IRS, Security Summit Partners warn tax professionals of high risk of data theft attacks

Notice: Historical Content

This is an archival or historical document and may not reflect current law, policies or procedures.

IR-2018-245, December 7, 2018

WASHINGTON — Cybercriminals stepped up their attacks on tax professionals during 2018, prompting the Internal Revenue Service and the Security Summit partners to urge practitioners to take steps to protect client data and their computer networks from these threats.

The IRS also reminded all professional tax preparers that they are required by federal law to create and maintain a written data security plan. Sole practitioners are just as vulnerable to data theft as practitioners in large firms.

The IRS, state tax agencies and the private-sector tax community -- partners in the Security Summit -- are marking National Tax Security Awareness Week with a series of reminders to taxpayers and tax professionals. In the fifth and final part of the special series, the Summit renewed warnings to tax professionals as the 2019 tax season approaches.

“As the IRS, the states and the tax industry improve our defenses against tax-related identity theft, cybercriminals are looking for better data sources to fill out fraudulent tax returns,” said IRS Commissioner Chuck Rettig. “This makes tax professionals and their client data a treasure trove for cybercriminals to target. Tax professionals are a critical line of defense, and we urge them to protect their data, their systems and their clients. And we want taxpayers to seek out reliable tax professionals who use the latest security features.”

During the 2018 tax filing season, the IRS received five to seven reports per week from tax firms that have experienced a data theft. Through Nov. 5, 2018, the IRS received 234 reports for the year. That’s a 29 percent increase from the 182 reports received during the same time in 2017. Generally, these are reports filed by firms, which means hundreds more tax practitioners and tens of thousands of clients are affected. This increase represents a significant trend in tax-related identity theft, and it’s a sign that tax professionals must take stronger measures to safeguard their clients and their business.

Thieves search for client data so they can create a fraudulent tax return that looks legitimate and might bypass IRS filters. They also impersonate tax professionals, using stolen Electronic Filing Identification Numbers (EFINS), Preparer Tax Identification Numbers (PTINs) and Centralized Authorization File (CAF) numbers. 

The Gramm-Leach-Bliley Act of 1999 requires all financial institutions, which it also defines as professional tax preparers, to create and maintain information security plans. The Federal Trade Commission, not the IRS, administers this law and created a Safeguards Rule to administer it. Information about the FTC requirements can be found in IRS Publication 4557PDF, Safeguarding Taxpayer Data. The IRS also created a new Publication 5293PDF, Data Security Resources Guide for Tax Professionals, which compiles numerous resources from 

The Security Summit urges tax professionals to seek out cyber experts for assistance with security but at a minimum, they should take certain safeguards.

Take basic security steps

  • Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider or cloud storage provider. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates initial contact with a tax pro via email.
  • Create a data security plan using IRS Publication 4557PDF, Safeguarding Taxpayer Data, and Small Business Information Security – The FundamentalsPDF, by the National Institute of Standards and Technology.
  • Review internal controls:  
    • Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
    • Create passwords of at least eight characters; longer is better. Use different passwords for each account, use special and alphanumeric characters, use phrases, password protect wireless devices and consider a password manager program.
    • Encrypt all sensitive files/emails and use strong password protections.
    • Back up sensitive data to a safe and secure external source not connected fulltime to a network.
    • Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
    • Limit access to taxpayer data to individuals who need to know.
    • Check IRS e-Services account weekly for number of returns filed with EFIN.
  • Report any data theft or data loss to the appropriate IRS Stakeholder Liaison
  • Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alerts, and Social Media.

For the 2019 filing season, many tax software vendors will offer two-factor or even three-factor authentication protections for software access. Tax professionals should opt for multi-factor authentication protections whenever it is available. Multi-factor authentication helps prevent cybercriminals from accessing accounts, even if they steal passwords.

Watch for signs of data theft

Tax professionals or their firms may be victims and not even know it. Here are some common clues to data theft:

  • Client e-filed returns begin to reject because returns with their Social Security numbers were already filed;
  • Clients who haven’t filed tax returns begin to receive authentication letters (5071C, 4883C, 5747C) from the IRS;
  • Clients who haven’t filed tax returns receive refunds; 
  • Clients receive tax transcripts that they did not request;
  • Clients who created an IRS online services account receive an IRS notice that their account was accessed or IRS emails stating their account has been disabled or, clients receive an IRS notice that an IRS online account was created in their names;
  • The number of returns filed with tax practitioner’s Electronic Filing Identification Number (EFIN) exceeds number of clients;
  • Tax professionals or clients responding to emails that practitioner did not send;
  • Network computers running slower than normal;
  • Computer cursors moving or changing numbers without touching the keyboard;
  • Network computers locking out tax practitioners.

Data loss reporting

  • Tax professionals who suffer a data theft or loss can assist their clients by immediately reporting the loss to the Internal Revenue Service. The IRS can take steps to either prevent tax-related identity theft or assist taxpayers to recover faster from tax-related identity theft. More information available at Data Theft Information for Tax Professionals.
  • Report client data theft to local stakeholder liaisons. Liaisons will notify IRS Criminal Investigation and others within the agency. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names and will assist in the process.

Additional resources: