Artificial intelligence (AI) is unlocking new efficiencies, smarter customer engagement, and stronger decision-making across industries. It’s also exposing serious new vulnerabilities, especially for small and medium businesses. In short, AI data security risks for medium businesses are on the rise.

With more data, more employees, and more connected systems than ever, medium businesses are increasingly attractive targets for cyberattacks. And while many already invest in security tools and IT providers, the complexity of today’s AI-driven cyber threats demands a new level of awareness and protection.

Here’s a closer look at the AI data security risks for medium-sized businesses, and how to prepare your company for what’s coming next.

The Expanding Role of AI in Business Operations

Mid-sized businesses are adopting AI to gain competitive advantages in areas like:

• Automated customer support and chatbots
• Predictive sales analytics
• Smart inventory and supply chain forecasting
• Natural language tools for HR and internal communication
• AI-enhanced data protection and monitoring

While these tools support growth, they also increase your attack surface and expose sensitive data across departments and systems.

AI-Powered Risks You Can’t Ignore

The following threats represent the most pressing cybersecurity risks for mid-sized companies using AI:

• Deepfake Executive Impersonation. AI-generated deepfakes are becoming a popular tool for cybercriminals. A realistic video or voice recording impersonating an executive can be used to trick employees into wiring funds or sharing sensitive information. When leadership is remote or less visible, the risk of unauthorized access spikes.
• AI-Enhanced Phishing Attacks. Phishing is nothing new, but AI has supercharged it. Hackers now use generative AI to craft emails that mimic your internal language, making them harder to spot. These phishing attacks are often paired with social engineering tactics and may target endpoints such as laptops, mobile devices, or Wi-Fi-connected systems. Here is a chilling article from Malwarebytes on how to recognize AI-generated phishing emails.
• Ransomware-as-a-Service (RaaS). Criminal networks now offer plug-and-play ransomware kits powered by AI. These kits allow less-skilled actors to launch complex ransomware attacks, targeting mid-sized businesses with limited in-house resources. These attacks can lead to catastrophic data loss and financial losses, especially if backups aren’t properly secured.
• Vulnerable Internet of Things (IoT) Devices. From smart thermostats to connected security systems, AI-powered malware can exploit overlooked vulnerabilities in IoT devices. Once inside, attackers can move laterally through your network, bypassing firewalls and accessing confidential data.
• Shadow IT and Third-Party AI Tools. Departments may deploy AI tools without proper vetting. These apps often have unclear security policies or insufficient access control, putting your cybersecurity posture at risk. Without a formal risk assessment, even a well-intentioned tool can become a gateway for unauthorized access or data breaches.
• Internal Weak Points You Can’t Ignore. Several in-house dynamics increase AI-related cybersecurity risk:
  • Security measures vary across departments, with no unified oversight
  • Lack of consistent employee training in AI threats or incident response plans
  • Overreliance on outdated antivirus software or inconsistent use of VPNs
  • Growing endpoint sprawl: more devices, more risk

Strengthening Your Cybersecurity Strategy

A strong cybersecurity strategy doesn’t have to mimic a Fortune 500 blueprint. These steps can significantly improve your security posture:

• Create standardized AI usage policies. Apply uniform security measures for all departments using AI.
• Conduct regular updates and patching. Apply updates to all operating systems, apps, and firmware.
• Require multi-factor authentication (MFA). Combine strong passwords with MFA to secure employee accounts.
• Use layered defenses. Combine firewalls, real-time threat detection, encryption, and access control.
• Train employees continuously. Help them identify phishing attacks, deepfakes, and suspicious activity.
• Verify vendors. Choose security services with a track record in AI and mid-market protection.
• Secure backups. Keep backups offsite or in a segregated cloud location to recover quickly from cyberattacks.

Don’t Forget Physical Security

Many medium-sized businesses still handle sensitive information in printed form, such as client records, financial documents and employee data. Improper disposal of this paperwork creates real-world vulnerabilities.

Include secure document destruction in your overall risk management strategy. Professional shredding reduces your exposure and supports compliance.

