IR-2024-128, May 1, 2024 WASHINGTON — As National Small Business Week continues, the Internal Revenue Service urges entrepreneurs to put in place data security safeguards protecting their financial, personal and employee information from scams and cybercriminals hunting for easy targets. The IRS continues to see instances where small businesses and others face a variety of financial and identity theft related schemes that try to obtain information that can be used to file fake small business tax returns, rob business bank accounts and create stolen identities. For example, “phishing” and “spearphishing” scams continue to target small businesses as well as tax professionals and individual taxpayers. Small businesses continue to be targets of Form W-2 scams where identity thieves try to trick company leaders into sharing sensitive data. “Each year, the IRS sees thousands of attempts trying to attack small business owners and other taxpayers. Those who are victimized by these schemes can see serious financial consequences,” said IRS Commissioner Danny Werfel. “Cybercriminals are relentless, and anyone can be a target. The best way business owners and individuals can protect themselves is to stay well informed on the latest scams, continuously protect their computers and smart phones and install data security at home and in the business to protect sensitive information.” Cybercriminals never sleep Data theft and cyberattacks are global threats that can use scams and fraud schemes to victimize individuals and small businesses any time of the day or night. Cybercriminals are pros at covering their tracks and can be hiding anywhere in the world. They use patterns of human behavior and computer systems to steal financial and personal information and snag victims. If small businesses don't properly protect their computer systems and train their staff on smart data protection practices, owners become easy targets for bad actors looking to break into bank accounts, steal identities or gain access to other sensitive financial or personal information. The IRS urges the small business community to stay on guard against cybercrime and to understand how important it is to safeguard their business data against identity theft. They should employ robust technology tools and services to rigorously safeguard financial and trade information, as well as protect data directly connected to customers, employees and business partners. Cybercriminals are constantly looking for weaknesses to exploit. By implementing basic cybersecurity measures and training employees, small business owners can significantly reduce their risk of a costly attack. These attacks can target a business’s most valuable data, including: Credit card and payment information. A data breach can damage a business’s reputation and leave owners liable for fraudulent charges. Business and employee identities. Stolen information can be used for a variety of crimes, including identity theft and fraud. Tax and financial information. Hackers can use this information to file fraudulent tax returns, costing a business owner time and money to resolve. Taking basic cybersecurity steps early and staying vigilant, armed with information about the latest scams, will help safeguard entrepreneurs’ business investments, customers and employees. How fraudsters target victims: scams, scams and more scams Fraudsters and cybercriminals are clever manipulators of human behavior. They use a potential victim’s natural desire to socially interact and communicate with others as an open door to attempt data and identity theft. Using common technologies like email, texting and social media, fraudsters go “phishing” by sending messages to thousands of targets at once that are designed to steal personal information directly, or by getting the victim to click on an embedded link or attachment. Using email as a method to manipulate behavior through “phishing” remains a timeless tactic by thieves hunting for potential victims. Small businesses should remain vigilant against tax-related “phishing” email scams, which can often be cleverly written to fool employees into opening harmful embedded links or attachments. Small businesses and consumers are encouraged to send IRS-related scams to phishing@irs.gov. One such example is the Form W-2 theft scheme. While versions of these scams evolve and change over time, in the most common version, a thief poses as a high-ranking company executive who emails payroll employees and asks for a list of employees and their W-2s, which contain sensitive tax and financial data. As these scams become more sophisticated, small businesses may not be aware they’ve been the victim of a tax scam until fraudulent tax returns begin appearing with employees' names. There are special reporting procedures for employers who experience the W-2 scam. Visit Identity Theft Central's business section for additional information. The Dirty Dozen The IRS publishes the Dirty Dozen yearly, a list of prevalent scams and fraudulent schemes that threaten small businesses and other taxpayers. These threats include unscrupulous and aggressive promoters of questionable claims for the Employee Retention Credit (ERC). These questionable ERC claims often put unsuspecting businesses and other entities in jeopardy of penalties, interest and potentially even criminal prosecution for claiming the ERC when they don’t qualify and aren’t entitled to it. The Dirty Dozen also provides information on what to do if an individual or small business owner suspects they may be a possible victim. For example, businesses still have an option to pull back on any unprocessed questionable ERC claims and should quickly pursue the claim withdrawal process for any tax period that hasn’t been paid yet. Business owners can use the Dirty Dozen as a starting place for their own research on popular scams from other trusted sources. One of the most egregious scams reported by the Dirty Dozen currently impacting small businesses is the "new client” spearphishing scam. Spearfishing targets specific individuals, organizations or businesses with malicious emails or text messages. In the “new client” scam, cybercriminals present themselves as a new, potential client to a known tax professional or business owner, asking them to respond to their emails. If the unwitting preparer or business owner responds, the criminal then sends a malicious attachment or website address that can compromise the victim’s computer systems and allows the attacker to access sensitive customer and financial information. Here are some red flags for which to watch out: Grammatical oddities. Poorly written emails with unusual word choices are a serious