IRS makes summertime push for tax pro cybersecurity
The Internal Revenue Service and its partners in the Security Summit, which include state tax agencies and the private sector tax industry, have started a summertime awareness campaign to encourage tax professionals to secure their client data, with a newly expanded guide.
To mark the start of the summer awareness campaign, the IRS has revised Publication 4557, Safeguarding Taxpayer Data, to better reflect the latest threats to tax professionals. The guide spells out the basic steps tax pros should take, along with how to take them, and offers details on how to comply with requirements for a data security plan. The IRS has also created a new document, Publication 5293, Data Security Resource Guide for Tax Professionals, which includes a compilation of IRS.gov resources for tax preparers.
Cybersecurity has become a major issue for tax preparers, as cybercriminals have increasingly targeted tax professionals’ computer systems in an effort to get their clients’ data and use it for tax fraud and identity theft. As the IRS has beefed up its defenses to safeguard against fraudulent tax filings by using multifactor authentication, cyberthieves have targeted tax pros to assemble the pieces of information they need about potential victims.
The IRS pointed to continued security threats to the tax and financial data held by tax professionals. It noted that data thefts at tax practitioners’ offices are continuing to rise and leading to fraudulent tax returns that can be especially difficult for the IRS and states to detect.
“The IRS and the Security Summit partners urge all tax professionals to take stronger security steps to protect themselves and their clients,” said Acting IRS Commissioner David Kautter in a statement Tuesday. “With the help of the Summit partnership, the IRS has made major progress protecting taxpayers in the battle against tax-related identity theft. But the threat remains, and we need the help of tax professionals to take basic steps to safeguard their systems and taxpayer data.”
The Security Summit awareness campaign aims to provide tax pros with the basic information they need to better protect taxpayer data and prevent the filing of false tax returns. The first in a series is called "Protect Your Clients; Protect Yourself: Tax Security 101."
This series builds on and expands on earlier Security Summit awareness campaigns for tax pros and taxpayers. The campaign follows recommendations made by the Electronic Tax Administration Advisory Committee in June, which said tax professionals “are at increasing risk” of security vulnerability.
While the Security Summit is making progress in battling tax-related identity theft, cybercriminals’ efforts are continuing to evolve, and data thefts at tax pros’ offices are on the rise. Cyberthieves use stolen taxpayer data to create fraudulent returns that are more difficult to detect. The identity thieves are technically sophisticated, helped by well-funded and tax-savvy criminal syndicates based in the U.S. and overseas.
Earlier this year a sophisticated cybercriminal gang breached numerous practitioner offices by getting remote control access of their computers and stealing taxpayers’ 2016 tax information. The identity thieves used the information to file 2017 tax returns using the taxpayers’ actual data, including their bank accounts for direct deposit.
The thieves then called the taxpayers, attempting to fool them into returning the fraudulent refunds. In some cases, the thieves had stolen so much information, they could access the clients’ bank accounts online and steal the fraudulent refunds. In many cases, the tax professionals never even knew their client data was stolen.
Tax professionals can help stop the common tactics used by cybercriminals, but even with the most robust security measures, the key is to be trained and alert to potential risks and threats.
The IRS is also reminding tax pros that the Financial Services Modernization Act of 1999, also known as Gramm-Leach-Bliley Act, requires certain financial entities – including professional tax return preparers – to create and maintain a security plan for the protection of client data. The Federal Trade Commission administers this law and its “Safeguards Rule” regulations.
• Learn to recognize phishing emails, especially those pretending to come from the IRS, a tax software company, cloud storage provider or state tax agencies. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates initial contact with a tax professional via email.
• Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
• Review internal controls, such as installing anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update. Create passwords of at least eight characters, although longer is better. Use different passwords for each account, including special and alphanumeric characters and phrases. Password-protect wireless devices and consider a password manager program.
Encrypt all sensitive files and email messages and use strong password protections. Back up sensitive data to a safe and secure external source not connected full-time to a network. Wipe clean or destroy old computer hard drives and printers that contain sensitive data. Limit access to taxpayer data to only those employees who need to know it. And check the firm’s IRS e-Services account weekly for number of returns filed with EFIN. Report any data theft or data loss to the appropriate IRS Stakeholder Liaison. Also stay connected to the IRS through subscriptions to e-News for Tax Professionals newsletters, Quick Alerts and IRS social media.
Tuesday also marks the beginning of the 2018 IRS Nationwide Tax Forums, where data security will be featured prominently at all five forums, including a workshop by cyber experts.
The IRS is urging tax practitioners to attend the sessions. There’s still time to sign up for a Tax Forum. The Protect Your Clients, Protect Yourself: Tax Security 101 campaign will run for 10 weeks through September. A free data security webinar will be available at the end of it for all tax professionals in the fall.