Final Thoughts: Own the Risk Before It Owns You

AI presents exciting opportunities, but also introduces new and fast-evolving cyber threats. By investing in your people, your policies, and your protections, you can take control of your cybersecurity posture and protect what matters most.

Whether you’re protecting internal systems or guarding customer trust, a strong AI-aware cybersecurity foundation is no longer optional. It’s your frontline defense against tomorrow’s risks.

If you own or manage a smaller company, the AI threat landscape looks a little different. Explore our Guide to AI Threats for Small Businesses.

With technology becoming more complicated every day, understanding data privacy regulations for businesses is critical for businesses of all sizes, but especially so for small and medium-sized businesses (SMBs).

As technology emboldens criminals, regulations evolve trying to keep up and the volume of data increases, SMBs are often left to adapt on their own. It’s a slippery slope to try to protect sensitive information, maintain customer trust and avoid legal penalties. This guide explores the key data privacy challenges SMBs face, the role of emerging technologies in this digital age, and the best practices to ensure compliance with current data privacy laws.

Key Data Privacy Challenges for SMBs

SMBs often struggle with data privacy due to limited resources and expertise. Here are some common issues they face:

1. Inadequate Data Protection Policies: Many SMBs lack comprehensive policies for handling personal data. For instance, a small business might not have clear guidelines on how to manage and store customer information securely.
2. Inconsistent Employee Training: Without proper training, employees are likely to mishandle sensitive data or fall victim to phishing scams. For example, an employee might unknowingly click on a malicious link, opening the company to hackers and compromising its data security.
3. Insufficient Security Measures: SMBs often don’t invest enough in robust cybersecurity infrastructure, leaving them vulnerable to attacks. A common scenario is using outdated software that lacks the necessary security updates to fend off new threats.
4. Poor Document Disposal Practices: Improper disposal of physical and electronic documents can lead to data breaches. An example is throwing old customer records into the trash without shredding them, which could allow unauthorized access to personal information. This is not the way to build trust with customers.
5. Failure to Stay Updated on Regulations: With data privacy laws constantly changing, SMBs may struggle to keep up. This could result in non-compliance, as seen when businesses are unaware of new state-specific laws taking effect.

The Role of Emerging Technologies in Data Privacy

Emerging technologies significantly impact data privacy, adding complexity to how businesses manage and protect information.

The rapid advancement of technology brings both opportunities and challenges for SMBs in safeguarding data. Here is how some of these technologies are influencing data privacy:

• Internet of Things (IoT) Devices: These devices collect vast amounts of data, often without clear guidelines on data usage. For example, a small retail store using smart sensors to track customer behavior must consider how this data is stored and protected to prevent unauthorized access.
• Artificial Intelligence (AI): AI systems process large datasets to provide insights, but without adequate safeguards, they can expose sensitive information. A medium-sized marketing firm utilizing AI to analyze customer trends must ensure that personal data is anonymized and securely handled to avoid data breaches.
• Advanced Cyber Threats: As technology evolves, so do cyber threats. SMBs must be vigilant against sophisticated attacks like ransomware and data breaches. A small healthcare provider could face severe consequences if patient data is compromised due to inadequate security measures.

These technologies demand that SMBs stay updated on the latest developments and adopt robust data protection strategies to mitigate risks.

Overview of Current Data Privacy Laws

GDPR and Its Global Impact

The General Data Protection Regulation (GDPR) in the European Union has a global impact, even on SMBs in the U.S. It applies to any business that processes the personal data of individuals in the EU, regardless of the business’s location. 

U.S.-based SMBs offering goods or services to EU residents or monitoring their behavior must comply with GDPR. Moreover, GDPR has set a high standard for data protection, influencing other jurisdictions, including U.S. states, to adopt similar stringent regulations.

U.S. Data Privacy Regulations

In the United States, data privacy laws vary by state, creating a complex landscape for businesses to navigate. SMBs in Missouri and Illinois must pay particular attention to their respective state laws, as well as to broader trends in U.S. privacy regulations.

