Technology has long made accounting easier, from the first adding machines to electronic spreadsheets to today’s cloud computing ecosystem. While recent advancements have allowed business owners and their accountants to collaborate efficiently from any location, they also created a growing cybersecurity risk that cyber insurance can help manage.

Cyberattacks Threaten All Organizations

According to a 2022 survey commissioned by CyberCatch, 75% of small and medium-sized businesses (SMBs) could only survive three to seven days if they suffered a cyberattack.

Big businesses are frequent targets, and their security breaches tend to make headlines. But smaller businesses are easier prey for cybercriminals because they lack the complicated security infrastructure that larger businesses maintain.

The cost of a data breach can be devastating for small businesses. A data breach costs SMBs, on average, $101,000, according to Kaspersky’s IT Security Economics Report for 2020. That cost includes detecting and shutting down the attack, recovering lost data, notifying third parties, legal expenses related to the breach, and lost business.

Cloud accounting is more secure than having all your business’s accounting data on a desktop or device because providers typically deploy top-of-the-line security features. However, any system — cloud or otherwise — is only as strong as its weakest link. It only takes one user falling victim to a social engineering attack, using a weak password, or opening a malware-infected attachment to give cybercriminals access to your payroll records, vendor and customer lists, bank account numbers, and more.

Manage the Risk with Cyber Insurance

Cyber insurance has become an increasingly important risk management tool for businesses. This insurance policy provides businesses with various coverage options to help recover from data breaches and other security issues.

While the exact coverages vary from policy to policy, cyber insurance typically covers two broad categories of losses:

Like any insurance policy, cyber insurance policies have exclusions. Typical cyber policy exclusions include lost future profits, the lost value related to intellectual property theft, and the cost of upgrading security after a data breach.

How to Buy Cyber Insurance

Most major commercial insurance carriers offer cyber insurance coverage, so reach out to your agent or broker to get a quote. But keep in mind that while cyber insurance is increasingly essential coverage for most small businesses, it can also be difficult — and expensive — to buy. According to Marsh, a New York City-based insurance broker and advisor, cyber insurance premiums in the U.S. increased by an average of 96% from 2020 to 2021.

Following a few IT security best practices can reduce your risk and improve your chances of getting coverage at an affordable price. Those best practices include:

As technology evolves, so will your exposure to various types of cyber-risks. While cyber insurance coverage can be a critical part of managing those risks, it doesn’t replace security best practices. Take the necessary steps to protect your business for a better chance of minimizing your exposure.

The partners and professionals at Hamilton Tharp, LLP would like to remind our clients to watch for IRS notices and letters. With IRS scams and identity theft on the rise, stopping identity theft and refund fraud is a top priority for the Internal Revenue Service. The IRS has many new safeguards in place to help fight against stolen identity refund fraud. These safeguards are designed to better authenticate the taxpayer’s identity and the validity of the tax return at the time of filing. If the IRS received your federal income tax return, but needs more information to verify your identity and process your tax return, they will send you Letter 4883C. There are many reasons why a return may appear to be suspicious to IRS systems, and the agency takes this precautionary step to help protect you.

If you received Letter 4883C, it is not fraud. It is a legitimate request, from the IRS, asking you to verify your identity. The letter will contain instructions to call the toll-free IRS Identity Verification telephone number at 800-830-5084. Before you call, gather the following items:

If you are unable to verify your identity with the customer service representative, you may be asked to visit an IRS Taxpayer Assistance Center in person. To find a Taxpayer Assistance Center closest to you, visit https://apps.irs.gov/app/officeLocator/index.jsp and enter your zip code into the office locator. Taxpayer Assistance Centers are closed on federal holidays. You will be asked to provide photo identification and a taxpayer identification number such as your social security number. You may also be asked to provide a copy of the tax return in question.

Remember, the IRS will never

We also remind our clients, this is the time of year they may see scam emails from their tax software provider or others asking them to update online accounts. Taxpayers should learn to recognize phishing emails, calls or texts that pose as familiar organizations such as banks, credit card companies, tax software providers or even the IRS. These ruses generally urge taxpayers to give up sensitive data such as passwords, Social Security numbers and bank account or credit card numbers.

If you receive a suspicious email, check with us first. Never open an attachment or link from an unknown or suspicious source. It may infect your computer with malware or steal information. Remember, the IRS does not send unsolicited emails or request sensitive data via email.

The Internal Revenue Service warns taxpayers of a new twist on an old scam in which criminals steal client data from tax professionals, file fraudulent tax returns and deposit the erroneous refund into the taxpayers’ real bank account. They will then use a variety of tactics to reclaim the refund from the taxpayer. There are currently two versions of the scam.

Version One

Criminals posing as debt collection agency officials acting on behalf of the IRS contacted the taxpayers to say a refund was deposited in error, and they asked the taxpayers to forward the money to their collection agency.

Version Two

The taxpayer who received the erroneous refund gets an automated call with a recorded voice that claims to be from the IRS and threatens the taxpayer with criminal fraud charges, an arrest warrant and a “blacklisting” of their Social Security Number. The recorded voice gives the taxpayer a case number and a telephone number to call to return the refund.

What should you do if you received an erroneous refund?

The IRS urges taxpayers to follow established procedures for returning an erroneous refund to the agency. The IRS also encourages taxpayers to discuss the issue with their financial institutions because there may be a need to close bank accounts. Taxpayers receiving erroneous refunds also should contact their tax preparers immediately.

Remember, the IRS will never

The professionals in our office are closely monitoring this evolving scam, and we will keep you apprised.

The Internal Revenue Service, state tax agencies and the tax industry urge all employers to educate their payroll personnel about a Form W-2 phishing scam that made victims of hundreds of organizations and thousands of employees last year.

The Form W-2 scam has emerged as one of the most dangerous phishing emails in the tax community. During the last two tax seasons, cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces. The scam affected all types of employers, from small and large businesses to public schools and universities, hospitals, tribal governments and charities.

Reports to phishing@irs.gov from victims and nonvictims about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016. Last year, more than 200 employers were victimized, which translated into hundreds of thousands of employees who had their identities compromised.

The IRS and its partners in the Security Summit effort hope to limit the success of this scam in 2018 by alerting employers immediately. The IRS can take steps to protect employees, but only if the agency is notified immediately by employers about the theft. Last year, the IRS created a new process by which employers should report these scams.

How the scam works

Best Practices for Employers 

To avoid falling victim to the Form W-2 scam, employers can:

If the business or organization victimized by these attacks notifies the IRS, the IRS can take steps to help prevent employees from being victims of tax-related identity theft.

How to notify the IRS if you are a victim

The IRS established a special email notification address specifically for employers to report Form W-2 data thefts. Here’s how Form W-2 scam victims can notify the IRS:

Include the following:

Businesses and organizations that fall victim to the scam and/or organizations that only receive a suspect email but do not fall victim to the scam should send the full email headers to phishing@irs.gov and use “W2 Scam” in the subject line.

Be aware that cybercriminals’ scams are constantly evolving. Employers should be alert to any unusual requests for employee data.

We know identity theft is a frustrating process for victims. The IRS is taking this issue very seriously and continues to expand on its robust screening process to stop fraudulent returns.

What is identity theft?

Identity theft occurs when someone uses personal information such as your name, Social Security number (SSN) or other identifying information without your permission, to commit fraud or other crimes, such as claiming a fraudulent refund.

How do you know if your tax records have been affected?

Usually, an identity thief uses a legitimate taxpayer’s identity to fraudulently file a tax return and claim a refund. Generally, the identity thief will use a stolen SSN to file a forged tax return and attempt to get a fraudulent refund early in the filing season.

You may only become aware this has happened to you if you file your return later in the filing season and discover that two returns have been filed using the same SSN.

Be alert to possible identity theft if you receive an IRS notice or letter that states that:

What should you do if your tax records are affected by identity theft?

If you receive a notice from the IRS, contact us immediately. If you believe someone may have used your SSN fraudulently, we will notify the IRS immediately by completing the appropriate paperwork.

If you are a victim of identity theft, the Federal Trade Commission recommends that you

If your SSN is compromised, the IRS recommends that you

How can you protect your tax records?

If your tax records are not currently affected by identity theft, but you believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, please let us know. We can assist you in contacting the IRS and other agencies to ensure your identity is safe.

How can you minimize the chance of becoming a victim?

If you become a victim of identity theft, the professionals in our office can assist you in dealing with the IRS and any other agencies with which you must communicate. Call us today.

Equifax, one of the United States’ three major consumer credit reporting agencies, recently reported a breach that compromised the personal information of approximately 143 million Americans. The nature of this breach is particularly alarming because many consumers may not even know they are customers of the company. Equifax receives information from multiple sources including banks, lenders, credit card companies and retailers. Names, social security numbers, birth dates, addresses and driver’s licenses were among the information stolen from Equifax’s databases.

Credit card numbers for about 209,000 people were exposed, as was “personal identifying information” on roughly 182,000 customers involved in credit report disputes.

How to determine if you were one of the 143 million Americans affected

Additional steps you can take

We are closely monitoring this issue and will keep you informed of any new developments.

Even though the tax filing season has ended for most taxpayers, the Internal Revenue Service recently issued a warning that tax-related scams continue. People should remain on alert to new and emerging schemes involving the tax system that continue to claim victims. Below we have listed four recent scams to be aware of and the telltale signs of a scam.

EFTPS Scam
A new scam which is linked to the Electronic Federal Tax Payment System (EFTPS) has been reported nationwide. Con artists will call to demand immediate tax payment. The caller claims to be from the IRS and says that two certified letters mailed to the taxpayer were returned as undeliverable. The scammer then threatens arrest if a payment is not made immediately by a specific prepaid debit card. Victims are told that the debit card is linked to the EFTPS when, in reality, it is controlled entirely by the scammer. Victims are warned not to talk to their tax preparer, attorney or the local IRS office until after the payment is made.

“Robo-call” Messages
It is important to remember that the IRS does not call and leave prerecorded, urgent messages asking for a call back. In this tactic, scammers tell victims that if they do not call back, a warrant will be issued for their arrest. Those who do respond are told they must make immediate payment either by a specific prepaid debit card or by wire transfer.

Private Debt Collection Scams
The IRS recently began sending letters to a relatively small group of taxpayers whose overdue federal tax accounts are being assigned to one of four private-sector collection agencies. Taxpayers should be on the lookout for scammers posing as private collection firms. The IRS-authorized firms will only be calling about a tax debt the person has had – and has been aware of – for years. The IRS would have previously contacted taxpayers about their tax debt.

Scams Targeting People with Limited English Proficiency
Taxpayers with limited English proficiency have been recent targets of phone scams and email phishing schemes that continue to occur across the country. Con artists often approach victims in their native language, threaten them with deportation, police arrest and license revocation among other things. They tell their victims they owe the IRS money and must pay it promptly through a preloaded debit card, gift card or wire transfer. They may also leave “urgent” callback requests through phone “robo-calls” or via a phishing email.

Telltale Signs of a Scam:

The IRS (and its authorized private collection agencies) will never:

How to Know It’s Really the IRS Calling or Knocking

The IRS initiates most contacts through regular mail delivered by the United States Postal Service. However, there are special circumstances in which the IRS will call or come to a home or business, such as:

For more information visit “How to know it’s really the IRS calling or knocking on your door” on IRS.gov.

If you think you are the target of a scam, follow up with your accountant for further guidance.

One only needs to skim the daily news to realize that hackers are getting better and cybersecurity is more important than ever. The most recent cyberattack was a strain of ransomware that spread itself across all workstations in a network, causing a global epidemic. Luckily, a programmer developed an internal “kill switch,” which stopped the malware from spreading any further. Regardless of whether your system was impacted by this outbreak or not, there are many lessons to be learned, principally the need to reinforce fundamental security practices to prepare for the future.

Taking these recent outbreaks into consideration, it is evident that organizations need to make cybersecurity risk management a top priority. To help leaders in the accounting profession reach this goal, the American Institute of CPAs (AICPA) has unveiled a cybersecurity risk management reporting framework that will help companies and auditors communicate cyber risk readiness to stakeholders. The framework is long overdue; until now a common language for companies to communicate about their cybersecurity risk management was non-existent. The AICPA’s new framework includes three main resources:

  1. Description criteria used by management to explain the organization’s cybersecurity risk management program.
  2. Control criteria used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.
  3. Attest Guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, will be used to assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.

Cyber threats are constantly evolving, and unfortunately, your cash and customer information are desirable targets. Providing assurance to your team and stakeholders requires intentionality and a plan. Having strong cybersecurity measures in place will help safeguard sensitive information and the AICPA’s new reporting framework will help you better communicate your preparedness to key stakeholders. If you need any guidance in this area, please reach out to one of our tax advisors.

The Internal Revenue Service, state tax agencies and the tax industry recently issued an urgent alert to all employers that the Form W-2 email phishing scam has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits.

In a related development, the W-2 scammers are coupling their efforts to steal employee W-2 information with an older scheme on wire transfers that is victimizing some organizations twice. “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” said IRS Commissioner John Koskinen.

When employers report W-2 thefts immediately to the IRS, the agency can take steps to help protect employees from tax-related identity theft. The IRS, state tax agencies and the tax industry, working together as the Security Summit, have enacted numerous safeguards in 2016 and 2017 to identify fraudulent returns filed through scams like this. As the Summit partners make progress, cybercriminals need more data to mimic real tax returns.

Here’s how the scam works:

Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.  This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).

The Security Summit partners urge all employers to be vigilant. The W-2 scam, which first appeared last year, is circulating earlier in the tax season and to a broader cross-section of organizations, including school districts, tribal casinos, chain restaurants, temporary staffing agencies, healthcare and shipping and freight. Those businesses that received the scam email last year also are reportedly receiving it again this year.

New Twist to W-2 Scam: Companies Also Being Asked to Wire Money

In the latest twist, the cybercriminal follows up with an “executive” email to payroll or the comptroller and asks that a wire transfer also be made to a certain account. Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers.

The IRS, states and tax industry urge all employers to share information with their payroll, finance and human resources employees about this W-2 and wire transfer scam. Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers.
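A mail-triage sketch for the W-2 and wire-transfer requests described above, added here as an illustration and not taken from the IRS alert or the firm: it flags an executive display name on an outside address, a Reply-To that points elsewhere, and requests for W-2 data or a wire transfer. The domain `example.org`, the executive names, the indicator names and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (hypothetical, not from the IRS alert): the organization's mail
# domain and the executives whose names a scammer is likely to borrow.
ORG_DOMAIN = "example.org"
EXECUTIVES = {"pat rivera", "jordan lee"}
REPORT_TO = "phishing@irs.gov"  # reporting address given in the article

W2_REQUEST = re.compile(r"\bw-?2s?\b", re.IGNORECASE)
WIRE_REQUEST = re.compile(r"\bwire\s+transfer\b", re.IGNORECASE)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message):
    """Return the sorted indicator names found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    found = set()
    # Executive's name shown to the reader, but the address is not ours.
    if display.strip().lower() in EXECUTIVES and _domain(from_addr) != ORG_DOMAIN:
        found.add("exec_name_external_sender")
    # Replies would go to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        found.add("reply_to_mismatch")
    if W2_REQUEST.search(text):
        found.add("requests_w2_data")
    if WIRE_REQUEST.search(text):
        found.add("requests_wire_transfer")
    return sorted(found)

def verdict(indicators):
    spoof = {"exec_name_external_sender", "reply_to_mismatch"} & set(indicators)
    request = {"requests_w2_data", "requests_wire_transfer"} & set(indicators)
    if spoof and request:
        return "hold-and-report"      # forward with full headers to REPORT_TO
    if request:
        return "verify-out-of-band"   # From can be forged; confirm by phone
    return "deliver"

# Constructed sample messages (not real traffic).
W2_LURE = (
    'From: "Pat Rivera" <pat.rivera@examp1e-mail.test>\n'
    "Reply-To: p.rivera.ceo@freemail.test\n"
    "To: payroll@example.org\n"
    "Subject: Urgent request\n\n"
    "Please send me the W-2 forms for all employees as a PDF today.\n"
)
WIRE_FOLLOWUP = (
    'From: "Pat Rivera" <pat.rivera@examp1e-mail.test>\n'
    "To: comptroller@example.org\n"
    "Subject: Re: Urgent request\n\n"
    "I also need a wire transfer made to the account below before noon.\n"
)
ROUTINE = (
    'From: "Pat Rivera" <pat.rivera@example.org>\n'
    "To: payroll@example.org\n"
    "Subject: Lunch Friday\n\n"
    "Team lunch is moved to Friday.\n"
)

if __name__ == "__main__":
    for name, raw in [("w2", W2_LURE), ("wire", WIRE_FOLLOWUP), ("routine", ROUTINE)]:
        hits = triage(raw)
        print(name, hits, verdict(hits))
```

A message forged with the organization's own domain in From passes the sender check, which is why any W-2 or wire request still returns `verify-out-of-band` rather than `deliver`.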

Steps Employers Can Take If They See the W-2 Scam

  • Organizations receiving a W-2 scam email should forward it to phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3), operated by the Federal Bureau of Investigation.
  • Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at identitytheft.gov or the IRS at www.irs.gov/identitytheft. Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return gets rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

The W-2 scam is just one of several new variations that have appeared in the past year that focus on the large-scale thefts of sensitive tax information from tax preparers, businesses and payroll companies. Individual taxpayers also can be targets of phishing scams, but cybercriminals seem to have evolved their tactics to focus on mass data thefts.

Be Safe Online

In addition to avoiding email scams during the tax season, taxpayers and tax preparers should be leery of using search engines to find technical help with taxes or tax software. Selecting the wrong “tech support” link could lead to a loss of data or an infected computer. Also, software “tech support” will not call users randomly. This is a scam. Taxpayers or tax preparers looking for tech support for their software products should go directly to the provider’s web page.

The professionals in our office can answer any questions you may have regarding phishing scams. Call us today.

IRS Warns Taxpayers to Guard Against New Tricks by Scam Artists; Losses Top $20 Million

WASHINGTON — Following the emergence of new variations of widespread tax scams, the Internal Revenue Service today issued another warning to taxpayers to remain on high alert and protect themselves against the ever-evolving array of deceitful tactics scammers use to trick people.

These schemes — which can occur over the phone, in e-mails or through letters with authentic looking letterhead — try to trick taxpayers into providing personal financial information or scare people into making a false tax payment that ends up with the criminal.

The Treasury Inspector General for Tax Administration (TIGTA) has received reports of roughly 600,000 contacts since October 2013. TIGTA is also aware of nearly 4,000 victims who have collectively reported over $20 million in financial losses as a result of tax scams.

“We continue to see these aggressive tax scams across the country,” IRS Commissioner John Koskinen said. “Scam artists specialize in being deceptive and fooling people. The IRS urges taxpayers to be extra cautious and think twice before answering suspicious phone calls, emails or letters.”

Scammers posing as IRS agents first targeted those they viewed as most vulnerable, such as older Americans, newly arrived immigrants and those whose first language is not English. These criminals have expanded their net and are now targeting virtually anyone.

In a new variation, scammers alter what appears on your telephone caller ID to make it seem like they are with the IRS or another agency such as the Department of Motor Vehicles. They use fake names, titles and badge numbers. They use online resources to get your name, address and other details about your life to make the call sound official. They even go as far as copying official IRS letterhead for use in email or regular mail.

Brazen scammers will even provide their victims with directions to the nearest bank or business where the victim can obtain a means of payment such as a debit card. And in another new variation of these scams, con artists may then provide an actual IRS address where the victim can mail a receipt for the payment — all in an attempt to make the scheme look official.

The most common theme with these tricks seems to be fear. Scammers try to scare people into reacting immediately without taking a moment to think through what is actually happening.

These scam artists often angrily threaten police arrest, deportation, license revocation or other similarly unpleasant things. They may also leave “urgent” callback requests, sometimes through “robo-calls,” via phone or email. The emails will often contain a fake IRS document with a telephone number or email address for your reply.

It is important to remember the official IRS website is IRS.gov. Taxpayers are urged not to be confused or misled by sites claiming to be the IRS but ending in .com, .net, .org or other designations instead of .gov. Taxpayers should never provide personal information, financial or otherwise, to suspicious websites or strangers calling out of the blue.

Below are five things scammers often do that the real IRS would never do.

The IRS will never:

Here’s what you should do if you think you’re the target of an IRS impersonation scam: