The Internal Revenue Service, along with its Security Summit partners, is warning tax professionals to pay close attention to their IRS-issued identification numbers. These include Electronic Filing Identification Numbers (EFINs), Preparer Tax Identification Numbers (PTINs), and Centralized Authorization File (CAF) numbers.
The alert is part of the Security Summit’s “Protect Your Clients; Protect Yourself: Tax Security 101” awareness campaign.
But this is no off-the-shelf warning; the threat is very real.
Cybercriminals can post stolen EFINs, PTINs and CAF numbers on the Dark Web without the rightful owners ever knowing the numbers have been stolen. Sold to the highest bidder, the numbers that are so necessary to a tax professional's business can then be used to prepare and file fraudulent income tax returns.
EFINs are necessary for tax professionals or their firms to file client returns electronically. PTINs are issued to those who, for a fee, prepare tax returns or claims for refund. CAF numbers are issued when tax practitioners or their firms file a request for third-party access to client files.
In a law-abiding world, these three numbers can only be obtained from the IRS.
The Internal Revenue Service has issued some guidelines on how to keep track of these very important numbers for your practice – and keep them safe from identity thieves.
Maintain Your EFIN
- Review the e-File application periodically. Tax professionals’ e-file application must be updated within 30 days of any changes such as individuals involved, addresses or telephone numbers. Failure to do so may result in the inactivation of an EFIN.
- Ensure proper individuals are identified on the application, and update as necessary. The principal listed on the application is the individual authorized to act for the business in any legal or tax matters. Periodically access the account.
- Add any new principals or responsible officials promptly.
- Update any business address changes, including adding new locations.
- EFINs are not transferable; if the business is sold, the new owners must obtain their own EFIN.
- There must be an EFIN application for each office location; for those expanding their business, an application is required for each location where e-file transmissions will occur.
Monitor Your EFIN, PTIN and CAF
You can keep tabs on just what has been e-filed with your accounts; a weekly report is available showing the number of income tax returns on your EFIN and PTIN. For PTIN holders, only those preparers who are attorneys, CPAs, enrolled agents or Annual Filing Season Program participants and who file 50 or more returns may obtain PTIN information. Weekly checks will help flag any abuses by cybercriminals.
For EFIN totals:
- Access the e-Services account and the EFIN application;
- Select “EFIN Status” from the application;
- Contact the IRS e-help Desk if the return totals exceed the number of returns filed.
For PTIN totals:
- Access the online PTIN account;
- Select “View Returns Filed Per PTIN”;
- Complete Form 14157, Complaint: Tax Return Preparer, to report excessive use or misuse of PTIN.
For those with a Centralized Authorization File (CAF) number, make sure to keep authorizations up to date. Tax professionals should conduct an annual review to identify outstanding third-party authorizations for people who are no longer their clients, and remove those authorizations.
To remove authorization for a client, consult Publication 947, Practice Before the IRS and Power of Attorney. Go to the heading, “Withdrawal of Representation.”
Other sources include the instructions for Form 2848, Power of Attorney and Declaration of Representative; or Form 8821, Tax Information Authorization, for withdrawing representation.
Protect Your EFIN
One rule of thumb is that the same good security habits that protect client data can also protect your EFIN. These include using the best anti-virus software you can afford, using strong and unique passwords, and using two-factor authentication wherever possible. Here are a few more:
- Learn to recognize and avoid phishing scams, and do not open links or attachments from suspicious emails. Most data thefts begin with a phishing email.
- Secure all devices with security software and let it automatically update.
- Use strong passwords of eight or more mixed characters; use phrases that are easily remembered, and password-protect all wireless devices.
- Encrypt all sensitive files/emails and use strong password protections.
- Back up sensitive data to a safe and secure external source not connected full time to the network.
- Wipe clean or destroy old computer hard drives that contain sensitive data.
Finally, a reminder: all professional tax preparers must have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule.
Help is available by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.