The Internal Revenue Service and members of the Security Summit warn the nation’s tax professionals that it’s time to improve security measures for protecting their data and the data of their clients.

Data thefts at tax practitioners’ offices are still on the rise. They lead to fraudulent tax returns that can be especially tough for the IRS and state tax agencies to detect.

"The IRS and the Security Summit partners urge all tax professionals to take stronger security steps to protect themselves and their clients," said Acting IRS Commissioner David Kautter. "With the help of the Summit partnership, the IRS has made major progress protecting taxpayers in the battle against tax-related identity theft. But the threat remains, and we need the help of tax professionals to take basic steps to safeguard their systems and taxpayer data."

The Security Summit – made up of IRS personnel, state taxing agency representatives and tax industry partners – is joining the IRS in announcing a new security awareness campaign aimed at the nation’s tax professionals. Called “Protect Your Clients; Protect Yourself: Tax Security 101,”  the awareness campaign builds on previous efforts by the IRS to provide tax pros with the basic information needed to protect taxpayer data and prevent fraudulent filing of tax returns.

This new initiative, however, goes farther.

“Tax Security 101” follows recommendations made by the Electronic Tax Administration Advisor Committee (ETAAC), which cautioned that tax practitioners “are at increasing risk” of security threats.

In spite of advances by the IRS, state tax agencies and others, criminal tactics continue to evolve, so data thefts from tax prep offices are on the rise. Using stolen taxpayer data, thieves file fraudulent returns that are harder to detect. Identity thieves are technically sophisticated and are backed many times by well-funded and tax-savvy criminal syndicates, both here and abroad.

Helpful Pubs for Pros

To better reflect the current threats to tax professionals, the IRS has updated its Publication 4557, Safeguarding Taxpayer Data. This guide outlines basic steps that tax pros should take, how to take them, and provides details on how to comply with requirements for a data security plan.

The IRS has also created a new document, Publication 5293, Data Resource Guide for Tax Professionals, which offers a wealth of IRS resources for tax preparers.

Both publications promote the basic security steps endorsed by the Security Summit partners for tax practitioners. These include:

• Learn to recognize phishing emails, especially those pretending to be from the IRS, a tax software provider, cloud storage provider or state tax agencies. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates initial contact with a tax professional via email.
• Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
• Review internal controls for their business: 
• Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
• Create passwords of at least eight characters; longer is better. Use different passwords for each account, use special and alphanumeric characters, use phrases, password protect wireless devices and consider a password manager program.
• Encrypt all sensitive files/emails and use strong password protections.
• Back up sensitive data to a safe and secure external source not connected fulltime to a network.
• Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
• Limit access to taxpayer data to individuals who need to know.
• Check IRS e-Services account weekly for number of returns filed with EFIN.
• Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
• Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alert and Social Media.

One more reminder from the IRS: the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act, requires certain financial entities – including professional tax return preparers – to create and maintain a security plan for the protection of client data. The Federal Trade Commission administers this law and its “Safeguards Rule” regulations.

Worst Fears Realized

If we needed any convincing, a “worst case scenario” played out this last tax season to show just how sophisticated these cybercriminals have become.

A gang of cyber-thieves breached numerous tax preparer offices by gaining remote control access of computers; this allowed them to steal taxpayers’ 2016 tax information. The cybercriminals then used that data to file fraudulent 2017 tax returns. These fake returns carried the stolen real data – including bank account numbers for direct deposit.

The thieves’ next move was to call the taxpayers to trick them into “returning” the fraudulent refunds. In some cases, it didn’t matter; the gang already had so much information from the stolen taxpayer files they could access the clients’ online bank accounts and steal the refunds directly. Many times, the tax pros never even knew their client data had been stolen at all.

The moral of the story is to Be Prepared. If you can, attend one of the IRS Nationwide Tax Forums to hear the latest news, defense tactics and more. The IRS tells us that data security will figure prominently in EACH forum in the series. Check out the new IRS publication on data security.

This is a fight we can’t afford to lose. Remember, every additional step you take to secure client data matters.