Cybercriminals target tax professionals to steal sensitive client data that allows them to file fraudulent tax returns using your clients’ identities.
Think it can’t happen to you? It can – and it does.
The IRS receives reports from tax professionals each week who experience a data theft or loss. Thieves also steal your identities by taking and using EFINs, PTINs, powers of attorney and other items. We all must do more to protect taxpayer data. If you suffer such a data loss, review Data Theft Information for Tax Professionals for your next steps.
Get Started with Data Protection
Creating and maintaining a data security plan is key. If you can afford it, contact a cybersecurity consultant. If you can’t afford a cybersecurity consultant, review these two publications:
- IRS Publication 4557, Safeguarding Taxpayer Data
This publication provides an overview of tax professionals' legal obligations to protect taxpayer information and provides a step-by-step checklist for how to create and maintain a security plan for your digital network and office.
- NIST’s Small Business Information Security – The Fundamentals
The National Institute of Standards and Technology (NIST) is a branch of the U.S. Commerce Department. It sets the information security framework for federal agencies. It also produced this document to provide small businesses with an overview of the steps to secure data. Its focus is on five principles: identify, protect, detect, respond and recover.
Educate Yourself and Your Staff on Common Tactics Used by Cybercriminals
The Security Summit maintains an ongoing awareness effort called Protect Your Clients; Protect Yourself. Your data security is only as good as your least informed employee. All employees in your office must be familiar with the schemes used by cybercriminals. For example:
- Spear phishing email – An estimated 91 percent of all data breaches and cyberattacks begin with a spear phishing email that targets an individual. The criminal poses as a trusted source, perhaps IRS e-Services, a tax software company or a cloud-storage provider, or the criminal poses as a potential client or professional colleague. The objective is to get the tax professional to open a link or PDF attachment. This allows the thief to steal passwords or download malware that tracks keystrokes or gives the thief control of your computer.
Take Simple Security Steps
Sometimes, tax professionals suffer data thefts because they failed to take the most basic and simple of security steps. These simple steps should not be overlooked:
- Secure your devices with antivirus software that can scan and detect malware on your computer; let the antivirus automatically update to stay current.
- Deploy firewall protections to secure your network from Internet intrusions.
- Use strong passwords or phrases that you can remember, password protect all wireless devices and accounts, and use multi-factor authentication whenever it's available.
- Back up sensitive data to a safe and secure external source not connected full time to your network.
- Encrypt all sensitive files/emails and use strong password protections.
- Create and secure Virtual Private Networks so remote workers may access your system securely.
Remember: If you are changing computers or devices such as printers, confidential information may remain. Before disposing of equipment, wipe clean or destroy old device hard drives that contain sensitive data.
You may be unaware of a data theft until clients begin receiving notices from the IRS or are unable to e-file because a return already is on file using their Social Security numbers. Here are a few other tips:
- Track your daily e-File acknowledgements. If there are more acknowledgements than returns you know you filed, dig deeper.
- Track your weekly EFIN usage. The number of returns filed with your Electronic Filing Identification Number (EFIN) is posted weekly. Go to your e-Services account, access your e-file application and check “EFIN Status.” If the numbers are off, contact the e-Help desk. Keep your EFIN application up-to-date with all phone, address or personnel changes.
- If you are a ‘Circular 230 practitioner’ or an ‘annual filing season program participant’ and you file 50 or more returns a year, you can check your PTIN account for a weekly report of returns filed with your Preparer Tax Identification Number (PTIN).
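The acknowledgement and EFIN checks in the tips above can be run as a simple reconciliation. This is an added example, not IRS code: it assumes your tax software can export filed returns and received acknowledgements as CSV, and the column names, submission IDs, dates and posted count are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample exports; column names and IDs are assumptions.
FILED_CSV = """filed_date,submission_id
2024-02-05,S-1001
2024-02-05,S-1002
2024-02-06,S-1003
"""
ACK_CSV = """ack_date,submission_id
2024-02-05,S-1001
2024-02-06,S-1002
2024-02-06,S-1003
2024-02-06,S-9001
2024-02-07,S-9002
"""

def read_rows(text, date_col):
    """Parse a CSV export into (date, submission_id) tuples."""
    return [(date.fromisoformat(r[date_col].strip()), r["submission_id"].strip())
            for r in csv.DictReader(io.StringIO(text))]

def unexplained_acks(filed_text, ack_text):
    """Map each day to acknowledged IDs that the office never filed."""
    known = {sid for _, sid in read_rows(filed_text, "filed_date")}
    flagged = defaultdict(list)
    for day, sid in read_rows(ack_text, "ack_date"):
        if sid not in known:  # match on ID: an ack can arrive after the filing day
            flagged[day.isoformat()].append(sid)
    return dict(flagged)

def efin_week_gap(filed_text, week_start, posted_count):
    """Posted weekly EFIN count minus returns the office filed that week."""
    start = date.fromisoformat(week_start)
    end = start + timedelta(days=7)  # assumed seven-day reporting window
    mine = sum(1 for d, _ in read_rows(filed_text, "filed_date") if start <= d < end)
    return posted_count - mine

if __name__ == "__main__":
    for day, ids in sorted(unexplained_acks(FILED_CSV, ACK_CSV).items()):
        print(f"{day}: {len(ids)} acknowledgement(s) with no matching return: {ids}")
    gap = efin_week_gap(FILED_CSV, "2024-02-05", posted_count=5)
    if gap > 0:
        print(f"EFIN count exceeds office records by {gap}; contact the e-Help desk")
```

Matching on submission ID rather than on daily totals keeps a late-arriving acknowledgement for a legitimate return from masking, or being mistaken for, one the office never filed.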
The IRS attempts to alert tax professionals as quickly as possible when it learns of new scams, which are especially common during the filing season. Sign up so you can stay up to date with the latest alerts and tax administration issues:
- e-News for Tax Professionals – A weekly digest of important tax news.
- Quick Alert – An urgent messaging system for tax professionals who have e-Services accounts.
- IRS social media – The IRS uses several social media outlets to connect with tax pros and with taxpayers. You can follow us at: