Small business identity theft is a big business for identity thieves. Just like individuals, businesses may have their identities stolen and their sensitive information used to open credit card accounts or file fraudulent tax returns seeking bogus refunds. To mark “National Tax Security Awareness Week,” the Delaware Division of Revenue, along with the IRS and the nation’s tax industry have joined together to warn small businesses to be on-guard against a growing wave of identity theft against businesses and employers.

In the past year, the Internal Revenue Service noted a sharp increase in the number of fraudulent Forms 1120, 1120S and 1041 as well as Schedules K-1. The fraudulent filings include forms filed relating to partnerships, estates and trusts. Identity thieves are displaying a sophisticated knowledge of the tax code and industry filing practices as they attempt to obtain valuable data to enable them to file fraudulent returns.

Identity thieves have long made use of stolen Employer Identification Numbers (EINs) to create fake Forms W-2 that they file with fraudulent individual tax returns seeking refunds. Fraudsters also used EINs to open new lines of credit or obtain credit cards. Now, they are using company names and EINs to file fraudulent returns for the businesses themselves.

As with fraudulent individual returns, there are certain signs that may indicate identity theft. Those filing returns for corporations, partnerships, estates or trusts should be alert to potential identity theft and contact the IRS if they experience any of these issues:

• Extension to file requests are rejected because a return with the Employer Identification Number or Social Security number is already on file;
• An e-filed return is rejected because a duplicate EIN/SSN is already on file with the IRS;
• An unexpected receipt of a tax transcript or IRS notice that doesn’t correspond to anything submitted by the filer;
• Failure to receive expected and routine correspondence from the IRS because the thief has changed the taxpayer’s address.

New Procedures to Protect Businesses in 2018

The Division of Revenue, the IRS, and software providers share certain data points from returns, including business returns, which help identify a suspicious filing. Delaware and the IRS are asking that businesses and tax practitioners provide additional information that will help verify the legitimacy of the tax returns they file.

For 2018, the “know your customer” procedures that are being put in place include the following questions:

• Authorized signer – Confirm the name and SSN of the company executive authorized to sign the corporate tax return;
• Payment history – were estimated tax payments made? If yes, when were they made, how were they made, and how much was paid?
• Parent company information – is there a parent company? If yes, what is the name of the parent company?
• Deduction information – Provide additional information based on deductions claimed;
• Filing history – has the business filed Form(s) 940, 941 or other business-related tax forms?

Individuals operating as sole proprietorships who file Schedule C with Form 1040 and partnerships that file Schedule K-1 with Form 1065 also will be asked to provide additional information items, such as a driver’s license number. Providing this information will help Delaware and the IRS identify suspicious business-related returns.

For small businesses looking for a place to start on security, the National Institute of Standards and Technology (NIST) has produced Small Business Information Security: The Fundamentals. NIST is the branch of the U.S. Commerce Department that sets information security frameworks followed by federal agencies. The United States Computer Emergency Readiness Team (US-CERT) has created Resources for Small and Midsize Businesses.

Take the steps recommended by cyber experts to protect your business, and visit the Identity Protection: Prevention, Detection and Victim Assistance for more information about business-related identity theft.

During the online holiday shopping season, the Delaware Division of Revenue is joining with the IRS, other state tax agencies and the tax industry to mark “National Tax Security Awareness Week.” From November 27 through December 1, we’d like to remind people to be vigilant with their personal information. While you are shopping for gifts, criminals are shopping for credit card numbers, financial account information, Social Security numbers and other sensitive data that could help them file a fraudulent tax return.

Cyber criminals seek to turn stolen data into quick cash, either by draining financial accounts, charging credit cards, creating new credit accounts or even using stolen identities to file a fraudulent tax return for a refund. Anyone who has an online presence should take a few simple steps that could go a long way to protecting their identity and personal information.

Here are seven steps to help with online safety and protecting tax returns and refunds in 2018:

• Shop at familiar online retailers. Generally, sites using the “s” designation in “https” at the start of the URL are secure. Look for the “lock” icon in the browser’s URL bar. But remember, even bad actors may obtain a security certificate so the “s” may not vouch for the site’s legitimacy.
• Avoid unprotected Wi-Fi. Beware of making purchases at unfamiliar sites or clicking on links from pop-up ads. Unprotected public Wi-Fi hotspots also may allow thieves to view transactions. Do not engage in online financial transactions if using unprotected public Wi-Fi.
• Learn to recognize and avoid phishing emails that pose as a trusted source such as those from financial institutions or the IRS. These emails may suggest a password is expiring or an account update is needed. The criminal’s goal is to entice users to open a link or attachment. The link may take users to a fake website that will steal usernames and passwords or an attachment may download malware that tracks keystrokes.
• Keep a clean machine. This applies to all devices — computers, phones and tablets. Use security software to protect against malware that may steal data and viruses that may damage files. Set it to update automatically so that it always has the latest security defenses. Make sure firewalls and browser defenses are always active. Avoid “free” security scans or pop-up advertisements for security software.
• Use passwords that are strong, long and unique. Experts suggest a minimum of 10 characters, but longer is better. Avoid using a specific word; longer phrases are better. Use a combination of letters, numbers and special characters. Use a different password for each account. If you can’t remember all your passwords, use a password manager, which securely stores the passwords for you.
• Use multi-factor authentication. Some financial institutions, email providers and social media sites allow users to set accounts for multi-factor authentication, meaning users may need a security code, usually sent as a text to a mobile phone, in addition to usernames and passwords. For added protection, some financial institutions also will send email or text alerts when there is a withdrawal or change to the account. Generally, users can check account profiles at these locations to see what added protections may be available.
• Encrypt and password-protect sensitive data. If keeping financial records, tax returns or any personally identifiable information on computers, this data should be encrypted and protected by a strong password. Also, back-up important data to an external source such as an external hard drive. When disposing of computers, mobile phones or tablets, make sure to wipe the hard drive of all information before throwing it away.

