California Accountants Hacked To File Fraudulent Tax Returns.

Time has shown that all types of businesses are targets for hacking. The big ones, because they have money. The small and medium-sized businesses, because they have money, although less of it than big enterprises. Stories of phishing or hacking into computers that host electronic banking activities have popped up in the news frequently.

Here’s a new twist: According to, a CPA firm in California has filed a data breach notice with the authorities, reporting that it was hacked and that fraudulent tax returns were filed for over 40 of its clients. There is some ambiguity surrounding the situation, as it could be read as (a) hackers stealing the CPA’s client data and filing tax returns online, using the hackers’ own computers or (b) hacker’s filing the returns using the CPA’s own computers, which would be quite novel.

The latter interpretation is quite far-fetched, I admit, because the prior makes much more sense. Hackers tend to hit fast and exit a breached network even faster. On the other hand, hackers “lounging around” is not unheard of. Small businesses have run into problems because sizable wire transfers were initiated from their own computers (that is, hackers remotely operated these devices); the banks, in turn, accepted these transfers as legal transactions specifically because it came from a trusted computer.

If I recall correctly, the IRS also accepts certain filings as non-fraudulent over others because they come from a trusted source such as a well-known tax preparation firm, for example. All the more reason for hackers to target such firms, especially small ones that usually don’t spend as much on data security, if looking to avoid the IRS’s scrutiny. With limited funds, it makes sense for an organization to focus less where the chances of fraud are low.


The Weakest Link

This case is a classic illustration of how the weakest chain in the link will be targeted when it comes to security. The IRS has taken quite a bit of flak in recent years because of their seeming inability to stop (or even significantly stem) fraudulent tax returns. Some experts blamed the IRS for not having enough security on their site. Others blamed the IRS’s seeming lack of proper security checks in its operations.

However, even if the IRS were to completely eliminate any security weaknesses, the above case shows that there’s still other ways to successfully file fraudulent returns. For example, the hackers had access to the following data:

[For individuals] this information may have included their name, gender, birth date, telephone number(s), address, social security number, all employment (W-2) information, 1099 information, direct deposit bank account information including account number and routing information (if provided to them), and supporting documentation including brokerage statements and other documents you may have provided to [the CPAs].

Even if the IRS were to receive perfect marks when it comes to the technical aspects of data security, it would be unable to fight off fraud if criminals have access to detailed information that we normally associate with the true “owners” of said data. How is any organization supposed to tell apart the impostor from the real person if they can both present the same information?


Small is not Secure

Practicing data security at all levels is the only way to turn the tide. If you’re a small business that deals with extremely sensitive information, it behooves you – by law as well as ethics – to ensure that your security is up to par. Some – nay, many – small businesses think that their relative size is protection, that it’s the whales that get harpooned while they go unnoticed.

Howver, being small fish affords protection only if predators cannot find you; but in the world of business, if people can’t find you, that’s a death knell for your business. Are you listed anywhere on the internet? Is your business associated with certain keywords that reflect the industry you’re in? Do you use any form of electronic communication that’s known to be a vector for hacking, like email or using a browser for visiting a website?

If the answers to these questions are “yes,” then you’re “harpoon-able” no matter what your size.


Related Articles and Sites:

Comments (0)

Let us know what you think