• Missouri: While Missouri does not have a comprehensive data privacy law, businesses must adhere to sector-specific regulations and general best practices to protect consumer data. Companies should stay alert for any legislative changes that may introduce more stringent requirements.
• Illinois: Illinois is known for its Biometric Information Privacy Act (BIPA), which regulates the collection, use, and storage of biometric data. SMBs that handle biometric information must ensure compliance with BIPA to avoid legal repercussions.
• Other Notable State Laws: States like California, with its California Consumer Privacy Act (CCPA), set significant precedents in data privacy. While Missouri and Illinois may not have identical laws, understanding and preparing for such regulations can help SMBs remain compliant as laws evolve.

Key Business Obligations Under Data Privacy Laws

Businesses have several obligations under data privacy laws:

• Transparency and Privacy Notices: Businesses must clearly communicate how they collect, use and protect personal data. A local bakery using an online ordering system should provide customers with a detailed privacy notice outlining its data usage.
• Security Measures: Implementing reasonable security measures to safeguard data like credit card numbers and phone numbers is crucial. For instance, encrypting customer data and using secure servers can help prevent unauthorized access.
• Consent and Data Collection: Explicit consent must be obtained for data collection and processing for all types of data. A gym collecting members’ health information should ensure that consent forms are clear and comprehensive.
• Breach Notification: In the event of a data breach, businesses are required to notify authorities and affected individuals promptly. A small law firm experiencing a data breach must follow legal protocols to mitigate damage and maintain trust.

Importance of Compliant Document Disposal Practices

Secure document disposal is essential to prevent unauthorized access to sensitive information. Improper disposal can lead to severe consequences, including data breaches and legal penalties.

• Physical Documents: SMBs should implement secure shredding processes for physical documents. A financial advisor, for example, should use a cross-cut shredder to destroy outdated client records, ensuring they cannot be reconstructed. Or, many businesses simply hire document destruction firms like SDD of St. Louis.
• Electronic Media: Securely wiping and destroying electronic media is equally important. A tech startup decommissioning old hard drives should employ professional data destruction services to ensure complete data elimination.

Best Practices for Ensuring Compliance

To navigate data privacy regulations effectively, business owners should adopt these best practices:

1. Stay Informed: Regularly update privacy practices and your knowledge of data privacy laws and regulations relevant to your business needs. This can involve subscribing to legal updates or consulting with experts. For example, attending industry seminars or workshops can provide valuable insights into upcoming regulatory changes and how they might affect your operations.
2. Develop Comprehensive Data Privacy Policies: Create data protection measures that cover data collection, processing, storage and disposal. A small e-commerce business should have a policy detailing how customer data is handled throughout its lifecycle, from collection to secure deletion, ensuring all stages are compliant with the latest laws and protected from cyberattacks.
3. Employee Training: Conduct regular training sessions to ensure staff understand and adhere to data privacy policies. For example, training customer service representatives on how to handle personal data securely can reduce the risk of data mishandling. Or, a healthcare clinic should train its employees on the importance of patient confidentiality and the specific steps to take in protecting sensitive health information.
4. Conduct Regular Audits and Risk Assessments: Regularly audit data practices and perform risk assessments to identify potential vulnerabilities. For example, a small manufacturing company should periodically review its data storage solutions to ensure they are secure and comply with current regulations, adjusting practices as needed based on audit findings.
5. Implement Strong Access Controls: Limit data access to only those employees who need it to perform their job duties. A retail business could use role-based access controls to restrict sensitive customer information to specific staff members, reducing the risk of unauthorized access.
6. Build an Internal Capability. Depending on your company’s size, having a full-time data protection officer could be money well spent. If not full-time, look for firms who can provide this expertise and help you develop a data privacy program.
7. Partner with Reputable Data Disposal Services: Engage certified professionals such as Secure Document Destruction of St. Louis for secure document and electronic data destruction. This is particularly important for businesses dealing with large volumes of sensitive information, such as legal or financial firms. Read our recent post on the benefits of secure onsite shredding services for businesses.

