Protecting Your Small Business From Cyber Scams This Tax Season
Frederick Scholl, Ph.D., Cybersecurity Program Director, Quinnipiac University
March 24, 2019
As tax deadlines approach for corporations and individuals, cyber criminals are stepping up their activities, always looking for new scamming opportunities. Increasingly, small businesses are in their crosshairs. Studies show that, overall, 62% of cybercrime targets were small and medium-sized enterprises. Seeing this trend, in 2018, Congress passed the “Small Business Cybersecurity Act” to encourage the development of standards for small businesses. More bipartisan legislation to protect small business is being proposed in the 116th Congress.
With more than $2 trillion in individual and corporate taxes flowing into the treasury by April 15, it is no wonder hackers are searching for victims. As Willie Sutton remarked, “I rob banks because that’s where the money is.” Cybercrime today includes both cyber-enabled crimes and cyber-dependent crimes. Small and medium-sized businesses face threats similar to those faced by large businesses. Technology is now embedded in everything we do, including tax preparation and filing.
Cybercriminals who can siphon off only a small percentage of your money for themselves can calmly vacation in Micronesia or the Maldives for the rest of the year. If you are running a small or medium business, what should you and your business be concerned with this tax season? And what steps should you take to help minimize the chance of becoming a victim?
The 2018 IRS Criminal Investigation Report provides answers regarding the most common tax schemes in use. These are:
- Tax refund fraud, based on identity theft of a taxpayer identification number (TIN), either an SSN or an EIN
- Internal embezzlement of funds targeted for tax payments
- Tax preparer vulnerabilities and fraud
- Blended schemes using more than one of the above
Not included in the above Report are security issues within the IRS itself. While the basic www.irs.gov site now gets an A+ security rating, internal government audits report that 74% of Federal agencies have cybersecurity programs at risk or high risk.
Tax refund fraud is the most common attack. It is based on identity theft of the business EIN and/or executives’ SSNs. In 2013, an internal IRS audit estimated that up to $11.4B in fake refunds might be issued between 2013 and 2018 because of stolen or fake EINs. Most tax fraudsters are not directly involved in identity theft. Instead they purchase stolen IDs online and then use them to file fraudulent returns. They may use false passports to set up the bank accounts needed to launder the money out of the US. Fake IDs sell for $75-$10,000 depending on the exact type of ID. But this may be a good investment for the criminal if a large fake refund can be obtained with no further work.
Tax refund fraud is not limited to small time criminal operations. Cybercrime has evolved from individual hackers to international organized gangs. Some of these gangs receive funding from nation states as well. Disrupting the tax collection process certainly is in keeping with the goals of such states.
Embezzlement is another tax-related, cyber-enabled crime. While businesses may not want to think this can happen to them, it does, and cyber technology makes it harder to see what is going on. Electronic funds transfer is the means used in many reported cases. Such cases may involve the business itself if income or costs are falsely reported.
Many small businesses use an accountant or other tax preparer to file their returns. Not surprisingly, tax preparers are targets for cyber criminals. A New Jersey-based firm was attacked last year and ended up with a keystroke logger on its own PCs. The result was that fraudsters filed returns early, and the refund requests subsequently filed by the real businesses and individuals were rejected.
Cyber technology also enables fraudulent activity by tax preparers. Reviewing last year’s IRS criminal cases demonstrates that businesses must be vigilant in reviewing returns, even those prepared by established tax preparation services. In these schemes, tax refunds are inflated, for example by adding business losses, and the refund from the IRS goes electronically to an intermediary firm that is part of the scheme. To stay clear of this type of scam, you must carefully validate your business’s returns before authorizing any IRS filing.
Blended schemes rely on the creativity of the cybercriminal and on technologies such as voicemail, fax, text and email phishing. In another scam reported last year, hackers first compromised the tax preparer’s confidential data. Then a fake return was filed on behalf of clients. After the refund was deposited into client bank accounts, the hackers called the clients posing as a collection agency, stating that a refund had been erroneously issued and that the money should be returned to avoid criminal liability. We can expect more novel schemes this year. “Trust but verify” is the only way to anticipate these risks.
What concrete steps can small business owners take? For this tax season, filing as soon as possible, employee awareness and monitoring financial accounts are the best defenses until April 15. A good resource for business owners is the NIST Small Business Cybersecurity Corner.
The most effective time to start upgrading your business’s cyber defense is now. Returning to NIST: the government issued the report “Small Business Information Security” in November 2016. It should be read by your COO, compliance officer and chief technology officer (or technology outsourcer). The main defensive steps it outlines are:
- List all the information types your business has. What would be the cost to your business if you lost your EIN or employee W-2s? Count the time and money spent cleaning up the mess.
- Identify the technology and people that handle the information you identified in #1.
- Identify the threats, vulnerabilities and likelihood of information theft or corruption.
- List your planned mitigations to #3.
April 15 is a great time to make steps 1-4 an annual process. In the meantime, what are the best-practice, low-cost technical steps you can take for better cyber hygiene?
- Get a good password manager so you can use hard-to-guess passwords. The latest NIST guidance does not recommend changing them regularly; just make sure you pick hard-to-guess passwords in the first place.
- Never reuse passwords on more than one site.
- Make sure all your business services require you (and other customers) to use two-factor authentication (2FA).
- Make sure you do not operate with the built-in Administrator accounts that come with PCs. Create a standard user account for everyday use.
- If you store sensitive financial data in the cloud, make sure only your business has the password to decrypt that information.
Success in cybersecurity is defined by knowing your risks, undertaking appropriate mitigations and tracking continuous improvement. It’s basically the same process you used to build your business in the first place.