Know the Warning Signs of Client Data Theft
Ever had one of those days at work where things just didn’t seem quite right? Did you ever wonder if those little nagging problems might point to something larger – something like client data theft?
Since we’re between tax seasons, maybe now is a good time to brush up on the telltale signs that the office may have experienced a data theft that led to bogus tax returns being filed in your clients’ names.
The Internal Revenue Service and its Security Summit partners are taking this time to urge the tax community to review their data security protection. They’ve offered a “Taxes – Security – Together” checklist as a starting point. And knowing the warning signs of client data theft is Number 4 on the list.
Previous checklist items include: deploying the “Security Six” basic steps, creating a written data security plan and educating yourself on email phishing scams.
“Learning the signs of identity theft is critical for anyone handling taxpayer data,” said IRS Commissioner Chuck Rettig. “It can be as subtle as an unusually slow computer system or as obvious as multiple clients unexpectedly receiving the same IRS notice. Paying attention to these details is critical, and fast action alerting the IRS and calling in a security expert can help protect taxpayers and your business.”
No doubt about it, the Security Summit – made up of IRS and state taxing agency officials and tax industry partners – is making big progress against tax-related identity theft. But the fight is far from won. Cybercriminals are an agile lot and have learned to quickly evolve. So data thefts at tax professionals’ offices remain a major attack strategy. The stolen data is then used to create fraudulent returns that are harder for the IRS and its Summit partners to detect.
Signs of Client Data Theft
The IRS and Summit partners have created a list of warning signs that a tax professional or their office may have experienced a data theft:
- Client e-filed returns begin to be rejected by the IRS or state tax agencies because returns with their Social Security numbers were already filed;
- Clients who haven’t filed tax returns begin to receive taxpayer authentication letters (5071C, 4883C, 5747C) from the IRS to confirm their identity for a submitted tax return.
- Clients who haven’t filed tax returns receive refunds;
- Clients receive tax transcripts that they did not request;
- Clients who created an IRS Online Services account receive an IRS notice that their account was accessed or IRS emails stating their account has been disabled. Another variation: Clients unexpectedly receive an IRS notice that an IRS online account was created in their names;
- The number of returns filed with the tax professional’s Electronic Filing Identification Number (EFIN) exceeds the number of clients;
- Tax professionals or clients responding to emails that the firm did not send;
- Network computers running slower than normal;
- Computer cursors moving or changing numbers without touching the keyboard;
- Network computers locking out employees.
“Tax professionals should be on the lookout for these scary scenarios that have hit firms across the country, jeopardizing data of the company and their clients,” Commissioner Rettig said.
Because federal and state tax systems only accept one unique Social Security number, taxpayers often discover they are a victim when they attempt to e-file and their tax return is rejected because a return with their SSN already is in the system. More commonly, the IRS identifies a return that could be an identity theft return and sends a letter to the taxpayer asking them to contact the agency to let the IRS know if they filed the return.
Sometimes, the identity thief will attempt to leverage his stolen data by using the taxpayer’s information to access the IRS’ Get Transcript system. Such an attempt to create a fraudulent account will generate another warning sign: the two-factor authentication system used by Get Transcript will disable the account and send the taxpayer a letter to confirm their identity.
Taxpayers who get a transcript in the mail but did not order one are another warning sign that client data may be misused.
Check Your EFIN
One easy way to see if your client data may be compromised is to make a weekly check of returns filed under your office’s Electronic Filing Identification Number (EFIN). Tax pros can access their e-File applications and select “Check EFIN Status,” to see a count. The report is updated weekly. If the numbers are inflated, contact the IRS e-Help Desk at (866) 255-0654.
Check for acknowledgements for returns you didn’t e-file. Acks are usually sent soon after a return is transmitted.
Evidence Something’s Phishy
Tax pros who fall victim to “spear phishing” email scams may suddenly see responses to emails they never sent. If a practitioner is duped into providing username and password information to the thief, the cybercriminal often harvests the tax pro’s contact list, stealing names and email addresses of colleagues and clients. This further enables the crooks to use the tax firm to expand their scam.
Always be alert to phishing scams, even if the emails appear to come from a colleague or client. If the language sounds a bit off or if the request seems unusual, contact the “sender” by phone to verify rather than opening a link or attachment.
Finally, there are several signs that office computer systems may be under attack or may be under remote control, such as the cursor moving with no one at the keyboard. The IRS is aware of many examples where cybercriminals gained access to practitioners’ office computers, completed pending Forms 1040, changed electronic deposit information to their own accounts and then e-filed the returns – all performed remotely.
Tax professionals who notice any signs of identity theft should contact their state’s IRS Stakeholder Liaison immediately. The process for reporting data theft to the IRS is outlined in Data Theft Information for Tax Professionals.