Don’t Take the Bait, Step 3: Security Summit Safeguards Help Protect Individuals; Renew Focus on Curbing Data Breaches and Business Identity Theft

The IRS, state tax agencies and the tax industry have made significant progress in the past two years against tax-related identity theft aimed at individuals but warned business identity theft is on the upswing.

Some of the increase in business and partnership return identity theft is fueled by cybercriminals’ increasing focus on breaching tax professionals’ systems and stealing client data. The Security Summit has launched a 10-week awareness campaign called “Don’t Take the Bait,” which encourages tax professionals to step up their security measures.

“The IRS, state tax agencies and the tax community have worked hard to turn the tide against tax-related identity theft. We’re making progress in protecting individuals but we still have more work to do, especially in the business tax area and involving tax professionals. Continued lapses in simple security measures can happen in tax professional offices and other business as well as at home,” said John Koskinen, IRS Commissioner.

So far for 2017, individuals reporting identity theft have declined sharply compared to the same time in 2016 and 2015. In the first five months of 2017, about 107,000 taxpayers reported being victims of identity theft, compared to the same period in 2016, when 204,000 filed victim reports. That’s about 97,000 fewer victims – representing a drop of 47 percent.  For comparison, there were nearly 297,000 identity theft victims during the first five months of 2015.

The decline is part of an ongoing trend that began in 2016 as Security Summit safeguards were put in place.

However, the IRS also saw an increase in identity theft involving business-related tax returns. So far for 2017, the IRS has identified approximately 10,000 business returns as potential identity theft through June 1, compared to about 4,000 for calendar year 2016 and 350 for calendar year 2015. While the number of businesses affected was relatively low, the potential dollar amounts were significant: $137 million for 2017, $268 million for 2016 and $122 million for 2015.

The affected returns included corporate returns (Forms 1120 and 1120S) and estate and trust returns (Form 1041). There also was an increase in identity theft related to the Schedule K-1 filings made by partnerships. Tax preparers will see new trusted customer questions on these types of returns. (See FS 2017-10, Information about Identity Theft Involving Businesses, Partnerships and Estates and Trusts.)

Cybercriminals are showing increasing savvy and tax expertise as they use stolen data, sometimes from tax practitioners, to file these business, partnership and trust returns for refunds. Or, they post the stolen data for resale on the Dark Net so that other criminals can file fraudulent tax returns.

“It’s especially difficult to identify any tax return as fraudulent when criminals are using information stolen from tax preparers,” Koskinen said. “The stolen data allows criminals to better impersonate the legitimate taxpayers.”

Many tax professionals take appropriate security measures, but problems persist. For the first five months of 2017, there were 177 reported data breaches at tax preparers’ offices. The IRS continues to receive reports of three to five data breaches each week.

“We need help from the tax community to combat cybercriminals and raise security awareness,” Koskinen said. “That’s why we launched a campaign this summer aimed at tax professionals called Don’t Take the Bait. We want all tax professionals to be aware of the threats and to take the necessary security steps to protect their clients’ most sensitive information. A lot of tax professionals think a data breach can’t happen to them. Unfortunately, we see new victims every week.”

Protecting Your Clients and Your Business from Business-related Identity Theft

During the 2017 filing season, the tax software industry began sharing data elements from tax returns with the IRS and states to help identity suspected identity theft business returns. For 2018, the number of elements shared from tax returns will increase to better help identify those suspect returns.

Also for 2018, the IRS will be asking tax professionals to gather more information on their business clients. All of the data being collected assists the IRS in authenticating that the tax return being submitted is the legitimate return filing and not an identity theft return. Some of the new information people may be asked to provide when filing their business, trust or estate client returns include:

• The name and Social Security number of the company individual authorized to sign the business return. Is the person signing the return authorized to do so?
• Payment history – Were estimated tax payments made? If yes, when were they made, how were they made, and how much was paid?
• Parent company information – Is there a parent company? If yes who?
• Additional information based on deductions claimed.
• Filing history – Has the business filed Form(s) 940, 941 or other business related tax forms?

Tax professionals also should beware of any potential business clients claiming they do not currently have an Employer Identification Number.

Tax professionals – like the IRS and state tax agencies - must protect their data and systems against sophisticated, well-funded and technologically adept criminal syndicates around the world. The 10-week Don’t Take the Bait campaign will focus on the steps practitioners can take to protect themselves from phishing attacks, ransomware and remote takeovers.

The Security Summit urges all tax professionals to take these simple steps:

• Educate all employees about the dangers of phishing emails posing as familiar businesses, organizations or colleagues.
• Use the best security software to guard against malware, phishing sites and viruses; set it to update automatically.
• Use strong, unique passwords for all accounts and change them frequently; use a password manager if necessary. Better yet, use two-factor authentication whenever possible.
• Encrypt all sensitive data and routinely back it up to an external disk.
• Review Publication 4557, Safeguarding Taxpayer Data, to create a security plan.

The “Don’t Take the Bait” campaign will focus on more extensive steps tax professionals can take to protect their clients and their business. See more at www.irs.gov/protectyourclients.