Cyber thieves make millions every year by stealing identities — and businesses aren’t immune from the crime.
As government agencies and private companies continue developing new firewalls, codes and methods to prevent theft, high-tech criminals respond by ramping up their tactics to breach network security.
Brian Wozniak, senior tax specialist for the IRS, and Chuck Harwood, northwest regional director of the Federal Trade Commission, recently conducted a webinar about cyber criminals who target businesses and individuals.
“Most of the time, people think of personal identity theft, but businesses are often victims, and they often have their identities stolen,” Wozniak said. “These perpetrators are seeking the customer and employee information. Tax-related identity theft happens when someone tries to use the identity of the business. The thieves are a savvy group. They’re early adapters to technology.”
Business identity theft is an emerging issue because it is more difficult to detect initially, he said.
Cyber criminals can use Employer Identification Numbers to file fraudulent tax returns. EINs are unique identification numbers assigned to businesses and are easily accessible to the public.
“Usually, the business is not aware their EIN is being used,” Wozniak said. “Keep your eye out for notices that may indicate something suspicious is going on.”
If a business receives an IRS notice about an employee who has never been on the payroll or a notice referring to a defunct business, the business might be a victim of identity theft, Wozniak said. Another red flag is if the business receives an IRS notice that its tax return is an amended return when the business filed only one.
“That’s more difficult for the IRS … the thief provides a mask of authenticity on the fraudulent 1040,” Wozniak said.
Thieves will also file change-of-address forms with the IRS in an effort to eventually obtain personal data. Businesses need to be wary when they haven’t moved but receive an IRS notice attempting to verify the business has changed locations.
Because the Internet serves as the doorway for cyber thieves, sensitive business information should be stored on computers and devices offline.
“Keeping your library of sensitive data internal and storing it in a fashion that does not give a doorway to hackers can prevent a lot of breaches,” Wozniak said.
When business information must be transmitted electronically, the computer should be connected to the Internet only as long as it takes to transmit the data, he said.
Wozniak recommended business owners use IRS form 4557 as a guide to prepare two plans — a security plan and an action plan — should the business experience a data compromise. Called Safeguarding Taxpayer Data, the form is specifically for tax preparers, but businesses might also find it helpful.
“It’s a checklist that all businesses can use to protect data. It’s a short, but very valuable tool,” Wozniak said.
The checklist identifies areas businesses should review at least once a year, he said. They include:
• Provide physical security for paper data from photocopies, mailboxes, vehicles, trash and digital data from business and personal computers.
• Lock doors to file and computer rooms.
• Provide secure areas to compile data to be destroyed.
• Create rules of behavior for employees, conduct background checks, exit interviews and have the employees sign nondisclosure agreements.
When businesses experience a theft of personal information or its intellectual property, owners should notify local law enforcement, the FTC, the IRS, customers, business partners and their attorneys, Harwood said. The FTC has specific notification requirements for businesses.
To protect their credit, businesses breached should also inform Dun & Bradstreet. Individuals should contact credit bureaus Equifax, Experian and TransUnion and possibly freeze their credit information, he said.
“The credit freeze is a great tool. You can lock down all your information so no one can use it,” Wozniak said. He also suggested completing the IRS form 14039, the identity theft affidavit.
“If you find your information is being compromised, write down everything — interview your employees, get all information, notify staff of your internal policy. If you don’t have a policy, write one,” he said.
If the business cannot pinpoint the origin of data breaches, they should take everything offline, Wozniak said. After a breach of client data, one tax preparer eliminated Wi-Fi, switched to more complex passwords, strengthened its firewall and moved all sensitive data offline.
Helpful business tools