Sophisticated data theft scams and identity fraud continue to run rampant, as the Internal Revenue Service warns practitioners to be vigilant as part of their summer special awareness series in conjunction with the Security Summit—a coalition by the IRS with representatives of the software industry, tax preparation firms, payroll and tax financial product processors and state tax administrators. The Security Summit was created in 2015 to help combat identity theft refund fraud and protect taxpayers by sharing information about emerging fraud and cyber schemes.
Although not related to the IRS or a tax return, a recent personal encounter highlights just how prevalent and sophisticated scams are becoming. Just last week I received a supposed call from my bank, from their actual 1800 number, with a well-spoken sounding individual on the phone advising me someone was attempting to make large-scale transactions using my account. The “representative” on the phone seemed to know my full name and even past cities I lived in. My skepticism and awareness of phone scams luckily got the best of me, and I decided to hang up the call and call back the bank myself. When I did reach an actual representative, they informed me that they have no record of anyone contacting me and that there were no suspicious or flagged transactions on my account. Apparently, these scammers are even able to spoof real customer service numbers these days, to make it appear like a legitimate call.
Maintaining Robust Security Measures
In the IRS press release, the last of a five-part series, tax pros are urged to “maintain robust security measures and take important steps to protect themselves and their taxpayer clients against identity theft.” Previous presentations in the series discussed identity theft red flags from clients that practitioners should be on the lookout for and warned tax professionals to be aware of evolving phishing scams and cloud-based schemes, but the IRS reiterates that strong security at a tax practice and taking necessary precautions when handling data and security at a business or home is paramount to safeguarding sensitive taxpayer information.
The presentation also reminded tax professionals about the importance of having a Written Information Security Plan in place, a special 28-page template designed to help tax professionals, especially those with smaller practices, make data security planning easier.
Important Reminders for Professionals
The IRS reiterated some important tips for tax professionals when it comes to protecting taxpayer information:
- Be cautious of email attachments and web links. Many scammers can imitate legitimate businesses, taxpayer clients and government agencies, including the IRS.
- Don’t send sensitive business information to personal email devices. Don’t conduct business, including online business banking, on a personal computer or device. Don’t engage in web surfing, gaming or video downloading on business computers or devices, as these can add to security risks.
- Don’t share USB drives or external hard drives between personal and business computers or devices.
- Be careful with downloads. Don’t download software from an unknown web page. Always exercise caution with freeware or shareware.
- Use strong passwords. Never give out usernames or passwords to others. Ideally, passwords should be at least 14 characters long. For systems or applications that have sensitive information, use multiple forms of identification (multifactor or dual-factor authentication).
- Change default passwords. Many devices come with default administrative passwords. Change them immediately and regularly thereafter. Default passwords are easily found or known by hackers.
- Change passwords often. Every three months is recommended. Consider using a password management application to store passwords. Passwords to devices and applications that contain business information should not be reused.
Lastly, if data theft or identity fraud is suspected, reporting it immediately to a local IRS Stakeholder liaison is critical. If reported quickly enough, the IRS can take the necessary steps to block fraudulent returns in the clients' names and will assist tax pros through the process. Most states also require that the state attorney general be notified of data breaches.
More resources on data theft information are available on the IRS’ website.