
Cyberattacks: Winning Strategies to Help Safeguard Your Clients’ Data

You are your clients’ most trusted advisor. You are the gatekeeper to their sensitive financial data and possess the expertise to help them navigate today’s complex tax landscape. Unfortunately, there are others who also find you to be of great value: cybercriminals.

Cybercriminals have stepped up their attacks on tax professionals and, regardless of firm size, practitioners must be extremely diligent in protecting their clients and their business against fraud. In fact, during the 2018 tax filing season, the IRS reported that it received five to seven reports per week from tax firms that experienced a data theft.

And new research by the American Institute of CPAs found that managing privacy/security risks was a top concern among firms of all sizes. This comes as no surprise given the evolving tactics threatening the tax community and their clients.

In light of the growing threat, the IRS has urged practitioners to take steps to protect client data and has reminded tax preparers that they are required by federal law to create and maintain a written data security plan.

“As the IRS, the states and the tax industry improve our defenses against tax-related identity theft, cybercriminals are looking for better data sources to fill out fraudulent tax returns,” said IRS Commissioner Chuck Rettig in a press statement. “This makes tax professionals and their client data a treasure trove for cybercriminals to target. Tax professionals are a critical line of defense, and we urge them to protect their data, their systems and their clients. And we want taxpayers to seek out reliable tax professionals who use the latest security features.”

The threats facing today’s practitioners and their clients are real. The good news is that there are measures you can take to help safeguard your clients’ data and avoid becoming a statistic.

Find the Right Software Providers

When selecting a software provider, it is important to do your due diligence to ensure that security is a top priority for that vendor and that they have key security measures in place. This also holds true when selecting a provider of wage and information reporting products and services.

“Security is a top priority for Greatland, and we have made significant investments to protect customer data. We have adopted a multilayered approach that covers everything from security of systems to security of our facilities and employees. Our Information Security team has built a program based on ISO and NIST controls and we are audited annually [SOC 2] by an independent service auditor to validate the program is working as intended,” said Phil Kirchner, Greatland’s chief information security officer.

As explained by the AICPA, a SOC 2 audit provides detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

When evaluating software providers, consider the following questions:

  • Have security policies been designed to protect data as it is received, processed, and stored?
  • Does the provider highlight the importance of staff education on policies and security threats, as well as monitoring of policy adherence, to ensure it has an informed and engaged team combating threats?
  • Does the vendor leverage the most recent firewall technology, in combination with rigorous firewall settings and threat detection models, to segment and protect network resources and customer data?
  • Is data encryption utilized when data is stored on its systems, as well as in transit to and from customers?
  • Are its systems monitored 24/7 for threats, and does it use state-of-the-art services and tools to actively monitor systems and report issues that require attention?


Be Proactive

Your best defense against fraud is to stop cybercriminals before they strike. This may seem easier said than done but it is important to remember the proactive steps you can take to mitigate risks and better safeguard your clients’ data. Consider the following:

Limit the data, limit your exposure. Develop a retention policy for your data and stick to it. It is important to ensure that data outside the timeframe of your retention policy is eliminated from your system.

If in doubt, throw it out. Do not click on suspicious emails, or open attachments or links within these emails. Many of the current threats come through email and execute malicious programs.

Educate staff. Educate staff on how to spot these types of emails, and how to respond if a suspicious email is received. It is easier to prevent a cyberattack up front than to rely on something on the back end to catch the attack.

Use multi-factor authentication. MFA is important as it adds an extra layer of identity verification to a login process. Some providers of software products for tax professionals offer two-factor or even three-factor authentication. An example of two-factor authentication: you must enter your credentials (username and password) plus a security code sent as a text to your mobile device before you can log into an account.

Stay current. Ensure that all of your systems are up to date and current with patches. Computer vendors and threat detection vendors often have information before a threat becomes widespread. By keeping your systems up to date, you can avoid becoming a target.

Create strong passwords. Be sure to create strong, unique passwords (a combination of letters, numbers and symbols) for each account and device.

Have a plan. As noted by the IRS, the Gramm-Leach-Bliley Act of 1999 requires all financial institutions, which it also defines as professional tax preparers, to create and maintain information security plans. The Federal Trade Commission administers this law and created a Safeguards Rule to administer it. The IRS also recommends creating an action plan outlining the steps you would take in the event of a data theft.

Educate Clients

Tax form filing season can be stressful for business owners and being vigilant in assembling and reviewing reporting documents to avoid misfilings is no doubt essential. However, you can further help your clients by educating them on the risks of fraud and the steps they can take to better protect their business. This can help strengthen your client relationships and further position your firm as a trusted advisor.

Consider this: The number of businesses reporting they are victims of tax-related identity theft increased by 10 percent for 2018, with 2,450 reports compared with 2,233 reports in 2017, according to the IRS.

Cybercriminals employ various tactics to target businesses. They may file a fraudulent tax return, a fraudulent quarterly tax payment or use stolen Employer Identification Numbers to create fraudulent Forms W-2. Fraudsters also may impersonate business executives to convince payroll or finance employees to disclose employee W-2 information or make wire transfers.

In fact, the IRS has warned employers that they should be on guard against a growing wave of identity theft and W-2 scams. This scheme has become one of the more dangerous email scams, and the IRS has even developed a special reporting process.

According to the IRS, here’s how the W-2 scam works:
  • These emails appear to be from an executive or organization leader to a payroll or human resources employee.
  • The message usually starts with a simple greeting, like: “Hey, you in today?”
  • By the end of the email exchange, all of an organization’s Forms W-2 for their employees may be in the hands of cybercriminals.
  • Because payroll officials believe they are corresponding with an executive, it may take weeks for someone to realize a data theft has occurred.
  • Generally, the criminals are trying to quickly take advantage of their theft, sometimes filing fraudulent tax returns within a day or two.

Businesses that believe they have fallen victim to such an attack should do the following, according to the IRS:

  • Email dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type “W2 Data Loss” so that the email can be routed properly. The business should not attach any employee personally identifiable information data.
  • Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
  • File a complaint with the FBI’s Internet Crime Complaint Center. Businesses and payroll service providers may be asked to file a report with their local law enforcement agency.
  • Notify employees. The employee may then take steps to protect themselves from identity theft. The Federal Trade Commission’s www.identitytheft.gov provides guidance on general steps employees should take.
  • Forward the scam email to phishing@irs.gov.

Whether you’re a sole practitioner or a larger firm, it is essential that you not underestimate the growing threats facing both your firm and your clients. Falling victim to such attacks could spell a loss of sensitive data, a disruption to your operations, financial losses, and potential harm to your firm’s reputation. Turn to experts, like Greatland, who can help your firm ensure data security and take the necessary proactive measures to prevent an attack before it strikes.