By understanding data protection laws and the impact of emerging technologies, SMBs can effectively navigate the complex landscape of data privacy regulations. Proactive measures, including secure document disposal and staying informed about regulatory changes, will help businesses safeguard their data and build a reputation for reliability and trustworthiness.

Article updated January 20, 2025

Data security in small business is starting to feel the impacts of artificial intelligence (AI).

AI is rapidly reshaping how businesses operate, bringing both incredible opportunities and significant risks. For small businesses, it’s vital to understand the dual role AI plays in driving innovation in data protection while potentially threatening data security and security practices.

Here’s the harsh truth about AI: it is both a friend and foe to your business. Let’s explore its advantages, the risks of its adversarial role, potential threats and how you can protect your business.

Benefits of AI for Data Security in Small Business

AI’s transformative potential is undeniable, especially for medium and small business owners looking to optimize operations and enhance customer relationships. Here are some key advantages:

• Efficiency and Automation: AI can handle repetitive tasks, allowing you to focus on the most important components of your business.
• Smarter Insights: With its ability to analyze vast amounts of data quickly, AI helps uncover trends and improve decision-making.
• Enhanced Customer Service: AI-powered chatbots and virtual assistants provide 24/7 customer support, improving customer satisfaction.
• Personalized Marketing: AI tailors marketing strategies to individual customers, boosting engagement and sales.
• Cost Savings: Automating tasks with AI can reduce operational costs and free up valuable resources.

Risks of AI for Data Security in Small Business

While AI offers many benefits for data security in small business, it also introduces new security challenges. Below are some of the most pressing concerns for small businesses:

1. AI-Driven Cyberattacks

Cybercriminals are leveraging AI to launch sophisticated cybersecurity and phishing attacks. For instance, AI can create highly convincing phishing emails, mimicking your company’s communications to deceive customers or employees.

Traditional spam filters and firewalls often struggle to detect these advanced tactics. And, the new capabilities of generative AI (e.g. ChatGPT and many others) are making the problems even worse.

To combat this, small businesses need robust cybersecurity tools and security measures, such as AI-driven threat detection systems, that evolve alongside these threats to protect customer information and data loss.

2. Resource Constraints

Investing in AI-enhanced security tools can strain the budgets for data security in small busnesses. However, solutions like managed security services or open-source AI tools can provide cost-effective ways to stay protected from cyber security risks to critical data. Partnering with experienced vendors and security teams specializing in AI-driven cybersecurity can also bridge the resource gap.

3. Data Security in Small Business Privacy Concerns

AI relies on large data sets to function, but mishandling sensitive information can lead to data breaches or regulatory violations. For example, improperly configured AI tools in healthcare or finance could inadvertently expose sensitive data, which will significantly impact your customer trust.

Protect your business from scams by implementing strong encryption, access controls and AI systems designed to prioritize privacy.

4. Lack of Expertise

The use of AI is growing dramatically, and finding skilled professionals to manage and secure AI systems is challenging. Outsourcing to consultants or training existing staff in AI basics can help close this knowledge gap.

5. Insider Threats to Data Security in Small Business

AI technology can monitor employee activity to detect unusual behavior, but implementing these systems without transparency can harm trust. Be clear in your employee training about how and why AI is being used and establish ethical boundaries to ensure employees feel respected.

6. Ethical Challenges are Real with AI

AI isn’t perfect. It can make mistakes or reflect biases embedded in the data it learns from. Small businesses need to ensure that AI tools are used responsibly, avoiding scenarios that could harm their reputation, invite legal consequences or create financial losses.

Emerging AI threats Small Businesses Need to Know

In the last 18 months, new AI-related risks have emerged, including:

• Deepfake Technology: Cybercriminals can use AI to create convincing fake videos or audio, leading to fraud or reputational damage.
• Ransomware-as-a-Service (RaaS): AI is making it easier for less-skilled hackers to launch sophisticated ransomware attacks, targeting SMBs with fewer resources to defend themselves.
• AI Manipulation of IoT Devices: Many small businesses use internet of things (IoT) devices, such as smart cameras or thermostats. AI-powered malware can exploit vulnerabilities in these devices to gain unauthorized access to networks.

