How to Protect, Prevent, and Report Identity theft in the Tax Profession

Cyberattacks are very prevalent in the age of the internet. Cybercriminals and account hijackers are always on the lookout to explore the slightest of the loopholes in order to get access to important data. Accounting and tax professionals are the prime target of these cyber threats as they are the curators of some of the most sensitive client information. With the aim of creating fraudulent tax returns and claiming fake refunds, cybercriminals try to steal your clients’ critical financial and personal information.

With the increasing integration of smartphones and IoT (Internet of Things) devices in the tax and accounting profession, cybersecurity threats are becoming even more prominent. The latest trends reveal a huge increase in the number of cybersecurity breaches with industries like finance and healthcare being the biggest targets.

• A report on cybersecurity facts released by the University of Maryland claims that cybercriminals and hackers carry out an attack every 39 seconds, about 2244 times a day on average.

• Another report by Verizon claims that about 10 percent of all the security breaches involved the financial industry.

Protecting your Clients against Data Loss

Tax professionals and accountants are the first lines of protection versus information theft. You, as a tax professional, need to be vigilant and keep a close eye on your as well as your clients’ data all the time. Small negligence in defense may lead to huge information theft. The attackers or cybercriminals not only try to steal your clients’ valuable data, but also try to loot your identity in order to file fraudulent tax returns and gain access to even more information with the help of your EFINs, PTINs, and CAF numbers.

In order to protect your identity as well as critical clients’ data you must take care of the following things:

• Know Your Duties Well

It is extremely important for an accounting and tax professional to be aware of his/her responsibilities in order to safeguard important client data. A tax professional needs to abide by the federal law which states that it is necessary for one to create, execute, and maintain a data security strategy to preserve clients’ data. The Federal law requires all tax firms, irrespective of their sizes, to have a sound data security plan in place.

If you are a tax professional, you can ask your cybersecurity team to develop an effective information security plan. In case you don’t have a cybersecurity squad, you can approach a cybersecurity consultant.

Further, if one is incapable of affording an in-house cybersecurity team as well as a consultant, he/she can refer to the guide on Safeguarding Taxpayer Data by the Internal Revenue Service (IRS). The guide helps tax professionals with how to take basic steps to safeguard one’s own identity as well as his/her clients’ data.

• Implement Information Security Plan

The following are some of the most important protective measures you must consider to ensure information safety and security:

1. Installing anti-virus and anti-spyware security applications on all of their devices including desktops, laptops, routers, smartphones, tablets, etcetera. It is further recommended to use the latest versions of the applications by setting them to automatic updates.
2. Using strong, unique passwords having at least 8 characters, including special characters, alphanumeric keys, and phrases. Using a password manager program adds an extra layer of security.
3. Encrypting and password protecting critical business files and emails containing sensitive information.
4. Backing up sensitive information to a secure external server that is not connected with the regular, full-time network. Tax professionals can consider using the latest cloud-based backup strategies to protect themselves against information loss.
5. Limiting access to avoid information being shared with individuals who are not entitled to know.
6. Destroying old, obsolete hard drives and printers having sensitive information.
7. Regularly checking the IRS e-services account to confirm there are no fake or fraudulent returns filed using your EFIN.
8. Reviewing your final return information before e-filing, particularly direct deposit information.

Additionally, tax professionals can refer to the security steps mentioned by the National Institute of Standards and Technology (NIST) in one of their guides for small businesses. The NIST, a branch of the United States Commerce Department, sets the data security structure for federal agencies. Their security document focuses on five security principles: identifying, protecting, detecting, responding, and recovering.

The tax professionals can also look for the cybersecurity support offered by many of professional insurers. You can ask your insurer if they have data theft coverage in place or not.

Moreover, if you are making use of one of the cloud-based tax and accounting tools, you can ask your service provider about all the security measures it implements in order to ensure data safety and privacy.

