IR-2017-132, Aug. 22, 2017
WASHINGTON – The IRS, state tax agencies and the tax industry today reminded tax professionals that they are responsible for protecting access to their IRS e-Services account and safeguarding their Electronic Filing Identification Number (EFIN) from thieves.
National and international criminal syndicates routinely attempt to steal tax professionals’ usernames and passwords so they may access IRS e-Services to obtain the EFIN, which allows a criminal to steal clients’ sensitive information.
Increasing awareness about protecting e-Services and EFINs is part of a “Don’t Take the Bait” campaign, a 10-part series aimed at tax professionals. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to learn to protect themselves from password thefts. This is part of the ongoing Protect Your Clients; Protect Yourself effort.
“For tax professionals working with the IRS, protecting these account numbers is critical,” said IRS Commissioner John Koskinen. “Practitioners should maintain, monitor and protect their Electronic Filing Identification Number. Failing to do so can be disastrous for their business and their clients.”
Protecting Clients and Their Businesses from e-Services/EFIN thieves
Cybercriminals routinely use spear phishing emails to target tax practitioners. The emails impersonate IRS e-Services, trying to trick practitioners into disclosing their username and password. Once the thieves have these credentials, they access e-Services accounts and steal EFINs to file fraudulent tax returns. Cybercriminals also are savvy enough to know to steal Centralized Authorization File (CAF) numbers, which are unique, nine-digit ID numbers assigned to those who represent others before the IRS. The con artists also know how to file fraudulent powers of attorney documents to access clients’ accounts.
Password thefts are one reason the IRS has moved to Secure Access, a two-factor authentication process, to offer more protection for online tools. Secure Access requires not only a username and password but also a security code that is sent to a mobile phone previously registered with the IRS. The IRS is moving toward multi-factor protections for e-Services as well, and hopes to have this system in the near future.
In addition, the IRS is working with Security Summit partners in the states and the private-sector tax industry to help protect taxpayers and their tax filings against these threats.
Once the EFIN application process is complete and an EFIN has been issued, it is important to keep accounts up-to-date. This includes:
- Review the e-file application periodically. The e-file application must be updated within 30 days of any changes, such as individuals involved, addresses or telephone numbers. Failure to do so may result in the inactivation of the EFIN.
- Ensure proper individuals are identified on the application and update as necessary. The principal listed on the application is the individual authorized to act for the business in any legal or tax matter. Periodically access the account.
- Add any new principals or responsible officials.
- Update any business address changes, including adding new locations.
- An EFIN is not transferable; if selling a business, the new principals must obtain their own EFIN.
- There must be an EFIN application for each office location; if expanding a business, an application is required for each location where e-file transmissions will occur.
Tax Professionals: Monitor EFINs
Help safeguard the EFIN. During the filing season, check on the EFIN’s status to ensure that it is not being used by others. The e-Services account will give practitioner’s the number of returns the IRS received, which can be matched to practitioner records. The statistics are updated weekly. Contact the IRS e-help Desk at 866-255-0654 if there’s a higher volume shown than the number transmitted by the practitioner.
After logging into the e-Services account, follow these steps to verify the number of returns electronically filed with the IRS:
- Select practitioner name,
- In the left banner, select ‘Application,’
- In the left banner, select ‘e-File Application,’
- Select name again,
- In the listing, select ‘EFIN Status,’ and on this screen the number of returns filed based on return type is displayed.
Increasingly, identity thieves are targeting tax professionals to gain access to client data or other sensitive information. A common scam involves efforts by criminals to steal the tax professional’s e-Service account password and EFIN. Here are some steps to protect the EFIN:
- Learn to recognize and avoid phishing scams that claim to be from the IRS or e-Services.
- Do not open any link or attachment received in a suspicious e-mail.
- Periodically change the e-Service password and use a strong password consisting of letters, numbers and special characters.
- Periodically change the password to the email address used to correspond with clients.
Please note: The IRS continuously reviews EFINs and takes the necessary actions to inactivate any EFINs that are found to be compromised by an un-authorized firm or individual. The firm using the invalid EFIN will encounter Business Rule 905 when it e-files returns. The firm must call the e-help Desk at 866-255-0654 to request a new one.
Maintain Contact with the IRS
Authorized IRS e-file providers should maintain contact with the IRS to learn of any e-file updates. E-Service users can subscribe to Quick Alerts. Tax practitioners also can sign up for e-News for Tax Professionals or e-News for Payroll Professionals.