Tax Return Theft: Tips for Prevention and Response
As the Internal Revenue Service warned tax professionals in November, malicious actors are currently attempting to hack into tax preparers’ networks to steal 2020 tax return information. If you are a professional tax preparer, you are a target – regardless of the size of your business. Malicious actors target information including tax returns filed in previous years, Form W-2 Wage and Tax Statement images, and anything that contains unredacted Social Security numbers (SSNs).
Tax professionals should take all of the following measures to enhance the security of tax return information:
- Create a heightened awareness of phishing email messages. Train your employees to be aware of social engineering threats and adopt risk-conscious habits to avoid them. The IRS never initiates communication with a professional tax preparer via email. If a message appears to be from the IRS, e-Services, a tax software provider, or a cloud storage provider, it is probably a phishing email message. Never open links or attachments in these messages.
- Develop an incident response plan. The plan should identify the roles and responsibilities of your internal team, and contact information for your cyber insurance broker and carrier, and any third party responders, including outside legal counsel and a digital forensics firm pre-authorized by your cyber insurer.
- Disable dormant accounts, unnecessary services, and ports. It is important to disable any third party service accounts unless they are actively being used.
- Review and enable all appropriate security controls, including any intrusion detection or data loss prevention applications.
- Ensure that anti-malware software is installed on all devices and is up to date.
- Implement a complex password management program, with passwords of at least 12 characters. Users should never use the same password for different accounts.
- Implement two-factor authentication for access to user accounts to prevent unauthorized access to user accounts even passwords are stolen.
- If possible, encrypt all sensitive files and email communication.
- If possible, back up sensitive data to a safe and secure external source not connected fulltime to a network.
- Implement a record retention program to ensure that sensitive data is regularly and securely disposed of when it is no longer necessary for legitimate business purposes.
- Check IRS e-Services accounts weekly to check on the number of returns filed with your Electronic Filing Identification Number (EFIN), and immediately contact the IRS if any discrepancies are discovered.
- Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
Additionally, tax professionals should watch out for the following signs of tax return data theft:
- E-filed returns are rejected because returns with their SSNs have already been filed;
- Clients who have not yet filed tax returns begin to receive authentication letters from the IRS (Letter Forms 5071C, 4883C, or 5747C);
- Clients who have not yet filed tax returns receive refunds;
- Clients receive tax transcripts that they did not request;
- Clients who created an IRS online services account receive an IRS notice that their account was accessed, receive emails stating their account has been disabled, or receive an IRS notice that an IRS online account was created in their names;
- The number of returns filed with a tax practitioner’s EFIN exceeds their number of clients;
- Email messages received in response to email messages that the practitioner did not send;
- Network computers are running slower than normal;
- Computer cursors are moving or changing numbers without the legitimate user touching the keyboard; or
- Network computers are locking out tax practitioners.
If it appears that tax return information may have been accessed or acquired without authorization, the tax practitioner should immediately do the following:
- Notify the appropriate IRS Stakeholder Liaison;
- Contact your cyber insurance broker or carrier and utilize their authorized incident response services, including outside legal counsel, digital forensics services, and consumer remediation services;
- With the assistance of your legal counsel, report the matter to the appropriate IRS Criminal Investigation Special Agent to help secure the affected SSNs and prevent fraudulent activity; and
- With the assistance of your legal counsel, assess and comply with the various consumer and regulatory notification obligations.
- Malicious actors are more persistent and sophisticated than ever before. It is therefore critically important to do more than ever before to prevent the theft of tax return information. If you detect that tax return information has been stolen, report the incident immediately, and be prepared to work quickly with incident response professionals to protect your client information.
Beyond a security risk, the failure to employ an information security program also presents a regulatory risk for tax professionals. For example, federal law specifically requires tax preparers to implement an information security program that includes:
- A written information security policy;
- An employee point person to coordinate the program;
- A process to identify the data the company maintains and risks associated with it; and
- A process to evaluate and mitigate risks posed by vendors and business partners.
Once in place, the program must be periodically reviewed and revised in light of reasonable risks. The failure to take these steps could lead to an investigation by the Federal Trade Commission or the IRS. Beyond those laws that are specific to tax professionals, an increasing number of state laws require companies to employ reasonable safeguards. In these states, the failure to do so may equate to an unfair trade practice leading to further civil and regulatory exposure.