, it’s unlikely they would also have access to the victim’s phone. Requiring two-factor authentication to access sensitive data helps ensure that unauthorized users cannot access your most sensitive files.
4. Use and Update Security Software
Security software will help protect you from malware and viruses. Threat actors are always developing new techniques, so using multiple security programs and keeping them updated is your best bet for preventing unauthorized access to your data.
5. Know the Signs of a Fraudulent Return
Even the most secure companies will likely experience a cyberattack at some point. If the attack goes undetected, threat actors may be able to file fraudulent returns using your company’s data. Some signs that your company may be a victim of tax-related identity theft:
Extension-to-file requests are rejected because a return with the Employer Identification Number or Social Security Number is already on file
An e-filed return is rejected because a duplicate EIN/SSN is already on file with the IRS
An unexpected receipt of a tax transcript or IRS notice that doesn’t correspond to anything submitted by the filer
Failure to receive expected and routine correspondence from the IRS because the thief has changed the address
If you experience any of these, contact the IRS.
6. Have an Incident Response Plan
Developing a comprehensive incident response plan for your company is critical. The more detailed this plan is before a threat, the easier it will be to implement if your company faces a breach. Your CISO can help you develop this plan. If your company does not have a CISO, a security consultant or virtual CISO can offer some guidance.
Though these tips will help keep you and your company safe this tax season, no cybersecurity strategy is guaranteed. We encourage everyone to be vigilant in their cybersecurity efforts, and stay aware of new scams and vulnerabilities. The IRS Security Awareness Tax Tips page offers additional information, and we will be tweeting about new vulnerabilities as we learn about them.
Bluestone Analytics helps companies secure their most valuable assets. If you would like a personalized assessment of your company’s existing cybersecurity strategy, contact us.