This happens all too often – someone files their tax return expecting a nice refund, only to have it rejected because a return has already been filed under their Social Security number. How did that happen? You can’t necessarily point the finger of blame at that unfortunate person; a piece of their personal identity was stolen. The source of the data breach could have been their employer, and here’s how that happens.
Someone in HR or Accounting gets an email from a company executive asking for a copy of all of their W-2s and a list of all employees with their social security numbers. Even though the person getting the request feels that this is a bit odd, they comply. After all, who are they to argue with one of the leaders of the company?
But it’s not actually a company executive, it’s a cyber criminal. The minute the bad guys get all of this Personally Identifiable Information (PII) they’re either taking the next step to monetize it or selling it to another cyber criminal who will.
Go Backwards to Discover the Breach
This kind of scenario is completely avoidable by having layers of security in place that include processes to verify that requests for confidential information are truly from the person they claim to be.
Let’s go backwards and see how we can undo this tragedy and give you the information you need to protect your company from being a victim of the same kind of situation.
Why did the cyber criminal target your business?
Everyone is a target. It doesn’t matter what size of business you are, how many employees you have, how much revenue you bring in. In fact, if you don’t think you’re a target, that probably makes you an easy target because you don’t take cybersecurity as seriously as you should.
Could the email have been blocked?
Yes, it’s possible that the email requesting the information could have been blocked if you had an advanced spam filter. At the very least, an email filter that tagged the message as coming from an external sender (rather than from the executive’s real internal account) would have raised a red flag.
What if the email really came from the executive’s email account?
If the executive was a victim of Business Email Compromise (BEC) then you’ll have to find out how that person was managing (or mismanaging) their accounts. They could have had their weak password cracked or the executive could have unknowingly given up his or her credentials in an initial phishing scheme.
How did the cyber criminal know who had access to the W-2s?
There’s a lot to be learned about your business and who works for you just by doing some internet research. However, it’s also entirely possible that the cyber criminal did their sleuthing from within your own network if you don’t have advanced security tools that detect and respond to such threats.
How did the cyber criminal collect the money?
Refunds from your fraudulently filed tax return aren’t going to appear in your mailbox or bank account. The cyber criminal will set it up so that the funds are electronically transferred to debit cards, or they’ll use an address where they can steal the refund out of the mail.
How to Avoid Becoming a Tax Fraud Victim
Responsibility for keeping your confidential information safe is shared by both employee and employer. Since we’re talking about a scenario here where the employer was the source of the breach, let’s talk about some must-have foundational security tactics for small and medium-sized businesses.
Advanced Cybersecurity Tools – Whatever you were doing three years ago for security isn’t enough today. Cyber criminal technology has evolved and you need security tools that use Artificial Intelligence (AI) to monitor, detect and respond to threats, including those that come through email.
Here’s a partial list of security layers that you might need to add to beef up your cyber defenses:
- Endpoint Detection and Response (EDR)
- Advanced Email Spam Filter
- Security Information and Event Management Tool (SIEM)
Multi-Factor Authentication (MFA) – MFA makes it harder for your accounts to be compromised because a stolen or cracked password alone isn’t enough to log in; the cyber criminal would also need the second factor.
Cybersecurity Awareness Training – Make your employees a strong line of cyber defense by teaching them how to recognize and respond to suspicious messages.
Security Policies and Procedures – Control access to information with strict need-to-know policies and have business procedures in place to verify that requests for access to confidential information are authentic.
Control Your Domain – Buy the look-alike domain names (misspellings, swapped characters, alternate endings) that cyber criminals could use to impersonate your website or email addresses.
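Several of the layers above (the external-sender flag, the look-alike domain, the procedure for verifying requests for confidential information) can be turned into a simple triage check. The following is an added example, not code from XPERTECHS or from this post; it assumes a company domain of example-corp.com, a small directory of executives, and two constructed sample messages, and it returns the red flags a mail filter or payroll inbox rule would raise before anyone sends a W-2.

```python
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumed: your own mail domain
# assumed: directory of executives as "display name" -> real internal address
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
SENSITIVE_TERMS = ("w-2", "w2", "social security", "ssn")

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(raw):
    """Return the list of red flags raised by one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    if domain != COMPANY_DOMAIN:
        flags.append("external-sender")          # what an external-sender banner shows
        if edit_distance(domain, COMPANY_DOMAIN) <= 2:
            flags.append("lookalike-domain")     # one or two characters off from ours
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append("executive-name-mismatch")  # executive's name on a foreign address
    _, reply = parseaddr(msg["Reply-To"] or "")
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        flags.append("reply-to-mismatch")        # replies would be routed elsewhere
    text = (msg["Subject"] or "") + " " + msg.get_body(("plain",)).get_content()
    if any(term in text.lower() for term in SENSITIVE_TERMS):
        flags.append("requests-pii")
    return flags

def triage(raw):
    """Policy: a PII request that is not verifiably internal is held, not answered."""
    flags = assess(raw)
    if "requests-pii" in flags and len(flags) > 1:
        return "hold: verify with the requester by phone before sending"
    return "deliver"

# constructed sample: executive impersonation from a look-alike domain
PHISH = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: ceo.jdoe@webmail.example
To: payroll@example-corp.com
Subject: W-2s needed today

Please send a PDF of all employee W-2s and a list with social security numbers.
"""
# constructed sample: a routine internal message from the real executive
LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Quarterly review

Can we meet Thursday to go over the quarterly numbers?
"""
```

Run `assess(PHISH)` to see every flag the impersonation trips; `assess(LEGIT)` returns no flags and `triage` lets it through.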
Related: Read a true story of how a phishing email and look-alike domain netted $160,000 for a hacker
Get Your Tax Return Filed Early but Stay Vigilant
One of the best ways to thwart a tax scam is to get your return filed as early as possible before anyone has a chance to impersonate you. However, if your confidential information has been breached, you’re still at risk for other crimes that utilize stolen identities.
The bottom line is that you and your employer share the responsibility to protect confidential information – both yours and theirs. Stay vigilant, strengthen your security posture, and make cybersecurity a continuing topic of conversation (which is about the only way to get people to care about cybersecurity short of becoming a victim).
Related: How to Get People to Care About Cybersecurity
XPERTECHS DEFENDs Against Cyber Threats
Here at XPERTECHS, we help companies up their security game so that they can effectively manage cyber risks. We provide cybersecurity services through our managed IT services framework that gives clients sound IT management and innovative IT strategy that allows them to get better business results from technical strength and strategy.
Contact us for a free IT consultation.