In an era where identity theft is increasingly targeting tax professionals, the urgency for comprehensive security measures has never been more pronounced. The Internal Revenue Service (IRS), in collaboration with its Summit partners, is at the forefront of advocating for robust protective strategies within the tax community. This initiative is underscored by the release of the "Taxes-Security-Together" Checklist, a comprehensive guide aimed at fortifying the defenses of tax professionals against the evolving tactics of cybercriminals. 

Multi-Factor Authentication: A Mandatory Shield 

The IRS, alongside the Summit partners, strongly recommends the adoption of multi-factor authentication for tax software accounts. This security measure adds an extra layer of protection, significantly reducing the risk of unauthorized access. The recent update from the Federal Trade Commission (FTC) on safeguard standards reaffirms the necessity of multi-factor authentication, mandating its use to protect client information rigorously. 

Remote Work Security: The Role of Virtual Private Networks 

For tax professionals who find themselves working remotely, the use of a Virtual Private Network (VPN) is invaluable. VPNs create a secure, encrypted connection over the internet, shielding sensitive client data from potential interception by malicious entities. This tool is essential in maintaining the integrity and confidentiality of client information, especially in less controlled environments outside the traditional office setting. 

Federal Compliance: Drafting a Written Data Security Plan 

Under federal law, tax practitioners are required to have a written data security plan. This document outlines the strategies and measures employed to protect client data, demonstrating a commitment to cybersecurity and regulatory compliance. The creation of such a plan not only fortifies the tax professional's defenses against data breaches but also serves as a testament to their dedication to client safety. 

Phishing and Phone Scams: A Persistent Threat 

Awareness of phishing and phone scams, including sophisticated "spearphishing" schemes, is crucial. These scams often involve identity thieves posing as new clients to infiltrate the tax professional's network. Educating oneself and staying vigilant against these tactics are vital in preventing unauthorized access to sensitive client information. 

Proactive Planning: Security and Recovery 

The IRS and the Summit partners emphasize the importance of having both data security and data theft recovery plans. These proactive measures ensure that tax professionals are not only equipped to prevent data breaches but also prepared to respond effectively should a breach occur. The ability to quickly recover from a data theft incident minimizes potential damage and helps maintain client trust. 

Enhancing Tax Security: The IRS Identity Protection PIN Program 

Internal Revenue Service (IRS) has developed a robust mechanism to enhance taxpayer security: the Identity Protection Personal Identification Number (IP PIN) program. This initiative is a critical tool for taxpayers to safeguard their tax refunds and personal information from the clutches of identity thieves.  

What is an IP PIN? The IP PIN is a six-digit number that the IRS assigns to taxpayers who opt into the program. This unique code is known only to the individual taxpayer and the IRS, acting as a secret handshake between the two. When a taxpayer files their tax return with an IP PIN, it significantly increases the security of their Social Security number on the tax return. Essentially, the IP PIN serves as an additional layer of verification that the person filing the tax return is indeed the legitimate taxpayer, making it much harder for identity thieves to submit fraudulent tax filings in someone else's name. 

Obtaining an IP PIN: Getting an IP PIN assignment is a straightforward process. Taxpayers can access the "Get an Identity Protection PIN (IP PIN)" tool available on the IRS website at IRS.gov/ippin. The tool guides individuals through a secure identity verification process. Once verified, taxpayers can immediately receive their IP PIN online. This direct approach ensures that taxpayers can protect their tax filings as soon as they decide to participate in the program. 

Best practices for IP PIN security: While the IP PIN is a powerful tool in the fight against tax-related identity theft, its effectiveness hinges on how securely it is handled by the taxpayer. Here are some best practices to keep in mind: 

• Never Share Your IP PIN 

Your IP PIN should be treated as confidential information. It should never be shared with anyone except a trusted tax preparation provider. Even then, caution is advised. The security of the IP PIN relies on its confidentiality. 

• Use Trusted Tax Providers 

If you decide to share your IP PIN with a tax preparer, ensure that they are reputable and have robust security measures in place to protect your personal information. 

• Regular Monitoring  

Stay vigilant and monitor your tax records and IRS correspondence for any signs of unauthorized activity. Early detection can make a significant difference in mitigating the impact of identity theft. 

Reporting Phishing and Data Breaches 

Understanding where and how to report fraud and phishing attempts is crucial for mitigating their impact. This comprehensive guide outlines the steps tax professionals should take if they fall victim to phishing scams or data breaches, ensuring they can swiftly navigate the aftermath to protect themselves and their clients. 

Reporting Phishing Emails and Scams 

Phishing attempts, where scammers impersonate the IRS or other trusted entities, are a common tactic to deceive tax professionals into revealing sensitive information. If you receive an unsolicited email claiming to be from the IRS: 

1. Forward it to phishing@irs.gov. The IRS uses this information to track phishing trends and combat future attacks.
2. Report any financial loss to the following agencies:

• The Treasury Inspector General for Tax Administration (TIGTA): Directly involved in protecting the integrity of federal tax administration. 
• Federal Trade Commission (FTC): Addresses cases of fraud, identity theft, and other deceptive practices. 
• The Internet Crime Complaint Center (IC3): A partnership between the FBI and the National White Collar Crime Center, focusing on internet-related criminal complaints. 
• Your Internet Service Provider (ISP): Forwarding the phishing email to your ISP's abuse department can help in blocking the sender. 

Responding to Data Breaches 

For tax professionals, a data breach can have far-reaching consequences. Immediate action can help the IRS block fraudulent returns filed in clients' names and take additional protective measures. Here’s what to do: 

1. Report the breach to the local IRS Stakeholder Liaison. This ensures that the IRS Criminal Investigation and other relevant departments within the agency are notified promptly.
2. Contact law enforcement: Report the incident to the local offices of the FBI, the Secret Service, and your local police department.
3. Notify state authorities: This includes:

• Federation of Tax Administrators: Use their "report a data breach" webpage for guidance on state reporting requirements. 
• State Attorneys General: Most states mandate that data breaches be reported to the state attorney general. 

For tax professionals, staying vigilant and being prepared to act against phishing and data breaches is paramount. By knowing where and how to report these incidents, professionals can play a pivotal role in protecting not only their practice but also the integrity of their clients' sensitive information. Remember, prompt reporting and a solid action plan are your best defenses against the repercussions of digital crime.  

By implementing recommended security measures, such as multi-factor authentication and VPN usage, drafting a compliant data security plan, staying informed about phishing tactics, and preparing both security and recovery plans, tax professionals can significantly enhance their defenses. In the fight against cybercrime, staying informed and proactive is our strongest strategy. 

Drake Software® strives to offer our clients the best resources and security available in the industry. We published several blogs this year that are companion pieces for the tax preparer security topics covered above. Read our blog posts on cybersecurity, employee retention credit scams, and IRS security requirements for more preparation to fend off attacks on sensitive information. 

Additional IRS Resources: 

• Tax scams/Consumer alerts 
• IRS, Security Summit partners warn of surge in “new client” scams 
• IRS warns tax professionals to be aware of EFIN scam email 
• Protect Your Clients; Protect Yourself | Resources for Tax Professionals 
• Protect your business against data loss and fraud 
• Watch out for tax scams and report fraudulent messages 
• Data Theft Information for Tax Professionals 
•  Creating a Written Information Security Plan for your Tax & Accounting Practice (Publication 5708) 
• Safeguarding Taxpayer Data: A Guide for Your Business (Publication 4557)