Common Tax-Time Scams Targeting Businesses

During tax season, cybercriminals increasingly target small businesses with sophisticated scams. Valuable data and limited cybersecurity protections put many businesses at risk. Understanding these threats in the era of AI is key to protecting your business.

Why Scammers Focus on Small Businesses

Cybercriminals see small businesses as low-hanging fruit because they often store sensitive data, such as employee Social Security numbers, bank details, and tax information, without the security barriers common with most larger companies. So hackers see them as easy wins: valuable data, minimal defense. In addition, many small businesses also lack dedicated IT staff or regular cybersecurity training, making it easier for phishing scams, malware, and data breaches to slip through unnoticed. The latter part of the year is a great time to hack given all the personally identifiable information (PII) available in year end tax reporting of W-2s and 1099s.

Common Scams to Watch For

In recent years, the IRS has reported a rise in phishing scams targeting small businesses, and especially during tax season. These scams often attempt to steal sensitive information such as login credentials, W-2 forms, and employer identification numbers (EINs). Criminals can use this data to file fake tax returns or open lines of credit in the business’s name. Here are some of the more common tax-related scams to watch out for:

• Phishing emails pretending to be from the IRS, tax software providers, or financial institutions
• Fake refund notifications prompting you to click malicious links or share banking details
• Business Email Compromise scams where attackers pose as executives requesting W-2s or wire transfers
• Ransomware disguised as tax document attachments
• Calls or texts claiming to be from the IRS threatening audits or legal action unless you provide sensitive info
• Spoofed websites that mimic legitimate tax platforms to steal login credentials

How to Protect Your Business From Tax-Time Scams

The good news is you don’t need a huge IT budget to reduce your risk. Strong cybersecurity comes down to consistency, awareness, and a few essential tools and practices. Here’s a checklist to help safeguard your business during both the upcoming tax season and throughout the year:

Start with a Written Information Security Plan or (WISP). It will guide you through the steps required to make your firm more secure. The IRS has a great checklist available in Form 4557. So review the document as it relates to your business. Here are some of the basic ideas of any WISP.

• Update all software regularly, including tax software, operating systems, and antivirus tools.
• Use strong, unique passwords and enable multi-factor authentication (MFA) for all key systems.
• Secure your Wi-Fi networks, especially if employees are working remotely.
• Back up data routinely and store backups offline or in a secure, encrypted cloud service.
• Limit access to sensitive data. Only give access to employees who need it.
• Train your team on phishing and social engineering regularly and with real-world examples.
• Verify email requests for W-2s, tax forms, or financial transfers, especially those that seem urgent.
• Use secure file-sharing methods. Never send tax forms over email without encryption.
• Shred physical documents containing sensitive data before discarding.
• Monitor your business credit reports for unusual activity or new accounts you didn’t open.

No one can guarantee complete security for your business. But with the advent of hackers using AI tools, they look and act like real players. Your number one defense is a WISP and constant awareness of the risk.