Awareness of ID theft and cybersecurity precautions for tax professionals

For many years, we’ve been hearing about identity theft, and certainly have seen news articles about company database breaches and hacked bank accounts. Most recently, the SBA reported millions of dollars awarded to nonexistent businesses from “fake PPP loan applications.”  

You may have encountered situations in which client notices contradict your records. I recall a case where the spouse of an elderly couple received a notice pertaining to the balance due on her “recently filed” tax return. As I informed the IRS hotline agent that the couple would be filing their joint return once our firm had finalized it, we realized at once that this was a case of identity theft. It seems that the market rate for an elderly person’s Social Security number and basic data is $1,000 a pop. Now, picture the database of an accounting firm – without proper precautions, firm databases afford access to exactly the type of information hackers need to carry out their fraud. 

In our office, we work closely with our IT firm to make sure we have a strong firewall, use secure portals for data transmission to and from clients, set strong passwords, and use multi-factor authentication software products. But, what happens when we are working remotely during COVID-19? Consider the typical household, with numerous people using numerous devices through the same internet connection. Along with our family members, we are working, learning, shopping, connecting, and streaming our favorite movies while accessing the same internet connection. Think about the possibilities for potential security breaches with this model.

The IRS has. Cybersecurity was the focus of their 5^th Annual National Tax Security Awareness Week; you can follow the link to access IRS news releases, tax tips, e-posters, and YouTube videos.

Information from the IRS can help you identify weaknesses in your system and guide you in making a plan to help keep your client data secure. 

• Review the Taxes-Security Together Checklist, which is “intended to help tax professionals review their current security practices, enhance safeguards where necessary, and take steps to protect their businesses from cybercriminals.” 
• Deploy “Security Six” basic safeguards:
  • Use antivirus software and set it for automatic updates to keep your systems secure. This includes all digital products, computers, and mobile phones.
  • Use firewalls. Firewalls help shield computers from outside attacks, but cannot protect systems in cases where users accidentally download malware from phishing email scams, for example.
  • Use multi-factor authentication to protect all online accounts, especially tax products, cloud software providers, email providers, and social media.
  • Back up sensitive files, especially client data, to secure external sources, such as external hard drive or cloud storage.
  • Encrypt data. Tax professionals should consider drive encryption products for full-drive encryption. 
  • Use a virtual private network (VPN) product. As more practitioners work remotely, a VPN is critical for secure connections.

• Create a data security plan:
  • Educate yourself on phishing scams; remind your clients that the IRS and other reputable companies do not demand payment using gift cards, prepaid debit cards, or wire transfers. 
  • Recognize the signs of client data theft.
  • Create a data theft recovery plan.
  • Call the IRS or other agency immediately upon discovering the incident.

Another excellent short data security resource guide is IRS Publication 5293, Protect Your Clients; Protect Yourself.

I am thrilled that the IRS has now allowed tax practitioners to request ID Protection Pins for their most vulnerable clients, and hope that this will curtail some of the tax return-related fraud that has been perpetrated throughout the years. Unfortunately, with current stimulus packages promising millions of dollars come new schemes. For example, our office received an unemployment notice for one of my employees using an out-of-date address associated with her name. She contacted the New York State Department of Labor and reported the error. The process to inform them of the mistake was time consuming and needed to be repeated several times, as payment notices and payments continued for at least three months. We heard of several other individuals whose information was used in a similar manner.

I know what you are thinking: This may be happening to some of my clients, who may first find out about the fraud when they receive a Form CP2000 from the IRS showing an underreporting of income. What can we do to be proactive, and how can we protect our clients or help them resolve this issue? 

• Let’s start by making sure that our system is secure and not a resource for cybercriminals.
• You can also deliver extra peace of mind to your clients by providing them with affordable identity theft coverage. Check out Intuit’s Audit Assistance and ID Theft Restoration. 
• Request proper authorization from your client, so that you can access IRS payee documents and notices, applicable state notices and filing records, and/or applicable department of labor records.
• For those most vulnerable taxpayers, consider putting their 2020 tax return on extension, so that you have time to check for documents and notices that may not have been received by the taxpayer.

If you find that your client is a victim of cybercrime:

• Alert them immediately to the situation.
• If you have not already done so, obtain the proper authorization that will enable you to contact the IRS, their state, applicable department of labor, and other sources.
• Remind them that they will get several notices – some in the next few months, and others a year or two later – unless you catch and resolve the issue.
• Remember that this is a separate engagement, and as such, should be undertaken after receiving a signed engagement letter defining the additional charges for this service.

These are stressful times! Educating your clients to recognize common scams, and appropriate IRS and state contact methods, as well as supporting them when they do fall victim to cybercrime, will go a long way to cementing your relationships. It’s also a great way to show your value as a resource to them.