Small businesses are especially vulnerable to cyberattacks and should be on guard as thieves try to steal names and data, then use them to file bogus tax returns, the IRS and its partners warned.

More than 70% of cyberattacks target businesses with 100 or fewer employees.

These attacks often focus on information related to credit cards, the business identity, and employee identity, according to the Security Summit, a partnership involving the IRS, state tax agencies, and the tax industry.

The partnership warned businesses to “enact the strongest measures possible” to protect their data and systems.

“Businesses, just like individuals, can be victims of identity theft,” IRS Commissioner Charles Rettig said in a statement.

“Thieves may steal enough information to file a business tax return for a refund or use other scams with the company’s identity.”

Best Practices

Businesses should follow these best practices from the Federal Trade Commission:

  • Set your normal security software to update automatically
  • Backup important files
  • Require strong passwords for all devices
  • Encrypt devices
  • Use multi-factor authentication

Businesses should be especially aware of any COVID-19 or tax-related phishing emails that try to trick employees into opening embedded links or attachments that can give scammers access to sensitive information.

If you get an email scam, please forward it to the IRS.

The IRS said it will do its part, including Dec. 13, when it will begin masking sensitive information from business tax transcripts to help prevent thieves from getting their hands on identifiable information that would enable them to file fake business tax returns.

The agency said only financial entries will be fully visible and that all other information will be masked in some way, such as partial letters or numbers.

Identity Theft

The IRS also launched its Business Identity Theft Affidavit that will allow companies to report possible identity theft to the agency.

A business should file the affidavit if it receives a:

  • Rejection notice for an electronically filed return because a return is already on file for the same period
  • Notice about a tax return the business didn’t file
  • Notice about W-2 forms filed with the Social Security Administration that the business didn’t file
  • Notice of a balance due that is not owed

Filing the affidavit will enable the IRS to respond faster and work to resolve your issues. Businesses should not use the form if they have a data breach but see no tax-related impact.

W-2 Scams

Employers should remain alert to W-2 theft scams, including the most common in which a thief poses as a high-ranking company official who emails payroll employees, asking for a list of all employees and their W-2 forms.

Businesses often don’t know they’ve been scammed until a fraudulent tax return shows up in employees’ names.

More information and reporting procedures for victims of these scams are located in the agency’s Identity Theft Central.

The partnership also reminds businesses to keep their EIN application information current.

Changes of address or the responsible party should be reported promptly.

Any changes in the responsible party must be reported to the IRA within 60 days by law.

Current information helps the agency find a contact person in case of identity theft or other issues.