It’s obvious that individuals can’t afford to ignore the threat of tax identity theft, but the IRS has taken some measures to combat the epidemic that has implications for employers, too. Businesses also need to be aware of the risk of tax identity theft they face. Criminals aren’t just pursuing Social Security numbers (SSNs) — they’re also going after employer ID numbers (EINs) assigned by the IRS.
Individual tax identity theft
To date, most of the attention has been paid to individual victims of tax identity theft. According to the IRS, it occurs when someone uses a stolen SSN to file a tax return claiming a fraudulent refund. The victim may be unaware of this until he or she attempts to file a return and learns that one has already been filed. Alternatively, the IRS might send a taxpayer a letter saying it has identified a suspicious return with the taxpayer’s SSN. The U.S. Government Accountability Office found that the IRS paid out $5.8 billion dollars in fraudulent refunds for the 2013 tax year.
In addition, a fraudster might use another’s SSN to obtain a job. The employer then reports that person’s income to the IRS under the stolen SSN. The victim, obviously, won’t include those earnings when filing his or her tax return, so IRS records will indicate that the victim underreported income.
How does a fraudster obtain an SSN? These thefts can often be traced back to the victim’s place of employment. Insiders at a company may steal the numbers and other employee or customer information. Perpetrators also might wait until staff members let their guards down and leave SSNs readily accessible on computers or in waste receptacles. And, of course, individuals may simply be careless with their SSNs and other sensitive information.
While large companies like banks and hospitals are favorite targets, the improper lifting of just a single SSN can wreak havoc for one of your employees or customers. That means smaller companies are at risk, too.
Tax identity theft is a top concern for the IRS, which has again placed it on its annual “Dirty Dozen Tax Scams” list. The agency will be implementing new provisions and is working with states and the payroll industry to put new safeguards in practice.
Most notably for employers, the Protecting Americans from Tax Hikes (PATH) Act signed in late 2015 now requires employers to file W-2, W-3 and 1099 forms by January 31 of the year following the tax year. The idea is that it will be easier for the IRS to catch discrepancies between legitimate forms filed by employers and those filed by fraudsters seeking refunds based on false forms — before the agency sends out refund checks.
The earlier deadline takes effect for statements filed in 2017 for the 2016 tax year. (W-2s and 1099s still must be furnished to employees and payees by January 31.) With these forms now due to be filed with the IRS a month earlier than in the past (or, for electronic filers, two months earlier), employers will need to pull together the necessary information more promptly.
The IRS is also expected to expand a pilot program it launched this year to verify the authenticity of W-2 data submitted by taxpayers on electronically filed tax returns. For the pilot program, the IRS partnered with several major payroll service providers to provide a 16-digit code and a new Verification Code field on a limited number of W-2 copies provided to employees. Each unique number is derived from data on the form itself and therefore is known only to the IRS, the payroll service provider and the employee. The IRS plans to broaden the scope of the program for the 2017 filing season by increasing the number and types of W-2 issuers involved.
Risks for businesses
Thieves are going after EINs, which is a startling proposition for the many businesses that put far more effort into protecting SSNs than their EINs. A fraudster could use a stolen EIN to report false income and withholding and file for a refund. The Treasury Inspector General for Tax Administration has estimated that the IRS could issue almost $2.3 billion in potentially fraudulent tax refunds based on EINs annually. Moreover, the legitimate business could find the IRS coming after it for payroll taxes that were reported as withheld but not remitted.
As with SSN theft, EIN theft victims may not discover something’s amiss until they file their tax returns and receive IRS notification that they had already filed for that tax year. They also might be tipped off by receipt of an IRS notice regarding nonexistent employees.
Tips for preventing tax identity theft
You can take several steps to help reduce the risk of theft of SSNs and EINs, including:
- Using antivirus and other security software on all workplace computers,
- Updating your data security plans regularly to reflect new risks,
- Educating employees about phishing schemes,
- Truncating or redacting the numbers where possible
- Keeping the numbers and other sensitive information in a secure location and restricting access on a need-to-know basis,
- Updating business filings with the IRS and the secretary of state for your state when contact information changes,
- Monitoring your credit reports, IRS and state tax authority accounts, and other business filings,
- Filing tax returns and W-2s, W-3s and 1099s as early as possible, and
- Developing an action strategy for dealing with tax identity theft, including identifying whom to notify in the event of theft.
Businesses should bear in mind — and remind their employees and customers — that the IRS doesn’t initiate contact with taxpayers by email, text messages or social media to request personal or financial information.
Don’t put your head in the sand
The risk of tax identity theft, whether of SSNs or EINs, is real. We can help you take the necessary steps to avoid the morass of negative consequences that can result for a business and its employees and customers.