Identity theft—and developing ways to combat it—continues to be a serious issue for taxpayers and their advisors. Last summer, the IRS again teamed up with state tax agencies and the private-sector tax industry to develop the “Don’t Take the Bait” series as part of the group’s “Protect Your Clients, Protect Yourself” campaign. This partnership, known as the Security Summit, was formed in March 2015 to combat identity theft by implementing new safeguards and increasing awareness.
While this latest campaign primarily focuses on cybersecurity for tax professionals, the guidance provided in each alert can be used by business and individual taxpayers to fight back against cybercriminals.
Spear Phishing Can Leave You Susceptible to Identity Theft
Spear phishers pose as representatives of credible organizations and request sensitive information to steal their victims’ identities. These requests can come in the form of a seemingly harmless email from a trusted source and may direct the victim to access a malware-laden website, infecting the victim’s computer. Spear phishing is an especially disturbing form of cybercrime, as the information used by the criminal to bait the victim is personalized to look as legitimate as possible.
The most recent iteration of the Form W-2 scam is one example of spear phishing. In this case, the “trusted source” appears to be an executive of the victim’s organization requesting a list of all employees, including copies of their W-2s. Keep in mind this is just one example of spear phishing—a request for any kind of sensitive information should be thoroughly scrutinized before complying.
Tips for Guarding Against Cybercriminals
While the cybersecurity landscape is ever-changing, there are some steps you can take to provide a baseline of protection against the most common attacks:
- Educate yourself about the various methods cybercriminals use to obtain and misuse your sensitive data.
- Create hard-to-guess passwords and frequently update them, using a different password for each account.
- Be wary of messages containing threats or requests for information through any form of communication, electronic or otherwise. Follow up with the “source” using independently obtained contact information to verify the request’s legitimacy.
- Regularly update your computer security software and verify firewalls are functioning properly.
Additional IRS Safeguards Planned for 2018
During the 2017 filing season, the IRS required additional security information for business returns before processing. This was an attempt to help pre-identify returns involved in identity theft. For the 2018 filing season, the IRS will request even more information to help curtail the number of erroneously filed returns. Additional information may include:
- Name and Social Security number of the individual authorized to sign the return
- Estimated tax payment information, including dates and amounts paid
- Information regarding other business-related tax forms filed by the entity, e.g., Forms 940 and 941
For individual returns, there will be a new “verification code” box included on all official W-2 forms. The IRS estimates about 66 million W-2s will include a 16-character code, which will assist with authentication. Taxpayers with a W-2 containing a verification code are urged to enter it in their tax preparation software.
Equifax Security Breach
Unfortunately, even when proper security measures are taken, personal information can still fall into the wrong hands. The 2017 Equifax data breach is one example. The breach lasted from May through July and compromised the financial and personal identifying information of an estimated 145 million people. If you suspect you may have been personally affected by the breach, the Federal Trade Commission (FTC) recommends taking the following steps to help ward off potential misuse:
- Confirm whether your information was exposed in the breach by visiting Equifax’s website, selecting the “Am I Impacted?” tab and entering the requested information. Be sure you’re connected to a secure computer with an encrypted network before accessing the website.
- Sign up for a year of free credit monitoring services. Enrollment closes November 21, 2017, so prompt action is required. Enrollment in this free service doesn’t pre-empt consumers from taking legal action against Equifax, which was a concern when this service was initially offered.
- Check your credit report periodically. You can access your report from each of three credit reporting agencies (Equifax, Experian and TransUnion) once a year at no charge.
You also may consider placing a credit freeze or fraud alert on your files.
The FTC provides further information on how to protect yourself and your information after a data breach.
BKD is actively developing ways to help clients shore up their cybersecurity defenses. Our cybersecurity team can help you develop a plan to protect against unforeseen attacks or respond to a breach that has already occurred. Contact your trusted BKD advisor for more information.