The IRS, state tax agencies and the tax industry have made significant
progress in the past two years against tax-related identity theft aimed at
individuals but warn that business identity theft is on the upswing.
Some of the increase in business and partnership return identity theft is
fueled by cybercriminals’ increasing focus on breaching tax professionals’
systems and stealing client data. The Security Summit has launched a 10-week
awareness campaign called “Don’t Take the Bait,” which encourages tax
professionals to step up their security measures.
“The IRS, state tax agencies and the tax community have worked hard to turn
the tide against tax-related identity theft. We’re making progress in
protecting individuals but we still have more work to do, especially in the
business tax area and involving tax professionals. Continued lapses in simple
security measures can happen in tax professional offices and other businesses as
well as at home,” said John Koskinen, IRS Commissioner.
So far for 2017, individuals reporting identity theft have declined sharply
compared to the same time in 2016 and 2015. In the first five months of 2017,
about 107,000 taxpayers reported being victims of identity theft, compared to
the same period in 2016, when 204,000 filed victim reports. That’s about 97,000
fewer victims – representing a drop of 47 percent. For comparison, there
were nearly 297,000 identity theft victims during the first five months of
2015.
The decline is part of an ongoing trend that began in 2016 as Security
Summit safeguards were put in place.
However, the IRS also saw an increase in identity theft involving
business-related tax returns. So far for 2017, the IRS has identified
approximately 10,000 business returns as potential identity theft through June
1, compared to about 4,000 for calendar year 2016 and 350 for calendar year
2015. While the number of businesses affected was relatively low, the potential
dollar amounts were significant: $137 million for 2017, $268 million for 2016
and $122 million for 2015.
The affected returns included corporate returns (Forms 1120 and 1120S) and
estate and trust returns (Form 1041). There also was an increase in identity
theft related to the Schedule K-1 filings made by partnerships. Tax preparers
will see new trusted customer questions on these types of returns. (See
FS 2017-10, Information about Identity Theft Involving Businesses,
Partnerships and Estates and Trusts.)
Cybercriminals are showing increasing savvy and tax expertise as they use
stolen data, sometimes from tax practitioners, to file these business,
partnership and trust returns for refunds. Or, they post the stolen data for
resale on the Dark Net so that other criminals can file fraudulent tax returns.
“It’s especially difficult to identify any tax return as fraudulent when
criminals are using information stolen from tax preparers,” Koskinen said. “The
stolen data allows criminals to better impersonate the legitimate taxpayers.”
Many tax professionals take appropriate security measures, but problems
persist. For the first five months of 2017, there were 177 reported data
breaches at tax preparers’ offices. The IRS continues to receive reports of
three to five data breaches each week.
“We need help from the tax community to combat cybercriminals and raise
security awareness,” Koskinen said. “That’s why we launched a campaign this
summer aimed at tax professionals called Don’t Take the Bait. We want all tax
professionals to be aware of the threats and to take the necessary security
steps to protect their clients’ most sensitive information. A lot of tax
professionals think a data breach can’t happen to them. Unfortunately, we see
new victims every week.”
Protecting Your Clients and Your Business from Business-related Identity Theft
During the 2017 filing season, the tax software industry began sharing data
elements from tax returns with the IRS and states to help identify suspected
identity theft business returns. For 2018, the number of elements shared from
tax returns will increase to better help identify those suspect returns.
Also for 2018, the IRS will be asking tax professionals to gather more
information on their business clients. All of the data being collected assists
the IRS in authenticating that the tax return being submitted is the legitimate
return filing and not an identity theft return. Some of the new information
people may be asked to provide when filing their business, trust or estate
client returns includes:
- The name and Social Security number of the company individual authorized to sign the business return. Is the person signing the return authorized to do so?
- Payment history – Were estimated tax payments made? If yes, when were they made, how were they made, and how much was paid?
- Parent company information – Is there a parent company? If yes, who?
- Additional information based on deductions claimed.
- Filing history – Has the business filed Form(s) 940, 941 or other business-related tax forms?
Tax professionals also should beware of any potential business clients
claiming they do not currently have an Employer Identification Number.
Tax professionals – like the IRS and state tax agencies – must protect their
data and systems against sophisticated, well-funded and technologically adept
criminal syndicates around the world. The 10-week Don’t Take the Bait campaign
will focus on the steps practitioners can take to protect themselves from
phishing attacks, ransomware and remote takeovers.
The Security Summit urges all tax professionals to take these simple steps:
- Educate all employees about the dangers of phishing emails posing as familiar businesses, organizations or colleagues.
- Use the best security software to guard against malware, phishing sites and viruses; set it to update automatically.
- Use strong, unique passwords for all accounts and change them frequently; use a password manager if necessary. Better yet, use two-factor authentication whenever possible.
- Encrypt all sensitive data and routinely back it up to an external disk.
- Review Publication 4557, Safeguarding Taxpayer Data, to create a security plan.
The “Don’t Take the Bait” campaign will focus on more extensive steps tax
professionals can take to protect their clients and their business. See more at
www.irs.gov/protectyourclients.