We recently read a great, but chilling article from Malwarebytes titled: How to recognize AI-generated phishing emails. It’s worth a read to learn more about what to look for and what to do.

How Small Businesses Can Safeguard Their Data

Protecting your business from AI-driven cyber threats doesn’t require a Fortune 500 budget. Here are practical steps small businesses can take can take:

1. Adopt Strong Access Controls: Limit data access to only those employees who need it.
2. Regularly Update Software and Apps: Keep all antivirus software and systems patched to close security gaps.
3. Train Employees: Educate your team on identifying phishing attempts and following data security best practices.
4. Invest in Encryption: Encrypt sensitive customer and business data.
5. Create a Response Plan: Develop a clear strategy for responding to data breaches.
6. Partner with Experts: Work with managed security providers to implement AI-driven cybersecurity solutions tailored to small businesses.
7. Multi-Factor Authentication and Strong Passwords. These are tried-and-true tools that still help today.

The Road Ahead: Data Security in Small Businesses is Under Attack

AI is here to stay, and its role in business will only grow. By understanding its risks and benefits, small businesses can harness its potential while safeguarding their most valuable asset: data. Investing in AI-driven cybersecurity solutions, educating employees and partnering with trusted experts will go a long way in keeping your business secure.

As technology evolves, staying proactive about data security is not just smart—it’s essential. Don’t let your business fall behind. Take action now to protect your company’s future.

If your business is larger, read our recent article on the impacts of AI on medium-sized small businesses.

Revised – March 8, 2024

Crooks are hard at work trying to separate you from your money. The proliferation of identity theft, phishing, data breaches, and more have pushed this kind of criminal activity to an all-time high.

However, one old scheme is also very much alive, and thieves are still using it with alarming regularity.

This oldie but baddie scheme is called “check washing.”

In this article we will take a look at this age-old scheme and we will also update you on some new technological developments in countering check washing fraud.

What is check washing fraud?

In short, thieves will steal a check that’s already been made out to someone and, using simple chemicals, literally wash the name off the check and insert their name into the “pay to” line. Nail polish remover (acetone) and rubbing alcohol (isopropanol) can pull the most common inks away from paper in minutes.

Thieves start by placing a low adhesive protective seal over the signature line. The check is dipped into a pan with a solvent, and once the ink from the check has dissolved completely, the check is hung up to air dry. The result is a clean blank check the con artist can fill in any way they want.

The market for stolen checks sold online has become more widespread and sophisticated as criminals are making a tidy profit by selling “glass” to forgers who are doing the dirty work using state-of-the-art means to defeat security measures by financial institutions.

Of course, the ancillary problem is that thieves aren’t only stealing checks but mail of every kind, which can lead to more significant identity theft crimes or disrupt the delivery of essential and time-sensitive mail to millions of people.

The problem appears to have worsened during the pandemic when the nation was flooded with stimulus checks and unemployment benefit checks, which are tailor-made for fraudsters.

Believe it or not, stolen check transactions take place mainly on the social media app Telegram, and there are even how-to videos on check-washing on YouTube. The most active stolen check locales in the U.S. are California, New York, New Jersey, and Florida, but illicit activities take place all over the nation and throughout the world.

The type of information also being sold with stolen checks has grown considerably. Bad actors now routinely sell the check writer’s Social Security number and account balances stolen from the dark web.

