Karen Brehmer: Welcome, everyone, and thank you for joining us for today's webinar. "Quick Security Tips from the IRS: Businesses at Risk for Identity Theft".

My name is Karen Brehmer and I'm here with my colleague, Evette Davis. We're both Senior Stakeholder Liaisons in the Communications and Liaison Division. We work with tax professionals and small business owners we do outreach and education. And we identify ways the agency can be more responsive to customers' needs.

We'll cover a few things about this webinar system, and then we'll move on to today's topic. In case you experience a technology issue, this slide shows some helpful tips and reminders. We've also posted a technical help document that you can download from the materials section on the left side of your screen. It provides the minimum system requirements for viewing this webinar, and it also has some best practices and quick solutions.

If you have completed and passed your system check, and you're still having problems, try one of the following. The first option is to close the screen where you're viewing the webinar, and relaunch it. And the second option is to click on settings in your browser viewing screen, and select HLS. Closed captioning is available for today's presentation. If you are having trouble hearing the audio through your computer speakers, click the closed captioning drop-down arrow located on the left side of your screen. And this feature will be available throughout the webinar today. If you have a question for us, and we certainly hope that you do, please submit your questions by clicking the Ask Question drop-down arrow and that will reveal a text box.

Type your question in the text box and click send. This is really important in that question and answer, or ask question box, please do not enter any sensitive or taxpayer specific information, no names, no SSNs, nothing like that and if you have questions for us today feel free to enter them at any time during the presentation today. Okay. Let's get started with today's topic. Quick Security Tips from the IRS: Businesses at Risk for Identity Theft. This is our fourth webinar, as part of our National Tax Security Awareness Week. This is a five-day effort by the IRS, state tax agencies, and the tax industry to encourage the public to take the strongest security measures possible. And at this time I will turn it over to my colleague Evette. EVETTE: Thank you, Karen. Okay, folks, you've probably heard of the Security Summit. And the Security Summit consists of the IRS, state tax agencies, and the tax community. The Security Summit is working in partnership to combat identity theft refund fraud, all to protect the nation's taxpayers. The Security Summit members have made great progress in the fight against identity theft and stolen identity refund fraud. But folks we still have a lot more work to do. So we need your help. We need everyone to do everything possible to protect their sensitive, personally identifiable information and personally identifiable data. Our focus today is on small businesses. So let me ask you a question. Did you know that more than 70% of cyberattacks are aimed at businesses with 100 or fewer employees?

These cyberthieves are smart and they're probably targeting credit card information, business identity information like the employer identification number, or employee identity information, like their Social Security numbers. Cybercriminals may assume small businesses don't have the same type of security protections for their systems that the larger businesses do. The IRS and its partners highly recommend the small business owners review and implement the recommendations from the Federal Trade Commission. The FTC's cyber security for small business can be found at FTC.gov, and it provides some great easy-to-understand tips for small businesses. Here's just a glimpse of what the resource looks like on FTC's website. If you want to find this, simply go to the Federal Trade Commission's website at www.FTC.gov. Enter the following phrase in their search box, Cybersecurity for Small Business. That is where you'll find these resources on the screen.

Karen, let me turn it over to you. KAREN: Great, thank you, Evette. So here are a few of the cyber security basics that are suggested by the FTC or Federal Trade Commission. To protect your files, you need to keep your security software updated. So this means your apps, your web browsers, your operating systems, and you want to set updates to happen automatically. You also need to secure your important files. You want to back up your important files offline, maybe to an external hard drive or maybe in the cloud. And also you need to think about storing your paper files securely too. Make sure they're in a locked cabinet. You want to require strong passwords for all devices. Think about all the places you have passwords. Laptops, tablets, and smartphones. You want to have passwords for all those things, and also you want to make sure you don't leave those devices unattended in a public place. You also need to encrypt devices, and by encrypting devices and other media that have sensitive personal information, that's an important step, that would again include laptops, tablets, smartphones, removable drives, backup tapes, cloud storage solutions, and also use multi-factor authentication, we actually talked about that earlier this week. It's a good idea to require multi-factor authentication to access areas of your network with sensitive information. And multi-factor authentication requires additional steps beyond logging in with a password, for example, you might need a temporary code sent to your smartphone, or a key that's inserted into a computer. Another thing to think about is to protect your wireless network. So step one would be secure your router. Did you know that your router comes with a default name and a default password, the same password for every router? You want to make sure you turn off remote management, and you want to change that password to something unique, and you want to log out at the, as the administrator once the router is set up. Another thing about routers is to check what kind of encryption they have. You want to use at least WPA2 encryption. There's actually WPA2 encryption on routers, and there's WPA3 encryption on routers. So find out which one you have, it should be at least WPA2, and make sure that encryption is turned on. And the whole point of encryption is that it protects the information that is sent over your network, so it can't be read by outsiders. So I'll turn it back over to Evette now. EVETTE: Thank you, Karen. Okay, everyone, so we want you to make smart security your business as usual. Require strong passwords. A strong password is at least 12 characters and they are a mix of numbers, symbols, capital and lower case letters. Never reuse passwords, and I am guilty of doing that, okay? Never reuse passwords, don't share them on the telephone, in a text message, or even by email. Limit the number of unsuccessful log-in attempts, this is going to limit password guessing attacks. Those, that scheme is out there as well. You should train all your staff members. Create a culture of security by implementing a regularly scheduled employee training. Update employees as you find out about new risk and vulnerabilities. And folks, this might sound a little extreme, but it is also recommended that if your employees fail to attend these meetings for whatever reason, you might have to consider blocking their access to the network. Because that's going to leave it wide open for someone to actually get into your computer system and could cause some huge, huge issues.

