“Hello,” the email began. The sender apologized for the delay, adding, “unfortunately I fell ill but am back up and running.”
“I have already applied for an extension,” she advised, but had uploaded her tax documents for 2021. The file was encrypted, so she noted the password, adding, “Thank you for taking me on and working with me this tax season! Have a good weekend!”
I received that email—or variations on it—about six times. This version was signed “Christen Jones.”
“Christen” is clearly a scammer.
She’s not the only scammer targeting my inbox this season. In the past few weeks, I’ve received fake invoices, changes to “our contract,” and numerous files allegedly relating to taxes sent to me using services like OneDrive.
Tax Pros Are Targets
I am not an anomaly—in fact, just the opposite. Earlier this year, the IRS reminded tax professionals that they remain “prime targets for thieves.”
When we think about these kinds of schemes, our minds tend to go straight to tax preparers, since tax scams often include efforts to steal identities to file fraudulent tax returns for refunds. But all tax, legal, and financial professionals who work with client data that may include personally identifiable information (PII) and financial account details are vulnerable.
While we can’t control bad actors, that doesn’t absolve us, as professionals, of our responsibilities. In addition to potential contractual obligations, there are laws in place to protect customer information. For example, the Securities and Exchange Commission has had a rule on the books since 2000 regarding customer data. Under the Gramm-Leach-Bliley Act, financial institutions must protect customer information and notify customers of their privacy policies and practices.
The Act led to the Federal Trade Commission’s Safeguards Rule, which took effect on May 23, 2003. Last year, the FTC updated the Rule to strengthen security processes that financial institutions must put in place to protect their customers’ financial information. Notably, the revised Rule requires non-banking financial institutions that handle customer data in paper, electronic, or another form—including mortgage lenders and brokers, finance companies, certain financial and investment advisers, and tax preparation firms—to “develop, implement, and maintain a comprehensive security system” to keep customers’ information safe. The plan must be appropriate to the “size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”
Professionals who aren’t subject to the Safeguards Rule aren’t necessarily off the hook. State-specific laws may govern certain practitioners such as CPAs and lawyers. For example, attorneys are subject to ethics rules that impose a duty to protect confidential client information and require reasonable measures to safeguard it. As the Pennsylvania Bar Association’s Formal Opinion 2020-300 recently confirmed, that also typically means a responsibility to “understand the risks and benefits of technology as it relates to the specifics of their practices.”
It’s pretty well established that not all tax professionals are technology savants. And these rules don’t expect you to be an expert. But they do require that you be smart and diligent—and that means paying attention to potential risks, including scams.
As tax season opened this year, IRS Commissioner Chuck Rettig noted an uptick in targeted scams, warning, “A little extra care can protect the tax professionals and their clients.” Specifically, the IRS warned about spear-phishing emails that use the IRS logo and a variety of subject lines such as “Action Required: Your account has now been put on hold” or an “unusual activity report” with a purported solution link. Other scams that the IRS warned about included bogus emails claiming to be from tax software providers.
In all cases, the IRS warns tax pros not to respond or take any of the steps outlined in these emails: never click on a link or open an attachment from a suspicious email. If you get an IRS-related scam email, forward it as an attachment to phishing@irs.gov (the IRS publishes instructions for doing so). You should also report any IRS impersonation scam to the Treasury Inspector General for Tax Administration at www.tigta.gov.
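The lures described in this column share a few mechanical tells: a password-protected attachment with the password in the same message (the encryption is there to stop the mail gateway from scanning the file), a display name that claims the IRS from an address that isn’t under irs.gov, a link to a file-sharing host unrelated to the sender, and the IRS-listed subject lines. The script below is an added example of triaging a raw email for those tells; it is not code from this column, the IRS, or any vendor. Both sample messages, their sender addresses, and the link domains are constructed for illustration, and the indicator list is one small practice’s choice of what to flag, not an IRS rule set.

```python
"""Triage a raw e-mail for the lure patterns this column describes.

Added example, not code from the column, the IRS, or any vendor. The two
sample messages, their addresses and link domains are constructed
(assumption); the indicator list is an illustrative choice, not a rule set.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Subject phrases from the IRS warning quoted in the column.
SUSPECT_SUBJECTS = (
    "action required",
    "account has now been put on hold",
    "unusual activity report",
)
# Display-name claims to check against the sender's real domain.
IMPERSONATED = {r"\birs\b": "irs.gov"}
DOCUMENT_EXTS = (".zip", ".7z", ".rar", ".pdf", ".docx", ".xlsx")
# Matches "the password is Tax2021!" or "password: Tax2021!"
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)
LINK_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample 1: the "delayed tax documents" lure.
SAMPLE_LURE = """\
From: "Christen Jones" <christen.jones@example-mail.net>
Subject: My 2021 tax documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, sorry for the delay, I fell ill but am back up and running.
I uploaded everything here: https://files.example-share.org/d/abc123
The file is encrypted, the password is Tax2021!

--b1
Content-Type: application/zip; name="2021_tax_docs.zip"
Content-Disposition: attachment; filename="2021_tax_docs.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample 2: IRS impersonation with an "on hold" subject line.
SAMPLE_IRS = """\
From: "IRS e-Services" <no-reply@irs-secure-login.example>
Subject: Action Required: Your account has now been put on hold
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Unusual activity was detected. Restore access at
https://irs-secure-login.example/verify within 24 hours.
"""


def sender_parts(msg: EmailMessage) -> tuple[str, str]:
    """Return (display name, domain) of the From: header, lower-cased."""
    display, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return display.lower(), domain.lower()


def triage(raw: str) -> list[str]:
    """Return the names of the indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    subject = str(msg.get("Subject", "")).lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    display, domain = sender_parts(msg)

    if any(phrase in subject for phrase in SUSPECT_SUBJECTS):
        flags.append("suspect-subject")
    # Encrypted attachment plus its password in the same message: the
    # encryption exists to keep the mail gateway from scanning the file.
    if attachments and PASSWORD_RE.search(text):
        flags.append("password-in-body-with-attachment")
    if any(name.lower().endswith(DOCUMENT_EXTS) for name in attachments):
        flags.append("document-attachment")
    # Display name claims the IRS, but the address is not under irs.gov.
    for pattern, real in IMPERSONATED.items():
        if re.search(pattern, display) and not (
            domain == real or domain.endswith("." + real)
        ):
            flags.append("display-name-impersonation")
    # A link whose host lies outside the sender's own domain.
    for url in LINK_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if domain and host != domain and not host.endswith("." + domain):
            flags.append("off-domain-link")
            break
    return flags


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("irs", SAMPLE_IRS)):
        print(name, triage(raw))
```

None of these flags proves a message is malicious on its own; a real client does send password-protected PDFs. The point is that two or more of them together, on a message from a sender you have never met, is the moment to pick up the phone rather than the attachment.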
Steps to Take
But the best defense is a good offense. Rather than continue to react, you can take these steps now to protect your company and your clients’ data:
Have a plan for protecting client data and review it regularly. If you don’t know where to start, hire someone to help. You know how it drives you nuts when taxpayers explain that they’ve already Googled “how to do a section 1031 like-kind exchange” and just want you to sign off on their own plan instead of relying on your expertise? Don’t be that client. Ask for assistance early.
Install anti-malware and anti-virus security software on your devices, and be sure that it’s kept up to date. Most computers and devices come with basic security features that you can enable with a click. If you need additional protection, don’t click on a pop-up ad that offers it; ask a tech expert.
Keep software, including your browser software, up to date. It’s even easier if you allow for automatic updates.
Use strong passwords. Use at least eight characters, and preferably far more, mixing letters, numbers, and symbols, and never reuse a password across accounts; a password manager makes long, unique passwords practical. It’s also important not to share passwords, even within the same office.
Opt in to multi-factor authentication wherever applications and tax software products offer it. That typically means confirming a login with a second factor, such as a code from an app on your cellphone, so that a stolen or guessed password alone isn’t enough to get into your account. An authenticator app or a hardware security key resists phishing better than a code sent by text message.
Limit access to taxpayer data. Avoid an open-door data policy for all employees; give each person access only to the client files their role requires, and revoke it when the need ends. Just as you would lock particular doors at the office, don’t leave taxpayer and customer data widely available. “Lock up” digital access when it’s not needed.
Back up data. Encrypted backups are crucial. I know we all love the cloud, but I think there’s something to be said for staying old school by backing up copies of client data to external hard drives that you keep in a separate, secure location. Keep that drive disconnected except while a backup is running: ransomware encrypts every drive it can reach, so a backup drive that is always plugged in offers no protection from it. Test that you can actually restore from the drive, too. Done that way, backups protect you not only from theft but also from natural disasters like a fire or flood, and they give you options for recovering data if you’re the victim of a ransomware attack.
Preparers should track filed returns. You can check your weekly Electronic Filing Identification Number (EFIN) usage on the IRS website using your e-Services account. You should check your Preparer Tax Identification Number (PTIN) account for a weekly report of returns filed with your number if you are a Circular 230 practitioner or an annual filing season program participant and you file 50 or more returns a year.
Keep authorizations up to date. If you no longer represent a taxpayer, you can withdraw from representation by writing “WITHDRAW” across the top of the first page of Form 2848, sign and date, and mail or fax it to the IRS. If you no longer have a copy of the applicable Form 2848, send the IRS a statement of withdrawal—be sure to include the matters and years/periods and the name, TIN, and address of the taxpayer.
Remind clients regularly about privacy policies and basic security measures. If clients understand why you have specific policies, such as encrypted files with password protection or filing returns with an Identity Protection PIN, it may improve participation.
Finally, don’t let your guard down now that the busy season has passed. Scammers don’t have an off-season, so let’s be careful out there.
This is a regular column from Kelly Phillips Erb, the Taxgirl. Erb offers commentary on the latest in tax news, tax law, and tax policy. Look for Erb’s column every week from Bloomberg Tax and follow her on Twitter at @taxgirl.