Keep your clients' information safe If you use an online product to manage your clients’ information or file their taxes, you can now log in with your username, password and a third factor like a phone number. Using all 3 will keep your clients’ data safer. Cybercriminals target tax professionals because you are custodians of highly sensitive client data. They attempt to steal your client's personal financial information so they can create fraudulent tax returns and claim fake refunds. Report suspected identity theft or data loss Your clients If your clients need assistance preventing, reporting, or recovering from identity theft, review our information for: Individuals Businesses You or your firm If you or your firm are the victim of data theft, immediately: Report it to your local stakeholder liaison Liaisons will notify IRS Criminal Investigation and others within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names and will assist you through the process. Get information on how to report victim information to state tax agencies. Visit the Federation of Tax Administrators "Report a Data Breach" to find state contact information. Find more information at Data Theft Information for Tax Professionals. Protect your clients and prevent data loss You are the first line of defense against identity theft. You must be alert and on guard at all times. In addition to trying to steal client data, thieves may try to steal your identity as well, using your PTINs, EFINs and CAF numbers to file fraudulent returns or steal even more information. Know your responsibilities Federal law requires you to create, implement and maintain an information security plan to protect client data, no matter the size of your firm. Implement a data security plan Have your cybersecurity staff develop a data security plan Contact a cybersecurity consultant If you can’t afford a cybersecurity staff or consultant, review and act using these materials: Publication 4557, Safeguarding Taxpayer Data PDF This publication provides an overview of tax professionals legal obligations to protect taxpayer information and provides a step-by-step checklist for how to create and maintain a security plan for your digital network and office NIST’s Small Business Information Security – The Fundamentals PDF The National Institute of Standards and Technology (NIST) is a branch of the U.S. Commerce Department. It sets the information security framework for federal agencies. It also produced this document to provide small businesses with an overview of those steps to security data. Its focus is on five principles: identify, protect, detect, respond and recover Taxes-Security-Together Checklist A quick overview of security steps tax professionals should take Protect Your Clients; Protect Your Business Our awareness campaign aimed at practitioners Additionally, tax professionals generally can find cybersecurity support through their professional insurer if they have data theft coverage. Note: the IRS can’t recommend security products. The Federal Trade Commission (FTC) administers the law and created the Safeguards Rule. Know the signs of data theft Identify suspicious activity You or your firm may be a victim and not even know it. Here are some common clues to data theft. You notice that: Client e-filed returns reject because we received another return with a client’s Social Security Number You receive more e-file acknowledgements than returns you know you filed Your clients respond to emails that you didn’t send You experience slow or unexpected responsiveness from your computer or network such as: Software or actions take longer to process than usual The cursor moves or changes numbers without you touching the mouse or keyboard You get locked out of your network or computer Your clients tell you that they receive: Authentication letters (5071C, 4883C, 5747C) from us even though they haven’t filed a return A refund even though they haven’t filed a return A tax transcript they didn’t request Emails or calls from you that you didn’t initiate A notice that someone created an IRS online account for them without their consent A notice they weren’t expecting that: Someone accessed their IRS online account We disabled their IRS online account Identify spear-phishing scams An estimated 91 percent of all data breaches and cyber attacks begin with a spear phishing email that targets you. Their objective is to get you to click on a link or open an attachment (ex. PDF, Word Doc, Excel file, Image). This allows the thief to steal passwords or download malware that tracks keystrokes or gives the thief control of your computer. The criminal poses as a trusted source. Examples include: IRS eServices A tax software company you do business with A cloud-storage provider A potential client A professional colleague Here are two clues that an email is a targeted scam. The email: Appears to be from a trusted source or potential client but seems a bit off Has an urgent message to bait you into opening a link or attachment. (ex. Update your account now!) Prevent identity theft Stay vigilant. You may not know about a data theft until your clients receive a notice or can’t e-file because we already received a return with their Social Security Number. Use multifactor authentication All online tax preparation products for tax professionals offer the option for multi-factor authentication as an additional protection for accounts. The IRS strongly urges all tax professionals to use this option. Many data thefts from tax pro offices could have been stopped had preparers used this tool. Multi-factor authentication means returning users must enter their username and password plus one or more other items, for example a security code sent as a text to a mobile phone. Tax professionals should use multi-factor authentication wherever it is offered, especially for cloud storage providers, email providers, financial institutions and social media. Track your activity Here are some things you can do: Track returns you filed through your daily e-file acknowledgements. If you receive more acknowledgements than returns you know you filed, dig deeper Track your weekly EFIN usage. We post the number of returns filed with your Electronic Filing Identification Number (EFIN) weekly Log into your e-Services account Access your e-file application and check “EFIN Status” If the numbers are off, contact the e-Help desk Keep your EFIN application up-to-date with all phone, address or personnel changes Check your PTIN account for a weekly report of returns filed with your Preparer Tax Identification Number (PTIN) if: You are a ‘Circular 230 practitioner’ or an ‘annual filing season program participant,’ and You file 50 or more returns a year Protect your data These are the most basic steps to take: Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update Use responsible passwords: Create passwords of at least eight characters (longer is better) Use special and alphanumeric characters Use passphrases instead of passwords Use a different password for each account Password protect wireless devices Consider a password manager program Encrypt all sensitive files/emails and use strong password protections Back up sensitive data to a safe and secure external source not connected fulltime to a network Wipe clean or destroy old computer hard drives and printers that contain sensitive data Limit access to taxpayer data to individuals who need to know Protect against spear-phishing scams Your systems are only as safe as the least informed employee. Follow these simple steps also can help protect against stolen data: Use separate personal and business email accounts Protect email accounts with strong passwords and two-factor authentication if available Install an anti-phishing tool bar to help identify known phishing sites Anti-phishing tools may be included in security software products Use security software to help protect systems from malware and scan emails for viruses Never open or download attachments from unknown senders, including potential clients; verify the email is authentic by calling them Send password-protected and encrypted documents only Do not respond to suspicious or unknown emails; if the email is IRS-related, forward it to phishing@irs.gov See the Security Summit’s recent summer campaigns: Don’t Take the Bait Tax Security 101 Taxes-Security-Together Checklist How we help Security Summit Protect Your Clients; Protect Your Business We never: Initiate contact with taxpayers by email, text or social media to request personal or financial information. Call taxpayers with threats of lawsuits or arrests Call, email or text to request taxpayers’ Identity Protection Pins Connect with us We alert you as quickly as possible when we learn of a new scam, Scams are especially common during the filing season. Sign up so you can stay up to date with the latest alerts and tax administration issues: e-News for Tax Professionals A weekly digest of important tax news IRS social media The IRS uses several social media outlets to connect with tax pros and with taxpayers Resources Publication 4557, Safeguarding Taxpayer Data (PDF) Publication 5293, Data Security Resource Guide (PDF) Publication 5199, Tax Preparer Guide to Identity Theft (PDF) NIST’s Small Business Information Security – The Fundamentals (PDF) Identity Theft Central