IR-2018-150, July 17, 2018 WASHINGTON – The Internal Revenue Service and the Security Summit partners outlined critical steps for tax professionals to protect their computers and email as well as safeguarding sensitive taxpayer data. The “Security Six” protections fall into several major security categories. The Security Summit partnership urges tax professionals across the nation to avoiding overlooking these basic security details as identity thieves increasingly target practitioners in search of valuable taxpayer data. There is a dizzying array of cyber threats that confront tax professionals and many others. It’s not easy to keep up with all the viruses, worms, Trojan horses, bots – or even the terminology. That’s why it’s essential that all tax professionals deploy strong security software that will do the job for you. The Internal Revenue Service, state tax agencies and the private-sector tax industry – known as the Security Summit partners – today are trying to help tax professionals decipher the confusing world of security software that is key to safeguarding taxpayer data stored on practitioner’s computer networks. This is the second in a series called “Protect Your Clients; Protect Yourself: Tax Security 101.” The Security Summit awareness campaign is intended to provide tax professionals with the basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns. Although the Security Summit is making progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices is on the rise. Thieves use stolen data from tax practitioners to create fraudulent returns that are harder to detect. Here are the “Security Six,” the must-have areas to secure taxpayer data on computers. All tax professionals, whether part of a large firm or a one-person shop, must enact security safeguards. Many of these steps are a good idea not just for tax professionals but for any taxpayer or small business: Antivirus software Although details may vary between packages, anti-virus software scans files or computer’s memory for certain patterns that may indicate the presence of malicious software (i.e., malware). Anti-virus software (sometimes more broadly referred to as anti-malware software) looks for patterns based on the signatures or definitions of known malware. Anti-virus vendors find new and updated malware daily, so it is important that users have the latest updates installed on their computer, according to the U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security. Once users have installed an anti-virus package, they should scan their entire computer periodically: Automatic scans – Most anti-virus software can be configured to automatically scan specific files or directories in real time and prompt users at set intervals to perform complete scans. Manual scans – If the anti-virus software does not automatically scan new files, users should manually scan files and media received from an outside source before opening them. This process includes: Saving and scanning email attachments or web downloads rather than opening them directly from the source. Scanning portable media, including CDs and DVDs, for malware before opening files. Sometimes the software will produce a dialog box with an alert that it has found malware and ask whether users want it to “clean” the file (to remove the malware). In other cases, the software may attempt to remove the malware without asking first. When selecting an anti-virus package, learn about its features so you know what to expect. Keep security software set to automatically receive the latest updates so that it is always current. A reminder about spyware: Strong security software should protect against spyware. But remember, never click links within pop-up windows, never download “free” software from a pop-up, never follow email links that offer anti-spyware software. The links and pop-ups may be installing the spyware they claim to be eliminating. A reminder about phishing: A strong security package also should contain anti-phishing capabilities, but an email provider and browser provider also should include anti-phishing protections. Never open an email from a suspicious source, click on a link in a suspicious email or open an attachment – or else you could be a victim of a phishing attack. Firewalls Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary network traffic and preventing malicious software from accessing the network. Firewalls can be configured to block data from certain locations or applications while allowing relevant and necessary data through, according to US-CERT. Firewalls may be broadly categorized as hardware or software. While both have their advantages and disadvantages, the decision to use a firewall is far more important than deciding which type you use. Hardware – Typically called network firewalls, these external devices are positioned between a computer and the internet (or other network connection). Many vendors and some internet service providers (ISPs) offer integrated small office / home office (SOHO) routers that also include firewall features. Hardware-based firewalls are particularly useful for protecting multiple computers and control the network activity that attempts to pass through them. The advantage of hardware-based firewalls is that they are separate devices running their own operating systems, so they provide an additional line of defense against attacks when compared to system or host-level protections. Software – Most operating systems include a built-in firewall feature that should be enabled for added protection even if using an external firewall. Firewall software can also be obtained as separate software from a local computer store, software vendor or ISP. If downloading firewall software from the internet, make sure it is from a reputable source (i.e., an established software vendor or service provider) and offered via a secure site. While properly configured firewalls may be effective at blocking some attacks, don’t be lulled into a false sense of security. Firewalls do not guarantee that a computer will not be attacked. Firewalls primarily help protect against malicious traffic, not against malicious programs (malware), and may not protect the device if the user accidentally installs malware. However, using a firewall in conjunction with other protective measures (such as anti-virus software and safe computing practices) will strengthen resistance to attacks. The Security Summit reminds tax pros that anti-virus software and firewalls cannot protect data if computer users fall for email phishing scams and divulge sensitive data, such as usernames and passwords. The user, not the software, is the first-line of defense in protecting taxpayer data. Two-factor authentication Many email providers now offer customers two-factor authentication protections to access email accounts. Tax professionals should always use this option to prevent their accounts from being taken over by cybercriminals and putting their clients and colleagues at risk. Two-factor authentication helps by adding an extra layer of protection. Often two-factor authentication means the returning user must enter credentials (username and password) plus another step such as entering a security code sent via text to a mobile phone. The idea is a thief may be able to steal the username and password but it’s highly unlikely they also would have a user’s mobile phone to receive a security code and complete the process. The use of two-factor authentication and even three-factor authentication is on the rise, and tax preparers should always opt for a multi-factor authentication protection when it is offered, whether on an email account or tax software account or any password-protected product. IRS Secure Access, which protects IRS.gov tools including e-Services, is an example of two-factor authentication. Check email account settings to see if the email provider offers two-factor protections. Backup software/services Critical files on computers should routinely be backed up to external sources. This means a copy of the file is made and stored either online as part of a cloud storage service or similar product. Or, a copy of the file is made to an external disk, such as an external hard drive that now comes with multiple terabytes of storage capacity. Tax professionals should ensure that taxpayer data that is backed up also is encrypted. Drive encryption Given the sensitive client data maintained on tax practitioners’ computers, users should consider drive encryption software for full-disk encryption. Drive encryption, or disk encryption, transforms data on the computer into unreadable files for the unauthorized person accessing the computer. Drive encryption may come as a stand-alone security software product. It may also include encryption for removable media, such as a thumb drive and its data. Data security plan The Security Summit also reminds tax professionals of several other important steps. All professional tax return preparers must have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. Tax professionals also can get help with security recommendations and creating a data security plan by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer DataPDF, and Small Business Information Security: the FundamentalsPDF by the National Institute of Standards and Technology.Publication 5293, Data Security Resource Guide for Tax Professionals PDF, provides a compilation data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts and Social Media.