“Score one for the good guys,” as the saying goes. The IRS has reported a nearly fifty percent decrease in the numbers of identity theft complaints from taxpayers, as well as a resulting decrease in a number of fraudulent returns that get paid out to scammers.

According to IRS Commissioner John Koskinen, there were around 700,000 victims of identity theft involving tax returns and the IRS in 2015, and in 2016, that number was only 377,000. So far, though, the IRS has only identified 107,000 reports of identity theft in the first five months of 2017.

The IRS has long been a target for identity thieves because of the massive payouts involved. With more than $300 billion a year being issued in refunds, there’s a perception that it’s easy to slip a few phony returns through the cracks. Where a crime like credit card account theft only nets a thief a relatively small amount of money before the stolen card number is canceled, a tax return for a single individual could run well into the tens of thousands of dollars without really raising any red flags.

As noted in the ITRC Data Breach Report on U.S. breaches, some 60 percent of the total breaches in 2017 involved the exposure of Social Security numbers.  A consumer’s SSN is somewhat permanent, enabling tax return fraud to be repeated year after year., Additionally, it can also be used to file fraudulent tax returns in multiple states, raking in yet another payday from each state’s internal revenue service.

This significant victory for the IRS involved working in a targeted way with tax preparers in order to fight fraud, but it didn’t come without costs. The IRS is seeing an increase in businesses who are scammed now that security protocols are having a positive impact on individual taxpayers.

One of the main tactics for targeting a business for tax fraud involves accessing their employee payroll records and W2 forms, a feat that is accomplished through methods like spear-phishing, or “boss phishing.” In those cases, a hacker gains access to an email account with a company or makes a copycat account, then poses as the CEO or another executive to request sensitive files. Employees are likely to fall for it and comply with the request for the information because, after all, when the boss tells you to do something, you do it.

Now that word is reaching consumers about protecting their individual tax returns, businesses would do well to ensure that all employees within a company know how to spot a phony request for sensitive data. Policy manuals concerning data storage and computer use must include a provision that no one is to ever send sensitive files to another person—even a person within the company, and even the boss—without verbal confirmation.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.