The most wonderful time of the year — for hackers
The period between February 1 and April 15 is truly remarkable. Not only do we see the seasonal transformation from winter to spring, but we also get to witness the mass anxiety and panic that comes from the payment of the annual tax bill. No one knows better than the tax preparer, who works the longest hours under the tightest deadlines to make sure his or her clients come out clean — and hopefully with a little bit left over.
And generally there is a collective sigh of relief come mid-April when we all get to kick the can down the road for another year.
But there is an increasingly grim reality that might end up making this time of year an unforgettable nightmare for both tax preparers and their clients: This is the time of year when we all seem to collectively forget that email is not a secure way to share information.
Talk to almost any tax preparer and they’ll blame their clients who want convenience. Talk to their clients and they’ll say they didn’t know the risks. Regardless of who is to blame, literally tens of millions of Americans will send pay stubs, tax documents, Social Security numbers, bank account information, health records and a lot more incredibly important and sensitive information back and forth over email between now and the tax deadline.
The trend that matters here is that hackers have begun shifting their crosshairs away from large corporations and toward small businesses and individuals. Hacking into email accounts is mostly automated now — a simple script can launch a personalized phishing attack to thousands of email accounts. And the information found in those tax-time emails is some of the most valuable information you can sell on the dark web.
Most of us know we shouldn’t be sending this kind of information in an email. Most obviously, Google isn’t one bit shy about telling its Gmail customers that it reads every single email they send in order to learn more about their wants and needs so it can improve its ability to show relevant ads.
But more importantly, email was never meant to be secure. Security was an afterthought and is still, frankly, a total disaster. Any system that allows any sender to send to any recipient makes encryption practically impossible, because it is very difficult to manage and control the decryption keys.
And so when you ask your clients to send their information to you over email, their plain text data and documents are out there for the hacker world to see the minute they hit the “send” button.
It’s certainly possible that your clients’ email accounts won’t be hacked. And it’s possible that you’ll get through another year without some catastrophic breach. But everyone’s luck will run out at some point, especially when there is so much to gain with so little effort on the part of the perpetrator.
Smart money is on the survival of those businesses that make just a little bit of effort to take care of their clients’ data. This means no more email. It means using a secure service for sharing documents. It means educating employees about security and phishing. And the toughest pill to swallow will be insisting that your clients use a secure system when they share, even if they claim they’re not worried, and even if they claim they don’t care. It becomes imperative that the professional tax preparer take steps to protect their clients even when their clients don’t want to protect themselves.