With W-2s in the mail and tax season approaching, the IRS recently released several bulletins about tax security awareness. These apply to multiple groups: taxpayers and tax preparers, individual consumers and business owners, state officials, and software providers.
Whether you’re ready to file your 2021 taxes now, or you’ll take full advantage of every day until April 18th, 2022, it’s the perfect time to brush up on the common digital scams that hackers try to execute this time of year. The goal is usually the same: to steal sensitive information or commit identity theft, which can lead to major financial gains.
Hackers act fast to try and pursue these gains, often filing fraudulent returns early in the tax season before legitimate taxpayers can do so themselves. The IRS typically anticipates a flood of early February filings of fake returns that nonetheless contain accurate taxpayer names, addresses, Social Security numbers, and even bank account information for the victims.
Some cybercriminals will then target those victims again by posing as debt collectors or the IRS claiming to reach out about refunds that had been sent in error. The victims often are asked to confirm their private information (like a Social Security number or employee identification number) and forward the money to another contact.
So What Can Tax Preparers and Payers Do to Stay Safe as Tax Season Approaches with Tax Day Just a Week Away?
CMIT Solutions recommends the following strategies, all of which should be backed by the support of a trusted IT provider who has experience working with the financial and tax industries:
1) Watch out for W-2 form theft schemes. Tax scams change as the season comes and goes, but early on in January and February, consumers and businesses remain alert to schemes that try to steal W-2 forms. In the most common version, a hacker poses as a company executive who emails payroll reporters or managers and asks for a list of employees and their W-2s. Businesses often don’t know they’ve been scammed in this fashion until an employee reports a fraudulent tax return has been filed. As more and more W-2s are delivered electronically, hackers can also try email schemes that ask for access or permission rights to digital forms. Use caution with any email like this; if you’re not sure about the legitimacy of communication, call a representative at your company to double-check.
2) Follow what the IRS calls its basic “Security Six” measures. Whether you’re a taxpayer or tax preparer, these should be standard on all systems:
- Antivirus and anti-spam software that is dynamic and automatically updated
- Multi-layered network security that includes smart firewalls
- Multi-factor authentication (MFA) to add an extra layer of protection to all online accounts
- Regular and remote data backup that preserves your company’s information
- End-to-end data encryption for all information at rest and in transit
- Virtual private networks (VPNs) that protect all remote workers
3) Add data recovery and security incident plans to your IT toolbox. If you work as a tax professional, you may be required to add extra layers to the security strategies outlined above—especially depending on the state in which you work and the industries whose business interests you represent. These include security incident and event management (SIEM) software, robust business recovery plans, and other accommodations. If a fraudulent tax return is filed in the name of one of your clients, you may have to proactively alert the IRS using Form 14039-B, Business Identity Theft Affidavit, as well.
4) Only use acceptable electronic signature options. Different tax preparers use different software for electronic filing, but the IRS has certain requirements for electronic signatures. Acceptable methods, according to the IRS, include:
- A typed name on a signature block
- A scanned or digitized image of a handwritten signature that’s attached to an electronic record
- A handwritten signature input onto an electronic signature pad
- A handwritten signature, mark or command input on a display screen with a stylus device or
- A signature created by third-party software
The IRS will accept images of signatures (scanned or photographed) including common file types supported by Microsoft 365 such as .tiff, .jpg, .jpeg, or .pdf. The IRS also allows taxpayers and representatives to use electronic or digital signatures on certain paper forms which they cannot file using IRS e-file. Be clear with your tax professional from the beginning about which file formats and software applications you’ll use.
5) Educate all employees about phishing scams as the tax filing deadline nears. This can take several forms. Ensure all employees use strong, unique passwords and multi-factor authentication (MFA). Never take an email from an unfamiliar source at face value; for example, if an email from “IRS e-Services” directs you to open a link or attachment, or includes a threat to close your account, think twice before you click or open. Type URLs manually into your browser before visiting sites you aren’t sure about, as many links will redirect to fake sites that try to steal usernames and passwords.
Tax professionals or taxpayers receiving fraudulent emails are encouraged to work with trusted IT partners and forward attempted phishing emails to phishing@irs.gov. Remember, the IRS does not send unsolicited emails — and your tax preparer shouldn’t either.
With tax season approaching and many filers just starting to get their W-2s, 1099s, and other forms in order, scam opportunities abound. Don’t get taken for a ride—be vigilant about protecting your information and avoid illicit tax-related activity.
Need help with cybersecurity, tax season software, or safe e-filing options? CMIT Solutions can help. Contact us today.