IRS Security Summit members working on payroll fraud recommend that businesses take preventative measures and have plans in place to deal with fraud, two payroll professionals said March 15.
The Security Summit is a collaboration between the Internal Revenue Service, state tax departments, and practitioners that works to prevent tax fraud, said Jenine Hallings, a payroll tax compliance manager at Paychex Inc.
The summit is an “integral part for the prevention and detection of security threats,” said Luanne Brown, CPP, director of payroll at Grand Valley State University.
One of the Security Summit’s work groups is known as Strategic Threat Assessment and Response, which identifies vulnerabilities and creates strategies to close them, and which has a subgroup focusing on payroll fraud, said Hallings, who along with Brown spoke at the American Payroll Association’s online Capital Summit.
The group worked with payroll departments to identify common scams, which include social engineering, stealing credentials, and hijacking accounts, Hallings said. Identity theft is common among small businesses, but account hijackings are common for medium or large businesses, she said.
Fraud is often self-reported, but warnings of suspicious activity can include direct deposit changes; transfers over a set amount; employees who never take vacation or are active in areas of the employer’s system not required for their job; high employee turnover; or password or access changes followed by suspicious transactions, Hallings said. Businesses should set up systems to automatically detect these activities, she said.
The group recommends that all payroll organizations have a plan to deal with incidents, including points of contact in the company, third-party services, and with law-enforcement agencies, Hallings said.
Ways to prevent fraud can include backing up data, updating antivirus programs and other software, implementing two-factor authentication or other forms of identity verification, and training employees and limiting their access to sensitive data, Hallings said.
Employee training and two-factor authentication were emphasized as starting points for improving data security.
“For me, it’s awareness training, it’s awareness for how somebody might look to exploit you, I think that’s really the starting point,” Hallings said.
Recommendations for IRS
The federal Electronic Tax Administration Advisory Committee, which includes Brown and Hallings as members, makes recommendations to the IRS regarding data security, fraud, and the agency’s electronic tax filing systems.
The committee, which also includes representatives of employers and payroll service providers, tax practitioners, software developers, academics, consumer advocates, and government agencies, was established by the IRS Restructuring and Reform Act of 1998 (Pub. L. No. 105-206). It originally focused on the IRS’s online filing programs, but now also focuses on preventing tax-related identity theft and fraud, Brown said.
The ETAAC provides an annual report to Congress regarding IRS progress in meeting its goals for electronic filing, Brown said. The 2020 report recommended, among other points, that the IRS budget request be fully funded; that the agency should identify threats to the tax system and study information security practices; and that the IRS should consider implementing measures like two-factor authentication and account locking, Brown said. Allowing users to lock and unlock tax accounts would be similar to how banks allow individuals to freeze and unfreeze credit cards if fraud is suspected, she said.
The report additionally recommended that the IRS expand collaboration on the online Form 1099 portal required by the Taxpayer First Act (Pub. L. No. 116-25), which should also integrate with future IRS online systems, Brown said. The law requires the IRS to develop a portal allowing users to prepare, distribute, and file Forms 1099 online by Jan. 1, 2023.