By Patrick Thielen
Traditionally, one of the most vulnerable times of year for businesses and employees alike is tax season. As the processes and technologies that businesses use to manage payroll, W-2s, and taxes evolve, so too do the scams criminals use to exploit them.
As large companies fall victim to cybercrime, owners and managers of small and midsize businesses (SMBs) often consider what might happen if their company experienced a similar incident—and all too often, their conclusion is, “it won’t happen to me.” Despite what they might think, SMBs often have few or no cybersecurity measures in place, and this false sense of security renders them ideal targets for cyber criminals. During this year’s tax season there are several key tips for businesses to be aware of:
Protect Those W-2s
Tax season is an especially scary time of year when it comes to cyber threats, since criminals know that with as little information as someone’s W-2 and Social Security number, they can file fraudulent tax returns and make off with refunds before employees are even aware there has been a compromise. According to various news reports, tax identity thefts cost the U.S. billions annually, and it can take individuals more than six months to straighten out their taxes. It is up to businesses to be aware of the threats and protect their employees—the lifeblood of their companies.
While this type of risk creates significant exposures for companies of all sizes, the disproportionate financial risk it presents to SMBs can lead to a company’s demise. Businesses should proactively educate human resources employees and those with access to personal information to be wary of anyone asking for the W-2 information of employees.
Beware of Phony IRS Outreach
Businesses and employees should ignore phony threatening calls that claim to be from the IRS—this is a common way that cyber criminals try to target their prey during tax season. The IRS does not call people demanding immediate payment while threatening to arrest them. Taxpayers should also be aware of “spoofing” techniques scammers use to make it appear like the call is being made by the IRS or another government agency.
Another sign of a scam is someone claiming to be from the IRS who demands payment in a particular way, such as by debit card or wire transfer. Put simply, the IRS will never send you an email, never contact you on social media and will never call you at home — they will only contact you by U.S. Mail. If these false forms of communication come to you with any identifying information that is correct, let your payroll department know immediately.
Scammers Go Phishing
Phishing scams continue to be a problem during tax season—especially for SMBs. Criminals claiming to be from the IRS, a bank or another trusted source target tax professionals, human resources managers, accountants and others. The phishing often starts by email, but increasingly may happen through social media, text messages, or phone calls. The criminals are often looking for money, Social Security numbers, passwords or other sensitive information.
Be Preventative and Have a Plan
When it comes to cyberattacks, these days it’s not a matter of ‘if’ but ‘when’—yes, even for SMBs. With some amount of cybersecurity awareness, password hygiene with a formal password policy, employee education, and updated hardware and software, businesses can be better positioned to prevent cyberattacks both during tax season and year-round.
The most important thing that businesses can do is take the time to educate themselves and their employees. Most of the common ways that criminals target taxpayers can be prevented with education and common sense. Being armed with basic knowledge will help protect against phishing and phony IRS calls. However, in a world where one wrong move could be crippling to an entire company, businesses need to be armed and ready:
- They should work with their HR and IT teams to come up with a response plan to have at the ready in case a cybercriminal strikes. As antiquated as it may seem, this plan should exist as a hard copy—if data becomes corrupted or owners and employees are locked out of their digital assets, having a hard copy on hand will be essential.
- In addition to having their own plan, businesses should consult with a knowledgeable agent or broker to explore the right loss prevention and insurance programs to protect themselves, their employees and their business in the case of a cyber incident. Not only is the cost of insurance typically far less than the costs of an uninsured cyber event, but one of the biggest benefits of cyber insurance for small businesses is access to a comprehensive set of services.
Today, most small businesses can obtain a comprehensive cyber insurance program that is cost-effective and provides ready-made protection in the form of cybersecurity awareness training, password management solutions, and pre-constructed incident response plans that can be deployed quickly via phone or a smartphone app.
Patrick Thielen is a Senior Vice President at Chubb.