Ultimately you want to have a plan. Have a plan for saving your data. Running the business, and then notifying customers if you happen to unfortunately experience some type of a data breach.

The Federal Trade Commission's Data Response, which is a guide for businesses, gives you some steps that you can actually take, and you can find that guide and a ton of other resources at www.FTC.gov/databreach. Now, one of the most common ways that businesses are attacked by cybercriminals is through phishing scams. And phishing scams are emails or text messages, and they appear to be from someone you know. So you're more likely to open it up, right? It could be a vendor, a customer, or even the IRS. There are some common traits that you're going to notice about these phishing scams. They usually have an urgent message, and they ask you to take immediate action. For example, they may say something like, your bank account password has expired! And you must reset it immediately. The scam also will include either some type of a link, or an attachment and it's going to ask you to open it. The link itself, or the attachment will probably take you to a site that looks familiar, but is actually a part of the scam. And if you enter your user name and password, it goes directly to the thief. If the scam includes an attachment, it could actually secretly download malware when you open it. And folks, malware, as you may or may not know, is just a simple software, and that software can damage your computer system and perhaps even give the thieves access to your computer. All right? Unauthorized access. So do not open suspicious emails with links or attachments. Just don't do it. Karen, what do you think? KAREN: Actually, I'm going to make a clarification on the last thing you just said. People ask about that. If you get a phishing email in your in box, it is okay to open it, just don't click on the links in the email or open up those attachments to the email.

Sometimes you do have to open the email, just to find out if it's a legitimate email or not, right? EVETTE: That's a good point. Okay to open it, don't click on the links. Okay let's continue here. We do want businesses especially to be alert to any COVID-19 or tax-related phishing email scams. We have heard about quite a few phishing emails that are being sent to businesses.

And these phishing emails are trying to trick businesses into maybe applying for assistance related to COVID-19, but instead of being from a legitimate organization, it's from a scammer trying to get them to click on those links. If you as a business owner get any phishing emails, and you know it's a phishing email, even if you think it's a phishing email and it's related to COVID-19, or it's related to taxes in some way or related to the IRS, you can send those to the IRS at phishing@irs.gov. Also we want you to know that businesses, just like individuals, can also be victims of tax-related identity theft. And these thieves can sometimes steal enough information about your business to file a fake business tax return either trying to get a refund, or some other kind of scam using the company's identity. So we're trying to help businesses be protected from this. So the IRS and its partners, we're taking additional steps to protect businesses from tax-related identity theft. And one thing we're doing is this is starting on December 13th, coming up pretty quick, December 13th, 2020, the IRS will begin masking business tax transcripts. And we're also going to mask the summary of corporate tax returns, and the goal of doing this masking is to help prevent identity thieves from obtaining identifiable information that would allow them to file a fake business tax return. And when we say masking, what we mean is that only financial entries will be fully visible. Other information will have varying masking rules. Here's an example. The first four letters of each first and last name of the individuals or of the businesses will display. So just the first four letters, but not the entire name. And only the last four digits of the employer identification number will be visible.

