By: Drew M Smith
Recently, the IRS reported that, due to inadequate safeguards and controls in its servers, many tax returns were inadvertently filed fraudulently and, as a result, millions of dollars in returns and identities were compromised. What this story didn’t tell was that the IRS isn’t the only organization that has been compromised for the purpose of filing false tax returns. Many HR and accounting professionals are under attack because of their access to tax return information.
User Error Continues to Evade Internal Controls
Companies spend a lot of money on internal controls, firewalls, passwords and other security measures. However, employee error continues to evade even the most sophisticated controls. According to a recent study by BakerHostetler, employee mistakes account for approximately 24% of all system compromises. [1] Authorized employees continue to have the ability to accept emails, open documents, transfer files and otherwise circumvent even the best internal controls. This is more than likely caused by a lack of education on the part of companies and their employees. Many just don’t know what to look for to prevent a breach or what to do when one occurs. Education on this topic is key to preventing millions of dollars of damage and lost returns. [2]
Claim Example
A cyber thief hijacks an email server or poses as an employee using a similar email address. The payroll clerk or accountant receives an email that appears to come from the owner of the company, requesting copies of all the W-2s so that he can file the tax returns for the company. The payroll clerk or accounting professional sends the requested forms to the owner. Unfortunately, it was not the owner who requested this information. At this point, all of the information in the W-2s has been compromised and given to the thief, including Social Security numbers, home addresses, the Tax ID number of the employer and even the filing numbers of the employees. With all of the information they need, the thieves can use those numbers to file returns electronically in the employees' names and use the Social Security and Tax ID numbers for other purposes in the future. [3] This can be very burdensome for the employees, as it could take up to six months to get an actual refund and they might not be able to file electronically for several years to come. Further, because hackers have their Social Security numbers and addresses, the employees are subject to further exposure due to identity theft.
Some Preventive Measures to Help Prevent Loss of Employee Data
Although no one is immune from a cyber-attack, companies can implement some procedures to help mitigate their exposure to loss.
Privacy Liability Insurance
A properly structured privacy liability policy can help you not only with the ultimate liability associated with these breaches but can also provide resources upfront to help you develop procedures to mitigate exposure. It can also provide a breach coach in the event of a loss to guide you through the maze of regulations and requirements. No company should be without this coverage.
For more information about email fraud visit the FBI's website:
https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise
About Axis Insurance Services LLC
Axis Insurance Services, LLC (AIS) is a licensed professional liability insurance broker located in Franklin Lakes, NJ with agents licensed nationwide. They offer access to high-quality insurance products in the areas of Errors and Omissions insurance (E&O), Directors and Officers liability insurance (D&O), Crime, Fiduciary, and Privacy/Network security coverage for today’s professional service firms. AIS works with all company types including commercial real estate firms, real estate agents and brokers, property managers, insurance agents, medical groups, practice managers, third party administrators, lawyers, accountants, architects, engineers and many others.
Axis Insurance Services, LLC is not affiliated with Axis Capital, Axis Insurance Company, its subsidiaries or affiliates in any way.
[1] BakerHostetler, "Is Your Organization Compromise Ready?", 2016
[2] http://www.forensicmag.com/articles/2016/04/cyber-hygiene-could-prevent-next-attack
[3] https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise