Employers have been generating IRS-mandated W2s and 1099s for their workforce in earnest throughout the month of January. Midmonth, the IRS began accepting individual taxpayer filings, and the miscreants engaged in tax refund fraud and identity theft left their starting gates.

None of that is news; the IRS mandates companies provide the necessary data for taxpayers to file their income tax and pay their fair share. The IRS also knows modern cybercriminals have tooled up their own processes to position themselves ahead of you in filing your tax return — a process that could place a tax refund from the IRS into an account controlled by the criminal entity.

To thwart these well-tooled and ill-intentioned individuals and organizations, the IRS has created a number of advisories for the public as well as for businesses of all sizes. The results of this IRS Security Summit Initiative include several guides filled with information and recommendations involving fraud prevention.

How Is Tax Refund Fraud Possible?

A recent USA TODAY article detailed how taxpayer data is siloed across government agencies. For example, the Social Security Administration (SSA) requires employers to file W2s by the end of February for paper submissions and March for electronic submissions. This data is shared with the IRS in July, thus creating a window of opportunity for those with an eye toward tax refund fraud.

The only items required to file the fraudulent tax refund claim are a taxpayer’s identifying data (name, date of birth, Social Security number, etc.). The criminal then files a false claim based on fraudulent W2s, knowing that it could be as late as July before the IRS reconciles the legitimate W2s with the filing. The individual taxpayer is then caught in the switches when he or she files the true return, only to find out a tax refund has already been issued.

The USA TODAY piece noted, “If you are the victim of income tax identity theft, it still takes an average of 278 days to resolve your claim and get your refund, although the IRS routinely tells taxpayers that they can expect their claims to be resolved within a still-too-long 180 days.”

To its credit, the IRS is aware of the situation and is working to break down the silos that enable this process. The vulnerability is being closed: In January 2017, the SSA will require data be filed by Jan. 31 and will strive to process all filings within 21 days.

What Steps Should Businesses Take to Combat Tax Refund Fraud?

The publication “Safeguarding Taxpayer Data: A Guide for Your Business” is full of common sense as well as sound information security advice for every business. The guide is designed to protect the privacy of the taxpayer’s data, protect the integrity of this data, prevent improper use or modification of information and ensure its availability.

The commonsense advice includes recommendations on security controls that every company should be using to protect sensitive data, including employee information that the IRS defines as taxpayer data. These tips include:

  • Lock doors to restrict access to paper or electronic files;
  • Require passwords and access controls for all computer files;
  • Encrypt electronic data;
  • Ensure disaster recovery includes backup of sensitive data;
  • Schedule comprehensive destruction of electronic and paper data; and
  • Encrypt emails when the content includes sensitive data.

Then the publication lists seven useful checklists that can be used to determine the most effective activities and practices for safeguarding data. The IRS titled these checklists:

  1. Administrative Activities;
  2. Facilities Security;
  3. Personnel Security;
  4. Information Systems Security;
  5. Computer Systems Security;
  6. Media Security; and
  7. Certifying Information Systems for Use.

Furthermore, the publication pointed all companies that engage in e-filing of tax returns to information on safeguarding e-files from fraud. On that page, the IRS lists the following six individual security steps, all of which became mandatory in 2010:

  1. Have an extended validation SSL certificate;
  2. Conduct an external vulnerability scan;
  3. Implement information privacy and safeguard policies;
  4. Protect against bulk filing of fraudulent income tax returns;
  5. Register a public domain name; and
  6. Report security incidents.

What Steps Can the Individual Take?

If you know that your Social Security number has previously been compromised, then you are a potential target for income tax refund fraud. “You can only become a victim of income tax identity theft if the criminal files an income tax return using your Social Security number before you do, so the best way to prevent that is to file your income tax return as early as possible,” the USA TODAY article noted.

The individual employee/taxpayer is admonished in the publication “Security Awareness for Taxpayers.” To keep your computer and the information it stores secure, remain vigilant regarding phishing and malware infection attempts and protect all personal information. In many instances, you’ll have to ward off threats before they get too close to your information in order to protect yourself and your tax filings.