And I'll turn it back to you, Evette. EVETTE: Thank you, Karen. Okay folks, so the IRS is doing a lot to try to assist our businesses with identity theft, so the IRS is actually publicly launched the Form 14039-B as in Business Identity Theft Affidavit. And this affidavit will allow companies to proactively report possible identity theft to the IRS when, for example, their e-file tax return is rejected. Businesses should file the Form 14039-B if it receives a rejection notice for an electronically filed return because the return has already been filed for that same period. Or if the business receives a notice of a tax return that the entity did not file, or if the business receives a notice about Form W-2 filed with the Social Security Administration that the entity did not actually file. And then you're going to also file the Form 14039-B if you receive a notice of a balance due that is not actually owed. And you know it's not owed. This form will enable the IRS to respond to the business much faster than in the past.

Which means the IRS will be able to quickly respond and work to resolve issues created by a fraudulent tax return. I want to emphasize that businesses should not use the form if they simply experience a data breach, but no tax related impact. See more about that at the IRS website, www.IRS.gov and just do a word search of "identity Theft Central" and click on the business section for more information on that. Now, also these scams, they wax and wane, they're forever evolving, they're up and they're down, they change. One thing that's constant is this Form W-2 theft scheme. All employers should remain alert on high alert for this Form W-2 theft scheme. In this particular scheme, a theft basically poses as high-ranking company executive, and this executive emails payroll employees and they will ask for a list of the employees and their W-2s. Businesses unfortunately often don't know they have been scammed until a fraudulent return shows up in an employee's name. There is a special reporting procedure for employers who experience the W-2 scam, and that too can be found at the Identity Theft Central Business Section that I just mentioned. All right, Karen, I'm going to throw it to you. KAREN: Okay, thanks. Hey, folks, we've gotten a lot of good questions from you. And if you have questions for us, feel free to enter them at any time, you don't have to wait until the end. Let's talk more about Identity Theft Central. We've talked about that a few times, but we want to tell you more about it. It's on IRS.gov, and on the slide you can see what it looks like. You can find this page by going to www.IRS.gov, and entering the phrase "identity Theft Central" in the search box. And what you're going to find here are resources for individuals, resources for tax professionals, and resources for businesses. One of the things you'll find here is that stuff Evette was just talking about. If your business is the victim of that W-2 scam, you'll find information here on what you should do if your business did become a victim of that W-2 scam. And all of these resources can help you to avoid becoming a victim of I.D. theft in the first place, and it can also help you if you do become a victim of I.D. theft or data theft.

Another tip for businesses, to keep your EIN information current. This is a tip from the Security Summit partners, we're urging businesses to keep their EIN information current. If your business has a change of address, or a change of the responsible party, you can inform the IRS of that by using Form 8822-B. And just in case you're not sure what we mean by responsible party, let's take a second to define it. The responsible party is the person who ultimately owns or controls the entity. And the responsible party does need to be an individual, not another entity. If you do have any changes in responsible party for your business, that needs to be reported to the IRS within 60 days. And one of the benefits of having that current information on file, it can help the IRS find a point of contact at your business if we need to contact you to resolve identity theft or other issues. And Evette, I'll turn it back to you. EVETTE: Alright. Thank you, Karen. Alright, folks, so this went by rather quickly. Let me just do a quick recap, okay? Visit the FTC, that's the Federal Trade Commission, FTC.gov for a host of resources, and also recommendations to keep small businesses safe from cyber threat. Folks, beware of phishing scams. Especially those related to COVID-19, and there are a ton of them, and any tax benefit related to the economic stimulus payment. There are thousands of variations, so again, please be on guard. Businesses also can be victims of tax-related identity theft, and have fraudulent tax returns filed under their name.

If this happens, then you should file the Form 14039-B as in business. This concludes today's presentation. And day four of our National Tax Security Awareness Week activity. We're going to answer some of your questions next, so again, take a moment, if you haven't entered your question, now is the time to enter that question. So please don't leave us just yet. Before we answer any questions we want you to know what is on tap for the rest of the week. On tomorrow, Friday. [no audio] KAREN: I can't hear you, Evette, is that just me? I'm going to take over for Evette. We want you to know what's on tap for the rest of the week. Friday we're going to review some of the latest scams that we're seeing that are targeting taxpayers and tax preparers.

Especially during the pandemic. It is time for questions. And right now it's just me, because we're waiting for Evette to be able to come back. So we'll, I'll start and we'll wait for Evette to join us. Somebody asked, what's the email address for phishing emails? If you get an email that you think is a phishing email, that's related to the IRS, or it's related to taxes, or maybe it's one that was addressed to you as a business owner, and it was trying to get you to sign up for some kind of COVID-19 relief, but it was, but you think it's a phishing email, that kind of phishing, both kinds of phishing emails, send them to this address. It's phishing, you know P-H-I-S-H-I-N-G.