9 Things You Can Do To Avoid Becoming A Check Washing Victim

1. When you write a check, use a black ink gel pen. These are cheap deterrents because checks written in indelible ink can’t be washed. Gel ink resists chemical stripping and contains pigments that permeate the fibers of the check itself. The ink in a standard blue ballpoint pen is easily removed with acetone.
2. Deposit your outgoing mail inside a post office location or deposit it in an outside blue collection box. We recommend not leaving your outgoing mail unattended and attached to your home’s mailbox. That red flag you pop to the “up” position for your mail carrier is also a red flag for thieves. Also, never leave your mail in your home mailbox overnight.
3. If you work in an office, consider bringing your outgoing mail to your office for a more secure chain of custody.
4. When you go on vacation, have your mail held at your post office until you return. Or make sure your mail is picked up daily by a trusted friend or neighbor.
5. When you order checks, pick them up directly from your local bank branch instead of having new blanks mailed to you.
6. Consider buying checks containing anti-fraud elements such as electronic inks, hidden watermarks, or microprinted lines that cannot be photocopied or scanned clearly.
7. Call authorities immediately if you see suspicious activity that looks like mail theft may be taking place. Mail theft is a federal crime and can result in harsh penalties for those who are caught.
8. Shred or burn canceled checks. If you need to save them, put canceled checks in a secured area, such as a bank lockbox or a wall safe. Don’t throw them in the trash.
9. Check bank statements immediately after you receive them. If you fail to report check fraud within 30 days of receiving your monthly statement, your bank does not have to reimburse your loss.

The problem has grown so severe that many local and federal authorities have formed task forces around the country, with agents from the Postal Inspection Service, U.S. attorney’s office, local police forgery units, FBI, and Secret Service.

Banks have also staffed up in check processing and are dedicating a lot more resources, including sophisticated AI technology, to identify washed checks and other identity theft issues.

While these are welcome advancements, the bottom line is that you’re the one who will lose in this type of scam, so it’s up to you to take as many steps as you can to avoid becoming a checking washing victim.

Once again, technology is doing its best to keep up with criminals

Recent developments in technology and countermeasures offer renewed hope in the first against this scam.

Enhanced Ink Technology. This technological advance is significant. Ink manufacturers have devised new formulas that offer greater resistance to chemical stripping. These modern inks deter traditional washing techniques and incorporate features like rapid absorption into paper fibers, making alterations virtually impossible without detection.

Blockchain Verification. Used mostly by financial institutions, this is a promising avenue to combat check washing. By leveraging blockchain’s immutable ledger system, banks can securely record and verify check transactions in real time. This added layer of security enhances fraud detection and enables swift action to prevent unauthorized alterations or forgeries.

Artificial Intelligence (AI)-Powered Detection Systems. These systems are capable of analyzing vast amounts of transaction data for banks in real time. They employ machine learning algorithms to identify suspicious patterns, detect anomalies and flag potentially fraudulent activities.

Secure Check Printing Solutions. Manufacturers now offer checks embedded with advanced security features, including holographic watermarks, microprinted lines and encrypted electronic inks, rendering checks virtually impossible to replicate or alter with detection.

Collaborative Law Enforcement. Local and federal organizations are pooling resources and expertise so agencies such as the Postal Inspection Service, FBI, Secret Service and others can more effectively investigate and prosecute perpetrators.

As the landscape of financial crime evolves, so must our strategies for prevention and detection. However, the rubber really meets the road in our own homes and offices, where we can take active steps to thwart this ongoing threat.

Revised – February 12, 2024

Note to readers: We first authored an article on this subject in 2019. Unfortunately, the problems have only gotten worse, in part because the criminals and scammers have learned how to use more powerful new technology to their advantage. It’s sad to say, but this is a similar story with some new chapters.

If you’re the type of person who takes calls from unknown numbers, there’s a good chance you’ve answered a call that starts with some version of this:

“Hello, Mr. Smith, this is the Internal Revenue Service. I’m calling today because you have back taxes that have not been paid. You are in danger of facing fines if this is not taken care of quickly. We need to verify some of your information to get this taken care of.”

Even if you don’t answer these kinds of calls, the voice on the other end will probably leave an urgent message to call them back, or you could also suffer “dreadful” consequences.

The caller might claim to represent the IRS, Social Security, Medicare, or other government agencies you rely on for benefits.

The calls are often alarming and upsetting. But here’s the good news.

They are all fake.

A fraudster is attempting to scam you by getting you to divulge personal information. They want to wreak havoc on your life, finances, and long-term credit by stealing your Social Security number, bank accounts, pin numbers, and other sensitive details.

