Cybersecurity for Taxpayers and Tax Professionals

Cybersecurity is now a universal concern in every walk of life. What are the risks to tax professionals and their clients, and how can both parties mitigate them?

Data security is a major consideration for any industry and, unfortunately, tax preparation is no exception. Tax professionals need to ensure that appropriate safeguards are in place so that their business and clients are protected from cyberattacks, and individual and business filers need to remain equally vigilant.

Progress has been made to combat taxpayer identity theft. The IRS reported that the number of reported identity theft victims fell 71 percent between 2015 and 2018. However, identity theft tactics continue to evolve and, regardless of this progress, pose risks to the data of the entire tax community, since scammers change their approaches when security is improved.

The 2019 Identity Fraud Study from Javelin found that while fraud overall was down 15 percent in 2018, more victims of the fraud were paying out of pocket to deal with it. These avoidable costs can add up fast for an individual and a business.

The most common types of fraud may change each year, but time and again attackers wait for tax season—and big impacts are felt by taxpayers and tax professionals alike.

Understand the risks and update safeguards

Tax season is one of the most common times that scams occur. Consider all of the data that’s shared online during this time: a host of financial information and personal details, like dates of birth, account statements, and Social Security numbers. Cybercriminals love to attack during tax season.

Identity thieves often use stolen information to file fraudulent tax returns or try to claim tax benefits. They file as soon as they can, since their scam only works with returns that haven’t yet been filed by the people they’re claiming to be.

Start by reviewing your current security practices, whether you’re an individual or a business. Even if you’ve taken steps to better protect data, the IRS has made recommendations in the form of a checklist to ensure that you’re doing everything you can to mitigate risk.

The checklist applies to both tax professionals and taxpayers since both groups are impacted by tax fraud and “everyone has a responsibility to protect sensitive data,” as the IRS says.

Employ the following six recommended security measures as the baseline for a cybersecurity plan:

  1. Anti-malware software
  2. A firewall
  3. Two-factor authentication
  4. Backup software or services
  5. Drive encryption
  6. Virtual private networks

Train yourself and other team members

Next, learn how to watch for phishing attempts and other scams that aim to collect personal information.

There are many red flags for tax professionals and taxpayers to watch out for, including if an individual receives an IRS letter that questions their tax return, if more tax returns are filed than were submitted for a given Electronic Filing Identification Number, and if tax transcripts are sent to clients when they didn’t request them.

Common tax scams that target taxpayers include phone scams, in which a scammer impersonates the IRS and tries to get personal information; phishing emails and malware schemes from cyber criminals; and fraudulent tax returns. Note that the IRS will never contact a taxpayer through the common phone and email methods with questions about an individual tax return.

Implement a recovery plan

If you become a victim of data theft, you’ll want to already have a plan in place to deal with it. The IRS offers this guidance:

  • Individuals and tax professionals must contact the local IRS Stakeholder Liaison right away.
  • Tax professionals must help the IRS in protecting all of their client accounts.
  • Implement cybersecurity measures—business professionals should engage the services of cybersecurity professionals to help set up a plan.

A data security plan should be revisited and updated regularly. Because identity theft adapts to new technologies, this isn’t something you can put together once and move on. The plan must also change with shifting scam tactics.

Some of the key areas of a business that a data security plan needs to address are:

  • HR: employee management and training
  • Information systems
  • System failure management and detection

While the number of tax-related identity theft cases has fallen a bit, it’s still crucial that tax professionals, other business owners, and individual taxpayers alike are aware of the risks and remain educated about how to both protect against them and deal with breaches if they should occur. By going through the checklist from the IRS and continuing to stay vigilant, the risks can be vastly mitigated during tax season.

The professionals at Provident CPA & Business Advisors implement strong security procedures while offering a range of tax planning services to a host of businesses and individuals. To discuss how our services can help you come tax time, get in touch with the Provident team today.

Cybersecurity Best Practices for Taxpayers: How to Stay Safe

When it comes to cybercrime, nobody is safe. From government agencies to senior citizens, online scams surge around tax time to exploit human and digital vulnerabilities.

April is a busy month for law-abiding taxpayers and the individuals who help them file. It’s also the busiest month for criminals out to exploit the personal data and finances of millions of Americans. According to the Federal Trade Commission (FTC), scam attempts peak in the days between April 15 and April 21 and gradually tail off toward the end of the month.

