11 Tips to Protect Against Cyber Breach at Tax Time

The U.S. tax season is upon us and the last thing we need, for ourselves or our company, is to attempt to file our taxes and receive a message, "Your taxes have already been filed." This happens across the nation, and when you see that message, a criminal has already used either your company data or your personally identifiable information to file taxes on your behalf and take your refund.

Unfortunately, no matter what we do to protect our information, bad things can happen. This time of year should always serve as a reminder for us to take some basic steps in order to protect ourselves and our organizations.

The process of protecting yourself from cyber threats should be seen as a year-long effort, and not just something to think about during tax season. Even though a sharp increase of breach events is noticed during tax season, many companies and accounting firms may in fact be infiltrated up to a year or more in advance of the breach. In those cases, the bad actors just sit and wait to take action on your data.

11 Ways to Protect Yourself and Your Company at Tax Time

We've created a helpful list to protect yourself and your company from these types of events. This list is by no means an end-all-be-all, but it's a good place to start in order to harden security and be less of an easy target.

• Use a reputable tax preparation service for your tax return. You should always ask the company what they are doing to protect your data from outside threats. If you self-prepare, use a reputable submission service or software that promises safety in their services.
• Keep your operating system, software programs, and network devices up to date. In order to avoid vulnerabilities that may allow someone untethered access to protected information regular patching from the manufacturers is required.
• Use encryption. If you leave the office or home with confidential data on a laptop or storage media, consider using encryption to protect that data from unauthorized access.
• Empower yourself and your employees with a bit of knowledge in basic internet safety. A few searches on the internet will help you understand what social engineering, phishing, virus, malware, and ransomware are and how to avoid them. When you view, open, install something, or fail to update software and hardware appliances, you present a possibility for a potential disaster to strike.
• Never think because you are merely an individual or a small business that you are not being targeted in the same way larger organizations are targeted. If you have a company presence on the internet, you are a potential target, no matter the size. The good news is the means you use to protect yourself and your small or midsize business, is actually the same way a larger business protects itself.
• Know that just because an ad is on a reputable website, it does not mean it's safe to click. If something piques your interest in the ad, back out of the site and search for the store or company in a search engine and find a direct link to the news story or product.
• Be cognizant when you receive an email, especially with an attachment. Pause and think for a moment, is this a solicited attachment? Am I expecting correspondence from this individual with an attachment? Is the email address correct? Does the body of the email contain correct spelling and grammar? If you are asked to click on a URL in the email, hover over the link with your cursor before clicking. Does the address point you to where the link title says it will? Does the email attempt to create a sense of urgency? Many scams will do so in an attempt to get you to avoid pausing to think.
• Verify transfers. If you are a manager or supervisor who receives a verification call regarding transfers of funds for an urgent situation, be alert and double-check the request. Criminals do their homework and footprint a target to understand their weakest point.
• Be aware of fraudulent calls. The Internal Revenue Service and Law Enforcement are not going to tell you to call them up because you need to pay back taxes or a fine over the phone with a gift card number. This is also true if you receive a call wanting you to post bond or pay a fine for a family member who has been arrested overseas. Call the U.S. State Department or U.S. Consulate in the region that the call is supposedly coming from after you check with other family members and try to reach the individual who they are reporting as being arrested.
• Think of using passphrases instead of passwords. A phrase is longer and more easily remembered, and it takes longer to decrypt. Avoid using terms or numbers that can be associated with your life and found if someone were to reverse engineer your life using social media. Keep in mind your I.T. Administrators won't ask you for your password if they want access to your account. As administrators, they can typically just take it over, if necessary.
• Never give personal or financial information over the phone unless you've verified the source. If you receive a call or an email asking you for your personal identifiers, financial information, user account names, passwords, security answer questions, ask them who they are, and call them back. This is also the case if someone is telling you that your personal information has been breached. Get off the phone and look up the company or agency they are claiming to represent and call the number listed for that company. If they are from your bank or credit card company, call the number on the back of your card or on your statement.

We all likely wish we lived in a world where we didn't have to put forth this amount of effort to protect ourselves from becoming an easy target. But the reality is, we do. We are forced to research internet safety and how to protect ourselves or our company from digital threats. It's important to start thinking about information technology, computer equipment hardware, and software that may need periodic preventative health checks, putting into place employee training or computer upgrades, and taking preventative measures, on your own terms instead of when an actual breach occurs.