Is Your Business Prepared for Tax Season Cyber Attacks?

February 11, 2019

By Kyle Hutnick

Every year around this time, the IRS sounds the alarm about threats of stolen identity thanks to crooks looking to con you into handing over your sensitive information. This tax season is no different, with rising reports of social engineering schemes designed to lure employees into surrendering valuable payroll tax data.

Such emails can be tough to spot. Generally, they look legitimate and may appear to come from an executive or payroll/HR employee. The message will usually begin with what looks to be a harmless greeting, like, “Hey, can you do me a favor?” or “Are you in the office?” Over the course of just a few quick emails, unknowing employees can volunteer sensitive information, including an employer’s EIN or employees’ W-2 forms. Obviously, an employee’s full name, social security number and date of birth are powerful – and dangerous – tools when placed in the wrong hands.

Once the identity thief gets that information, the IRS reports that a cybercriminal can easily file a fraudulent tax return within just one to two days. To fight back, the IRS has created an official scam reporting process, which is available here.

Handling a sophisticated cyber attack is all about preparation. Here are some steps you can take to make your business cyber secure this tax season:

  • Educate your staff. A critical step in becoming cyber secure is to ensure that all employees can quickly recognize even the best-disguised email scam. Remind your employees to never send personally identifiable information over email, even if it appears to come from one of your executives. Be sure that everyone knows who to contact within your company if a suspicious email arrives. Remember to always err on the side of caution. If a suspicious request comes through, encourage your employees to pick up the phone and call for confirmation.
  • Know your reporting requirements. Since there is no federal data breach notification law, data breach procedures are left up to the states. The Ohio Data Breach Notification Law requires all businesses to promptly investigate a suspected data breach and notify potential victims within 45 days. Although a cybercriminal can cause serious damage within hours, be sure to fully comply with all reporting requirements. If the breach impacts more than 1,000 Ohio residents, you must also notify national credit reporting agencies. The fines for failing to meet these notification requirements are $10,000 per day in the state of Ohio.
  • Develop a year-round cyber security strategy. While tax season can invite fraudulent email attempts, scams like these can happen at any time of year. Stay informed on the latest types of attacks and have a strategy for data protection.

If your company has fallen victim to a data breach, or if you would like to know more about know you can protect your company from cyberattacks, contact Kyle Hutnick at kah@kjk.com or 216.736.7243; Thomas Moran at tim@kjk.com or 216.736.5633; or David Posteraro at drp@kjk.com or 216.736.7218.


KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.