IRS, Security Summit Partners warn tax professionals of high risk of data theft attacks

December 6, 2018 IRS Newsroom Tax

Cybercriminals stepped up their attacks on tax professionals during 2018, prompting the Internal Revenue Service and the Security Summit partners to urge practitioners to take steps to protect client data and their computer networks from these threats.

The IRS also reminded all professional tax preparers that they are required by federal law to create and maintain a written data security plan. Sole practitioners are just as vulnerable to data theft as practitioners in large firms.

The IRS, state tax agencies and the private-sector tax community -- partners in the Security Summit -- are marking National Tax Security Awareness Week with a series of reminders to taxpayers and tax professionals. In the fifth and final part of the special series, the Summit renewed warnings to tax professionals as the 2019 tax season approaches.

“As the IRS, the states and the tax industry improve our defenses against tax-related identity theft, cybercriminals are looking for better data sources to fill out fraudulent tax returns,” said IRS Commissioner Chuck Rettig. “This makes tax professionals and their client data a treasure trove for cybercriminals to target. Tax professionals are a critical line of defense, and we urge them to protect their data, their systems and their clients. And we want taxpayers to seek out reliable tax professionals who use the latest security features.”

During the 2018 tax filing season, the IRS received five to seven reports per week from tax firms that had experienced a data theft. Through Nov. 5, 2018, the IRS received 234 reports for the year. That’s a 29 percent increase from the 182 reports received during the same time in 2017. Generally, these are reports filed by firms, which means hundreds more tax practitioners and tens of thousands of clients are affected.

This increase represents a significant trend in tax-related identity theft, and it’s a sign that tax professionals must take stronger measures to safeguard their clients and their business.

Thieves search for client data so they can create a fraudulent tax return that looks legitimate and might bypass IRS filters. They also impersonate tax professionals, using stolen Electronic Filing Identification Numbers (EFINs), Preparer Tax Identification Numbers (PTINs) and Centralized Authorization File (CAF) numbers.

The Gramm-Leach-Bliley Act of 1999 requires all financial institutions, a term it defines to include professional tax preparers, to create and maintain information security plans. The Federal Trade Commission, not the IRS, administers this law and created a Safeguards Rule to administer it.

Information about the FTC requirements can be found in IRS Publication 4557, Safeguarding Taxpayer Data. The IRS also created a new Publication 5293, Data Security Resources Guide for Tax Professionals, which compiles numerous resources from

The Security Summit urges tax professionals to seek out cyber experts for assistance with security and, at a minimum, to take certain safeguards.

Take basic security steps:

  • Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider or cloud storage provider. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates initial contact with a tax pro via email.
  • Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
  • Review internal controls: 
    • Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
    • Create passwords of at least eight characters; longer is better. Use different passwords for each account, use special and alphanumeric characters, use phrases, password protect wireless devices and consider a password manager program.
    • Encrypt all sensitive files/emails and use strong password protections.
    • Back up sensitive data to a safe and secure external source not connected full time to a network.
    • Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
    • Limit access to taxpayer data to individuals who need to know.
    • Check IRS e-Services account weekly for number of returns filed with EFIN.
  • Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
  • Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alert, and Social Media.

For the 2019 filing season, many tax software vendors will offer two-factor or even three-factor authentication protections for software access. Tax professionals should opt for multi-factor authentication protections whenever they are available. Multi-factor authentication helps prevent cybercriminals from accessing accounts, even if they steal passwords.

Watch for signs of data theft

Tax professionals or their firms may be a victim and not even know it. Here are some common clues to data theft:

  • Client e-filed returns begin to reject because returns with their Social Security numbers were already filed;
  • Clients who haven’t filed tax returns begin to receive authentication letters (5071C, 4883C, 5747C) from the IRS;
  • Clients who haven’t filed tax returns receive refunds; 
  • Clients receive tax transcripts that they did not request;
  • Clients who created an IRS online services account receive an IRS notice that their account was accessed or IRS emails stating their account has been disabled, or clients receive an IRS notice that an IRS online account was created in their names;
  • The number of returns filed with the tax practitioner’s Electronic Filing Identification Number (EFIN) exceeds the number of clients;
  • Tax professionals or clients responding to emails that the practitioner did not send;
  • Network computers running slower than normal;
  • Computer cursors moving or changing numbers without touching the keyboard;
  • Network computers locking out tax practitioners.

Data loss reporting

  • Tax professionals who suffer a data theft or loss can assist their clients by immediately reporting the loss to the Internal Revenue Service. The IRS can take steps to either prevent tax-related identity theft or assist taxpayers to recover faster from tax-related identity theft. More information is available at Data Theft Information for Tax Professionals.
  • Report client data theft to your local stakeholder liaison. Liaisons will notify IRS Criminal Investigation and others within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names and will assist you through the process.
