Employers have been generating IRS-mandated W2s and 1099s for their workforce in earnest throughout the month of January. Midmonth, the IRS began accepting individual taxpayer filings, and the miscreants engaged in tax refund fraud and identity theft left their starting gates.

None of that is news; the IRS mandates companies provide the necessary data for taxpayers to file their income tax and pay their fair share. The IRS also knows modern cybercriminals have tooled up their own processes to position themselves ahead of you in filing your tax return — a process that could place a tax refund from the IRS into an account controlled by the criminal entity.

To thwart these well-tooled and ill-intentioned individuals and organizations, the IRS has created a number of advisories for the public as well as for businesses of all sizes. The results of this IRS Security Summit Initiative include several guides filled with information and recommendations involving fraud prevention.

How Is Tax Refund Fraud Possible?

A recent USA TODAY article detailed how taxpayer data is siloed across government agencies. For example, the Social Security Administration (SSA) requires employers to file W2s by the end of February for paper submissions and March for electronic submissions. This data is shared with the IRS in July, thus creating a window of opportunity for those with an eye toward tax refund fraud.

The only items required to file the fraudulent tax refund claim is a taxpayer’s identifying data (name, date of birth, Social Security number, etc.). The criminal then files a false claim based on fraudulent W2s, knowing that it could be as late as July before the IRS reconciles the legitimate W2s with the filing. The individual taxpayer is then caught in the switches when he or she files the true return, only to find out a tax refund has already been issued.

The USA TODAY piece noted, “If you are the victim of income tax identity theft, it still takes an average of 278 days to resolve your claim and get your refund, although the IRS routinely tells taxpayers that they can expect their claims to be resolved within a still-too-long 180 days.”

To its credit, the IRS is aware of the situation and is working to break down the silos that enable this process. The vulnerability is being closed: In January 2017, the SSA will require data be filed by Jan. 31 and will strive to process all filings within 21 days.

What Steps Should Businesses Take to Combat Tax Refund Fraud?

The publication “Safeguarding Taxpayer Data: A Guide for Your Business” is full of common sense as well as sound information security advice for every business. The guide is designed to protect the privacy of the taxpayer’s data, protect the integrity of this data, prevent improper use or modification of information and ensure its availability.

The commonsense advice includes recommendations on security controls that every company should be using to protect sensitive data, including employee information that the IRS defines as taxpayer data. These tips include:

  • Lock doors to restrict access to paper or electronic files;
  • Require passwords and access controls for all computer files;
  • Encrypt electronic data;
  • Ensure disaster recovery includes backup of sensitive data;
  • Schedule comprehensive destruction of electronic and paper data; and
  • Encrypt emails when the content includes sensitive data.

Then the publication lists seven useful checklists that can be used to determine the most effective activities and practices for safeguarding data. The IRS titled these checklists:

  1. Administrative Activities;
  2. Facilities Security;
  3. Personnel Security;
  4. Information Systems Security;
  5. Computer Systems Security;
  6. Media Security; and
  7. Certifying Information Systems for Use.

Furthermore, the publication pointed all companies that engage in e-filing of tax returns to information on safeguarding e-files from fraud. On that page, the IRS mandated the following six individual security steps, all of which became mandatory in 2010:

  1. Have an extended validation SSL certificate;
  2. Conduct an external vulnerability scan;
  3. Implement information privacy and safeguard policies;
  4. Protect against bulk filing of fraudulent income tax returns;
  5. Register a public domain name; and
  6. Report security incidents.

What Steps Can the Individual Take?

If you know that your Social Security number has previously been compromised, then you are a potential target for income tax refund fraud. “You can only become a victim of income tax identity theft if the criminal files an income tax return using your Social Security number before you do, so the best way to prevent that is to file your income tax return as early as possible,” the USA TODAY article noted.

The individual employee/taxpayer is admonished in the publication “Security Awareness for Taxpayers.” To keep your computer and the information it stores secure, remain vigilant regarding phishing and malware infection attempts and protect all personal information. There are many instances where you’ll have to ward off threats before they get too close to your information to protect yourself and your tax filings.

More from Data Protection

Data never dies: The immortal battle of data privacy

4 min read - More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile. Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere. When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights…

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution? Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task. In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each…

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

Cost of a data breach 2023: Pharmaceutical industry impacts

3 min read - Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023. The health industry’s place at the top spot of most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of…