IRS Tax Tip 2021-184, December 13, 2021
With the tax filing season around the corner, the IRS and its Security Summit partners remind tax pros to review their security measures. The Taxes-Security-Together Checklist can help tax professionals identify the basic steps they should take to safeguard their clients and their business.
Here’s an overview of some of those safety measures.
Use multi-factor authentication to protect tax accounts
Practitioners can download to their mobile phones readily available authentication apps offered through Google Play or the Apple Store. These apps will generate a security code. Codes may also go to a preparer’s email or text, but the IRS notes those are not as secure as the authentication apps. Tax professionals can search for “authentication apps” in a search engine to learn more.
Use virtual private networks to protect remote sites
A VPN provides a secure, encrypted way to transmit data between a remote user via the internet and the company network. As teleworking or working from home continues, VPNs are critical to protecting and securing internet connections.
Failing to use VPNs can add risks to remote takeovers by cyberthieves, giving criminals access to the tax professional’s entire office network simply by accessing an employee’s remote internet.
Tax professionals should consult cybersecurity experts whenever possible. Practitioners can also search for “best VPNs” to find a legitimate vendor, or major technology sites often provide lists of top services. They should never click on a “pop-up” advertisement for a security product. Those generally are scams.
Avoid phishing scams and attempts to steal EFINs
Phishing emails generally have an urgent message, such as “account password expired.” They direct users to an official-looking link or attachment. However, the link may take users to a fake site made to appear like a trusted source, where it requests a username and password. The attachment may contain malware, which secretly downloads software that tracks keystrokes and allows thieves to eventually steal all the tax pro’s passwords.
Scam emails can target tax pros by seeking EFIN information. One scam example says it’s from “IRS Tax E-Filing” and has the subject line “Verifying EFIN before e-filing.”
Tax pros should not take any of the steps outlined in these types of email, especially responding to the email.
Those who receive a scam email should save it as a file and then send it as an attachment to phishing@irs.gov. They also should notify the Treasury Inspector General for Tax Administration to report the IRS impersonation scam. Both TIGTA and the IRS Criminal Investigation division are aware of the scam.
Have security and data theft plans
The IRS and Security Summit partners remind tax professionals that federal law requires them to have a written information security plan. In addition to the required information security plan, tax pros also should consider an emergency response plan should they experience a breach and data theft. This time-saving step should include contact information for the IRS Stakeholder Liaisons, who are the first point of contact for data theft reporting to the IRS and to the states.