Security Summit partners conclude special campaign with reminders to protect tax professionals from identity theft, security threats
Issue Number: IR-2024-224
Week 8 of “Protect Your Clients; Protect Yourself” series focuses on important steps to protect data
WASHINGTON — Concluding a special summer awareness campaign, the Internal Revenue Service and the Security Summit today urged tax professionals to maintain strong safety measures to protect themselves and their taxpayer clients against evolving data security threats.
In this eighth and final installment of the “Protect Your Clients; Protect Yourself” series, the IRS and Security Summit partners strongly recommended tax professionals to embrace critical and necessary steps to protect sensitive information, including taking extra care with how they handle data and security.
“Tax professionals remain a tempting target for identity thieves and cybercriminals,” said IRS Commissioner Danny Werfel. “They face countless attacks from those hoping to harvest valuable personal and financial information that can be used to file an authentic-looking tax return and slip through the tax system’s defenses. By taking some basic steps, tax professionals at firms both large and small can protect their clients and protect themselves from these relentless security threats.”
The Security Summit is a public-private coalition started in 2015 with tax professionals, industry partners, state tax groups and the IRS to guard the tax system against tax-related identity theft and fraud. The Summit group succeeded in bolstering internal defenses to protect against identity theft, a collective effort that has protected millions of taxpayers through the years.
But as the IRS and the Summit partners increased their vigilance, identity thieves shifted their attention to collect better data and focused on targeting tax professionals and businesses to clandestinely harvest information to file authentic-looking tax returns. With this shift in focus, the Summit partners have worked for the past nine years to raise awareness in the tax professional community through the “Protect Your Clients; Protect Yourself” campaign. Stronger tax pro defenses protect not just their firms, but also their clients and the greater tax system.
Tax pros can see the entire summer series on a special page at IRS.gov.
Identity thieves continue to change their tactics, and security threats against tax professionals remain a daily threat. In the first half of the year, IRS Stakeholder Liaisons have already received reports of nearly 200 tax professional data incidents potentially affecting up to 180,000 clients.
This summer’s special awareness campaign coincided with the IRS Nationwide Tax Forum, which visited four cities this summer and concludes the week of September 9 in San Diego. That final session has already sold out.
Tax pros should remain on the lookout
Tax pros should know identity thieves take many different approaches to steal sensitive information, and there are several common schemes to look out for.
For example, in a presently trending scheme, some scammers pose as new clients reaching out to practitioners to get their sensitive information or client data. In these fake “new client” schemes, a fraudster can send a malicious attachment or include a link to a site that a tax pro wrongly thinks they need to get the supposed new client’s tax information. However, the site is actually collecting information from a tax pro, such as their email and password, or loading malware onto the tax pro’s computer.
Other scammers send phishing emails to trick people into sharing other content, such as Central Authorization File information.
Phishing and related scams are among the most common threats facing tax pros. These are designed to deceive recipients into disclosing personal information such as passwords, bank account numbers, credit card numbers or Social Security numbers, or fool them into clicking a suspicious link, filling out information or downloading a malware file.
Scammers also employ elaborate schemes involving calls, texts and even fake printed correspondence to try to worm their way into tax pros’ sensitive files. Professionals should also watch out for clients being duped by social media scams circulating inaccurate or misleading tax information.
Watch out for warning signs
Tax pros should also learn the signs of data theft so they can act quickly to protect their clients. These red flags can include a notice that an IRS online account was created without their consent, clients receiving a tax transcript they didn’t request or client tax returns being rejected because their Social Security number was already used on another return. Other warning signs can be more technical in nature, like unexpected slowdowns on their computer networks or cursor movements or number changes when no one is touching a mouse or keyboard.
If tax pros encounter situations like these or others, they should contact the IRS immediately when an identity theft issue surfaces.
Helpful tools available
The IRS and Security Summit reminded tax pros that they now need to have a Written Information Security Plan, or WISP. As part of this summer’s awareness effort, the Summit Tax Professionals Working Group released an updated WISP template to help tax and industry professionals keep customer and business information safe and secure.
The requirements include implementing multi-factor authentication or MFA for any individual accessing any information system unless a firm’s qualified individual has approved in writing the use of reasonably equivalent or more secure access controls.
MFA is required for tax pros’ systems under new Federal Trade Commission rules to strengthen account security by requiring more than just a username and password to confirm one’s identity when accessing any system, application or device. Other factors include something users have, like a token or random number sequence sent to their cell phone, or something about them like biometric information, to provide extra assurance that a tax pro’s client is gaining access rather than an impostor.
This summer’s series also highlights for tax professionals the importance of using a set of protections called the Security Six: anti-virus software, firewalls, backup software or services, encrypted drives, MFAs and virtual private networks or VPNs.
The IRS and the Security Summit partners also reminded tax pros and taxpayers about the IRS Identity Protection PIN Opt-In Program and to set up IRS online accounts. Both steps help further protect people against tax-related identity theft.
After a taxpayer gets a six-digit IP PIN, they must include it on their tax return before e-filing. To get one, taxpayers should visit the Get an IP PIN, and after they have it, remember the following:
- Taxpayers should share their IP PIN only with their trusted tax prep provider.
- Tax pros should never store clients’ IP PINs on computer systems. This reduces taxpayer risk if a tax pro’s system is compromised by an identity thief or cyberattack.
- The IRS will never call, email or text either taxpayers or tax professionals to request the IP PIN. This is a sign of a scam.
Tax pro with a security problem? Contact an IRS Stakeholder Liaison, states and FTC
Tax pros who receive scams by email should send the email to phishing@irs.gov.
Those who fall victim to a security breach should report a theft to their IRS Stakeholder Liaison, who will ensure that appropriate IRS offices are alerted. If incidents are reported quickly, the IRS can take steps to block fraudulent returns in clients’ names and will assist tax pros through the process.
Tax professionals can also share information with the appropriate state tax agency by visiting a special “Report a Data Breach” page with the Federation of Tax Administrators.
Tax professionals should also understand the FTC data breach response requirements as part of their overall information and data security plan. The new WISP also includes information on the requirement to report an incident to the FTC within 30 days of the incident when 500 or more people are affected.
Additional resources
- Review Publication 5293, Data Security Resource Guide for Tax Professionals, which provides an overview and resources about how to avoid data theft.
- Tax professionals can also get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data, the IRS’ Identity theft information page for tax pros and Identity theft central page.
- Publication 5709, How to Create a Written Information Security Plan for Data Safety.
- Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice.
- Read Small Business Information Security: The Fundamentals, by the National Institute of Standards and Technology.
Tax professionals should also stay connected to the IRS through subscriptions to e-News for tax professionals and its social media sites.