Employers have been generating IRS-mandated W2s and 1099s for their workforce in earnest throughout the month of January. Midmonth, the IRS began accepting individual taxpayer filings, and the miscreants engaged in tax refund fraud and identity theft left their starting gates.

None of that is news; the IRS mandates companies provide the necessary data for taxpayers to file their income tax and pay their fair share. The IRS also knows modern cybercriminals have tooled up their own processes to position themselves ahead of you in filing your tax return — a process that could place a tax refund from the IRS into an account controlled by the criminal entity.

To thwart these well-tooled and ill-intentioned individuals and organizations, the IRS has created a number of advisories for the public as well as for businesses of all sizes. The results of this IRS Security Summit Initiative include several guides filled with information and recommendations involving fraud prevention.

How Is Tax Refund Fraud Possible?

A recent USA TODAY article detailed how taxpayer data is siloed across government agencies. For example, the Social Security Administration (SSA) requires employers to file W2s by the end of February for paper submissions and March for electronic submissions. This data is shared with the IRS in July, thus creating a window of opportunity for those with an eye toward tax refund fraud.

The only items required to file the fraudulent tax refund claim is a taxpayer’s identifying data (name, date of birth, Social Security number, etc.). The criminal then files a false claim based on fraudulent W2s, knowing that it could be as late as July before the IRS reconciles the legitimate W2s with the filing. The individual taxpayer is then caught in the switches when he or she files the true return, only to find out a tax refund has already been issued.

The USA TODAY piece noted, “If you are the victim of income tax identity theft, it still takes an average of 278 days to resolve your claim and get your refund, although the IRS routinely tells taxpayers that they can expect their claims to be resolved within a still-too-long 180 days.”

To its credit, the IRS is aware of the situation and is working to break down the silos that enable this process. The vulnerability is being closed: In January 2017, the SSA will require data be filed by Jan. 31 and will strive to process all filings within 21 days.

What Steps Should Businesses Take to Combat Tax Refund Fraud?

The publication “Safeguarding Taxpayer Data: A Guide for Your Business” is full of common sense as well as sound information security advice for every business. The guide is designed to protect the privacy of the taxpayer’s data, protect the integrity of this data, prevent improper use or modification of information and ensure its availability.

The commonsense advice includes recommendations on security controls that every company should be using to protect sensitive data, including employee information that the IRS defines as taxpayer data. These tips include:

  • Lock doors to restrict access to paper or electronic files;
  • Require passwords and access controls for all computer files;
  • Encrypt electronic data;
  • Ensure disaster recovery includes backup of sensitive data;
  • Schedule comprehensive destruction of electronic and paper data; and
  • Encrypt emails when the content includes sensitive data.

Then the publication lists seven useful checklists that can be used to determine the most effective activities and practices for safeguarding data. The IRS titled these checklists:

  1. Administrative Activities;
  2. Facilities Security;
  3. Personnel Security;
  4. Information Systems Security;
  5. Computer Systems Security;
  6. Media Security; and
  7. Certifying Information Systems for Use.

Furthermore, the publication pointed all companies that engage in e-filing of tax returns to information on safeguarding e-files from fraud. On that page, the IRS mandated the following six individual security steps, all of which became mandatory in 2010:

  1. Have an extended validation SSL certificate;
  2. Conduct an external vulnerability scan;
  3. Implement information privacy and safeguard policies;
  4. Protect against bulk filing of fraudulent income tax returns;
  5. Register a public domain name; and
  6. Report security incidents.

What Steps Can the Individual Take?

If you know that your Social Security number has previously been compromised, then you are a potential target for income tax refund fraud. “You can only become a victim of income tax identity theft if the criminal files an income tax return using your Social Security number before you do, so the best way to prevent that is to file your income tax return as early as possible,” the USA TODAY article noted.

The individual employee/taxpayer is admonished in the publication “Security Awareness for Taxpayers.” To keep your computer and the information it stores secure, remain vigilant regarding phishing and malware infection attempts and protect all personal information. There are many instances where you’ll have to ward off threats before they get too close to your information to protect yourself and your tax filings.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today