Well hey everybody out there, Happy Weekend!! Guess what!?!? If you filed for a tax extension, you are going to have to pay next month. This also happens to be one of the prime seasons for cyberattackers to come out of hiding.
The reason for this is clear and simple: in one fell swoop, they can collect a treasure trove of Personally Identifiable Information (PII) datasets from people all over the United States, and in fact from anywhere in the world, if those people have to file taxes here in the United States.
But now their tactic has changed. It is not so much going after individuals, but rather the IRS itself and pretty much every tax accountant that they can get their hands on.
Why are they doing it this way? The answer is simple: rather than go after one individual, why not go after an entity that holds far more PII datasets, which can be garnered in one shot, as just described? Once again, you will never be 100% immune from becoming a victim, but the key is in mitigating that risk.
Although you have the ultimate responsibility to make sure your confidential information and data is safe, the other parties (your accountant, your employer, and the IRS) have an equal stake as well, and must be cognizant that they need to do their part too.
So what can be done?
Here are some strategies:
*Your accountant should be implementing training programs:
Yes, this is a subject that has been labored on who knows how many times, but your accountant should be holding regular security awareness training seminars for their employees, if the company is large enough. If it is not, then your accountant themselves should seek out the needed training so that he or she knows what to look out for. Once again, it all comes down to Phishing Emails.
As I have written about in the past, that means recognizing such things as BEC Attacks, Spear Phishing Attacks, Fake Invoice Attacks, Social Engineering Attacks, Smishing Attacks, you name it.
The best line of defense in this regard is simple: ignore the call, and delete the Email or the text message without clicking on any link or calling any number that it contains. Of course, if you are expecting to receive something and you still have doubts, contact your accountant or the IRS first, using a phone number you already know to be real, to see if it is legitimate. Calling the IRS and waiting for hours on end can be an infuriating task, so in this regard you could even seek the help of a reputable Cybersecurity company. But do your homework on them first. Everybody wants to help each other, so there should be a minimal charge, if any, to help you out. Actually, in this regard you could even engage a Penetration Testing company to simulate real-world Phishing attacks of the types I have just reviewed, just to see how cognizant your employees are. Of course, those that fall for the bait will need more training.
In practice, these mock Emails will look like real IRS notices, complete with the IRS logo. But keep one thing in mind: the Cybersecurity company doing these mock drills for you must have explicit, written permission from the IRS to use that logo. Without it, not only they but you as well could be held liable for using an official government logo without permission. So in this regard, make sure that the Cybersecurity company does indeed have this permission before the drill starts.
*Make sure that your documents are delivered securely:
Yes, there are still some people who like to do things the old-fashioned way and use snail mail for sending and receiving tax return documents. But most of us have now gone the digital route, so that we can get our refund even quicker. But there has to be security on both fronts. Your accountant should send your stuff through an encrypted Email software package. Yes, this can be a pain, because you will have to create an account and use a One Time Password (OTP) to access these documents. Then you, the taxpayer, have to make sure that whatever you send to your accountant is safe as well. Hopefully, there will be some layer of encryption in the Email service that you use.
But if you are using a service like Yahoo Mail or Gmail, don't count on it. These services encrypt the connection to their own servers, but the attachment itself sits readable in both mailboxes and in any account that gets compromised along the way. If you send stuff with these two, always call your accountant's office to make sure that they have received all of the attachments. And also confirm with them that everything looks reasonably OK; in other words, they should also be checking the integrity of the contents, for example by comparing a file hash that you read to them over the phone.
In the Cyberworld, there is always that chance your message could be intercepted, and fake or altered documents inserted instead, while it is in transit to the receiving party.
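Here is what that "check the integrity of the contents" step looks like in practice, as an added example that is not from the original post. The sender hashes every attachment into a manifest and reads a short fingerprint of it over the phone; the recipient runs the same hashing over what landed in the inbox and gets a per-file verdict. It assumes plain Python 3 on both ends; every file name and folder in the demo is constructed.

```python
"""Attachment manifest: hash what you send, verify what arrives.

Added example for this post (not the author's own code). It assumes the
sender and recipient both have plain Python 3 and can exchange a short
fingerprint over the phone; every file and folder name below is constructed
for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 16  # 64 KiB reads, so a large scanned PDF never loads whole


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(folder: Path) -> dict:
    """Map every regular file in `folder` (non-recursive) to its SHA-256."""
    return {p.name: sha256_file(p) for p in sorted(folder.iterdir()) if p.is_file()}


def manifest_fingerprint(manifest: dict) -> str:
    """Short code to read over the phone: SHA-256 of the canonical manifest JSON,
    truncated to 16 hex characters (64 bits is plenty for a human-verified check)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def verify_manifest(folder: Path, expected: dict) -> dict:
    """Compare received files against the sender's manifest.

    Returns {filename: status} with status one of
    'ok', 'altered' (hash differs), 'missing' (sent but not received),
    'unexpected' (received but never sent).
    """
    actual = build_manifest(folder)
    report = {}
    for name, digest in expected.items():
        if name not in actual:
            report[name] = "missing"
        elif actual[name] != digest:
            report[name] = "altered"
        else:
            report[name] = "ok"
    for name in actual:
        if name not in expected:
            report[name] = "unexpected"
    return report


def demo() -> dict:
    """Constructed scenario: three files sent; one arrives intact, one altered,
    one never arrives, and a bogus extra file shows up."""
    with tempfile.TemporaryDirectory() as tmp:
        outbox = Path(tmp) / "outbox"
        inbox = Path(tmp) / "inbox"
        outbox.mkdir()
        inbox.mkdir()
        (outbox / "w2.pdf").write_bytes(b"%PDF-1.4 constructed W-2 sample")
        (outbox / "1099.pdf").write_bytes(b"%PDF-1.4 constructed 1099 sample")
        (outbox / "1098.pdf").write_bytes(b"%PDF-1.4 constructed 1098 sample")
        sent = build_manifest(outbox)  # sender keeps this and reads its fingerprint out loud

        # "In transit": w2 intact, 1099 tampered, 1098 dropped, bogus invoice added.
        (inbox / "w2.pdf").write_bytes((outbox / "w2.pdf").read_bytes())
        (inbox / "1099.pdf").write_bytes(b"%PDF-1.4 constructed 1099 sample, ALTERED")
        (inbox / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed bogus invoice")

        return verify_manifest(inbox, sent)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:12s} {status}")
```

The point of the fingerprint is that it travels by a different channel (a phone call to a number you already know) than the documents did, so an attacker who can tamper with the Email cannot also fix up the code you read aloud. Send the manifest along with the attachments if you like, but the sixteen characters spoken on the phone are what actually anchor it.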
*Beware of intimidation tactics:
In order to lure taxpayers, accountants, and even businesses in general into giving up their PII datasets, the Cyberattacker will go to great lengths to claim that they are an authorized representative of the IRS. Such scams to be on the lookout for include the following:
*A call demanding immediate payment, such as by credit card, debit card, checking account, etc.;
*A demand that any back taxes be paid immediately, without first giving you the chance to question or appeal the amount owed;
*Threats to physically show up at the place of business, arrest employees, take control of the business license, etc.
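Those same tactics turn up word for word in the Email and text versions of the scam, so they can be turned into a triage filter. The following is an added example, not code from the original post: it parses a message, checks whether the sender and every link really point at irs.gov (a subdomain match, not a substring match, so a look-alike such as a made-up "irs-gov-payments.com" fails), and flags the pressure phrases from the list above. Both sample messages and their domains are constructed for the demo.

```python
"""Triage an e-mail that claims to come from the IRS.

Added example for this post (not the author's code). The indicators are the
ones listed above: demands for immediate payment by card or bank account and
threats of arrest or of seizing the business license, plus a check that the
sender and any links really point at irs.gov. Both sample messages below are
constructed for the demo; the domains in them are made up.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

IRS_DOMAIN = "irs.gov"

# Pressure tactics straight from the post's list.
PRESSURE_PHRASES = (
    "immediate payment", "pay immediately",
    "credit card", "debit card", "checking account",
    "arrest", "business license",
)

URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def is_irs_domain(domain: str) -> bool:
    """True only for irs.gov itself or a subdomain of it; both
    'irs.gov.example.com' and 'irs-gov-payments.com' fail."""
    d = domain.lower().rstrip(".")
    return d == IRS_DOMAIN or d.endswith("." + IRS_DOMAIN)


def _body_text(msg: Message) -> str:
    """Pull the text/plain content out of a parsed message (multipart or not)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Return {'from_domain', 'suspicious', 'reasons'} for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}".lower()
    reasons = []

    claims_irs = any(k in display.lower() for k in ("irs", "internal revenue"))
    if claims_irs and not is_irs_domain(domain):
        reasons.append(f"display name claims the IRS but sender domain is '{domain or '?'}'")
    elif "irs" in domain and not is_irs_domain(domain):
        reasons.append(f"look-alike sender domain '{domain}'")

    for host in URL_HOST_RE.findall(text):
        if not is_irs_domain(host):
            reasons.append(f"link points at non-IRS host '{host}'")

    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        reasons.append("pressure tactics: " + ", ".join(hits))

    return {"from_domain": domain, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (made-up domains, not real messages).
SPOOF_SAMPLE = """\
From: "IRS Collections" <notices@irs-gov-payments.com>
Subject: FINAL NOTICE: immediate payment required
Content-Type: text/plain

Our records show unpaid back taxes. Pay immediately by debit card at
http://irs-gov-payments.com/pay or a warrant for your arrest will be issued
and your business license revoked.
"""

CLEAN_SAMPLE = """\
From: "IRS e-file" <efile@mail.irs.gov>
Subject: Your return was accepted
Content-Type: text/plain

No action is needed. Track your refund at https://www.irs.gov/refunds
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SPOOF_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage(sample))
```

Treat the output as a triage hint, not a verdict: a message that trips nothing here still only earns a phone call to the IRS at the number on its own website, never a click on the link in the message. The sender check looks only at the From header, which a spoofer controls, so it catches the lazy look-alike domains but not a forged header on its own; that is what makes the out-of-band phone call the real control.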
The bottom line here is that the IRS, no matter how intimidating they may get (especially with those letters), has to stay within certain bounds of the law that it cannot overstep. For example, they will never call you demanding payment, nor will they threaten to come to your business. All communications are usually done by snail mail, and there is a process the IRS must follow before it ever comes down to that. Heck, there is even a Taxpayer Bill of Rights that they have to abide by, and one of those rights is your right to go to tax court to fight the IRS if you think they are in the wrong. But this brings up yet another key issue: how do you even know if a snail mail letter you get from the IRS is real or not? Yes, this is happening also, and even I was almost duped once. If you have any doubts, always call the IRS, at the number on its official website rather than the one printed in the letter, to see if they have actually sent you a letter or not.
*Access to W2 documents:
This is probably the heart and soul of any tax return that is to be prepared. After all, the gross wages that you have earned and all of the taxes that have been withheld have to be reported by your employer by the end of January. Likewise, employers are also required by law to send out W2 forms to employees no later than January 31st. But in an effort to make things more streamlined and efficient, many companies now offer these documents for access on the Internet.
While most of the confidential information (such as the Social Security Number) is usually X'd out, this sometimes does not happen. So, if you do go this route, make sure that the portal you are using to access these documents requires at least two forms of authentication (the more, the better), with one of them being at least a One Time Password. Also, if you are an accountant, make sure that you restrict access to these documents within your company to only those staff members who absolutely need them in order to complete the tax return. You need to be especially mindful of this if your employees use their Smartphones to access these documents while working remotely.
My Take On This:
Well, there you have it: some tips for both you and your accountant to keep your tax returns safe, so that you can get your refund and enjoy it for whatever you want to use it for.
I personally have known of people and businesses that have fallen for tax scams, and it can take years to recover from it. It is a drain both financially and mentally. Avoid all of these nightmares by being proactive now!!!