Secure your Tax Returns Against Identity Theft

45% of taxpayers do not securely store tax documents — Shred-it’s 2019 Tax Season and Fraud Prevention Report

It’s tax season—again. Benjamin Franklin once used the phrase, “In this world, nothing can be said to be certain, except death and taxes.” While a tad fatalistic, as a small to mid-sized business owner—or even an individual citizen, you can probably relate to this phrase a bit more than you’re comfortable with this time of year. While some of you brave souls forge ahead on your own using software such as TurboTax or H&R Block, many prefer to err on the side of caution and hire a professional take over the tedious and often stressful chore that we all know as simply “taxes”.

So, you start compiling your documents –in a folder, in a pile on the credenza, in the junk drawer—maybe you scan them onto your network/cloud and shred the originals when you’re done because you’ve fully embraced your “digital transformation” and religiously (or at least frequently) ensure all your documents are saved to the cloud. Maybe you send that pile of papers to your tax preparer and they do the same (scan and shred), as they too are an SMB, trying to streamline their workflows and cut down on the insane amount of paper generated during tax season (trust me; I worked in a CPA’s office one tax season back in the 90’s—I was simply blown away by the amount of paper used!).

As SMBs, both you and your tax preparer’s decision to “go digital” coupled with the lack of checks and balances within small to mid-sized organizations, due mostly to fewer available IT resources, is one of the main reasons we’re seeing so many of these businesses being targeted for cybercrimes. In 2018, tax professionals reported between five and seven data thefts per week. The databases/networks of tax preparers are a veritable gold mine of tax information, making them a target for scammers, cybercriminals, and identity thieves this tax season.

“As the IRS, the states and the tax industry improve our defenses against tax-related identity theft, cybercriminals are looking for better data sources to fill out fraudulent tax returns,” said IRS Commissioner Chuck Rettig. “Tax professionals are a critical line of defense, and we urge them to protect their data, their systems and their clients.”

How can you help ensure that you’re keeping yourself—and your data—relatively safe from the myriad of dangers lurking around every corner this tax season? First, it’s important to note that tax preparers are required to create and implement a security plan to protect their clients’ data as well as their computer network from threats; this is true for sole practitioners as well as firms of all sizes.

The National Cyber Security Alliance (NCSA) has invaluable tips and advice for SMBs of varying industries. Taking simple, actionable steps can go a long way in helping to protect a company’s data and the personal information of your employees and customers during a period of high online traffic. Below, I’ll share with you some of their most important recommendations.

If you’re filing your taxes yourself (and, seriously, kudos to you!), make sure you have the most up-to-date software on all devices that connect to the internet—from security software to operating systems and mobile device firmware—everything should be completely updated. Even if Gladys—the 86-year old woman who is a godsend to your office—who only uses her computer to play solitaire and send the occasional email about apparently being the only one who knows how to make coffee, has a computer connected to the internet and therefore, you need to ensure that everything is kept as up-to-date on her PC as the rest of firm.

All those papers we talked about earlier? Now is the perfect time to identify and document what data you collect, create, store, transmit, etc. Keep careful control of the data you choose to keep and create a regular cadence for you to safely dispose of outdated or unnecessary information; stale data is a huge potential security risk.

According to the IRS, you should keep records for a minimum of 3 years from the date you filed your original return, though most experts would advise at least twice that long.

While you’re auditing all this data, it would also be a good time to assess the security of your data storage overall. Are you encrypting your data to keep it safe? The most advanced encryption security standard to date is 256-bit AES encryption, which is the standard used by GhostVolt—and ideally, your organization protects data both during transit and while at rest. This means that even if your network is compromised, your encrypted data is useless to would-be cyber bad guys.

Malicious emails are frequently the proverbial open basement window cybercriminals use to gain access to your business information, and as mentioned previously, tax season is prime-time for scammers to step up their devious attempts at finding that basement window. If an email looks even remotely suspicious — even if you know the source — it’s best to delete it immediately without opening any attachments or clicking on any links. If you don’t want to risk getting rid of an important email, verify the legitimacy of the sketchy send via a different method of communication like a quick call, text or carrier pigeon. Also, make sure all your employees—even Gladys—know what to look for in a suspicious email.

Lastly, make sure your data is locked down; use the strongest authentication tools available—think biometrics, security keys, etc., and make sure that all employee passwords are strong. Strong passwords are generally a minimum of 10-12 characters and include a mixture of upper and lowercase letters and symbols. And remind employees that keeping those super-sensitive passwords on a post-it note in their top drawer probably isn’t what you’re going for when it comes to security protocols.

Benjamin Franklin may have been right about death and taxes, but there’s one more thing that you can count on, particularly when it comes to keeping both your company’s, your employees’, and your customers’ data secure: better safe than sorry!