The old approach of scam phone calls is still active, but now unsuspecting recipients can fall afoul of year-round emails ready to exploit their lack of awareness. These fake communications come loaded with misleading links and virus-packed attachments that do a lot more than hijack a web browser; they can make off completely with your identity.

The growing danger of cyberattacks on taxes

The IRS issued a warning ahead of the 2019 tax filing period, alerting the public to the huge increase in ever-more-sophisticated scams and highlighting how the holidays are just as likely a time for criminals to strike as April.

Incidents were up 60 percent from the previous year, as phishing scams stole Social Security numbers, bank details and more. The troubling and simultaneously comforting fact is that the public is the only real line of defense against phishing scams—the more we know, the less effective these slippery attacks will be.

It’s not just the public who is being attacked. The IRS itself has been operating with an outdated and overwhelmed cyber framework for years, an issue it vowed to correct in a statement released in April. Page 30 of the full IRS Integrated Modernization Business Plan details the cybersecurity steps they’re taking (as does this shorter IRS factsheet).

Even so, it will take six years to fully roll out and protect the IRS from the 1.4 billion cyberattacks the agency is subjected to every year. What can taxpayers do to be safer in the meantime?

Taxpayers should take these steps

It bears repeating that cyber criminals hunt for targets year-round, not just during holidays and filing time. Everyone should be aware of the hallmarks of fraudulent communications:

  • Beware of tax-related emails which claim to come from legitimate sources like the IRS, business partners, or even friends and family. Cybersecurity experts and the IRS recommend a healthy dose of distrust, no matter who the sender seems to be. A legitimate party could have had their account compromised without their knowledge and it’s now under the control of a scammer.
  • There are usually links and attachments connected to emails that, if followed or opened, will take personal data or infect a device with malicious software that will steal that data. Never click on either of these.
  • These emails are typically overly insistent and even threatening in nature, designed to play on people’s fear of punishment by demanding information or contact.
  • Broken English is another giveaway, but this is a flaw that’s gradually disappearing.

Assuming that a taxpayer avoids this particular danger, they’re still taking a huge risk by not operating with security protection like anti-malware/anti-virus software, a strong password, and multi-factor authentication on their accounts and devices. These should be applied wherever possible when dealing with tax-related matters and also to anything related to personal/business finances.

Likewise, the same strict standards should apply to an individual’s entire online life. Never provide personally identifying information or financial data to any website that isn’t trusted or fully encrypted; at minimum, look for the https prefix (vs. http) on any website address in your browser. It’s a short step from purchasing groceries online to finding your entire identity has been stolen and exploited.

Some cyber criminals aren’t looking to download data; they simply want to destroy it. We recommend that businesses and individuals always back up their tax documents on a secondary, removable or cloud drive to provide a further security layer.

One of the most important pieces of advice we can offer is to thoroughly check the credentials of the tax professionals you’ve chosen to work with. Scammers go so far as to pretend to be established tax agencies offering a helping hand, when they’ve only appeared in time to steal details and exploit them. Worse, some established agencies or their representatives may operate to defraud their clients of funds.

One last tip is a perennial piece of advice from tax pros—file your taxes early. This increases security because the IRS only accepts one tax return per Social Security number, meaning that if the real taxpayer files first, any subsequent attempt by a cybercriminal using stolen details will be rendered impossible.

The bottom line is to stay vigilant, question every tax-related communication, and protect all online activity with the proper cybersecurity measures.

Who should taxpayers tell if they suspect a scam?

Inform the IRS if any digital communications seem suspect—it never hurts to be cautious. If you’ve received a demand for an outstanding amount and aren’t sure if it’s legitimate, then there are two ways to verify without complying with a suspicious request: individuals can view their personal IRS account, and businesses or their designated third party can receive a free transcript of their account on request.

The Federal Trade Commission can and should be contacted via the Complaint Assistant. For further information on crime prevention, businesses can benefit from the National Institute of Standards and Technology’s handbook for data security.

Stay safe out there!

Provident CPA and Business Advisors offer a wide range of services in taxes, accounting, and beyond. Our core focus is to help professionals achieve financial freedom and build a better business. Get in touch today to start strengthening your finances.