That's how phishing is spelled for this, Phishing@irs.gov. So another question is, we're going to review what the IRS is doing to protect businesses. That Form 14039-B, that we mentioned, is kind of new. And it's for businesses who believe they have become a victim of I.D. theft, it's when the business thinks, wait a minute, I think something funky is happening, and I want to inform the IRS that my business might be at risk. That's the business owner telling the IRS, I think I've got a problem. Another thing that happens is the IRS might get a return from a business and we think this looks kind of funky.

We should inform the business owner that we got a return that doesn't smell right. So we send out two different letters. If you want to write down these numbers you can, but if you don't catch it, it's okay, because it's on IRS.gov in the Identity Theft Central. One letter we might send to a business is Letter 6042-C, if we need to validate the return. Another letter we might send is letter 5263-C. If we need to validate the entity. And the letter number is important, but really the point is, what we've seen sometimes is a business owner gets a letter from the IRS, and they think, that letter doesn't even make sense. I didn't file that rush, why is the IRS sending me a letter about my tax returns? But really it's where the IRS is trying to say, hey, business owner, we got this tax return, it's got your name and your EIN, we're not sure you sent it in to us, was it you or was it a scammer, a hacker who sent it in to us? So it is important for you to respond to those letters. That's really the point. If you get one of those letters that says, hey, business owner, we got this return, is it really you, then please respond to that letter. I'm going to pause for a minute and I just want to see if my colleague Evette has been able to join us. Evette, are you here? EVETTE: I'm here, Karen! [laughter] KAREN: Okay. Do you want to take one of the questions? EVETTE: Technology, I love it. KAREN: Do you want to take one of the questions or do you want to take a moment to collect yourself? EVETTE: I would love to take one of the questions. I'm not sure which one you've answered but I do see something here, talk about the one with, where they're asking about the guide to show businesses how to create a security plan. KAREN: We did not talk about that. That is all yours. EVETTE: Alrighty then. Okay. So the question simply states, does the IRS, does the IRS have a guide to show businesses how to create a security plan?

Because you know we kind of mentioned in the presentation that, about a security plan, and how to share these things with your employees to protect your business, your data, that data, your employees' Social Security numbers, and your clients, customers' information. So creating and maintaining a data security plan is key. For tax professionals, if any of you are on the line, you know for a fact that having a plan is a requirement. It's a federal law. But we don't actually have a guide that says, this one you have to use. But we've got some great examples out there that you can actually create a security plan as a business and as a tax preparer. Actually we have Publication 4557, which is Securing Taxpayer Data. And within that, there is this great checklist and it kind of takes you through some questions and some answers and things that you look at when you plan or prepare or create a plan for your business. The Federal Trade Commission, we mentioned them a lot, they've got a ton of great information, one thing that I really appreciate is they have a guide that says start with security and it's a guide specifically for businesses, again, this is from the Federal Trade Commission, so go to their website, at FTC.gov, to pull down that particular guide and a ton of others that may be helpful to you as you create your security plan. Okay, Karen. Let me throw it back to you. KAREN: Okay. A number of people asked if today's webinar and the webinars this week will be available to listen to later. And the answer is yes. If you missed the webinars earlier this week, if you're not able to catch the one we're doing tomorrow, all five of them will be available. They're going to be available on the IRS Video Portal, and the web address for the IRS Video Portal is www.IRSvideos.gov. The videos will be, the webinars from this week will be available on the IRS Video Portal about three weeks from now, three weeks, four weeks. You will get a notification once they're available. I'm going to mention something else, another question that came in, and it was about something we talked about earlier in the week about IP-PINs, and that is the person is asking, will everybody be required to get an IP-PIN starting in 2021? And the answer is no, you will not be required to, but you have the opportunity to opt in. We didn't cover IP-PINs today, that wasn't the point of today's presentation. So if you want to learn more about IP-PINs, please go to IRS.gov, enter IP-PIN in the search box and you can learn more. Did you have one you want to take Evette? EVETTE: Yeah, let me see, I do have one here. Someone is actually asking about what, as you may have talked about in already, what the IRS is actually doing to protect businesses. Have you already talked to them about that? KAREN: I did do that one, yeah.

