Many businesses have embraced remote work as a key strategy in slowing the spread of COVID-19. Even the Internal Revenue Service has sent its staff home as a result of this outbreak. Unfortunately, scammers have moved quickly to deploy phishing scams that target the growing at-home workforce, prompting the IRS and its Security Summit partners to publish five data security tips.

The Security Summit is a group of public and private members of the tax industry—the IRS, state tax authorities, and tax software developers, to name a few—that formed in 2015 in response to the growing number of identity theft tax refund fraud incidents. While the Summit’s latest recommendations were compiled in response to COVID-19 and Economic Impact Payment scams, these tips can serve as cornerstones of any data security plan.

What programs and services can I use to protect my office and home computers?

Three of the Security Summit recommendations involve using security software and services for protecting your data from scammers: data security software, multi-factor authentication (MFA), and Virtual Private Networks (VPNs).

Data security software like antivirus, anti-spyware, and firewalls are the cornerstones of protecting your computers from criminals. Specifically, the Summit recommends programs that are designed to protect all of your devices by including “security features [that] will help identify and stop potentially dangerous malware that can infect digital networks.”

MFA is an additional layer of security beyond a username and password that is required to access a protected account, program, or service. As the release explains, “Multi-factor authentication means a returning user to the software product must enter not only their credentials … but also a security code, generally sent as a text to a mobile phone.” This type of security measure should be familiar to anyone who has used popular, web-based email platforms (Gmail, Hotmail, or Yahoo! Mail), and it is an option in most tax preparation software.

Of all the items on this list, Virtual Private Networks might sound the most alien. Think of a VPN as a bank-teller tube specifically designed to protect the data you send and receive online: “[They provide a secure, encrypted tunnel to transmit data between a remote user … and the company network.” If you’re not sure how to start looking for a VPN, the Summit suggests asking other preparers or searching online. That said, they caution against pop-up ads for VPNs.

What are the latest phishing scams?

The other two recommendations involve learning to identify the types of phishing scams targeting both taxpayers and tax professionals that are making the rounds.

When it comes to taxpayers, scammers are generally using phone-, email-, and text message-based phishing attacks focusing on the CARES Act-authorized Economic Impact Payments. In the EIP scams, criminals impersonate government representatives, claiming they are trying to confirm information that is required to receive the payment.

Tax professionals, on the other hand, are being targeted by “emails from criminals posing as potential clients.” These scams try to use CDC recommendations for social distancing to convince tax pros to click embedded links that can contain malware, often requesting the preparer review attached financial information. “Thieves also seek to impersonate tax software providers, cloud storage providers, banks, and others,” the Summit warns.

What else can I do to protect my data?

In addition to learning to identify phishing scams and resisting the urge to click on links and attachments embedded in electronic messages, there are a few other things you can do to protect your data. Good data security habits include password-protecting all devices, accounts, and Wi-Fi access points that you own, keeping all installed software up to date, and using a password manager.

Source: IR-2020-71