Accounting Firms: Confirming Security of Client Information After Reports of Tax Fraud
The July 15, 2020 extended tax-filing deadline is upon us. Accounting and tax preparation firms are squarely in the crosshairs of opportunistic cyber criminals looking to obtain and exploit sensitive information for the purposes of committing tax fraud.
Unfortunately, thousands of Americans will see fraudulent tax returns filed in their names this year, and the accounting firm that files the client’s taxes is often the most obvious target for blame (read our previous blog post on how to defend against such attacks). However, the source of the tax exploit may not be as obvious as it seems.
Personal information compromises come in many forms, and there are numerous sources other than an accounting firm from which an individual’s tax-related information can be obtained and aggregated. Even where multiple clients report fraudulent tax filings, it is imperative that accounting firms do not reflexively assume that a breach in the security of their system is responsible for the compromise to their clients’ information. Instead, the firm should first conduct a comprehensive forensic investigation to determine if there is evidence that any client’s personal information was exploited in connection with a system compromise.
What To Do If Clients Report Tax Fraud
Once a firm has received notification from a client, or multiple clients, that a tax return has been fraudulently filed, the firm should immediately contact its cyber insurance carrier, which can refer the firm to both legal counsel and forensic experts for the purpose of conducting a thorough investigation of the firm’s network systems under the protection of attorney-client privilege.
A forensic investigation can provide valuable information, including whether:
- Unauthorized IP addresses have attempted to connect, or have successfully connected to, the firm’s network;
- An unauthorized person browsed to any directories containing sensitive client information;
- Credential harvesting tools or other malware have been placed on the network to expand the scope of compromise; and
- Any sensitive client information has been accessed or exfiltrated from the network by an unauthorized person.
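The checklist above describes the kinds of evidence a forensic team looks for in a firm's logs. The following script is an added illustration, not code from the original post or from any forensic vendor: it runs a first-pass triage over a handful of constructed access-log lines and groups them into the categories the list names (connections from addresses outside the firm's known ranges, browsing of directories that hold client tax data, and unusually large outbound transfers). The log format, the known address ranges, the sensitive directory names and the size threshold are all assumptions made for the example; a real investigation would work from the firm's actual VPN, file-server and firewall logs and would treat these findings as leads to be corroborated, not as conclusions.

```python
"""
Added example (not from the original post): first-pass triage of constructed
access-log lines for the indicator categories the forensic checklist names.
Every IP range, path, threshold and log line below is constructed for the
example and is not taken from any real firm or incident.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: address ranges the firm recognises (office LAN and VPN pool).
KNOWN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("192.0.2.0/24")]

# Constructed: directories that hold sensitive client tax information.
SENSITIVE_DIRS = ("/clients/", "/returns/")

# Constructed: outbound transfer size above which a download is flagged for review.
EXFIL_BYTES = 50 * 1024 * 1024

# Constructed log format: "<ts> <event> src=<ip> user=<name> [path=<path>] [bytes=<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) src=(?P<src>\S+) user=(?P<user>\S+)"
    r"(?: path=(?P<path>\S+))?(?: bytes=(?P<bytes>\d+))?$"
)


def is_known_source(ip_text):
    """True if the address parses and falls inside one of the firm's known networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in KNOWN_NETWORKS)


def triage(lines):
    """Return a dict mapping an indicator category to the log lines that triggered it."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            # Lines that do not fit the expected format are kept for manual review.
            findings["unparsed"].append(line)
            continue
        src, event = m["src"], m["event"]
        path = m["path"] or ""
        nbytes = int(m["bytes"] or 0)
        external = not is_known_source(src)
        # Checklist item 1: connection attempts (successful or not) from unknown addresses.
        if external and event in ("login", "login_failed"):
            findings["external_connection"].append(line)
        # Checklist item 2: an unknown source browsing directories with client data.
        if external and event == "browse" and path.startswith(SENSITIVE_DIRS):
            findings["sensitive_dir_access"].append(line)
        # Checklist item 4: large outbound transfers, flagged regardless of source
        # because a compromised internal account can exfiltrate just as well.
        if event == "download" and nbytes >= EXFIL_BYTES:
            findings["large_outbound_transfer"].append(line)
    return dict(findings)


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2020-07-10T08:01:12Z login src=10.20.4.17 user=jsmith",
    "2020-07-10T23:41:03Z login_failed src=198.51.100.77 user=admin",
    "2020-07-10T23:42:10Z login src=198.51.100.77 user=admin",
    "2020-07-10T23:45:52Z browse src=198.51.100.77 user=admin path=/clients/2019/",
    "2020-07-10T23:47:30Z download src=198.51.100.77 user=admin path=/clients/2019/all.zip bytes=104857600",
    "2020-07-11T09:15:00Z browse src=10.20.4.17 user=jsmith path=/clients/2019/",
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(hits)} line(s)")
        for hit in hits:
            print("   ", hit)
```

Run as-is, the script reports two external connections, one sensitive-directory access and one large transfer, all from the same constructed address, while the internal user's browsing of the same directory is not flagged. That asymmetry is deliberate: the checklist item about credential-harvesting tools (item 3) is not something access logs alone can answer, and an internal account that browses client directories is only suspicious once host forensics show its credentials were stolen, which is why the post recommends a full investigation rather than a log scan.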
If, after a complete and thorough forensic investigation, no indicators of compromise (IOCs) are found on the network, then the incident may not be properly attributable to the accounting firm. However, if IOCs are found on the network, the firm, with the assistance of legal counsel and the forensics team, can gain a more comprehensive understanding of the scope of the incident and provide notification, if necessary, to any impacted individuals.
Assuming responsibility for a fraudulent tax filing before a forensic investigation is completed may place an unwarranted burden on the tax preparer, and can also result in unfounded reputational harm. Conducting an independent investigation into the security of the firm’s network, and the information contained therein, is a crucial step in determining the extent of responsibility an organization should assume for an information compromise.