National Tax Security Awareness Week, Day 4: Summit partners urge businesses to take steps to prevent data loss, fraud

IR-2023-227, Nov. 30, 2023

WASHINGTON – As part of National Tax Security Awareness Week, the Internal Revenue Service and the Security Summit partners today urged businesses to remain vigilant against cyberattacks aimed at stealing their customer's personal information and other business data that can help identity thieves.

The IRS continues to see instances where small businesses and others face a variety of identity theft related schemes that try to obtain information that can be used to file fake business tax returns. For example, phishing schemes continue to target businesses as well as tax professionals and individual taxpayers. And businesses continue to be targets of Form W-2 scams where identity thieves try to trick company leaders into sharing sensitive data.

"Businesses of all shapes and sizes, including tax professionals, continue to be a ripe target for identity thieves trying to obtain sensitive tax and financial data," said IRS Commissioner Danny Werfel. "Businesses and their employees need to remain careful on multiple fronts to protect their sensitive systems and data. Identity thieves continue to use an array of tactics to try getting at a treasure trove of information that can be used in many ways, including filing tax returns."

During National Tax Security Awareness Week, now in its eighth year, the Security Summit partnership of the IRS, state tax agencies and the nation's tax community work to raise awareness among taxpayers, tax professionals and the business community about the importance of safeguarding information to protect against identity theft. The Security Summit formed in 2015 to combat tax-related identity theft through better public-private sector coordination as well as strengthening internal protections in the tax community and raising public awareness about security threats.

With the tax season fast approaching, the Security Summit partners today reminded the business community and others to take extra steps to protect their financial and tax information. As the IRS and the Summit partners have strengthened their internal defenses in recent years to protect against fraud, identity thieves have increasingly focused on businesses and tax professionals as a way to obtain sensitive taxpayer information in hopes of evading systemic defenses by the IRS and the Summit partners in the tax community.

The Summit partners strongly urge businesses to employ robust information technology tools and services to rigorously safeguard their business and trade information as well as protect data directly connected to their customers, employees and business partners.

Cyber criminals target businesses of all sizes. Knowing some cybersecurity basics and putting them in practice will help business owners protect their business and reduce the risk of a cyber-attack. Criminals can target a business's credit card or payment information, business identity information or employee identity information. This information can also be used to file fraudulent business and personal tax returns.

Businesses are encouraged to follow best practices from the Federal Trade Commission, including:

  • Set security software to update automatically.
  • Back up important files.
  • Require strong passwords for all devices.
  • Encrypt devices.
  • Use multi-factor authentication.

More information is available at FTC's Cybersecurity for Small Businesses.

Businesses should also remain vigilant to tax-related "phishing" email scams, which can often be cleverly written to fool employees into opening harmful embedded links or attachments. Businesses and consumers are encouraged to send IRS-related scams to phishing@irs.gov.

All employers should remain vigilant regarding Form W-2 theft schemes. While tax scams evolve and change over time, in the most common versions a thief poses as a high-ranking company executive who emails payroll employees and asks for a list of employees and their W-2s, which contain sensitive tax and financial data. As these scams become more sophisticated, businesses may not be aware they've been the victim of a tax scam until fraudulent tax returns begin appearing with employees' names.

There are special reporting procedures for employers who experience the W-2 scam. They can be found at Identity Theft Central's Business section.

What businesses should do if they are identity theft victims

The IRS has also published Form 14039-B, Business Identity Theft Affidavit PDF, allowing businesses to proactively report possible identity theft to the IRS when, for example, the e-filed tax return is rejected.

Businesses should file the Form 14039-B if they receive a:

  • Rejection notice for an electronically filed return because a return already is on file for that same period.
  • Notice about a tax return that the entity didn't file.
  • Notice about Forms W-2 filed with the Social Security Administration that the entity didn't file.
  • Notice of a balance due that is not owed.

IRS Form 14039-B enables the IRS to respond to the business much faster than in the past, and work to resolve issues caused by the filing of a fraudulent tax return. However, businesses should not use Form 14039-B if they are the victims of a data breach with no tax-related impact. See Identity Theft Central's Business section for more details.

In addition, the Security Summit partners urgently ask businesses to keep their EIN application information current. Changes of address or responsible party may be reported using IRS Form 8822-B. And as a reminder, changes in the responsible party must be reported to the IRS within 60 days. Current information can help the IRS find a point of contact to resolve identity theft and other issues.

This is the fourth in a week-long series of tips raising awareness about tax information identity fraud. For more information and help on tax information theft prevention see IRS.gov/securitysummit.