Tax Return Theft: Tips for Prevention & Response

January 08, 2019 As the Internal Revenue Service warned tax professionals last month, malicious actors are currently attempting to hack into tax preparers’ networks to steal 2019 tax return information. If you are a professional tax preparer, you are a target – regardless of the size of your business. Malicious actors target information including tax returns filed in previous years, Form W-2 Wage and Tax Statement images, and anything than contains unredacted Social Security numbers

By: Sean B. Hoar

As the Internal Revenue Service warned tax professionals last month, malicious actors are currently attempting to hack into tax preparers’ networks to steal 2019 tax return information. If you are a professional tax preparer, you are a target – regardless of the size of your business. Malicious actors target information including tax returns filed in previous years, Form W-2 Wage and Tax Statement images, and anything that contains unredacted Social Security numbers (SSNs).

Tax professionals should take all of the following measures to enhance the security of tax return information:

  • Create a heightened awareness of phishing email messages. The IRS never initiates communication with a professional tax preparer via email. If a message appears to be from the IRS, e-Services, a tax software provider, or a cloud storage provider, it is probably a phishing email message. Never open links or attachments in these messages.
  • Develop an incident response plan. The plan should identify the roles and responsibilities of your internal team, and contact information for your cyber insurance broker and carrier, and any third party responders, including outside legal counsel and a digital forensics firm pre-authorized by your cyber insurer.
  • Disable dormant accounts, unnecessary services, and ports. It is important to disable any third party service accounts unless they are actively being used.
  • Review and enable all appropriate security controls, including any intrusion detection or data loss prevention applications.
  • Ensure that anti-malware software is installed on all devices and is up to date.
  • Implement a complex password management program, with passwords of at least 12 characters. Users should never use the same password for different accounts.
  • Implement two-factor authentication for access to user accounts to prevent unauthorized access to user accounts even passwords are stolen.
  • If possible, encrypt all sensitive files and email communication.
  • If possible, back up sensitive data to a safe and secure external source not connected fulltime to a network.
  • Implement a record retention program to ensure that sensitive data is regularly and securely disposed of when it is no longer necessary for legitimate business purposes.
  • Check IRS e-Services accounts weekly to check on the number of returns filed with your Electronic Filing Identification Number (EFIN), and immediately contact the IRS if any discrepancies are discovered.
  • Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.

Additionally, tax professionals should watch out for the following signs of tax return data theft:

  • E-filed returns are rejected because returns with their SSNs have already been filed;
  • Clients who have not yet filed tax returns begin to receive authentication letters from the IRS (Letter Forms 5071C, 4883C, or 5747C);
  • Clients who have not yet filed tax returns receive refunds;
  • Clients receive tax transcripts that they did not request;
  • Clients who created an IRS online services account receive an IRS notice that their account was accessed, receive emails stating their account has been disabled, or receive an IRS notice that an IRS online account was created in their names;
  • The number of returns filed with a tax practitioner’s EFIN exceeds their number of clients;
  • Email messages received in response to email messages that the practitioner did not send;
  • Network computers are running slower than normal;
  • Computer cursors are moving or changing numbers without the legitimate user touching the keyboard; or
  • Network computers are locking out tax practitioners.

If it appears that tax return information may have been accessed or acquired without authorization, the tax practitioner should immediately do the following:

  1. Notify the appropriate IRS Stakeholder Liaison;
  2. Contact your cyber insurance broker or carrier and utilize their authorized incident response services, including outside legal counsel, digital forensics services, and consumer remediation services;
  3. With the assistance of your legal counsel, report the matter to the appropriate IRS Criminal Investigation Special Agent to help secure the affected SSNs and prevent fraudulent activity; and
  4. With the assistance of your legal counsel, assess and comply with the various consumer and regulatory notification obligations.

Malicious actors are more persistent and sophisticated than ever before. It is therefore critically important to do more than ever before to prevent the theft of tax return information. If you detect that tax return information has been stolen, report the incident immediately, and be prepared to work quickly with incident response professionals to protect your client information.