Tax season brings a perfect storm of opportunity for cybercriminals targeting businesses. With sensitive financial data being processed and transmitted at high volumes, criminals know this is their chance to intercept valuable information or trick unsuspecting employees.
The IRS reports that business-related tax scams have increased by over 60% in recent years, with small to medium-sized businesses being particularly vulnerable. Unlike individual taxpayers, businesses offer criminals access to multiple employees’ personal information, larger potential refunds, and more complex financial structures that can mask fraudulent activity for longer periods.
Common Tax Scams Targeting Businesses
Cybercriminals have developed sophisticated schemes specifically designed to exploit businesses during tax season. Phone scams involving IRS impersonators have become increasingly convincing, with scammers using spoofed phone numbers that appear to come from official government agencies. These callers often target accounting departments, claiming urgent tax issues that require immediate attention.
Phishing campaigns have grown more sophisticated as well, with attackers creating emails that mimic tax software providers, accounting firms, or the IRS itself. These messages typically contain urgent requests for W-2 verification, tax payment information, or login credentials to financial portals.
Business identity theft has emerged as a particularly damaging threat, where criminals use stolen Employer Identification Numbers (EINs) to file fraudulent returns or open lines of credit. This form of theft can go undetected until a legitimate tax filing is rejected or unexpected tax notices arrive.
Payroll data theft represents another significant threat. Criminals specifically target HR and payroll staff with convincing requests for W-2 information, often appearing to come from executives within the company. This “W-2 phishing” can compromise the personal information of every employee in your organization.
Why Business Owners Are Valuable Targets
Business owners present high-value targets for several compelling reasons. First, they have access to comprehensive employee information including Social Security numbers, addresses, and salary details—a goldmine for identity thieves. Second, business tax returns typically involve larger sums than individual returns, making fraudulent refunds more lucrative.
Additionally, most businesses maintain multiple financial accounts and payment systems that criminals can exploit once they’ve gained a foothold. Perhaps most concerning is the potential for business identity theft, which allows criminals to conduct fraudulent activities under your company’s name for extended periods, potentially damaging your reputation and credit standing.
Essential Cybersecurity Measures for Tax Season
Protecting your business requires a proactive, multi-layered approach to security. Rather than scrambling to implement measures during tax season, the most effective strategy is developing year-round security practices that intensify during high-risk periods.
Creating a culture of security awareness across your organization is crucial. Every employee should understand they play a vital role in protecting company data, especially during tax season when scammers are most active.
File Early and Secure Your Business Returns
Filing business tax returns early represents one of the most effective preventative measures you can take. Early filing significantly reduces the window of opportunity for criminals to file fraudulent returns using your business information.
Organize your tax documentation efficiently by implementing a secure document management system that separates and protects sensitive information. When working with tax professionals, establish secure channels for sharing information from the outset, and verify their security protocols before sending sensitive data.
Consider applying for Identity Protection PINs (IP PINs) for business returns. The IRS has expanded this program, allowing businesses to add this extra layer of verification that prevents others from filing returns using your business identification numbers.
Implementing Multi-Factor Authentication
Multi-factor authentication (MFA) provides essential protection for business accounts by requiring additional verification beyond passwords. This simple but powerful security measure can prevent unauthorized access even if credentials are compromised.
Every account containing financial or tax information should have MFA enabled, including:
- Tax preparation software accounts
- IRS e-services accounts
- Banking and financial portals
- Email accounts used for financial communications
- Cloud storage containing tax documents
- Accounting software systems
Implementing MFA across your organization requires planning but delivers substantial security benefits. Designate an IT team member to oversee implementation, provide clear instructions for different devices, and offer support sessions for employees who need assistance.
Secure Document Handling and Storage
Creating a comprehensive document management system is crucial for tax season security. Implement encrypted storage for all digital tax documents, with access controls limiting document availability to only those employees who absolutely need it.
For physical documents, maintain locked filing systems with logged access and implement a clean desk policy requiring sensitive documents to be secured when not in use. Develop clear retention policies specifying how long different tax documents should be kept, based on both legal requirements and business needs.
When documents reach the end of their retention period, ensure proper destruction through cross-cut shredding for physical documents and secure deletion methods for digital files that overwrite data rather than simply deleting file references.
Protecting Your Business Identity
Business identity theft cases have increased 250% over the past five years, according to Federal Trade Commission data. This growing threat can have devastating consequences, including rejected tax returns, unexpected tax bills for fraudulent filings, damaged credit ratings, and compromised reputation with vendors and customers.
Warning signs that your business identity may be compromised include receiving tax notices for returns you didn’t file, being unable to file electronically due to duplicate returns, receiving tax transcripts you didn’t request, or discovering unexpected business credit accounts.
Securing Business Tax IDs and Credentials
Your Employer Identification Number (EIN) requires the same level of protection as personal Social Security numbers. Limit where this information appears on public-facing documents and implement strict access controls for documents containing this identifier.
Regularly monitor for unauthorized use of business credentials by reviewing business credit reports quarterly and setting up alerts for any new accounts or inquiries. Implement role-based access controls for sensitive information systems, ensuring employees can only access information necessary for their specific job functions.
Schedule regular security audits specifically focused on business credentials and tax information. These reviews should verify appropriate access levels, identify potential vulnerabilities, and ensure security measures remain effective against evolving threats.
Employee Training and Awareness
Employee education forms your first line of defense against tax scams. Create a specific tax season security policy that outlines heightened security measures during this vulnerable period. This policy should include verification procedures for any tax-related communications and clear reporting procedures for suspicious activities.
Conduct specialized training sessions before tax season that teach employees to recognize tax-related phishing attempts. Use examples of actual tax scam emails and walk through their red flags, including spoofed sender addresses, urgent language, unusual requests, and suspicious attachments.
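The red flags named above (spoofed sender addresses, urgent language, unusual requests, suspicious attachments) can also be checked mechanically when triaging messages that employees report. The Python below is an added example, not part of the original article; the organization domain, executive name, keyword lists, attachment extensions and both sample messages are constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Every name, domain and word list here is constructed for this example.
ORG_DOMAIN = "example-corp.test"
EXECUTIVES = {"dana reyes"}  # display names expected only on internal mail
URGENT = re.compile(r"\b(urgent|immediately|asap|right away)\b", re.I)
UNUSUAL = re.compile(r"\b(w-?2s?|ein|payroll|tax payment|password|login)\b", re.I)
RISKY_EXT = (".html", ".htm", ".iso", ".js", ".exe", ".docm", ".xlsm", ".zip")

def _name_and_domain(header):
    name, addr = parseaddr(str(header or ""))
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def red_flags(msg):
    """Return sorted red-flag labels for a message parsed with email.policy.default."""
    flags = set()
    name, from_dom = _name_and_domain(msg["From"])
    _, reply_dom = _name_and_domain(msg["Reply-To"])
    # Executive name on an outside address, or replies diverted to another domain.
    if (name in EXECUTIVES and from_dom != ORG_DOMAIN) or (reply_dom and reply_dom != from_dom):
        flags.add("spoofed_sender")
    text = str(msg["Subject"] or "")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXT):
            flags.add("suspicious_attachment")
        elif not filename and part.get_content_type() == "text/plain":
            text += "\n" + part.get_content()
    for label, pattern in (("urgent_language", URGENT), ("unusual_request", UNUSUAL)):
        if pattern.search(text):
            flags.add(label)
    return sorted(flags)

def build_sample(sender, subject, body, reply_to=None, attachment=None):
    """Build a constructed test message; nothing here is real mail."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"x", maintype="application", subtype="octet-stream", filename=attachment)
    return msg

PHISH = build_sample("Dana Reyes <dana.reyes@payroll-mail.test>", "URGENT: W-2 verification",
                     "Send all employee W-2s today.", "dana@inbox.test", "W2_form.html")
BENIGN = build_sample("Dana Reyes <dana.reyes@example-corp.test>", "Lunch on Friday",
                      "Team lunch is at noon.")
```

A message that raises any flag still goes through the out-of-band verification step; the labels only help prioritize what gets reviewed first.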
Establish a clear protocol for verifying any tax-related communications, especially those requesting sensitive information or payment. This should include out-of-band verification using known contact information rather than details provided in the suspicious communication.
Working Securely with Tax Professionals
Your tax preparation partners can represent either a security strength or a vulnerability. Thoroughly vetting potential tax services is essential before sharing sensitive business information. Watch for red flags such as preparers who refuse to sign returns, won’t provide their PTIN (Preparer Tax Identification Number), give vague answers about security practices, or use unsecured methods for document transfer.
Questions to Ask Your Tax Preparer
When evaluating tax professionals, ask direct questions about their security practices:
- What specific measures do you use to protect client data?
- How do you securely transmit and store tax documents?
- Who in your organization will have access to our information?
- What is your data backup strategy and retention policy?
- Do you maintain cyber insurance that covers data breaches?
- What security certifications or compliance standards does your firm maintain?
- How do you train your staff on information security?
- What is your protocol if a data breach occurs?
Their answers should demonstrate a comprehensive security approach including encryption, access controls, regular security training, and clear incident response procedures.
Secure Methods for Document Exchange
Never send sensitive tax documents as standard email attachments. Instead, use encrypted client portals provided by your tax preparer for document transmission. These systems should use strong encryption and require authentication to access documents.
If your tax professional doesn’t offer a secure portal, consider using encrypted file-sharing services with password protection and expiring access links. Implement verification procedures confirming document receipt through a separate communication channel from the one used to send documents.
When working collaboratively on tax preparation, use secure collaboration tools with appropriate access controls rather than sharing documents through unsecured channels or using public cloud storage without proper security measures.
Responding to Suspected Tax Fraud
Prompt action is essential if you suspect your business has been targeted by tax fraud. Key warning signs include receiving notices about tax returns you didn’t file, being unable to e-file because a return has already been submitted with your EIN, or employees reporting that returns were rejected due to duplicate Social Security number filings.
If you detect suspicious activity, immediately contact the IRS business identity theft department, file a report with the Federal Trade Commission, alert your financial institutions, and consider placing fraud alerts with major credit bureaus. Document every step of your response process, including dates, times, and names of individuals you speak with.
Reporting Procedures for Businesses
Businesses should report suspected tax fraud through specific channels designed for business victims. Contact the IRS Business Identity Theft department directly at their dedicated number (800-908-4490) and complete Form 14039-B (Business Identity Theft Affidavit).
Prepare comprehensive documentation including copies of fraudulent returns if available, previous legitimate returns, correspondence from the IRS, and any evidence of the suspected fraud. Be prepared to work with IRS criminal investigation units and potentially the FBI if the fraud is part of a larger criminal operation.
Contact your financial institutions immediately to secure accounts and implement enhanced monitoring. File reports with all three major credit bureaus and consider credit freezes for your business credit files to prevent additional fraudulent accounts from being opened.
Recovery Steps After Tax Fraud
Recovering from business tax fraud requires a systematic approach. First, request an Identity Protection PIN from the IRS for future filings. Work with the IRS to file correct returns and resolve any fraudulent tax liabilities assessed against your business.
Implement additional security measures including enhanced monitoring of all business accounts, more stringent authentication for financial transactions, and comprehensive review of access to sensitive systems. Consider engaging cybersecurity professionals to identify how the compromise occurred and remediate vulnerabilities.
Develop a communication plan for employees, vendors, clients, and stakeholders that provides appropriate information without creating additional security risks. Be particularly careful about sharing specific details that could be used in social engineering attacks.
Year-Round Tax Security Best Practices
Tax security shouldn’t be a seasonal concern. The most protected businesses integrate security measures into their regular operations year-round, intensifying certain practices during tax season. This approach builds security into your business DNA rather than treating it as an annual emergency response.
Creating a culture of security awareness requires ongoing education, clear policies, and visible leadership commitment. Regular reminders about security best practices, recognition for security-conscious behaviors, and integration of security considerations into business decisions all contribute to this culture.
Regular Security Assessments
Schedule comprehensive security assessments at least quarterly, with special attention to tax and financial systems. These reviews should evaluate both technical controls and procedural measures against recognized security frameworks such as the NIST Cybersecurity Framework or the CIS Controls.
Focus assessments on identifying vulnerabilities in systems containing tax information, including unauthorized access points, outdated software, and inadequate encryption. Document findings methodically and develop prioritized remediation plans with clear ownership and timelines.
Ensure your security measures evolve alongside emerging threats by subscribing to security bulletins from organizations like the IRS, US-CERT, and industry associations relevant to your business. Regularly update security controls based on these threat intelligence sources.
Developing a Business Continuity Plan
Create a specific tax fraud component within your broader business continuity plan. This should include detailed response procedures for different types of tax fraud, designated response team members with clearly defined responsibilities, and communication templates for various stakeholders.
Implement a comprehensive backup strategy for all critical business and tax documents, ensuring backups are encrypted, tested regularly, and stored securely with at least one copy off-site or in secure cloud storage. The 3-2-1 backup rule (three copies, two different media types, one off-site) provides an excellent foundation for this strategy.
Conduct annual tabletop exercises simulating tax fraud scenarios to test your response procedures. These exercises should involve all stakeholders who would participate in an actual incident, identifying gaps in your response plan before a real emergency occurs.
By implementing these comprehensive security measures, your business can navigate tax season with confidence, protecting both your financial assets and your reputation from increasingly sophisticated tax scams and fraud attempts. Remember that tax security is not a one-time effort but an ongoing commitment to protecting your business’s most sensitive information.