Tax-based identity theft is bad, and it’s getting worse.

After only a quarter of the way through this year’s tax season, the rate of identity theft increased by 400% over last year. 

Phishing and malware assaults top the list of a new group of e-mail scams directed at consumers and tax preparers.  The IRS says that the total number of these assaults break down as follows:

• There were 1,026 incidents reported in January, up from 254 from a year earlier.
• The trend continued in February, nearly doubling the reported number of incidents compared to a year ago. In all, 363 incidents were reported from Feb. 1-16, compared to the 201 incidents reported for the entire month of February 2015.
• This year's 1,389 incidents have already topped the 2014 yearly total of 1,361, and they are halfway to matching the 2015 total of 2,748.

Nor is it just e-mail scams.  The IRS has suspended use of its Identity Protection (IP) PIN tool on IRS.gov, pending a review of the system’s security in the wake of allegations that some of the numbers have been stolen by identity thieves.  In addition, the agency has revised upward the number of consumer accounts stolen during last year’s hacking of the IRS Computer System.

And the IRS isn’t the only government entity facing a massive increase in identity theft tax fraud. Due to increased federal agency security, scammers have turned to fraud involving state income tax returns, believing that the state systems are not as secure.  The same hold true for tax preparation professionals, who have been subjected to malware and phishing attacks as well as attempts to hack into client records.

Federal and state agencies have powerful resources they may tap in order to reinforce their security.  Tax preparation services, particularly small services, do not.  But they can do more to protect themselves without a major disruption of the tax preparation work flow or a massive draw on limited resources.  Here are five steps to consider immediately:

• Know the ebb and flow of tax fraud. Preparers know that there is a timing cycle for tax season itself.  In late January the IRS begins accepting returns, and some tax clients immediately file their taxes.  For the next six weeks or so, this keeps the firm extremely busy with both preparing the return and helping to shepherd refunds to their clients.  The middle part of the cycle is slower, with time to perform some catch-up chores, staff meetings, and other activities.  The third part of the cycle, from approximately March 15 to April 15, is very busy with late filers and filing extensions.  Tax fraud likewise has its own cycles. The highest levels occur at the beginning and end of the tax season, with less fraud in mid-cycle.  This is due to the perception that high volumes of returns will mean less inspection of each return and therefore a greater opportunity for theft.

• Batten down the hatches. Check all aspects related to the physical security of the building and its contents.  Run an anti-malware program on all of the computers.  Ensure that any paper not needed for client records or workflow is being shredded and properly disposed of, daily. Review your insurance policies, particularly liability policies that might become central to any data security problems.

• Secure the networks. In addition to physical security, it is critical to know that the Data Networks are also secure. This means using a client portal for all communications, not using e-mail for any client communications, ensuring your data is backed up to a secure facility, and halting all use of Wi-Fi.  It will also mean an anti-malware scan of all servers.  Finally, and most critical of all, make sure that your hardware and software is up to date.  Remember that Windows XP is no longer supported by Microsoft, and future faults will not be fixed.  Note:  Rather than trying to upgrade the operating system on a computer still in use, take it out of use and instead live without that workstation or replace it with a new PC.

• Hold a staff meeting. Even if the owners or partners are living and breathing examples of security perfection, it is likely that the staff – particularly temporary workers – is not.  As part of the meeting, review the basics of security for client data – including any discussion of client business outside of the office.  Also review the fundamentals of “scam calls” and how to avoid them.
• Know the steps to take if you are victimized. This information should be given to the staff and also provided to clients who are victimized. These are the most immediate steps victims of fraud need to take:

1. File Form 14039, Identity Theft Affidavit, with the IRS.
2. Check to determine reporting and validation for state returns.
3. File a police report.
4. File an identity theft report with the Federal Trade Commission.
5. Check credit reports through one of the major credit bureaus for unauthorized activity.
6. Request that a fraud alert flag be placed on their accounts, or that a freeze be placed on requests for credit reports from third parties.

Identity theft has become the most common consumer complaint about criminal activity in the United States today.  According to The Bureau of Justice Statistics, 16.6 million American adults were victims of identity theft in 2012, while just 6.8 million total non-fatal violent crimes occurred in the same period.  Of these 16 million, an estimated 14 percent suffered a financial loss – with losses for tax fraud growing from $6.4 billion to $21 billion in just the past two years.

If we are to make progress in curbing this form of crime and its negative impact on our industry, tax preparers must be engaged in the fight – both for themselves and their clients.