When you think about identity theft, chances are you’re thinking about it happening to individuals. But, as improved security protocols are doing their best to reduce that crime, business identity theft is on the rise.
During the first five months of 2017, the IRS identified 10,000 potential cases of business identity theft, an increase of 250 percent compared to 2016, when only 4,000 cases were reported for the entire year. These cases include fraudulently filed corporate, estate and trust returns.
Cybercriminals are finding this a juicy source of ill-gotten gains: losses for the first five months of 2017 were estimated at $137 million. Businesses can be more lucrative for thieves than individuals because bank account balances tend to be bigger and it’s easier for a business to get credit. In addition, hackers are displaying a high level of sophistication and knowledge about corporate finance and taxes.
The key information required for business identity theft can be easy to find. Some businesses still openly display their employer identification numbers (EINs) on their websites, and the names of officers are generally publicly available from the secretary of state.
Here are some of the scams run by business identity thieves:
- Create fake W2s and file fraudulent individual tax returns for the refunds. This scam can happen with businesses that have shut down, but haven’t completely deactivated their corporate structure.
- Open a line of credit or get a business credit card. Sometimes all a crook needs to open a line of credit is the EIN, the name of the business, its address and the name of an officer. Some scammers even alter the information on record with the secretary of state to insert their own — or fake — names and addresses of officers. Then, a false certificate of good standing can be printed to bolster a fake identity. Adding insult to injury, business credit cards don’t always have the same liability protection against fraud that personal credit cards have.
- Purchase equipment, machinery or inventory. Thieves take advantage of 30-day net payment terms and have these items delivered to their own address. By the time the business owner finds out, the thieves have long since fled and sold the merchandise for their own gain, leaving the owner with the bill.
- File fake corporate tax returns and collect refunds. Thieves may claim large refundable credits to which they’re not entitled or steal tax payments on deposit with the IRS. Frequently, the first indication that this may have happened is the rejection of an electronically filed tax return or extension because a return with that EIN has already been filed. Another sign is IRS notices that don’t make any sense or state that additional tax is owed. Thieves also run this scam with estate and trust returns.
What the IRS is doing
In July 2017, the IRS released Fact Sheet 2017-10 to educate the public about business identity theft and to detail some of its efforts to curb it. Starting with the 2018 filing season, tax professionals will need to provide additional information in their tax software to help verify that a return is legitimate. This information includes:
- The name and social security number of the authorized signer of the corporate return.
- History of tax payments — amounts, dates and method of payment.
- Name of any parent corporation.
- Additional information based on the deductions claimed.
- Filing history of other federal returns, such as Forms 940 and 941.
What should businesses do to prevent this from happening?
Some criminals get their information by hacking into the systems of accounting and tax practitioners or combing through their trash, so we need to be extra vigilant. Here are some recommended practices to help keep the identity of your business clients secure:
- Don’t display the EIN on websites.
- Shred all documents with sensitive data before disposal.
- Check the info on file with the secretary of state at least quarterly.
- Get a business credit report at least annually from the credit reporting agencies: Dun & Bradstreet, Equifax, Experian and TransUnion.
- Complete all procedures to formally dissolve a closed business.
- Educate employees about the dangers of phishing emails.
- Use strong passwords and change them frequently.
- Use two-factor authentication when possible.
If theft does occur:
- Notify local law enforcement.
- Contact the IRS.
- Notify banks, credit card companies and all other creditors.
- Report the theft to the credit reporting agencies.
- Consider a credit freeze.
- Correct all incorrect information at the secretary of state.
While the extra steps needed for filing tax returns may feel burdensome, protecting our clients’ data and helping them avoid these losses is well worth the effort.