As tax professionals begin preparing for the upcoming filing season, reviewing their security measures should be at the top of their to-do list. The Taxes-Security-Together Checklist can help them identify the basic steps they should take to safeguard their clients and their business.
Here are some of the recommended safety measures.
Have security and data theft plans
The IRS and Security Summit partners remind tax professionals that federal law requires them to have a written information security plan. In addition to the required information security plan, tax pros also should consider an emergency response plan should they experience a breach and data theft. This time-saving step should include contact information for the IRS Stakeholder Liaisons, who are the first point of contact for data theft reporting to the IRS and to the states.
Use multi-factor authentication to protect tax accounts
Practitioners can download to their mobile phones readily available authentication apps offered through Google Play or the Apple Store. These apps will generate a security code. Codes may also go to a preparer's email or text, but the IRS notes those are not as secure as the authentication apps. Tax professionals can search for "authentication apps" in a search engine to learn more. For more information on multi-factor authentication, taxpayers should visit the Cybersecurity and Infrastructure Security Agency website.
Use virtual private networks to protect remote sites
A VPN provides a secure, encrypted way to transmit data between a remote user via the internet and the company network. As teleworking or working from home continues, VPNs are critical to protecting and securing internet connections.
Failure to use a VPN for remote communication can allow an attacker to eavesdrop on network communications.
Tax professionals should consult cybersecurity experts whenever possible. Practitioners can also search for "best VPNs" to find a legitimate vendor, and major technology sites often provide lists of top services. They should never click on a "pop-up" advertisement for a security product. Those generally are scams.
Avoid phishing scams and attempts to steal EFINs
Phishing emails generally have an urgent message, such as "account password expired." They direct users to an official-looking link or attachment. However, the link may take users to a fake site made to appear like a trusted source, where it requests a username and password. The attachment may contain malware, which secretly downloads software that tracks keystrokes and allows thieves to eventually steal all the tax pro's passwords.
Scam emails can target tax pros by seeking EFIN information. One scam example says it's from "IRS Tax E-Filing" and has the subject line "Verifying EFIN before e-filing."
Tax pros should not take any of the steps outlined in these types of email, especially responding to the email.
Those who receive a scam email should save it as a file and then send it as an attachment to email@example.com. They also should notify the Treasury Inspector General for Tax Administration to report the IRS impersonation scam. Both TIGTA and the IRS Criminal Investigation division are aware of spear phishing scams targeting tax preparers.