How would you respond to receiving an $800,000 notice of deficiency requiring immediate payment for unpaid payroll taxes for 100 employees who never even worked for your company? This scenario is exactly what happened to a Captain D’s Seafood franchisee in Georgia. Thieves stole his Employer Identification Number (EIN) and used it in a tax refund scheme reporting more than $4 million in fictional salaries to the IRS and state tax agencies.

An EIN is a business form of a Social Security number. It is commonly required and used to uniquely identify each business. EINs are readily available in public documents such as business filings and business credit reports.

For the tax refund scheme to work, the fraudulent wages and withholding on the phony W-2 must appear to come from a legitimate employer, requiring an employer’s business name, address and EIN. With the increase of e-filing and electronic tax filing software, an actual W-2 document is not even required.  The criminal simply enters the information into the form, electronically submits the fraudulent return, then waits to collect the refund check.

The IRS does have an employee/employer matching process in place to reduce this type of fraud; however, it doesn’t begin until after the January 31 deadline for W-2 distribution to employees. Criminals file these fraudulent returns as early as possible, allowing them to receive the refunds before the matching process even begins.

In 2013, the Treasury Inspector General for Tax Administration (TIGTA) estimated that the IRS may have issued nearly $2.3 billion each year in potentially fraudulent tax refunds based on stolen EINs and estimates $11.4 billion over the next five years. In 2011 alone, 277,624 EINS used were stolen from legitimate businesses.

Other ways your stolen EIN can be used:

  • Establish fraudulent corporate credit cards accounts.
  • Establish fraudulent business banking accounts.
  • Establish fraudulent personal credit.
  • Employees can fraudulently use it to purchase tax-free wholesale goods.  If your business is audited by the IRS, you can’t account for these goods or for not paying taxes on them.

Business identity theft is one of the newest threats to businesses across the country. Once a business’ identity has been compromised, the criminals can go on a spending spree buying electronics, office equipment, gift cards, liquidating lines of credit or opening new lines, filing fraudulent tax returns and more. In severe cases, businesses have even had to close their doors because of insolvency caused by these criminal activities. It takes vigilance and proactive steps to combat these criminals.

The best way to minimize the threat of this happening to your business or organization is by addressing any weaknesses in your security practices. Both physical security and cybersecurity must be considered. This dual approach provides the best protection against a growing threat.

From the physical security front, the following steps are recommended:

  1. Protect company documents by limiting their access to only authorized personnel. Keep them in a secure environment and shred before disposing of them.
  2. Never provide your business’ Employer Identification Number (EIN) unless you made the initial contact. Protect it like you would your Social Security number.
  3. Annually monitor business credit reports with the credit bureaus: Dun & Bradstreet; Equifax; Experian; and Transunion.
  4. Review your commercial banking agreements. Know your bank’s policies for fraudulent transactions and how it would impact your business’ liability.
  5. Consider online banking. It provides the opportunity to daily monitor your accounts and quickly discover any fraudulent activity.  Make sure you use strong passwords. Also consider email or text alerts for real time notification of banking activity.
  6. Keep all banking and checking supplies in a secure location and only accessible by authorized persons.
  7. Review banking statements as soon as they arrive. Even the smallest transaction could be fraudulent. Criminals commonly start with small purchases to see if the transaction is caught before graduating to larger purchases.
  8. Keep your company and personal finances separate. Most banks and credit card issuers exclude business-related purchases made with a personal card from their "100 percent fraud protection" guarantees.
  9. Annually check with your Secretary of State to ensure that your business entity’s details are current. Update changes as soon as they happen.

From the cybersecurity side, consider the following practices:

  1. Have your server in a locked room with access only for authorized personnel.
  2. Install a security system with monitoring.
  3. Install both hardware and software firewalls.
  4. Encrypt your data.
  5. If your employees take their laptops outside of the office, encrypt their hard drives.
  6. Use strong passwords with 8+ elements including upper and lowercase letters, numbers and characters.  Update them once per quarter.

With the sophistication of technology and the progress at which it is improving, implementing effective security systems is a necessary cost of doing business. While there is no such thing as a system that cannot be hacked, many criminals who desire profit won’t waste time or resources going after a difficult target; instead, they will move on to easier ones.

Business identify theft, like most kinds of fraud, thrives in an environment of complacency. To avoid the potentially devastating repercussions of it, you need to take proactive steps to combat these criminals.

{{ articles_remaining }}
Free {{ article_text }} Remaining
{{ articles_remaining }}
Free {{ article_text }} Remaining Article limit resets on
{{ count_down }}