Tax Security 101 – IRS, Security Summit partners launch new awareness campaign; Urge tax professionals to step up protections for client data

Notice: Historical Content

This is an archival or historical document and may not reflect current law, policies or procedures.

IR-2018-147, July 10, 2018

WASHINGTON — The Internal Revenue Service and its Security Summit partners today kicked off a summertime security awareness campaign for tax professionals with a new, expanded guide providing critical steps to protect client data and highlighting available resources.

The new effort by the IRS, state tax agencies and the nation's private-sector tax industry follows continued security threats to tax and financial data held by tax professionals. Data thefts at tax practitioners’ offices continue to rise and result in fraudulent tax returns that can be especially difficult for the IRS and states to detect.

"The IRS and the Security Summit partners urge all tax professionals to take stronger security steps to protect themselves and their clients," said Acting IRS Commissioner David Kautter. "With the help of the Summit partnership, the IRS has made major progress protecting taxpayers in the battle against tax-related identity theft. But the threat remains, and we need the help of tax professionals to take basic steps to safeguard their systems and taxpayer data."

This marks the first in a series called "Protect Your Clients; Protect Yourself: Tax Security 101." The Security Summit awareness campaign is intended to provide tax professionals with the basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns.

This series builds on and expands on earlier Summit awareness campaigns aimed at tax professionals and taxpayers. In addition, this campaign follows recommendations made by the Electronic Tax Administration Advisory Committee (ETAAC) in June, which noted tax professionals “are at increasing risk” of security vulnerability.

Although the Security Summit effort is making progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices are on the rise. Thieves use stolen taxpayer data to create fraudulent returns that are harder to detect. Identity thieves are technically sophisticated, helped by well-funded and tax-savvy criminal syndicates based here and abroad.

To mark the start of this awareness campaign, the IRS revised Publication 4557, Safeguarding Taxpayer DataPDF, to better reflect the current threats to tax professionals. The guide outlines basic steps tax professionals should take, how to take them and provides details on how to comply with requirements for a data security plan. The IRS also created a new product, Publication 5293, Data Security Resource Guide for Tax ProfessionalsPDF, which highlights a compilation of resources for tax preparers.

The IRS reminds professional tax preparers that the Financial Services Modernization Act of 1999, also known as Gramm-Leach-Bliley Act, requires certain financial entities – including professional tax return preparers – to create and maintain a security plan for the protection of client data. The Federal Trade Commission administers this law and its “Safeguards Rule” regulations.

Both Publication 4557PDF and Publication 5293PDF promote the basic security steps endorsed by the Security Summit partners for tax professionals. These include:

  • Learn to recognize phishing emails, especially those pretending to be from the IRS, a tax software provider, cloud storage provider or state tax agencies. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates initial contact with a tax professional via email.
  • Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer DataPDF, and Small Business Information Security – The FundamentalsPDF, by the National Institute of Standards and Technology.
  • Review internal controls for their business: 
    • Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
    • Create passwords of at least eight characters; longer is better. Use different passwords for each account, use special and alphanumeric characters, use phrases, password protect wireless devices and consider a password manager program.
    • Encrypt all sensitive files/emails and use strong password protections.
    • Back up sensitive data to a safe and secure external source not connected fulltime to a network.
    • Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
    • Limit access to taxpayer data to individuals who need to know.
    • Check IRS e-Services account weekly for number of returns filed with EFIN.
  • Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
  • Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alerts and Social Media.

The importance of these basic steps was highlighted yet again this year when a sophisticated cybercriminal gang breached numerous practitioner offices by gaining remote control access of computers and stealing taxpayers’ 2016 tax information. The thieves used that information to file 2017 tax returns using all the taxpayer real data, including their bank accounts for direct deposit.

The thieves then called the taxpayers, trying to trick them into returning the fraudulent refunds. In some cases, the thieves had stolen so much information, they could access the clients’ bank accounts online and steal the fraudulent refunds. In many cases, the tax professionals never even knew their client data was stolen.

By taking the steps outlined here and in Publication 4557PDF, tax professionals can help prevent the common tactics used by cybercriminals. But even with the strongest security measures, the key to good security is an individual trained and alert to potential risks and threats.

Today also marks the start of the 2018 IRS Nationwide Tax Forums. Data security will be featured prominently at all five Tax Forums, including a workshop by cyber experts.

Practitioners are urged to attend these sessions, and there’s still time to sign up for a Tax Forum. The Protect Your Clients, Protect Yourself: Tax Security 101 campaign will run for 10 weeks, through September. The campaign will be capped off by a free data security webinar for all tax professionals in the fall. 

Additional resources: