Print Edition

  Email News Updates

Avoid cybersecurity risks during tax season

By Traci DeLore


It’s tax season, and that means cybercriminals are out in full force. Fortunately, businesses have steps they can take to protect their information now and throughout the year.

Michael Polce

“Tax season is really just another opportunity for the bad guys,” says Michael Polce, CEO of M.A. Polce Consulting in Rome. Businesses need to be proactive all year, but especially during tax season when the scammers ramp up activity. “All the rules still apply,” he says, but awareness should be enhanced this time of year.

Be skeptical of things you receive via email, text, and sometimes even by regular mail, says Emily Mosack, a security consultant with FoxPointe Solutions at The Bonadio Group, which is based in Rochester and has offices across Upstate, including Syracuse.

Emily Mosack

“That’s an easy way for people to get scammed,” Mosack says. In particular, be wary of anything received via email, text, or even a phone call saying it’s from the IRS. When the IRS does actually reach out, it’s through regular mail, she adds.

Unfortunately, people are more likely to fall for things when it’s about taxes, Mosack says, and the scammers to pick up on it being tax season. “It’s one of the highest times of the year for scammers,” she says.

Tax-related identity theft is a huge cyber issue, Polce says. That’s when cybercriminals gain access to enough of your information and file a tax return in your business name, or even personal taxes in your name. They can file taxes showing a refund due and have that money sent directly to their account, he explains.

Victims typically find out when they go to file their actual taxes and the IRS rejects them with a notice that they’ve already been filed.

The easiest way to safeguard this from happening is to request a Personal Identification Number (PIN) from the IRS. “It’s like two-factor authentication,” Polce says. That way, no one is able to file anything without that PIN. Speaking of multi-factor authentication, Polce adds, it’s still one of the best components of a good cybersecurity policy.

He also recommends never emailing any type of sensitive information without encryption. Even better is if that information can be conveyed in person, Mosack says.

She suggests a few other steps to help keep things secure including having a corporate password policy for all accounts and advising all employees to never use public Wi-Fi when doing secure work.

Advise employees to never click links in emails. “If you think you’re receiving a scam email or even if you’re unsure, you should send it to the IT department,” Mosack adds.

Training for all employees from the CEO and CFO on down is also important, Polce notes. Often the highest-ranking employees are the biggest targets for scammers, so everyone needs to receive security-awareness training, he adds.

Aside from the usual steps like multi-factor authentication and strong passwords, Polce says that if something just doesn’t seem right, trust your gut. If you aren’t sure the callers are actually from where they say they are — your bank or your accounting firm, for example — simply hang up and call the business back directly, he says. “We have to be on guard these days more than ever before.”

Mosack agrees and adds that the consequences of being careless can be significant. Along with losing money, businesses that get hacked also risk exposing their clients’ information. “It’s not just a business,” she says. “Now, it’s everyone else who was involved with that business.”

It’s truly a case where the best defense is a good offense. “Just being aware is the best thing,” Mosack says.

Thank You For Visiting