Most small business owners think fraud happens somewhere else.
To bigger companies. Sloppier companies. Companies with weak systems.
But let’s be honest. That kind of thinking is exactly what leaves the door wide open.
According to a March 19, 2026 Malwarebytes article, cybercriminals are buying stolen tax forms and personally identifiable information on dark web forums for shockingly low prices. In one example, 100 complete tax forms were listed for $2,000, which means a fully documented stolen identity was going for about $20. Malwarebytes also reported that attackers are buying direct access to tax and accounting firms because it is far more efficient to breach one business holding a large volume of sensitive records than to chase individuals one by one.
That is the part small business owners need to stop and really hear.
This is not just a tax season problem.
This is not just an IT problem.
This is not just a “be careful online” problem.
This is a fraud problem.
And if your business handles payroll, tax returns, W-2s, 1099s, employee files, or client financial records, you are sitting on exactly the kind of information criminals want most. Malwarebytes describes this as Stolen Identity Refund Fraud, or SIRF, where criminals use stolen data like Social Security numbers and dates of birth to file fake tax returns before the real taxpayer does. Victims often discover it only when their legitimate return is rejected or they are told a refund has already been issued in their name.
So no, this is not somebody else’s problem.
It is a small business problem too.
Why criminals love small businesses
Why would a fraudster target a small business?
Because small businesses are often busy, understaffed, and moving fast.
There may be no internal IT department. The owner may be wearing ten hats. Employees may share files too freely, reuse passwords, or send sensitive forms through plain email because it feels quicker.
That is not a character flaw. That is real life.
But criminals love real life because real life gets rushed.
Malwarebytes reported that threat actors listed access to a compromised US tax service firm and were auctioning database access containing highly sensitive personal data for more than 1,600 clients. The article specifically notes that small businesses are typical targets because they can provide easy access to exploitable information.
Read that again.
A small business was not ignored.
A small business was the opportunity.
What criminals are really buying
It is easy to think, “Okay, they stole a tax form.”
No. They stole leverage.
A tax form is not just paper. It is identity. It is income history. It is address data. It is employer data. It is often enough to help a criminal impersonate a person, pass verification checks, or build a much larger fraud scheme.
Malwarebytes found that underground sellers were offering not only W-2s and 1040s, but also complete stolen identity packages, sometimes called “fullz,” for as little as $0.75 per set. They also reported that forged tax-related documents, including customized W-2s and realistic bank statements, were being sold for roughly $20 to $40.
That means criminals are not just buying data.
They are buying shortcuts.
They are buying tools.
They are buying ways around your controls.
And if your controls are weak, they do not need much.
What this means for small business owners
Here is the mistake too many owners make: they treat tax data like paperwork.
It is not paperwork.
It is inventory for fraud.
Would you leave cash sitting in an unlocked room?
Would you hand out bank login credentials because somebody asked nicely?
Would you let everyone in the company download payroll files just because it is easier?
Of course not.
So why do so many businesses treat W-2s, tax returns, Social Security numbers, and employee records like ordinary documents?
That mindset has to change.
Because once that information gets exposed, the damage does not stop with one false tax filing. It can turn into identity theft, payroll fraud, account takeovers, phishing attacks, fake vendor changes, and a very expensive cleanup process.
How small businesses can prevent this
You do not need to panic. But you do need a plan.
Here are the practical steps that actually matter.
1. Limit access to tax and payroll data
Not everyone needs access to everything.
Review who can see:
- payroll records
- employee files
- Social Security numbers
- tax returns
- W-2s and 1099s
- client tax documents
- exported reports with personal data
If someone does not need it to do their job, they should not have access to it.
Fraud prevention starts with reducing opportunity.
2. Turn on multi-factor authentication everywhere
If your email, payroll platform, accounting system, document storage, or tax software is protected by only a password, you are relying on a weak lock.
Passwords get reused.
Passwords get guessed.
Passwords get stolen.
Multi-factor authentication helps stop a stolen password from becoming a full-scale breach.
Start with these systems first:
- payroll
- accounting software
- tax software
- document portals
- banking access
This is one of the simplest ways to make your business a harder target.
3. Stop emailing sensitive tax documents like they are harmless attachments
If your team sends W-2s, tax returns, or spreadsheets full of personal data through regular email without added protection, that is a risk.
Use secure portals.
Use encrypted file-sharing tools.
Use password-protected documents with separate password delivery.
Why? Because one compromised inbox or one mistyped email address can expose a lot more than one file.
Convenience is great right up until it becomes evidence.
4. Train your team to slow down and verify
Malwarebytes noted that tax season gives scammers an advantage because people are already expecting tax-related messages, refunds, and filing notices, which makes phishing emails and fake IRS alerts easier to believe.
That should be a wake-up call for every small business.
Your employees need to know this:
No one sends payroll data, tax forms, banking changes, or login credentials based on email alone.
Not the owner.
Not the office manager.
Not the outside accountant.
Not the “IRS.”
Verify first.
Pick up the phone.
Use a known number.
Confirm the request.
One five-minute pause can prevent months of cleanup.
5. File early and watch for warning signs
Malwarebytes recommends filing taxes early, monitoring accounts and credit reports, and paying attention to rejected returns or unexpected tax notices. They also point to the IRS Identity Protection PIN as an added safeguard against fraudulent filings.
For small business owners, that means:
- prepare tax filings early
- reconcile payroll before forms go out
- track who prepared and reviewed each filing
- investigate every odd notice right away
- consider an IP PIN where appropriate
Messy records make fraud easier to hide.
Clean records make suspicious activity easier to catch.
6. Treat employee data like cash
Because to a criminal, that is exactly what it is.
Wage information, dates of birth, Social Security numbers, and addresses are valuable because they can be used to impersonate someone, open accounts, or support false tax filings.
Ask yourself one simple question:
If someone got into our systems today, what would they find in the first ten minutes?
That answer will tell you where your biggest risk lives.
7. Review your outside providers
If you use a payroll processor, outsourced bookkeeper, tax preparer, or IT vendor, ask better questions.
Ask them:
- How is our sensitive data stored?
- Who has access to it?
- Is multi-factor authentication required?
- How are documents transmitted?
- What happens if there is a breach?
- How quickly would we be notified?
Outsourcing can be smart. But outsourcing is not the same thing as eliminating risk.
You still need to know how your data is being protected.
8. Build fraud prevention into your routine, not just tax season
This cannot be a once-a-year conversation.
Review access regularly.
Train your team regularly.
Test your procedures regularly.
Watch for unusual activity regularly.
Fraud rarely starts with fireworks. It starts with something small that gets ignored because everybody is busy.
That is how good people miss bad actors.
The real takeaway
Here is the bigger truth.
Fraud prevention is not paranoia.
It is leadership.
You do not put controls in place because you are expecting the worst.
You put controls in place because your business, your team, and your clients are worth protecting.
Criminals do not care that you are a small business.
They care that you are accessible.
And when stolen tax forms are selling for about $20 each, no business should assume its data is too boring, too small, or too unimportant to steal.
Final word
Small businesses do not need more fear.
They need better process.
Lock down access.
Use multi-factor authentication.
Secure your document sharing.
Train your people.
Verify requests.
Monitor the warning signs.
Treat tax data like the high-value asset it is.
Because when fraudsters are shopping, your goal is simple:
Make your business the harder target.
