IRS, Security Summit partners wrap up National Tax Security Awareness Week with steps businesses should take to prevent data loss, fraud

IR-2022-211, December 2, 2022

WASHINGTON — To wrap up National Tax Security Awareness Week, the Internal Revenue Service and the Security Summit partners today urged businesses to remain vigilant against cyberattacks aimed at stealing their customer's personal information and other business data.

The IRS continues to see instances where small businesses and others face a variety of identity-theft related schemes that try to obtain information that can be used to file fake business tax returns. For example, phishing schemes continue to target businesses as well as tax professionals and individual taxpayers.

"Just like individuals and tax professionals, businesses of all types need to be on the lookout for attempts to steal information and data," said IRS Acting Commissioner Doug O'Donnell. "Businesses are especially attractive to cyberthieves because there is a potential to steal a lot of data. They may use the information to file a business tax return or use customer data for identity theft."

The IRS, state tax agencies and the nation's tax software and tax professional industries operate cooperatively as the Security Summit to highlight data security and fight identity theft. Today marks the final day of the seventh annual week dedicated to information security and helpful tips for individuals, businesses and tax professionals.

Cyber criminals target businesses of all sizes; knowing some cybersecurity basics and putting them in practice will help business owners protect their business and reduce the risk of a cyber-attack. Criminals can target a business's credit card or payment information, business identity information or employee identity information.

Businesses are encouraged to follow best practices from the Federal Trade Commission, including:

  • Use multi-factor authentication.
  • Set security software to update automatically.
  • Back up important files.
  • Require strong passwords for all devices.
  • Encrypt devices.

More information is available at FTC's Cybersecurity for Small Businesses.

Businesses should especially be alert to phishing email scams that attempt to trick employees into opening embedded links or attachments. IRS related scams may be sent to phishing@irs.gov so the IRS can try to track, stop or disrupt scams.

To improve security, the IRS now masks sensitive information from business tax transcripts, which summarizes tax return information, to help prevent thieves from obtaining identifiable information that would allow them to file fake business tax returns. Only financial entries are fully visible. Other information has varying masking rules. For example, only the first four letters of each first and last name will display for individuals and businesses. Also, only the last four digits of the Employer Identification Number will be visible.

The IRS also has the Form 14039-B, Business Identity Theft AffidavitPDF, that will allow companies to proactively report possible identity theft to the IRS when, for example, an e-filed tax return is rejected.

Businesses should file the Form 14039-B if it receives a:

  • Rejection notice for an electronically filed return because a return is already on file for that same period.
  • Notice about a tax return that the entity didn't file.
  • Notice about Forms W-2 filed with the Social Security Administration that the entity didn't file.
  • Notice of a balance due that is not owed.

This form will enable the IRS to respond to the business and work to resolve issues created by a fraudulent tax return. Businesses should not use the form if they experience a data breach but see no tax-related impact. For more information, see Identity Theft Central's business section.

In addition to phishing and other scams, all employers should remain alert to Form W-2 theft schemes. For example, a thief may pose as a company executive who emails payroll employees and asks for a list of employees and their W-2s. Businesses often don't know they've been scammed until an employee reports that a fraudulent tax return has been filed.

There's a special reporting procedure for employers who experience the W-2 scam. It's available in the Identity Theft Central's business section.

Finally, Security Summit partners urge businesses to keep their EIN application information current. Changes of address or responsible party information may be reported using Form 8822-B. Changes in the responsible party must be reported to the IRS within 60 days. Current information can help the IRS find a point of contact to resolve identity theft and other issues.

For more details and to learn more about this year's National Tax Security Awareness Week's efforts, visit IRS.gov/securitysummit.