IR-2018-177, Sept. 4, 2018
WASHINGTON — The Internal Revenue Service, state tax agencies and the tax industry today called on tax professionals to be alert to the subtle signs of data theft, noting continuing cases where practitioners are victims of theft and don’t even know it.
Cybercriminals often leave few signs of their burglary until the fraudulent tax returns are filed and clients are harmed. This is one more reason tax professionals should use strong security protections to prevent data theft from occurring.
This is the ninth in a series called “Protect Your Clients; Protect Yourself: Tax Security 101.” The Security Summit awareness campaign is intended to provide tax professionals with the basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns.
Although the Security Summit is making progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices are on the rise. Thieves use stolen data from tax practitioners to create fraudulent returns that are harder to detect.
The IRS and Summit partners have created a list of warning signs that an office may have experienced a data theft:
- Client e-filed returns begin to be rejected because returns with their Social Security numbers were already filed;
- Clients who haven’t filed tax returns begin to receive taxpayer authentication letters (5071C, 4883C, 5747C) from the IRS;
- Clients who haven’t filed tax returns receive refunds;
- Clients receive tax transcripts that they did not request;
- Clients who created an IRS online services account receive an IRS notice that their account was accessed or IRS emails stating their account has been disabled. Or clients unexpectedly receive an IRS notice that an IRS online account was created in their names;
- The number of returns filed with the tax professional’s Electronic Filing Identification Number (EFIN) exceeds the number of clients;
- Tax professionals or clients responding to emails that the firm did not send;
- Network computers running slower than normal;
- Computer cursors moving or changing numbers without touching the keyboard;
- Network computers locking out employees.
Because IRS systems will accept only one return for each unique Social Security number, taxpayers often discover they are victims when they attempt to e-file and their tax return is rejected because a return with their SSN is already in the system. Or, more commonly, the IRS identifies a return that could be an identity theft return and sends a letter to the taxpayer asking them to contact the agency to let the IRS know if they filed the return.
Earlier this year, tax-savvy cybercriminals stole taxpayer data from a series of tax professionals nationwide, immediately filing fraudulent returns before the tax professionals were aware of the robbery. The crimes were first reported to the IRS by taxpayers who unexpectedly received refunds in their bank accounts. The crooks, posing as IRS contractors, tried calling the taxpayers to get them to forward the fraudulent refund to their accounts.
Identity thieves sometimes try to leverage the stolen data by using taxpayer information to access the Get Transcript system. Taxpayers who receive transcripts by mail but did not order them are sometimes victims of this approach. Get Transcript Online is protected by a robust, two-factor authentication process. But crooks may still use stolen identities to try to create Get Transcript accounts, which results in the IRS disabling the account and sending the taxpayer a letter.
During the tax filing season, tax practitioners should make a weekly review of returns filed with the office’s Electronic Filing Identification Number or EFIN. A report is updated weekly. Tax preparers can access their e-File applications and select “check EFIN status” to see a count. If the numbers are inflated, practitioners should contact the e-Help Desk. Tax professionals may also notice IRS acknowledgements for returns they did not e-file. Acknowledgements are sent soon after a return is transmitted.
Tax professionals who fall victim to spear phishing email scams, a common way cybercriminals access office computers, may suddenly see responses to emails they never sent. If a practitioner mistakenly provides username and password information to the thief, the thief often harvests the practitioner’s contact list, stealing names and email addresses of colleagues and clients and enabling the crooks to expand their spear phishing scam.
Always be alert to phishing scams, even if the emails appear to come from a colleague or client. If the language sounds a bit off or if the request seems unusual, contact the “sender” by phone to verify rather than opening a link or attachment.
Finally, there are several signs that office computer systems may be under attack or may be under remote control, such as the cursor moving with no one there. The IRS is aware of many examples in which cybercriminals gained access to practitioners’ office computers, completed the pending Form 1040s, changed electronic deposit information to their own accounts and then e-filed the returns – all performed remotely.
Tax professionals who notice any signs of identity theft should contact their state’s IRS Stakeholder Liaison immediately. The process for reporting data theft to the IRS is outlined in Data Theft Information for Tax Professionals.
In some states, data thefts must be reported to various authorities. To help tax professionals find where to report data security incidents at the state level, the Federation of Tax Administrators has created a special page with state-by-state listings. To notify the IRS in case of data theft, contact local Stakeholder Liaisons.
The Security Summit reminds all professional tax preparers to have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. They can also get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.
Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. Also, tax pros should stay connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts and Social Media.
To improve data security awareness by all tax professionals, the IRS will host a webinar on Sept. 26, 2018. The focus will be on the same topics as this series: “Protect Your Clients; Protect Yourself: Tax Security 101.” Although tax preparers will be eligible for one CPE credit, the IRS invites others working on tax issues to attend. Protecting taxpayer information takes everyone working together.