Emails and letters are also common and can be just as devastating if you do the wrong things when you get one.

Government agency scams crimes are on the rise

The Office of the inspector General reports it receives 7,000-10,000 complaints a month about a wide range of scam calls related to Social Security. That’s a sobering number, but it is a good warning for consumers.

Add this to a troubling pattern of data breaches in the private sector, and you’ve got a recipe for massive ongoing fraud and financial losses.

(New Information) What new tricks are IRS and Social Security scammers using on consumers today?

Scamming the IRS and Social Security system are year-round businesses. Don’t believe that IRS scams happen only during the rush of tax season.

Scammers evolve like everyone else. They learn new technologies and turn it against us. Here are some of the newer types of scams:

• Text Message Scams. These are popping up daily and they all look so legitimate. They are using many of the tricks that have been played on us all via email. They claim to be from reputable organizations like the IRS (the IRS will NEVER text you with a request for personal information). Scammers will text regarding issues with your bank accounts, credit cards or loans with links to respond to the supposed problem. Don’t fall for these tricks. If the text says it is from a reputable source, check it out first.
• Social Media Scams. Tricksters are using social media platforms like Facebook and others to impersonate individuals, companies, or government agencies. They may create fake profiles to solicit personal information or money. Be extra cautious about accepting friend/follow requests from people you don’t know. If it’s from an official-sounding account, verify before giving them access.
• Cryptocurrency Scams. If you’re an investor of any type you’re aware of the popularity of cryptocurrency. Scammers are exploiting the lack of regulation anonymity of transactions to trick people into fake investments and phishing schemes. Only deal with reputable cryptocurrency platforms.
• Vishing (Voice Phishing). Scammers are still finding new ways to use the phone as weapon. These calls impersonate legitimate organizations, including the IRS, to trick people into providing their personal data. By contrast, some scammers also lie to taxpayers and say they are due a refund. That’s so they can trick victims into giving their bank account information over the phone. Do not give your personal information to anyone you don’t know unless you have initiated the call. If you believe a call might be legitimate, hang up and call the organization to verify.
• Deepfake Scams. This is just coming into the mainstream. Scammers create audio and video impersonations of, well, anyone. There is no limit. They can impersonate a celebrity asking for money for a non-profit or they can impersonate an employee of the IRS or Social Security Administration calling to “verify” your personal information.

Your first line of defense for anything that feels or looks suspicious is to be skeptical. When in doubt, hang up or back out of the text or message. And don’t click links that you are not 100% sure of where they are going. Top of Form

Rather than leap into a big mistake, if a taxpayer isn’t sure whether they owe any tax, they can view their tax account information on IRS.gov to check their status.

Many groups are vulnerable to common scams

Recent immigrants who are not as well versed in IRS and Social Security rules and regulations can be especially vulnerable. Scammers will prey upon their fears and ignorance of U.S. laws. Victims are sometimes threatened with arrest, deportation, or suspension of a business or driver’s license. Often, the caller becomes hostile and insulting. Another troubling aspect is that victims are often approached in their native language, adding to the perceived validity of the call.

Disabled people are not immune from scams, either. Some scammers use video relay services (VRS) to try and scam deaf and hard of hearing people into divulging information. Taxpayers should not trust calls just because they’re made through VRS, because interpreters don’t screen calls for validity.

Some taxpayers receive tax refund emails that appear to be from the Taxpayer Advocacy Panel (TAP). These emails are phishing scams. Perpetrators are trying to trick victims into providing personal and financial information. TAP is a volunteer board that advises the IRS on large scale issues affecting taxpayers. It never requests any taxpayer’s personal and financial information.

Because many taxpayers know the IRS will never call to demand immediate payment over the phone, some scammers send letters instead, hoping folks will take the bait. The letters use realistic looking letterhead and related materials as a way to further deceive people. Phony IRS letters can include facts about real tax debts. That can rattle a taxpayer, but be aware that some tax-related information, such as liens that have been filed against taxpayers, are available to the public.

The IRS has also seen a rise in recent years of scammers calling victims trying to take advantage of their generosity when it comes to disaster relief efforts. They may also offer up the tax-deductible benefit as a way of inducing a victim to turn over private information.

Some scammers will use data on W-2 forms to file fraudulent tax returns in a victim’s name. However, the IRS has established a process that will allow businesses and payroll service providers to report any data losses related to this W-2 scam quickly.

Scammers also target Social Security numbers. In one version, scammers call and claim to be able to suspend or cancel the victim’s SSN. They will leave a message if they don’t talk to you in yet another attempt by con artists to frighten people into returning ‘robocall’ voicemails.

You may also get a phone call saying that you will be charged for services that Social Security provides for free.

What can you do to protect yourself?

If screening all your calls is not an option where you only answer calls from numbers you recognize, there are other ways to protect yourself:

• If you get a phone call from someone purporting to be from the IRS, Social Security, or other government agencies, and they ask you for personal information, hang up immediately.
• Don’t give in to any pressure tactics, whether it’s for a charity donation, an apparent great deal, or other similar offers.
• For suspicious emails, don’t open any attachments or click on any links. These links could have malicious code that will infect your computer.
• Don’t provide your credit card information, bank account information, or other sensitive personal information… ever!
• Don’t trust caller ID. Scammers can change the number you see in a tactic known as spoofing.

You can reduce the number of calls you get proactively by registering your phone number with the National Do Not Call Registry. Register online or call 1-888-382-1222. 

Know under what circumstances the IRS, Social Security, and other agencies will contact you and how they will do it. For example, the IRS will NEVER call to demand immediate payment using a specific payment method such as a prepaid debit card or wire transfer. You have rights as a taxpayer, and it’s critical you understand them.

However, at times, an IRS collections employee may call you or show up at your home or employer unannounced to collect a tax debt. Sometimes, the IRS will assign certain cases to private debt collectors but only after giving the taxpayer written notice. IRS criminal investigators may also appear in your life, but it will be only to conduct an investigation and not to collect any money from you.

Reporting possible illegal scam activities

It’s crucial to report phone scams to federal agencies. They can’t investigate individual cases, but your information can be used to build a more significant case against scammers.

Here’s who to contact:

• For attempted IRS phone scams, contact the Treasury Inspector General for Tax Administration. Use the “IRS Impersonation Scam Reporting” web page. You can also call 800-366-4484. Report unsolicited emails claiming to be from the IRS, or an IRS-related function like the Electronic Federal Tax Payment System, to the IRS at this link: phishing@irs.gov.
• Report telephone scams online to the Federal Trade Commission or call 1-877-382-4357.
• Report all robocalls and unwanted telemarketing calls to the Do Not Call Registry.
• If you think an SSA scammer has contacted you, call the Social Security Fraud Hotline at 1-800-269-0271.

Steps to take if you’re a victim

There are several things you should do if you’ve been scammed, either by telephone, email, or other means.

Place a fraud alert with a Credit Reporting Agency. You reduce the risk of accounts opened in your name without your authorization. If you place an alert with one of the following agencies, they will notify the other two on your behalf.

• Equifax — (888) 378-4329
• Experian — (888) 397-3742
• TransUnion — (800) 680-7289

Monitor your financial accounts for suspicious or unauthorized activities. Close any accounts that weren’t opened with your permission and either freeze or close any account that has unauthorized activity.

Check your computer to see if you have any downloaded malware or viruses. A hacker or scammer may be stealing your personal information straight from your computer.

Secure your Proof of Identity. You’ll probably be required to submit an affidavit and provide proof of your identity. The Federal Trade Commission’s ID Theft Affidavit is widely accepted and can be downloaded here.

File a police report. Law enforcement may or may not take action, but you may need the report as proof that you have taken appropriate steps.

File a complaint with the appropriate state and federal agencies. See the resources listed above.

Order copies of your credit reports and review them thoroughly. If you have placed a fraud alert, you can order a copy of your report for free. If your ID theft happened recently, wait a bit. That is because some creditors only report to agencies once a month, so it may take a while for the activity to show up in your files.