Somewhere in the universe, a tax pro like you is hitting the Enter key on his computer to send a piece-of-cake 1040 on its merry way to the IRS. In return he gets—a rejection. A return using his taxpayer’s name and SSN has already been filed and accepted.

Unfortunately that’s the way a lot of tax practitioners are first alerted to possible identity theft of their client data. All too often practitioners are victims of theft and don’t even know it.

Bad Guys Getting Badder

Even though the IRS and its industry partners on the Security Summit are making progress against would-be identity thieves, the cyber-crooks continue to evolve, and tax-related data thefts at professionals’ offices are on the rise. The thieves use the stolen data from tax offices to create bogus returns that are harder to detect since they contain real data that matches IRS records.

But while cybercriminals may be hard to detect, their activities are not altogether invisible. The IRS and the Security Summit have come up with a list of warning signs that can signal a tax office has been hacked:

• Client e-filed returns begin to be rejected because returns with their Social Security numbers were already filed
• Clients who haven’t filed tax returns begin to receive taxpayer authentication letters (5071C, 4883C, 5747C) from the IRS
• Clients who haven’t filed tax returns receive refunds
• Clients receive tax transcripts that they did not request
• Clients who created an IRS online services account receive an IRS notice that their account was accessed or IRS emails stating their account has been disabled. Or clients unexpectedly receive an IRS notice that an IRS online account was created in their names
• The number of returns filed with the tax professional’s Electronic Filing Identification Number (EFIN) exceeds the number of clients
• Tax professionals or clients responding to emails that the firm did not send
• Network computers running slower than normal
• Computer cursors moving or changing numbers without touching the keyboard
• Network computers locking out employees.

The reject scenario we used at the beginning comes about because, of course, the IRS system will only accept one unique Social Security number for a return. In our case, the bogus return was filed first, leaving the legitimate return rejected – the SSN was already in the system.

Many times, the IRS identifies a return as a possible identity theft effort and sends a letter to the taxpayer, who is asked to contact the agency to verify identity.

A recent IRS release showed the pressure today’s tax professional is under from identity thieves:

“Earlier this year, tax-savvy cybercriminals stole taxpayer data from a series of tax professionals nationwide, immediately filing fraudulent returns before the tax professionals were aware of the robbery,” the IRS states. “The crimes were first reported to the IRS by taxpayers who unexpectedly received refunds in their bank accounts. The crooks, posing as IRS contractors, tried calling the taxpayers to get them to forward the fraudulent refund to their accounts.”

Phishing – and Worse

Tax pros who fall victim to a spear-phishing email scam (a common way hackers and identity thieves access office computers) may suddenly see responses show up to emails they never sent. If a preparer mistakenly provides username and password information to a scammer, the thief often poaches the tax pro’s contact list. This gives names and email addresses of colleagues and clients to the crook, who then expands the scam.

Every tax professional in every tax prep office should be alert to phishing scams, even if the emails appear to come from a trusted source such as a colleague or client. Look for language that seems a bit “off,” or a request that is a bit unusual. If so, contact the “sender” by phone to verify, but DO NOT open any attachment or link in the email.

Perhaps the scariest revelations are the signs that office computer systems may be under attack or even under remote control. One such giveaway is if the cursor moves on the screen without input from a local operator. The IRS has many examples in which cybercriminals gained access to practitioners’ office computers, completed the pending Form 1040s, changed electronic deposit information to their own accounts and then e-filed the returns – all performed from a remote location.

Vigilance Pays

During tax season, tax practitioners should check weekly the number of returns filed with the office’s EFIN (Electronic Filing Identification Number). Tax pros can access their e-File applications and select “check EFIN status” to see a count. The report is updated every week. If the number on the report is larger than the number of returns the office shows were filed, the practitioner should call the IRS e-Help Desk at (866) 255-0654.

This is the ninth in the “Protect Your Clients; Protect Yourself: Tax Security 101” series. The Security Summit awareness campaign is intended to provide tax professionals with the basic information needed to better protect taxpayer data and help prevent filing of fraudulent returns.