How to Prevent a Breach During Tax Season

Surely it can’t be time to think about tax season; we haven’t even made it to Thanksgiving. If you think that’s accurate, you’d be mistaken. While it is only November, thinking about the upcoming tax season, and how to prepare your business, is wise. This is particularly important for small to medium-sized businesses, as they become a bigger target during this period.

Cyber-security should always be a priority and concern for businesses, but there are some specific risks surrounding tax season that should have organizations concerned. During tax season, scammers and hackers work overtime, trying to obtain employees’ W-2 forms to steal their personal information and identities. They will then either use that information themselves or sell it on the Dark Web. This is typically done via an email scam. The scammer will send fake emails that appear to be from the Internal Revenue Service (IRS) to a member of payroll or human resources. Managers and other employees are targets too, just not as often. These requests look legitimate if not properly scrutinized.

Tips for Prevention

What should your organization do to mitigate the increased risk of becoming a victim of a scam, ransomware, or hack during tax season?

  1. Train your employees. This one is the most important. In this specific scam/hack, the information is typically exposed via email. This means that an employee either clicks on a link that infiltrates your system, or that an employee emails personal information to an unknown sender. Make doubly sure that any staff members with access to the personal information of employees are spoken to directly. Your full staff should have a wealth of knowledge on data breaches and your disaster recovery plan.
  2. Employ content scanning and filters. A scanner or filter on your mail servers can check for known threats within inbound emails and block any attachment that could be dangerous.
  3. Alert staff. When you hear of a scam making its rounds, alert your team so that they remain vigilant. The IRS will announce when they hear of a scam, so make sure to pay attention to their website.
  4. Get a cloud provider to manage your disaster recovery. While this won’t help if someone steals personal information, it will help if a hacker uses this as an “in” to unleash ransomware on your business. Rather than paying the ransom, your provider will restore your data.
  5. Have cyber-insurance. These policies generally cover your business’ liability for breaches involving customer information such as Social Security, credit card, driver’s license numbers, and health information.

Additionally, it is important to remember that the IRS won’t email you. They also won’t initiate contact with you in any way other than a letter delivered by USPS.
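
An added example, not part of the original post: a Python triage function for the content filter in tip 2 that flags the W-2 scam described above, relying on the fact that the IRS does not initiate contact by email. The domain `acme.example`, the sample messages, the attachment extension list and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

W2_PATTERN = re.compile(r"\bw-?2s?\b", re.IGNORECASE)
IRS_PATTERN = re.compile(r"\b(irs|internal revenue service)\b", re.IGNORECASE)
# Assumed attachment blocklist; adjust to your own mail policy.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".iso", ".docm", ".xlsm")

# Constructed sample messages (not real traffic).
SAMPLE_SCAM = """\
From: "Internal Revenue Service" <notice@irs-refunds.example>
Reply-To: collect@mailbox.example
Subject: W-2 verification

Send the W2 forms for all staff today.
"""
SAMPLE_INTERNAL = """\
From: Dana <dana@acme.example>
Subject: W-2 mailing schedule

Forms go out by USPS in January.
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw_message, org_domain):
    """Return the reasons an inbound message should be quarantined."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject']}\n{body.get_content() if body else ''}"
    reasons = []
    if sender != org_domain:
        if IRS_PATTERN.search(str(msg["From"])):
            reasons.append("external sender claims to be the IRS")
        if W2_PATTERN.search(text):
            reasons.append("external sender mentions W-2 data")
    if reply_to and reply_to != sender:
        reasons.append("Reply-To domain differs from From domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment: {name}")
    return reasons
```

Header domains are trivially forged, so a production filter should also act on SPF, DKIM and DMARC results rather than on the From header alone.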

If the Worst Happens, What Do You Do?

According to the IRS, if you find yourself in this terrible situation, here are the steps you should take.

Report the data loss to the IRS:

  • Email to notify the IRS of a W-2 data loss and provide your contact information listed below. In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information (PII) data.
    • Business name
    • Business employer identification number (EIN) associated with the data loss
    • Contact name
    • Contact phone number
    • Summary of how the data loss occurred
    • Volume of employees impacted

Report the data loss to state tax agencies:

  • Email the Federation of Tax Administrators at to get information on how to report victim information to the states.

Report the loss to law enforcement officials:

Tell your employees:

  1. Review Taxpayer Guide to Identity Theft  
  2. Share IRS Publication 5027, Identity Theft Information for Taxpayers, with employees and direct them to the “Steps for Identity Theft Victims” which includes:
    • Contacting one of the three credit bureaus to place a “fraud alert” on their account.
    • Filing a complaint with the Federal Trade Commission.
    • Reviewing FTC information for additional steps to recover from identity theft.
  3. The FTC also offers guidance to businesses on how to inform employees of the incident and additional steps businesses may take. See Data Breach Response: A Guide for Business.

With the holidays upon us and tax season right behind, now is the time to review your disaster recovery and cyber-security plans. If you feel that your business is under-prepared, or you’d like a trusted advisor to review your plan, DSM is here for you. As Florida’s predictable cloud provider, we are fully staffed with IT experts who will help your business prepare for any scenario. So, when you’re ready, give us a call.