There are also a few additional steps people can take a few times a year to make sure they have not become an identity theft victim. Receive a free credit report from each of the three major credit bureaus once a year. Check it to make sure there are no credit changes that don’t look familiar. Create a “My Social Security” account online with the Social Security Administration which can be used to see how much income is attributed to your SSN annually. This can help determine if someone else is using your SSN for employment purposes.

The Division of Revenue, the IRS, and the tax industry are committed to working together to fight against tax-related identity theft and to protect taxpayers. Visit the “Taxes. Security. Together.” awareness campaign, or review IRS Publication 4524, Security Awareness for Taxpayers for additional information.

House Bill 180, sponsored by Representative Baumbach, has bipartisan support in General Assembly

DOVER, Del. – Governor John Carney and members of the General Assembly announced legislation on Thursday that would expand protections for Delawareans affected by computer security breaches.

The bipartisan legislation, House Bill 180, is sponsored by Representative Paul Baumbach. Additional sponsors include Senator David Sokola, Senator Ernesto “Ernie” Lopez, Senator Brian Pettyjohn, Representative Stephanie T. Bolden and Representative Deborah Hudson.

“This legislation would provide additional, common sense protections for Delawareans whose personal information may be compromised in a cybersecurity breach,” said Governor Carney. “We live in a world where these types of breaches are becoming more common, and we should enact additional safeguards for all Delawareans who may be affected. Thank you to Representative Baumbach and all members of the General Assembly who are taking on this important issue.”

“I am pleased to have been able to work with colleagues, members of the governor’s team and members of the technology branch of the Delaware bar to enable Delaware to play catch-up, if not leapfrog, on consumer notifications and protections when there are security breaches of your personal identification. Unfortunately these breaches are becoming too common and often involve a large number of victims,” said Representative Baumbach. “House Bill 180 will improve the notification requirements and ensure that in cases where Social Security numbers are breached, victims receive one-year of identity theft mitigation services. There is more to do, but this bill puts Delaware back on track to ensure better protection for our residents against identity theft due to data breaches.”

“In the ever changing world of cyber-technology, we must be responsive as a government in stepping up to protect Delawareans against the increasing threat of security breaches,” said Senator Sokola. “This legislation asked more of businesses when it comes to vigilance and reporting to law enforcement without burdening them or adding to their overhead. It’s a smart, collaborative path forward.”

“In light of all of the issues we’ve had in regard to instances of our systems being targeted, I think this legislation is extremely important at this time, not just for Delaware, but for our country,” said Senator Lopez.

“I am pleased to be a co-sponsor of this important bill,” said Representative Hudson. “In today’s ever-changing world of technology, there can never be too many safeguards in place to protect Delawareans against identity theft. This bill allows us to continue making strides in keeping citizens’ information safe and secure.”

The legislation would increase cybersecurity protections for Delawareans by requiring businesses to safeguard personal information, and to provide notice to Delawareans affected by a breach within 60 days of discovering the breach. In the event the affected class exceeds 500 residents, the Attorney General must be notified.

The legislation also requires breached entities to provide a year’s worth of identity protection services to affected residents, if Social Security numbers were compromised. Delaware would become just the second state to extend identity theft protection services, by law, to residents affected by a security breach.

“The unfortunate increase of cyber-attacks and data breaches across public and private sectors necessitates additional legal safeguards for victims and raising the bar on organizations by requiring cybersecurity measures be in place to guard personally identifiable information,” said James Collins, Chief Information Officer at the Delaware Department of Technology and Information. “This legislation adds provisions to the law to protect citizen information commonly used by criminals to perpetrate identity theft and fraud. The bill also strengthens the state’s position when working with vendors of cloud and hosted solutions by consistently ensuring Delawareans are notified and afforded credit monitoring in the event of a cyber incident.”

###

The Division of Revenue wants to provide Delawareans with information about one of the most common and costly forms of identity theft – tax return fraud. Tax return fraud occurs when someone uses your Social Security number to file a tax return, and claims a fraudulent refund.

It’s important that citizens be aware of the steps they can take if they suspect or have been informed that they have been a victim of tax-related identity theft.

“As criminals continue to develop increasingly sophisticated ways to steal your personal information, our goal is to identify and apply safeguards that will better protect taxpayers and fight identity theft,” said Division of Revenue Director, David Gregor. “Identity theft places a burden on its victims, and presents special challenges for businesses, organizations and government agencies.”

The Division of Revenue has provided a new web resource that can help citizens who believe they may have been a victim of a tax-related identity theft.

The Warning Signs of Identity Theft

• You receive correspondence requesting tax return information for a return that you have not filed yet.
• You are notified that a return has already been filed using your name or social security number.
• You receive a balance due or refund offset notice for a tax year in which have not yet filed a tax return.

To learn more, visit the Identity Theft and Victim Assistance page at revenue.delaware.gov.