Identifying Data Theft

What can be worse than you being a victim of data theft and not even being aware of it? Hence, it is equally important for you and the other tax professionals to be able to identify data theft attempts and suspicious activities in addition to implementing data protective plans. You must know the signs of information theft in order to identify any attempt being made to steal your identity or valuable client data.

The following are the most common clues you can look for to identify data theft:

• Rejection of the client’s e-filed returns as a return with the Social Security Number (SSN) of your client already received by the IRS.
• Receiving more acknowledgments than the number of e-file returns you filed.
• Clients replying to emails that were not sent by you.
• Your system giving unexpected or mysterious responses like:
  • Actions taking longer amounts of time to process than they usually take
  • You are getting locked out of your computer system or network
  • Automatic cursor movements or keyboard actions taking place without you using your keyboard or mouse.

• If your clients receive authentication letters such as 5071C, 5747C, and 4883C from the Internal Revenue Service without any return filed by you.
• Clients receiving refunds for the returns that haven’t been filed.
• Fake emails and calls on your name to your clients.
• Clients receiving tax transcripts that they did not request.
• Notification of one of the following from the IRS:
  • Creation of an online IRS account without your client’s consent.
  • Someone else accessing your client’s account without their knowledge.
  • Deactivation of your client’s online account.

About 91 percent of all the cyber attacks and security breaches start with a spear-phishing scam targeting you or your client. Hence, it is critical for your firm to recognize targeted phishing scams as well. These phishing scams generally make use of suspicious links or attachments that, if opened, end up giving the cybercriminals your passwords. Often, they make you click a link that contains some malware that tracks your cursor movements and keystrokes to help thieves get control of your system.

In most of spear-phishing scams, the criminals present themselves as one of the trusted sources like your tax business partner, IRS eServices, a cloud-based solution provider, and potential client etcetera. It is important for you not to get too excited and end up falling into their traps. There are certain clues that help you identify phishing emails. You can look for:

• An email, though appearing to be from a trusted source, but looks a bit off.
• An email containing an urgent call to action in order to entice you to open a link or attachment.

How to Prevent Identity Theft and Client Data?

While you are always on guard, staying your maximum vigilant self, it is still possible your identity is hijacked or your client’s data is stolen. You always have to look for prevention techniques that help you avoid being a victim of such cybercrime. You can preserve your identity and your client’s information by:

• Regularly checking for the e-file acknowledgments you receive for the returns filed. In case you receive additional acknowledgments, you must start digging deep to find out what’s wrong.
• You must also keep tracking your weekly EFIN usage to confirm the number of returns filed using your EFIN. In case something seems fishy or off, you must immediately get in touch with the e-help desk of the IRS.
• Keeping your EFIN application updated and regularly monitoring your PTIN account also helps you stay in control.
• Knowing that the IRS never:
  • Initiates any contact whatsoever with taxpayers via text, email, or social media, requesting their financial or personal information.
  • Calls taxpayers making lawsuit threats or arrest warnings.
  • Requests Identity Protection Pins of the taxpayers.

Reporting Information Theft

Even after taking all the precautions, or otherwise, you happen to encounter identity theft or information losses, you must immediately report the IRS in order to prevent further losses and fraudulent returns. To report data theft you can:

• Contact and report client information theft to the local stakeholder liaison in the IRS.
• Contact the local police to file a data breach report.
• Report the Federal Bureau of Investigation (FBI) or Secret Service, in case you are directed by the Internal Revenue Service.
• Notify the State Attorney General for the state you are preparing your tax returns for.
• Consult security experts to understand the cause of the breach and avoid the same in the future.
• Report the breach to your insurance company to confirm if the policy covers security breach mitigation costs.

Final Words

Combating modern cybercriminals is not impossible. If you, as a tax professional, take proactive security measures and regularly monitor your activities for identifying the potential threats, it is possible for you to safeguard your identity as well as the honest taxpayers’ data.