IR-2022-209, November 30, 2022 WASHINGTON — With tax season quickly approaching, the Internal Revenue Service and the Security Summit partners today urged tax professionals to remain focused on security issues and to review resources available to them, including sample security plans and checklists. During National Tax Security Awareness Week, now in its seventh year, the Security Summit partnership of the IRS, state tax agencies and the tax software and tax professional communities work to highlight data security and provide scam prevention tips. Part of the Summit's effort continues to be focusing tax professionals, including smaller practices, on ways to protect themselves and safeguard client information. Day three of this special week focuses on several important aspects for the tax community to keep in mind. "Taxpayer information can be a gold mine for identity thieves. As the Security Summit partners strengthened our internal defenses in recent years, we've seen identity thieves shift their focus onto the tax professional community and their client information," said IRS Acting Commissioner Doug O'Donnell. "Specific taxpayer information can help a scammer prepare a more authentic looking tax return, so tax professionals maintaining strong security is a critical line of defense for themselves, their clients and the nation's tax system." Written Information Security Plan (WISP) The IRS and Security Summit partners remind tax professionals that federal law requires them to have a written information security plan. Earlier this year, members of the Summit's tax professional team developed a special document that allows practitioners to quickly develop their own written security plans. This sample document, a Written Information Security Plan (WISP)PDF, can be scaled for a company's size, scope of activities, complexity and customer data sensitivity. There's not a one-size-fits-all WISP. For example, a sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm, which is reflected in the sample WISP from the Security Summit group. There are many aspects to running a successful business in the tax preparation industry, including reviewing tax law changes, learning software updates and managing and training staff. But an often overlooked but critical component is creating a WISP. "There's no way around it for anyone running a tax business. Having a written security plan is a sound business practice – and it's required by law," said Jared Ballew of Drake Software, co-lead for the Summit tax professional team and chair of the Electronic Tax Administration Advisory Committee (ETAAC). "The sample provides a starting point for developing your plan, addresses risk considerations for inclusion in an effective plan and provides a blueprint of applicable actions in the event of a security incident, data losses and theft." Security issues for a tax professional can be daunting. The Summit team worked to make this document as easy to use as possible, including special sections to help tax professionals get to the information they need. Here are a few WISP considerations for tax pros: Save the WISP in a format others can easily access and read, such as a PDF or Word document. Make the WISP available to all employees for training purposes. Store a copy offsite or in the cloud in the event of an incident or natural disaster. Taxes-Security-Together Checklist Unfortunately, tax practitioners remain high-value targets of cybercriminals seeking to steal sensitive tax information. With this in mind, the Security Summit created the "Taxes-Security-Together" Checklist to help tax professionals identify basic cybersecurity measures to implement. These six easy steps can make a big difference in protecting information, both for tax pros and taxpayers: Use anti-virus software and set it for automatic updates to keep systems secure. This includes all digital products, computers and mobile phones. Use firewalls. Firewalls help shield computers from outside attacks but cannot protect systems in cases where users accidentally download malware, for example, from phishing email scams. Use multi-factor authentication to protect all online accounts, especially tax products, cloud software providers, email providers and social media. Back up sensitive files, especially client data, to secure external sources, such as external hard drive or cloud storage. Encrypt data. Tax professionals should consider drive encryption products for full-drive encryption. This will encrypt all data. Use a Virtual Private Network (VPN) product. As more practitioners work remotely during the pandemic, a VPN is critical for secure connections. For more information on how to protect client information, tax professionals should look to Publication 4557, Safeguarding Taxpayer DataPDF. Phishing scams, malware and ransomware present risks For both tax professionals and taxpayers, phishing emails generally have an urgent message and try to direct users to an official-looking link or attachment. But the link instead may take users to a fake site made to appear like a trusted source where it requests a username and password. The attachment may also contain malware, which secretly downloads software that tracks keystrokes and allows thieves to eventually steal all the tax professional's passwords. Some thieves also pose as potential clients and may interact repeatedly with a tax professional and then send an email with an attachment that claims to include their tax information. The attachment may contain malware that allows the thief to track keystrokes and eventually steal all passwords or take over control of the computer systems. The IRS warns tax pros not to take any of the steps demanded in these types of email, and to delete the email. Recipients of these IRS-related scams can report them to firstname.lastname@example.org. Sometimes, phishing scams are ransomware schemes in which the thief gains control of the tax professional's computer systems and holds the data hostage until a ransom is paid. The Federal Bureau of Investigation (FBI) has warned against paying a ransom because thieves often leave the data encrypted. Security plan requirement and recommended data theft plan In addition to the required information security plan, tax pros also should consider an emergency response plan should they experience a breach and data theft. This time-saving step should include contact information for the IRS Stakeholder Liaisons, who are the first point of contact for tax professional data theft reporting to the IRS and to the states. IRS Publication 5293, Data Security Resource Guide for Tax ProfessionalsPDF, provides a compilation of data theft information available on IRS.gov, including the reporting processes. In addition to reviewing IRS Publication 4557, Safeguarding Taxpayer DataPDF, tax professionals can also get help with security recommendations by reviewing Small Business Information Security: The FundamentalsPDF by the National Institute of Standards and Technology. The IRS Identity Theft Central pages for tax pros, individuals and businesses have important details as well. Employers can share Publication 4524, Security Awareness for TaxpayersPDF, with their employees and customers and tax professionals can share with clients. For more details on National Tax Security Awareness Week, visit IRS.gov/securitysummit.