EVETTE: Okay. So let me scratch that. So what about this one, there's someone asking about the IRS masking business transcripts. I don't know that, did you talk about that one?

KAREN: No, go for it. EVETTE: Okay. So kudos to those of you who may already, already may be receiving E-News for Small Businesses and you may have seen information about IRS and how we're doing, what we're doing to actually protect our businesses once again. So the question is simple, IRS decided to, well, we found it necessary to mask key business transcript details and protect taxpayers from identity theft. And in this move to protect businesses and taxpayers from identity theft, the IRS again announced, and Karen mentioned this, starting on next week, December 13th, it will be masking sensitive data on business tax transcripts. All this is basically an attempt, again, to help protect our businesses and make sure, just like with individuals, that they are able to make sure that they are secure in as much as possible. And basically with this, a text transcript is just what they're going to be masking, and it's just like a summary of the tax return itself. And the transcripts themselves are often used by tax professionals, but sometimes as an individual, as a business you're going to need to get that transcript as well. And especially if you're talking about, talking with lenders or others who may have to do some type of income verification. Just to go a little bit other in-depth about what you can actually see on these transcripts, I know Karen went over a few of those things, but what you'll be able to see is the last four digits of any employer identification number listed on the transcript, the last four digits of any Social Security number or ITIN, Individual Tax Identification Number listed on the transcript, you'll also be able to see the last four digits of any account or telephone number, and then the first four characters of the first and last name of any individual, and then the first three characters if the name only has four letters is what you'll see. You'll also see the first four characters of any name on the business name line, the first six characters of the street address including spaces, and all money amounts, including wage and income, balances due, interest and penalties. So although those will be masked, you'll still see some key information on these transcripts. Alright, back to you, Karen. What do you have? KAREN: Okay, great, thanks. Somebody asked about the Form 14039-B. The question was, will you be able to fax that to the IRS? And the answer is yes. If you look at the Form 14039-B, you can mail it to the IRS, you can fax it to the IRS, and you could make an appointment to go into a Taxpayer Assistance Center and submit it in person if you wanted to. I guess if it was up to me I would probably fax it, but you do have those three choices. Another person asked the question, how do you receive a secure email account with the IRS? That's a good question. The answer is, there isn't a way to do a secure email account with the IRS. I guess it depends on what you mean by that. I'm with the IRS, I can't send an email to a tax professional or to an organization that helps small business owners that is secure. So if I were to email a tax professional from my IRS email address to the tax professional, I can't have any taxpayer names, taxpayer Social Security numbers, EIN, none of that stuff. So you can't send and receive secure email with an IRS employee. But the IRS is working on a couple of things in that direction. One thing we already have is IRS online tools like View your Tax Account. And that is a way to get information about your tax account. You have to do some steps to get an account. So if you're curious to know more about that, either go to IRS.gov and type in "online tools" or type in "view your tax account." We're running out of time, aren't we? EVETTE: We are. Let me answer this one, because someone is asking about the IP-PIN and I know you talked about this yesterday, I don't know if you covered this already. It says, the question pertains to the earlier meeting and I must have missed it.

They're asking, will everybody, every taxpayer be required to get an IP-PIN starting in 2021?

And the answer is no. You will not be, everyone will not be required to get an IP-PIN in 2021.

They're just opening it up as an option to opt in to requesting an IP-PIN for, starting in 2021. But no, it is not going to be a requirement. And just, this is just a little side note, they're going to be asking some pretty rigorous questions about this to determine whether or not they will actually assign you an IP-PIN unless you are actually, truly, a victim of tax identity theft. So, tax-related identity theft. So I just wanted to get that one in real quick, Karen KAREN: Thank you, you know folks, that's all the time we have for questions. It drives us nuts, because we'd love to stay on for an hour and a half, but we can't do that. So we're going to wrap it up now. We would appreciate it if you would take a few minutes to complete a short evaluation before you exit. If you would like to have more sessions like this one, please let us know. If you have thoughts on how we can make them better, please let us know that as well. If you have any requests for future webinar topics or pertinent information, maybe something you would like to see in an IRS Fact Sheet or a Tax Tip or Frequently Asked Question on IRS.gov, you can include those suggestions in the comments section of the survey. All you need to do is click on the survey button on your screen to begin. If it doesn't come up, check to make sure you have disabled your pop-up blocker. It has been a pleasure to be here with you today. And we would like to thank you for attending today's webinar. You may exit the webinar at this time.