Practice Management Make your office a “no phishing” zone Read the Article Open Share Drawer Share this:Click to share on Twitter (Opens in new window)Click to share on Facebook (Opens in new window)Click to share on LinkedIn (Opens in new window) Written by Intuit Accountants Team Modified Jan 21, 2022 3 min read Phishing is a year-round pastime for scammers seeking to steal sensitive data about your clients or your company, but phishing scams inevitably ramp up at tax return time. During the 2021 filing season, for example, the IRS urgently warned tax professionals of a phishing scam designed to steal Electronic Filing Identification Numbers (EFINs). The IRS also warned that the ramp-up of remote transactions during COVID-19 have spawned phishing expeditions by scammers posing as potential clients. Obviously, learning to identify and to avoid these kinds of phishing expeditions is imperative. However, there are other steps you can—and should—take to protect your data. Secure your office. Make sure all physical and virtual client files are protected from unauthorized access. For example: Lock doors to file rooms and computer rooms. Permit access to client files only on an authorized need-to-know basis. Make sure client information, including data on computer hardware or other media, is not left unsecured inside or outside the office, such as on desks or photocopiers, in trash cans, or in employees’ vehicles or homes. Provide for secure disposal of client information, such as by shredding unneeded documents or destroying digital media by incineration, pulverizing, shredding, disintegration, or melting. Secure your systems. While trolling in your trash is not unheard of, your computer systems are likely to be the prime target for identity theft. Here are some steps you can take to prevent a computer data breach: Require separate user names and passwords for each individual with computer access—and disable and remove inactive users. Make sure users set up strong passwords with a combination of numbers, symbols, and upper and lowercase letters—and require periodic password changes every 60 to 90 days. Lock out users after three invalid access attempts—anyone can make a typo, but three strikes and you’re out. Monitor computer systems for unauthorized access by reviewing system logs. Protect internet-connected computers with a firewall or other barrier device. Maintain hardware and software regularly. Secure your storage. IRC Sec. 6107(b) requires you to maintain client data for three years after their returns have been filed, but these records should be separated from your active files. Back up client data regularly and store it on separate secure computers or media that are not connected to the internet. Remove client information once the retention period expires by using software designed to securely remove the data. How to spot a phishing email The IRS offers these tips on how to spot—and avoid—a phishing email. It contains a link. Scammers often pose as the IRS, financial institutions, tax companies, or software providers. They may claim that you need to update your account or change a password. The email offers links to a spoofing site that may look similar to the legitimate official website. Do not click on the link. If in doubt, go directly to the legitimate website and access your account. It contains an attachment. Scammers often include an attachment to an email. This attachment may be infected with malware that can download malicious software onto your computer without your knowledge. If it’s spyware, it can track your keystrokes to obtain information about passwords, Social Security numbers, or other sensitive data. Do not open attachments from unknown sources. It appears to be from a government agency. Scammers attempt to trick people into opening email links by posing as the IRS and other government agencies. The IRS does not initiate taxpayer communications through email. It’s an “off” email from a friend. Scammers also hack email accounts and try to leverage the stolen email addresses. You may receive an email from a “friend” that just doesn’t seem right. It may be missing a subject for the subject line or contain odd requests or language. If it seems off, avoid it and do not click on any links. It has a lookalike URL. A questionable email may try to trick you with the URL. For example, instead of www.irs.gov, it may be a false lookalike. Check out the Intuit® Tax Pro Center’s array of articles on fraud and security for more information and helpful tips. Previous Post Intuit® ProConnect™ Tax sets newly merged firm on path to… Next Post The pros and cons of hiring independent contractors for your… Written by Intuit Accountants Team The Intuit® Accountants team provides ProConnect™ Tax, Lacerte® Tax, ProSeries® Tax, and add-on software and services to enable workflow for its customers. Visit us at https://proconnect.intuit.com, or follow us on Twitter @IntuitAccts. More from Intuit Accountants Team Comments are closed. Browse Related Articles Tax Law and News Annual inflation adjustments for TY24 and TY25 Practice Management Intuit is committed to your success Practice Management Lacerte® Tax spotlight: Karl J. Strube, CPA Practice Management ProConnect™ Tax Online spotlight: Alejandra Matias Practice Management ProConnect Tax Virtual Bootcamp: Jan. 15-16 Webinars Navigating Common IRS Red Flags: Jan. 20 Webinars Pay-by-Refund: Jan. 20 Webinars Practical Security Checklist: Jan. 14 Tax Law and News January 2025 tax and compliance deadlines Workflow tools On the Books podcast: Merry books-to-tax season