Employers have been generating IRS-mandated W2s and 1099s for their workforce in earnest throughout the month of January. Midmonth, the IRS began accepting individual taxpayer filings, and the miscreants engaged in tax refund fraud and identity theft left their starting gates.

None of that is news; the IRS mandates companies provide the necessary data for taxpayers to file their income tax and pay their fair share. The IRS also knows modern cybercriminals have tooled up their own processes to position themselves ahead of you in filing your tax return — a process that could place a tax refund from the IRS into an account controlled by the criminal entity.

To thwart these well-tooled and ill-intentioned individuals and organizations, the IRS has created a number of advisories for the public as well as for businesses of all sizes. The results of this IRS Security Summit Initiative include several guides filled with information and recommendations involving fraud prevention.

How Is Tax Refund Fraud Possible?

A recent USA TODAY article detailed how taxpayer data is siloed across government agencies. For example, the Social Security Administration (SSA) requires employers to file W2s by the end of February for paper submissions and March for electronic submissions. This data is shared with the IRS in July, thus creating a window of opportunity for those with an eye toward tax refund fraud.

The only items required to file the fraudulent tax refund claim is a taxpayer’s identifying data (name, date of birth, Social Security number, etc.). The criminal then files a false claim based on fraudulent W2s, knowing that it could be as late as July before the IRS reconciles the legitimate W2s with the filing. The individual taxpayer is then caught in the switches when he or she files the true return, only to find out a tax refund has already been issued.

The USA TODAY piece noted, “If you are the victim of income tax identity theft, it still takes an average of 278 days to resolve your claim and get your refund, although the IRS routinely tells taxpayers that they can expect their claims to be resolved within a still-too-long 180 days.”

To its credit, the IRS is aware of the situation and is working to break down the silos that enable this process. The vulnerability is being closed: In January 2017, the SSA will require data be filed by Jan. 31 and will strive to process all filings within 21 days.

What Steps Should Businesses Take to Combat Tax Refund Fraud?

The publication “Safeguarding Taxpayer Data: A Guide for Your Business” is full of common sense as well as sound information security advice for every business. The guide is designed to protect the privacy of the taxpayer’s data, protect the integrity of this data, prevent improper use or modification of information and ensure its availability.

The commonsense advice includes recommendations on security controls that every company should be using to protect sensitive data, including employee information that the IRS defines as taxpayer data. These tips include:

  • Lock doors to restrict access to paper or electronic files;
  • Require passwords and access controls for all computer files;
  • Encrypt electronic data;
  • Ensure disaster recovery includes backup of sensitive data;
  • Schedule comprehensive destruction of electronic and paper data; and
  • Encrypt emails when the content includes sensitive data.

Then the publication lists seven useful checklists that can be used to determine the most effective activities and practices for safeguarding data. The IRS titled these checklists:

  1. Administrative Activities;
  2. Facilities Security;
  3. Personnel Security;
  4. Information Systems Security;
  5. Computer Systems Security;
  6. Media Security; and
  7. Certifying Information Systems for Use.

Furthermore, the publication pointed all companies that engage in e-filing of tax returns to information on safeguarding e-files from fraud. On that page, the IRS mandated the following six individual security steps, all of which became mandatory in 2010:

  1. Have an extended validation SSL certificate;
  2. Conduct an external vulnerability scan;
  3. Implement information privacy and safeguard policies;
  4. Protect against bulk filing of fraudulent income tax returns;
  5. Register a public domain name; and
  6. Report security incidents.

What Steps Can the Individual Take?

If you know that your Social Security number has previously been compromised, then you are a potential target for income tax refund fraud. “You can only become a victim of income tax identity theft if the criminal files an income tax return using your Social Security number before you do, so the best way to prevent that is to file your income tax return as early as possible,” the USA TODAY article noted.

The individual employee/taxpayer is admonished in the publication “Security Awareness for Taxpayers.” To keep your computer and the information it stores secure, remain vigilant regarding phishing and malware infection attempts and protect all personal information. There are many instances where you’ll have to ward off threats before they get too close to your information to protect yourself and your tax filings.

More from Data Protection

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today