The IRS and its Security Summit partners have initiated a summertime security awareness campaign for tax professionals with an expanded guide that provides critical steps to protect client data.
“Protect Your Clients; Protect Yourself: Tax Security 101” is an effort by the IRS, state tax agencies and the nation’s private-sector tax industry that follows continued security threats to tax and financial data held by tax professionals. Data thefts continue to rise at tax practitioners’ offices and result in fraudulent tax returns that can be difficult for the IRS and states to detect.
“We need the help of tax professionals to take basic steps to safeguard their systems and taxpayer data,” Acting IRS Commissioner David Kautter said.
The Security Summit awareness campaign provides tax professionals with information to better protect taxpayer data and follows recommendations made by the Electronic Tax Administration Advisory Committee (ETAAC) in June, which noted tax professionals “are at increasing risk” of security vulnerability.
Although the Security Summit effort is making progress against tax-related identity theft, data thefts at tax professionals’ offices are on the rise. Cybercriminals keep evolving their methods of using stolen taxpayer data to create fraudulent returns that are harder to detect. Identity thieves are technically sophisticated, helped by well-funded and tax-savvy criminal syndicates based here and abroad.
To start the awareness campaign, the IRS revised Publication 4557, “Safeguarding Taxpayer Data,” to better reflect threats to tax professionals. The guide outlines basic steps tax professionals should take and provides details on how to comply with requirements for a data security plan. The IRS also created Publication 5293, “Data Security Resource Guide for Tax Professionals,” which highlights a compilation of IRS.gov resources for tax preparers.
The IRS reminds professional tax preparers that the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act, requires certain financial entities – including professional tax return preparers – to create and maintain a security plan for the protection of client data. The Federal Trade Commission administers this law and its “Safeguards Rule” regulations.
- Learn to recognize phishing emails, especially those pretending to be from the IRS, a tax software provider, cloud storage provider or state tax agencies. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates initial contact with a tax professional via email.
- Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
- Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
- Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alert and Social Media.
Internal controls for business should include:
- Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update
- Create passwords of at least eight characters; longer is better. Use different passwords for each account, use special and alphanumeric characters, use phrases, password-protect wireless devices and consider a password manager program
- Encrypt all sensitive files/emails and use strong password protections
- Back up sensitive data to a safe and secure external source not connected full-time to a network
- Wipe clean or destroy old computer hard drives and printers that contain sensitive data
- Limit access to taxpayer data to individuals who need to know
- Check IRS e-Services account weekly for number of returns filed with EFIN
This year, a sophisticated cybercriminal gang breached numerous practitioner offices by gaining remote control access of computers and stealing taxpayers’ 2016 tax information. The thieves used that information to file 2017 tax returns using all the real taxpayer data, including bank accounts for direct deposit.
The thieves then called the taxpayers, trying to trick them into returning the fraudulent refunds. In some cases, the thieves had stolen so much information they could access the clients’ bank accounts online and steal the fraudulent refunds. In many cases, tax professionals never even knew client data was stolen.
By taking the steps outlined here and in Publication 4557, tax professionals can help prevent common tactics used by cybercriminals. But even with the strongest security measures, the key to good security is an individual trained and alert to potential risks and threats.
The “Protect Your Clients, Protect Yourself: Tax Security 101” campaign will run for 10 weeks, through September. The campaign will be capped by a free data security webinar for all tax professionals in the fall.
With the start of the 2018 IRS Nationwide Tax Forums on July 10 in Atlanta, data security will be featured prominently at all five Tax Forums, including a workshop by cyber experts. Additional resources include:
- Identity Protection: Prevention, Detection and Victim Assistance
- Protect Your Clients, Protect Yourself – main
- Protect Your Clients, Protect Yourself: Tax Security 101 – 2018 awareness campaign
- Don’t Take the Bait – 2017 awareness campaign
- Security Summit