red flag. Suspicious requests. Business owners should always be wary of any unusual requests or sharing information before verifying the sender's legitimacy. Spoofed emails. Scammers can mimic previous customer emails, making them appear genuine. Don't be fooled – verify the sender's address independently. By staying alert and understanding these tactics, small business owners can protect themselves and their customers from falling victim to the "new client" scam. It’s always better to be cautious than compromised. Don't be an easy target, learn cybersecurity basics Small business owners are strongly encouraged to learn as much as possible about cybersecurity best practices, even when day-to-day information technology protection is outsourced. The IRS recommends business owners implement the Best Practices published by the U.S. Federal Trade Commission. Many will be familiar, common-sense habits and techniques, but don’t take them for granted. What works at home, also works for businesses. Protect business files and devices: Update software. This includes apps, web browsers and computer operating systems. Set updates to happen automatically. Secure business files. Back up important files offline, on an external hard drive or in the cloud. Also make sure to store paper files securely. Require passwords. Use passwords for all laptops, tablets and smartphones. Don’t leave these devices unattended in public places. Encrypt devices. Encrypt devices and other media that contain sensitive personal information. This includes laptops, tablets, smartphones, removable drives, backup tapes and cloud storage solutions. Use multi-factor authentication. Require multi-factor authentication to access areas of your network with sensitive information. This requires additional steps beyond logging in with a password such as a temporary code on a smartphone or a key that’s inserted into a computer. Protect the business wireless network: Secure the business router. Change the default name and password, turn off remote management and log out as the administrator once the router is set up. Use at least WPA2 encryption. Make sure the router offers WPA2 or WPA3 encryption and that the encryption setting is turned on. Encryption protects information sent over the network so it cannot be read by outsiders. Make smart security “business as usual:” Require strong passwords. A strong password is at least 12 characters that are a mix of numbers, symbols and capital and lowercase letters. Never reuse passwords and do not share them on a phone, in texts or by email. Limit the number of unsuccessful log-in attempts to limit password-guessing attacks. Train the staff. Create a culture of security by implementing a regular schedule of employee training. Stay informed about the latest data security risks and vulnerabilities, and keep employees informed. Consider blocking network access to employees who disregard data security measures and training. Have a plan. Have a plan for saving data, running the business and notifying customers if there is a data breach. The FTC’s Data Breach Response: A Guide for Business provides steps a business owner can take in the event of a cyber breach. More information on how business owners can protect their investments, customers and employees from cybercriminals is available at FTC's Cybersecurity for Small businesses. What to do next if a small business is a victim of identity theft The IRS has also published Form 14039-B, Business Identity Theft Affidavit PDF, allowing small businesses to proactively report possible identity theft to the IRS when, for example, an e-filed tax return is rejected. Small businesses should file Form 14039-B if they receive a: Rejection notice for an electronically filed return because a return is already on file for that same period. Notice about a tax return that the entity didn't file. Notice about Forms W-2 filed with the Social Security Administration that the entity didn't file. Notice of a balance due that is not owed. If a small business owner has been targeted by tax fraud, the IRS offers Form 14039-B to help resolve the issue quickly. This form allows the IRS to streamline communication and work faster to fix the problem. However, small businesses should not use Form 14039-B if they are the victims of a data breach with no tax-related impact. See Identity Theft Central's businesses section for more details. The IRS also urges small business owners to keep their Employer Identification Number (EIN) application information current. Changes of address or responsible party may be reported using Form 8822-B, Change of Address or Responsible Party - Business. Changes in the responsible party must be reported to the IRS within 60 days. Current information can help the IRS find a point of contact to resolve identity theft and other issues. Report spearphishing and other scams Business owners should report scams immediately by sending the suspicious email or a copy of the text message as an attachment to phishing@irs.gov. The report should include the sender’s email address, the caller’s phone number, date, time and the phone number or email address that received the message. The Report phishing and online scams page at IRS.gov provides more information on what to look out for and how to report phishing and scams. Taxpayers can also report scams to the Treasury Inspector General for Tax Administration (TIGTA) or the Internet Crime Complaint Center. Another useful tool is the Federal Communications Commission's Smartphone Security Checker. And depending on the scam in question, business owners and individuals may also send the information to the IRS Whistleblower Office for a possible monetary award. Reporting scams helps identify new emerging threats. The Office of Fraud Enforcement’s Emerging Threat Mitigation Team partners with internal and external stakeholders to identify and mitigate threats to tax administration. To report abusive promoters and preparers, complete the online Form 14242 – Report Suspected Abusive Tax Promotions or Preparers, or mail or fax a completed Form 14242 PDF and any supporting material to the IRS Lead Development Center in the Office of Promoter Investigations. Mail: Internal Revenue Service Lead Development Center Stop MS5040 24000 Avila Road Laguna Niguel, California 92677 3405 Fax: 877-477-9135 Taxpayers and tax professionals can also submit this information to the IRS Whistleblower Office, where they may be eligible for an award. For details, please refer to the sections on Abusive tax schemes and abusive tax return preparers. For more information on a broader range of topics and answers to small business tax questions, please visit IRS.gov.