Day at the breach: Counseling clients on data theft
Preparers can remind clients that the Internal Revenue Service never initiates contact with a taxpayer by email, that they should never click on unfamiliar links in an email, and that hackers have even recently been able to turn Alexa and Echo devices into eavesdropping microphones. What else can preparers do to stem the tidal wave of rampant data breaches?
“I took a proactive step on Equifax and advised my clients to review their credit and bank statements diligently, sign up for Credit Karma, review their credit card benefits and pay attention to their FICO scores and place a freeze on their credit information, especially if they are not going to be applying in the near future,” said Morris Armstrong, an Enrolled Agent and registered investment advisor with Armstrong Financial Strategies in Cheshire, Conn.
“Then I pointed out that the danger is not that someone is going to charge a new TV on your credit card,” he added. “The danger is that someone will impersonate you and take out loans or file a tax return under your name. Obviously, the latter does not receive any protection from your proactive steps.”
“Since this is not the first data breach for many clients – Target is a big one that comes to mind – many of my clients are asking for confirmation that they’re doing the right thing to protect themselves, more than asking for advice,” said Kerry Freeman, an EA with Freeman Income Tax Service in Anthem, Ariz. “Many are telling me of freezing accounts and taking advantage of monitoring programs being offered by the credit companies.”
Late last fall the IRS transitioned most of its e-Services user applications to a new platform involving authentication technology. The agency also faced a flap earlier in 2017 after news that it inked – then suspended – a contract with credit bureau Equifax for identity verification. Equifax recently suffered a headline breach that put the personal and financial information of more than 140 million people at risk.
The IRS has also faced problems in recent years from data breaches in some of its e-Services, such as the Get Transcript and Identification Protection PIN apps, allowing cybercriminals to access taxpayer information and file fraudulent tax returns.
Some of the agency’s cybersecurity advice also isn’t always practical. “The news is saying that people should file early. While it’s good advice, if taxpayers have investments, it’s not practical,” said Laurie Ziegler, an EA at Sass Accounting in Saukville, Wis. “I know this will sound self-serving, but it’s best for taxpayers to go to a tax professional. If the return is rejected, a professional will know how to help them get through it.”
If giant agencies and companies are at risk, what can the average prep practice and its clients do?
Terry Bakker, an EA in Vancouver, Wash., is advising clients to go online with Social Security and set up a MySSA account and to set up an account with IRS. “Get your annual free credit report and look for any discrepancies,” she said. “After that, place credit freezes on all three credit reporting agencies. The credit freezes will lock your accounts and make it almost impossible for anyone to open credit in your name. It also protects your credit reports from unauthorized releases – right now, consumers have no protection against the bureaus releasing their information.”
“Once that is done,” she added, “place credit freezes for all minor children and encourage elderly parents to place freezes, also. Children under age 18, the disabled, and the elderly are the most likely to have their identities stolen.”
“Check to see if you have indeed been compromised by logging into the website provided by Equifax. Change passwords for all online accounts, and close all dormant financial-related accounts,” particularly accounts for such retailers as department and clothing stores, said John Dundon, an EA and president of Taxpayer Advocacy Services in Englewood, Colo. He also recommends that clients establish a Get Transcript account with the IRS to monitor activity, and that they resist taking online polls or social media polls, as these have proven to be scammers fishing for passwords.
“We continually communicate with our clients about cyber issues including discussing protection against emerging threats like WannaCry and NotPetya, developing a practical cybersecurity program and how to respond in the event of a breach,” said IT service manager Tom Hasard of CPA firm Wilkin & Guttenplan in Martinsville, N.J.
“As evident from the last few months, it’s dangerous for anyone to consider themselves safe from cyber-attack,” he said. “Identifying where your sensitive data lives, identifying risk and enhancing protection should be an ongoing process for organizations of all sizes. Even with a cybersecurity program in place, preparing for a breach before it happens is a critical step.”
Hasard recommends three protective steps firms can take for little or no cost.
- Use a password manager to help create unique and strong passwords for every online account. That way, if one website you use is breached, the attacker doesn’t gain access to your accounts on other sites.
- Ensure that no financial transaction is authorized by email alone, to prevent fraudulent wire requests.
- Make sure all of your technology is up to date with security updates, preferably using a tool to help ensure their prompt deployment. (Many recent attacks, including the Equifax breach, could have been avoided by installing software updates as they were released, he claimed.)