Identity theft information for tax professionals

 

Cybercriminals target tax professionals because you are custodians of highly sensitive client data.

They attempt to steal your clients' personal financial information so they can create fraudulent tax returns and claim fake refunds.

Report suspected identity theft or data loss

Your clients

If your clients need assistance preventing, reporting, or recovering from identity theft, review our information for:

You or your firm

If you or your firm are the victim of data theft, immediately:

  • Report it to your local stakeholder liaison
    Liaisons will notify IRS Criminal Investigation and others within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names and will assist you through the process.
  • Get information on how to report victim information to state tax agencies
    Visit the Federation of Tax Administrators "Report a Data Breach" to find state contact information.

Find more information at Data Theft Information for Tax Professionals.

Protect your clients and prevent data loss

You are the first line of defense against identity theft. You must be alert and on guard at all times. In addition to trying to steal client data, thieves may try to steal your identity as well, using your PTINs, EFINs and CAF numbers to file fraudulent returns or steal even more information.

Know your responsibilities

Federal law requires you to create, implement and maintain an information security plan to protect client data, no matter the size of your firm.

  • Have your cybersecurity staff develop a data security plan
  • Contact a cybersecurity consultant

If you can’t afford a cybersecurity staff or consultant, review and act using these materials:

Additionally, tax professionals generally can find cybersecurity support through their professional insurer if they have data theft coverage.

Note: the IRS can’t recommend security products.

The Federal Trade Commission (FTC) administers the law and created the Safeguards Rule.

Know the signs of data theft

You or your firm may be a victim and not even know it. Here are some common clues to data theft.

You notice that:

  • Client e-filed returns are rejected because we received another return with a client’s Social Security Number
  • You receive more e-file acknowledgements than returns you know you filed
  • Your clients respond to emails that you didn’t send
  • You experience slow or unexpected responsiveness from your computer or network such as:
    • Software or actions take longer to process than usual
    • The cursor moves or changes numbers without you touching the mouse or keyboard
    • You get locked out of your network or computer

Your clients tell you that they receive:

  • Authentication letters (5071C, 4883C, 5747C) from us even though they haven’t filed a return
  • A refund even though they haven’t filed a return
  • A tax transcript they didn’t request
  • Emails or calls from you that you didn’t initiate
  • A notice that someone created an IRS online account for them without their consent
  • A notice they weren’t expecting that:
    • Someone accessed their IRS online account
    • We disabled their IRS online account

An estimated 91 percent of all data breaches and cyber attacks begin with a spear phishing email that targets you. The thief's objective is to get you to click on a link or open an attachment (e.g., PDF, Word document, Excel file, image). This allows the thief to steal passwords or download malware that tracks keystrokes or gives the thief control of your computer.

The criminal poses as a trusted source. Examples include:

  • IRS eServices
  • A tax software company you do business with
  • A cloud-storage provider
  • A potential client
  • A professional colleague

Here are two clues that an email is a targeted scam. The email:

  • Appears to be from a trusted source or potential client but seems a bit off
  • Has an urgent message to bait you into opening a link or attachment (e.g., "Update your account now!")

Prevent identity theft

Stay vigilant. You may not know about a data theft until your clients receive a notice or can’t e-file because we already received a return with their Social Security Number.

All online tax preparation products for tax professionals offer the option for multi-factor authentication as an additional protection for accounts. The IRS strongly urges all tax professionals to use this option. Many data thefts from tax pro offices could have been stopped had preparers used this tool.

Multi-factor authentication means returning users must enter their username and password plus one or more other items, for example a security code sent as a text to a mobile phone. Tax professionals should use multi-factor authentication wherever it is offered, especially for cloud storage providers, email providers, financial institutions and social media.

Here are some things you can do:

  • Track returns you filed through your daily e-file acknowledgements. If you receive more acknowledgements than returns you know you filed, dig deeper
  • Track your weekly EFIN usage. We post the number of returns filed with your Electronic Filing Identification Number (EFIN) weekly
    • Log into your e-Services account
    • Access your e-file application and check “EFIN Status”
    • If the numbers are off, contact the e-Help desk
  • Keep your EFIN application up-to-date with all phone, address or personnel changes
  • Check your PTIN account for a weekly report of returns filed with your Preparer Tax Identification Number (PTIN) if:
    • You are a ‘Circular 230 practitioner’ or an ‘annual filing season program participant,’ and
    • You file 50 or more returns a year
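
The two tracking checks above (acknowledgements versus returns you filed, and the weekly EFIN count versus your own count) can be run as a simple reconciliation. This is an added example, not IRS or tax-software code; the record layout, field names, the `duplicate_ssn` reason label and the EFIN `000000` are constructed for illustration.

```python
# Added example. Field names and records are constructed for illustration;
# they are not an IRS or tax-software export format.
FILED_LOG = [  # returns the firm knows it transmitted
    {"submission_id": "A-001", "efin": "000000"},
    {"submission_id": "A-002", "efin": "000000"},
    {"submission_id": "A-003", "efin": "000000"},
]
ACKS = [  # acknowledgements received for the same period
    {"submission_id": "A-001", "status": "accepted", "reason": ""},
    {"submission_id": "A-002", "status": "rejected", "reason": "duplicate_ssn"},
    {"submission_id": "A-003", "status": "accepted", "reason": ""},
    {"submission_id": "X-777", "status": "accepted", "reason": ""},
]


def unmatched_acks(filed_log, acks):
    """Acknowledgements for submissions the firm has no record of sending."""
    known = {r["submission_id"] for r in filed_log}
    return [a["submission_id"] for a in acks if a["submission_id"] not in known]


def duplicate_ssn_rejects(acks):
    """Rejects caused by an earlier return filed under the same SSN."""
    return [a["submission_id"] for a in acks
            if a["status"] == "rejected" and a["reason"] == "duplicate_ssn"]


def efin_gap(filed_log, efin, reported_count):
    """Reported weekly count for the EFIN minus the firm's own count."""
    own = sum(1 for r in filed_log if r["efin"] == efin)
    return reported_count - own


def review(filed_log, acks, efin, reported_count):
    """Collect every discrepancy that warrants follow-up."""
    findings = []
    for sid in unmatched_acks(filed_log, acks):
        findings.append(f"ack without matching filing: {sid}")
    for sid in duplicate_ssn_rejects(acks):
        findings.append(f"reject, SSN already used on another return: {sid}")
    gap = efin_gap(filed_log, efin, reported_count)
    if gap > 0:
        findings.append(f"EFIN {efin}: {gap} more returns reported than filed")
    return findings


if __name__ == "__main__":
    for line in review(FILED_LOG, ACKS, "000000", reported_count=5):
        print(line)
```

Any finding is a reason to dig deeper and, for an EFIN count mismatch, to contact the e-Help desk.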

These are the most basic steps to take:

  • Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update
  • Use responsible passwords:
    • Create passwords of at least eight characters (longer is better)
    • Use special and alphanumeric characters
    • Use passphrases instead of passwords
    • Use a different password for each account
    • Password protect wireless devices
    • Consider a password manager program
  • Encrypt all sensitive files/emails and use strong password protections
  • Back up sensitive data to a safe and secure external source not connected full-time to a network
  • Wipe clean or destroy old computer hard drives and printers that contain sensitive data
  • Limit access to taxpayer data to individuals who need to know

Your systems are only as safe as the least informed employee. Following these simple steps can also help protect against stolen data:

  • Use separate personal and business email accounts
  • Protect email accounts with strong passwords and two-factor authentication if available
  • Install an anti-phishing toolbar to help identify known phishing sites
    • Anti-phishing tools may be included in security software products
  • Use security software to help protect systems from malware and scan emails for viruses
  • Never open or download attachments from unknown senders, including potential clients; verify the email is authentic by calling them
  • Send password-protected and encrypted documents only
  • Do not respond to suspicious or unknown emails; if the email is IRS-related, forward it to phishing@irs.gov

See the Security Summit’s recent summer campaigns:

How we help

We never:

  • Initiate contact with taxpayers by email, text or social media to request personal or financial information
  • Call taxpayers with threats of lawsuits or arrests
  • Call, email or text to request taxpayers’ Identity Protection PINs

We alert you as quickly as possible when we learn of a new scam. Scams are especially common during the filing season. Sign up so you can stay up to date with the latest alerts and tax administration issues: