It used to be that the only certainties in life were death and taxes. Now, with malware spam, identity theft and fraud becoming so pervasive, it seems inevitable that we will each experience some form of cyber attack in our lifetime. While death and taxes remain unavoidable realities, the good news is that you can protect yourself, your data and your ID.
Sure, bad guys always have motive, means and opportunity, but at tax time you should be on even higher alert to safeguard your personal data and ID. Cyber threats are pervasive, sophisticated and more organized than ever before.
More than 17 million U.S. residents age 16 or older — or about 7 percent — were victims of ID theft in 2014, according to the Bureau of Justice Statistics. And nearly half of small businesses have experienced cyber attacks, according to the BJS.
Cyber thieves can piece together your personal information from accessible public records, social media accounts and more. With that in mind, here is a three-step guide for consumers and small businesses to maintain privacy, security and trust during tax season.
1. Who wants to know.
Determine whether you actually need to provide sensitive information such as your Social Security number to someone. If they're doing your taxes, of course you do. Tax authorities and some other government agencies, including state Departments of Motor Vehicles, can require it. Others might request it, but that does not mean you must provide it.
The federal Privacy Act says you can't be denied a local government service if you refuse to provide your SSN, but there are restrictions. The Privacy Rights Clearinghouse has a good FAQ on the topic.
Similarly, there aren't as many private businesses entitled to your SSN as you might think. You must provide it in the case of a transaction that involves an IRS notification, or for a financial transaction that's subject to federal customer ID program rules (like for a home or auto loan, credit check, etc.) but that's it.
The federal Affordable Care Act requires SSNs as part of IRS notification rules in the healthcare industry. But cyber-attacks are growing into a major issue here, as well, to the point that companies including Aetna are advocating a reduction in the use of SSNs. (Aetna has some helpful guidelines for providing private information securely.)
The bottom line is you must provide an SSN when: 1) dealing with the IRS, 2) completing a credit application, 3) dealing with some government agencies including Medicare, state DMVs and public schools and universities. Otherwise, private entities are free to ask you for an SSN, but that doesn’t mean you have to provide it. Instead, ask why it’s needed, and don’t give out your SSN unless it is required or to your benefit.
2. Who can you trust.
Organizations should earn your trust in order for you to share your sensitive personal information with them.
Take a few minutes to check on:
- Web site security. Banks, major e-commerce sites and most social network sites use encryption. You can easily see if the site you're on is encrypted. Is there a small image of a padlock in your browser when you are on the site and does the web address begin with "https"? Both are indications that the site you are on encrypts your information in order to protect it. Some sites may appear similar to trusted sites by using similar names in their links, sometimes changing the .com for another domain, so make sure to verify the correct URL before entering passwords or sensitive data.
- Suspicious emails. Don’t click on links in emails from untrusted email senders. And be wary of emails that look like those that come from a trusted source but in fact are "phishing" attempts to get at your personal information. Big red flags include misspellings in the body or subject header of the email, or an attempt to pressure you into responding "immediately."
- If you are going to be transacting with a website, you’ll want to make sure it is a trusted steward of your data. Take a few minutes to research how the entity you’re engaging with will protect your data. The best websites, and especially those that deal with your private information, data and documents, have sections devoted to privacy, security and/or trust.
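The web address check from the first item above can be automated. The sketch below is an added example, not part of the original article: it confirms a link uses https and flags hosts that imitate a trusted site by swapping the top-level domain, embedding the trusted name in a longer host, or using a near-identical spelling. The trusted list and all hostnames are constructed for illustration, and the top-level-domain comparison assumes single-label endings such as .com.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: the sites you actually do business with (assumption).
TRUSTED = {"example.com"}


def check_url(url, trusted=TRUSTED):
    """Classify a link before any password or SSN is typed into it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("unknown", "no hostname in URL")

    # Exact host or a subdomain of a trusted site: only https is acceptable.
    for site in trusted:
        if host == site or host.endswith("." + site):
            if parts.scheme != "https":
                return ("not-encrypted", f"{site} reached without https")
            return ("ok", f"https and host belongs to {site}")

    for site in trusted:
        # Trusted name used as a prefix of someone else's domain.
        if host.startswith(site + ".") or f".{site}." in host:
            return ("lookalike", f"{site} embedded in a different domain")
        # Same name with the .com (or other ending) swapped out.
        # Simplification: treats only the last label as the ending.
        name, site_name = host.rsplit(".", 1)[0], site.rsplit(".", 1)[0]
        if name == site_name or name.endswith("." + site_name):
            return ("lookalike", f"same name as {site}, different ending")
        # Near-identical spelling, e.g. a digit 1 in place of a letter l.
        if SequenceMatcher(None, host, site).ratio() >= 0.85:
            return ("lookalike", f"spelled almost like {site}")

    return ("unknown", "not on the trusted list; verify before use")
```

A "lookalike" or "not-encrypted" verdict means the address should be typed in by hand or opened from a bookmark rather than followed from the link.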
3. Passwords and authentication.
Be an active manager of your login and credentials for the sites where you transact business:
- Enable multifactor authentication when it's available. Major financial institutions and web services including Google and Microsoft offer two-factor authentication before permitting a log-in. It's not as complicated as it sounds. Essentially, the site will send a text code to your mobile device which you use to authorize and complete your log in.
- Use different passwords for each website, online service and platform. Come up with several strong, differing passwords that you can adjust across the sites you frequent. You can write these down to keep track of them, but keep the list away from your computer and store it somewhere safe in your home or office (e.g. in a safe).
- Consider a password-management app. If keeping up with multiple passwords feels like too much work, use one of the popular password management apps available for your browser or mobile device.
Taxes are one of life’s certainties. ID theft doesn’t have to be. Take a few simple steps to safeguard your own sensitive data, documents and passwords – and ensure that others do too.