Identity theft is a serious threat to business, partnership, estate and trust filers. Thieves may steal sensitive information to file a fraudulent tax return for a refund or to commit other crimes. All taxpayers must be alert and on guard at all times. It is important to take strong security measures to protect your business’ and your employees’ data.
Be alert to possible business identity theft if:
- You can’t e-file a return because one was already filed with the same EIN or SSN.
- You get a rejection notice for a routine extension to file request because a return with duplicate EIN or SSN is already on file.
- You receive an unexpected tax transcript or IRS notice that doesn’t match anything submitted.
- You receive a Letter 6042C or 5263C from the IRS.
- You don’t receive expected or routine correspondence from the IRS because the business address has been changed.
Take Basic Steps
Protect your business data with these basic steps:
- Install anti-malware/anti-virus security software with automatic updates enabled on all devices:
- Laptops, desktops, routers, tablets and phones
- Deploy firewall protections on your network
- Use responsible passwords with:
- At least eight characters (longer is better)
- Special and alphanumeric characters
- Passphrases instead of passwords
- Unique passwords for each account
- Protection on wireless devices
- A password manager
- Choose multi-factor authentication when available
- Encrypt sensitive files and emails with strong password protection.
- Back up sensitive data to a secure, external source not connected to your network.
- Destroy old computer hard drives and printers that contain sensitive data.
- Limit access to personal data only to individuals who need to know.
- Enter personal data only on secure sites with web addresses that begin with “https.”
Follow a Data Security Plan
Creating and maintaining a data security plan is key. If you can afford it, contact a cybersecurity consultant. If not, find help in IRS Publication 4557, Safeguarding Taxpayer DataPDF or in one of these guides:
- Start with Security: A Guide for Business from the Federal Trade Commission
- Small Business Information Security – The FundamentalsPDF from the National Institute of Standards and Technology
Educate Your Employees
You can help employees protect themselves and your business with information about data security.
Share the Taxpayer Guide to Identity Theft and Publication 4524, Security Awareness for TaxpayersPDF .
Provide employees with basic data security information and practices. For example:
- Beware of phishing emails, the most common tactic used to steal data
- Do not respond to suspicious or unknown emails.
- If the email is IRS-related, forward it to phishing@irs.gov.
- Never open or download attachments from unknown senders, even potential clients.
- Verify the email is authentic by calling them.
- Only email documents that are password-protected and encrypted.
- Use separate personal and business email accounts.
- Protect your email accounts with strong passwords and two-factor authentication, if available.
Keep EINs Current and Safe
It is important that all entities with an Employer Identification Number (EIN) keep the number safe and the application up-to-date with accurate responsible party and contact information. Update your EIN with Form 8822-BPDF .
How The IRS Protects Business Filers
The IRS, state tax agencies and the tax industry work in coordination as the Security Summit to protect taxpayer data. Their program includes safeguards that identify suspicious returns. When they identify a business-related return that is potentially fraudulent, They issue a letter to the taxpayer seeking additional information before processing the tax return. Common letters are:
- Letter 6042C if the IRS needs information to validate the return
- Letter 5263C if the IRS needs information to validate the entity
Please respond immediately to IRS correspondence.
The IRS also asks tax professionals preparing business-related returns to answer a series of questions to help authenticate the validity of the business return. Tax preparation software for business-related returns also asks these questions.
The IRS never:
- Initiate contact with taxpayers by email, text or social media to request personal or financial information
- Call taxpayers with threats of lawsuits or arrests
Call, email or text to request taxpayer Identity Protection Pins