National Tax Security Awareness Week, Day 5: Security Summit alerts tax professionals to potential telework scams during COVID-19, urges all practitioners to use multi-factor authentication

Notice: Historical Content

This is an archival or historical document and may not reflect current law, policies or procedures.

IR-2020-271, December 4, 2020

WASHINGTON — The IRS, state tax agencies and the tax industry marked the final day of National Tax Security Awareness Week with a warning to all tax professionals that they face additional challenges from cybercriminals seeking to exploit COVID-19 fears.

The partners, working together as the Security Summit, today closed a week-long effort to heighten awareness about identity theft and data security measures among taxpayers, businesses and tax practitioners. This was the fifth annual National Tax Security Awareness Week.

"When the Security Summit formed five years ago to fight identity thieves it was clear that the IRS, the state and industry could not be successful without the help of taxpayers and tax professionals. Everyone has a role to play in protecting sensitive financial data," said IRS Commissioner Chuck Rettig. "We've made tremendous progress in the past five years, but we still have work to do. The coronavirus and the increase in teleworking creates new ways for these sophisticated cybercriminals to scam people out of their money or their sensitive tax and financial information."

As the IRS and Security Summit partners took important steps to strengthen defenses against cybercriminals, identity thieves increasingly turned to tax professionals, targeting their offices and systems. Data thefts from tax professionals can provide valuable information to thieves trying to file fraudulent tax returns.

The Summit partners remind all tax professionals to review their security measures. IRS Publication 4557, Safeguarding Taxpayer Data, provides practitioners with a starting point for basic steps to protect clients.

The Security Summit also created the "Taxes-Security-Together" Checklist to help tax practitioners identify the basic steps they should take. As more tax preparers work from home or remote locations because of COVID-19, these measures are even more critical for securing tax data.

Basic protections - the "Security Six" measures

These easy steps can make a big difference, both for tax pros and taxpayers:

  • Use anti-virus software and set it for automatic updates to keep your systems secure. This includes all digital products, computers and mobile phones.
  • Use firewalls. Firewalls help shield computers from outside attacks but cannot protect systems in cases where users accidentally download malware, for example, from phishing email scams.
  • Use multi-factor authentication to protect all online accounts, especially tax products, cloud software providers, email providers and social media.
  • Back up sensitive files, especially client data, to secure external sources, such as an external hard drive or cloud storage.
  • Encrypt data. Tax professionals should consider drive encryption products for full-drive encryption. This will encrypt all data.
  • Use a Virtual Private Network (VPN) product. As more practitioners work remotely during the pandemic, a VPN is critical for secure connections.

Use multi-factor authentication to protect tax accounts

In 2021, all online tax preparation products for tax professionals will include an option for using multi-factor authentication. The Security Summit urges all tax professionals to use this option. Multi-factor authentication may not be available on all over-the-counter, hard-disk products.

Of the numerous data thefts reported to the IRS from tax professional offices this year, most could have been avoided had the practitioner used multi-factor authentication to protect tax software accounts.

Practitioners can download readily available authentication apps to their mobile phones through Google Play or the Apple Store. These apps will generate a security code. Codes also may be sent to a practitioner's email or by text, but the IRS notes those are not as secure as the authentication apps. Use a search engine for "Authentication apps" to learn more.

Virtual private networks to protect remote sites

A VPN provides a secure, encrypted tunnel to transmit data between a remote user via the Internet and the company network. As teleworking or working from home continues during COVID-19, VPNs are critical to protecting and securing internet connections.

Failing to use a VPN increases the risk of remote takeovers by cyberthieves, giving criminals access to the tax professional's entire office network simply by accessing an employee's remote internet connection.

Tax professionals should seek out cybersecurity experts whenever possible. Practitioners can also search for "Best VPNs" to find a legitimate vendor; major technology sites often provide lists of top services. Remember, never click on a "pop-up" ad that's marketing a security product. Those generally are scams.

Phishing scams, including COVID-19 and Economic Impact Payments

Phishing emails generally have an urgent message, such as "your account password expired." They direct you to an official-looking link or attachment. But the link may take you to a fake site made to appear like a trusted source, where it requests your username and password. Or, the attachment may contain malware, which secretly downloads software that tracks keystrokes and allows thieves to eventually steal all the tax pro's passwords.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning to all organizations to educate employees, especially those teleworking, about increased activity related to phishing scams.

The IRS often sees thieves posing as potential clients, trying to trick tax pros into opening an embedded link or attachment. Scams involving COVID-19 and the Economic Impact Payments also have been prevalent.

Protect yourself: The need for a security plan and data theft plan

The IRS and Security Summit partners remind tax professionals that federal law requires them to have a written information security plan. Federal law gives the Federal Trade Commission enforcement authority over this provision. Practitioners can learn more about the FTC's "Safeguards Rule" from IRS Publication 4557.

In addition to the required information security plan, tax pros also should consider an emergency response plan should they experience a breach and data theft. This time-saving step should include contact information for the IRS Stakeholder Liaisons who are the first point of contact for data theft reporting to the IRS and to the states.

IRS Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on, including the reporting processes.

The IRS, state tax agencies, the private sector tax industry, including tax professionals, work in partnership as the Security Summit to help protect taxpayers from identity theft and refund fraud. This is the last of a week-long series of tips to raise awareness about identity theft. See for more details.