Accounting: How to protect yourself and your business from identity theft and other fraud during tax season

By Kevin Ricci, CISA, MCSE, CRISC
From data breaches to phishing attacks and ransomware to identity theft, businesses are at a higher risk from cyberattack than ever before.
Lurking behind every mouse click is the potential for a technological tragedy. A seemingly benign decision, such as opening an attachment from what we believe to be a trusted sender, can result in a nearly infinite number of ruinous outcomes; malware can be deployed, a backdoor to your server could be established, or your data may be compromised.
By the time a user has realized that a mistake has been made, it may be too late to stop the potentially catastrophic damage.
One of the more prevalent risks that everyone should be aware of during tax season is identity theft, which involves the fraudulent procurement and usage of a victim’s private information, typically for financial gain. To say that identity theft attempts are commonplace is a tremendous understatement. In 2015 alone, the IRS detected and stopped more than 4.8 million suspicious tax returns. While many efforts continue to be made in order to protect and prevent this epidemic, it continues to be an immense issue for both businesses and individuals.
While identity theft cannot be totally avoided, there are some measures you can utilize to avoid becoming the next victim of a cybercriminal. The following important steps can lessen the likelihood of thieves obtaining and using personal information for fraudulent purposes.
For individuals, this means taking all of the following actions:
• protecting Social Security numbers; for example, a Social Security card should not be carried around (other than to complete Form I-9 when hired for a job), and should rarely, if ever, be entered on a website.
• limiting disclosure of personal information, such as a birthday, on social media.
• using smart password policies for financial accounts, mobile devices and other sensitive data and devices. This means different passwords for every site, complex passwords that can’t be easily guessed, and changing passwords every 60 to 90 days.
• if you suspect that you are the victim of identity theft, the IRS has provided guidance on what steps to take:
For businesses, vulnerability to identity theft can come from within (an employee or former employee) or from outside (hackers). The following best practices can greatly reduce the ability for cybercriminals to gain access to a company’s sensitive information:
• Provide cybersecurity education to every user, at least once a year, so that they know how to handle sensitive information, and can identify attempted phishing attacks, so that they become a virtual human firewall.
• Maintain a clean desk policy throughout the company, especially in areas that tax returns are handled, so that electronic or hardcopy documents containing sensitive information are secured when users are away from their work area.
• Practice the principle of least privilege, meaning that users should be allowed to access only those applications and network folders that are essential to their job function.
Whether intentional or accidental, data compromised by employees is one of the leading causes of breaches, so efforts should be made to minimize the information that users can access.
While identity theft is becoming more prevalent, due to cybercriminals constantly devising new and more sinister tactics, practicing sound security strategies can significantly reduce the risk of you becoming the next identity theft victim. Everyone must remain vigilant, as the price for not taking this threat seriously could cost us our very identity.
Kevin Ricci, CISA, MCSE, CRISC, is IT Director for Citrin Cooperman. He can be reached at (401) 421-4800 or
This article was published in the April 2017 issue of Cape & Plymouth Business.