The Internal Revenue Service and its Security Summit partners are warning tax professionals that cybercriminals are targeting them with new ways to get taxpayer information.
The alert says thieves are readying scams that capitalize on tax professionals working from home due to the pandemic.
The Security Summit, comprised of IRS officials, state tax agency representatives and leaders in the national tax industry, closed out its weeklong National Tax Security Awareness Week by issuing this new warning. The annual security event aims to heighten awareness about identity theft and data security measures among taxpayers, businesses and tax practitioners.
"When the Security Summit formed five years ago to fight identity thieves it was clear that the IRS, the state and industry could not be successful without the help of taxpayers and tax professionals. Everyone has a role to play in protecting sensitive financial data," said IRS Commissioner Chuck Rettig. "We've made tremendous progress in the past five years, but we still have work to do. The coronavirus and the increase in teleworking creates new ways for these sophisticated cybercriminals to scam people out of their money or their sensitive tax and financial information."
As the IRS and Security Summit partners took steps to strengthen defenses against cybercriminals, the identity thieves were turning their focus from individual taxpayers to tax professionals, targeting their offices and data systems.
Data thefts from tax pros can provide a wealth of valuable information to thieves trying to file fraudulent tax returns.
Security Summit partners remind all tax professionals to review their security measures. IRS Publication 4557, Safeguarding Taxpayer Data, provides tax pros with a starting point for basic steps to protect clients.
Also available is the “Taxes - Security - Together” Checklist created by the Security Summit to help tax practitioners identify the basic steps they should take. As more tax pros work from home or from remote locations because of COVID-19, these measures are even more critical for securing tax data.
Don’t forget the “Security Six!”
Easy steps that can make a big difference, both for tax pros and taxpayers:
- Use anti-virus software and set it for automatic updates to keep your systems secure. This includes all digital products, computers and mobile phones.
- Use firewalls. Firewalls help shield computers from outside attacks but cannot protect systems in cases where users accidentally download malware, for example, from phishing email scams.
- Use multi-factor authentication to protect all online accounts, especially tax products, cloud software providers, email providers and social media.
- Back up sensitive files, especially client data, to secure external sources, such as external hard drive or cloud storage.
- Encrypt data. Tax professionals should consider drive encryption products for full-drive encryption. This will encrypt all data.
- Use a Virtual Private Network (VPN) product. As more practitioners work remotely during the pandemic, a VPN is critical for secure connections.
Use multi-factor authentication
In 2021, all online tax preparation products for tax professionals will include an option to use multi-factor authentication. All tax pros are being urged to use this option.
Remember, however, that cheap over-the-counter, hard-disk products may not include an option to use multi-factor authentication.
Of the numerous data thefts reported to the IRS from tax professional offices this year, most could have been avoided had the practitioner used multi-factor authentication to protect tax software accounts.
Using Google Play or the Apple Store, practitioners can download readily available authentication apps to their smartphones. These apps will generate a security code. Codes also can be sent to the practitioner's email or text but the IRS notes those are not as secure as the authentication apps. Go online and search for "Authentication apps" to learn more.
Use VPNs to protect remote worksites
A virtual private network, or VPN, sets up a secure, encrypted tunnel to transmit data between a remote user and the company network via the internet. As teleworking or working from home continues during the pandemic, VPNs are critical to protecting and securing internet connections.
Offices that fail to use VPNs can open themselves up to risks of remote takeovers by cyber-thieves, giving criminals access to the tax pro’s entire office network simply by accessing an employee’s remote internet connection.
Practitioners shouldn’t be shy about seeking out professional technical help in this area. Seek out cybersecurity experts whenever possible.
Tax pros can also search for "Best VPNs" to find a legitimate vendor, or major technology sites often provide lists of top services. Remember, never click on a "pop-up" ad that's marketing a security product. Those generally are scams.
Defending against phishing scams
Phishing emails generally have an urgent message, such as "your account password expired." They direct you to an official-looking link or attachment. But the link could take you to a fake website made to appear like a trusted source, where it requests your username and password. Or, the attachment may contain malware that secretly downloads software tracking keystrokes and allowing thieves to eventually steal all the tax pro's passwords.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning to all organizations to educate employees, especially those who are teleworking, about increased activity related to phishing scams.
The IRS often sees thieves posing as potential clients, trying to trick tax pros into opening an embedded link or attachment. Scams involving COVID-19 and the Economic Impact Payments also have been common.
It’s the law: Write your security plan!
The IRS and Security Summit strongly remind tax professionals that federal law requires tax practitioners to have a written information security plan. The Federal Trade Commission has enforcement authority—by federal law—over this provision.
Tax pros can learn more about the FTC’s “Safeguards Rule” from IRS Publication 4557.
In addition to the required information security plan, tax professionals should also consider drawing up an emergency response plan should they suffer a breach and data theft. Such a plan can save valuable time, providing contact information for the IRS Stakeholder Liaisons who are the first point of contact for data theft reporting to the IRS and the states.
IRS Publication 5293, Data Security Resource Guide for Tax Professionals, provides a wealth of data theft information available on IRS.gov, including the reporting process.
For more information on the partners of the Security Summit and other steps to secure tax information, check out IRS.gov/securitysummit.
(If you're looking for a sample written information security plan, download the Drake Software Tax Office Security Plan.)