Identity theft. Just the mere mention of this mayhem masquerade is enough to make the blood of tax professionals everywhere run cold.
As keepers of our clients’ most precious information, we are at once the target of identity thieves and the solution for our customers' protection.
Sometimes it seems as if the scammers are winning. But we already have the tools that can help keep the bad guys at bay.
Identity theft is evolving (again)
Historically, most identity theft attacks have been phishing emails, though scammers have begun using text messages. Whatever form these scams take, the Internal Revenue Service says they share a few characteristics:
- They appear to come from a known or trusted source, such as a colleague, bank, credit card company, cloud storage provider, tax software provider or even the IRS and other government agencies.
- They create a false narrative, often with an urgent tone, to trick the receiver into opening a link or attachment.
If the scam succeeds, the “link” could install malware in the background, unknown to the personnel on the receiving end. Many times, a nasty "remote access trojan" (or RAT) is installed, allowing attackers to return to the system and gain ongoing access.
This software can take over a tax pro’s office system, identifying and completing pending tax returns, then e-filing them after changing the banking information to steal the refund.
Similar scenarios can be used to employ ransomware that holds an office’s data hostage until a ransom is paid.
Use multi-factor authentication to protect your accounts
Even the safest platforms can put data at risk when used improperly, and identity thieves are adaptable. Lately, the IRS has seen evidence that cloud-computing systems are being targeted by identity thieves. These breaches are often suffered by smaller tax offices that don't take advantage of security measures like multi-factor authentication.
Multi-factor authentication requires additional user-provided information to access an account, like a remotely generated code or answers to questions. This additional layer of security can stymie identity thieves attempting to log in fraudulently as office employees.
The Security Summit, a panel of IRS officials, state and local taxing agency representatives, and tax industry partners, has some recommendations about how multi-factor authentication should be constructed to be most effective.
First, whenever two-factor (2FA) or multi-factor (MFA) options are offered by storage providers or other cloud providers, use them. Either option could protect client accounts, even in the event that passwords become compromised.
Second, never use email as one of the additional methods of validating the user. Email is less secure and can be an easier nut to crack for the attacking identity thief. Text, phone calls or tokens are all better choices.
Other good practices to follow include using encryption on critical drives and backing up files regularly. Don’t forget to update your anti-virus software on a regular basis.
As tax professionals, it’s up to us to secure our systems to protect sensitive customer data.
For more information on protecting your office from scammers and identity thieves, see Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: The Fundamentals.
Other resources include Publication 5293, Data Security Resource Guide for Tax Professionals, and the Identity Theft Central webpages on the IRS website.