When real client data is used to file fraudulent tax returns, it becomes much more difficult to identify and halt the returns. Cybercriminals have therefore evolved their tactics in recent years to focus on tax professionals and their firms where there is an abundance of client data. Data such as income, dependents, credits and deductions are used to generate fraudulent refunds, which are then delivered to the criminals.
The clear majority of the thefts occur when a tax preparer or staff person opens a phishing email and clicks on a link or attachment that contains malware. Some malware downloads secretly into computers and allows thieves to covertly capture each keystroke or gain remote access to the computer, allowing them to steal the data stored there.
The new scheme is likely just the first of many that will be identified this year as the IRS and its security partnership, the Security Summit, coordinate tax preparers, software companies, and state tax agencies to fight tax-related identity theft. To learn more visit https://www.irs.gov/privacy-disclosure/security-summit.
Loss Prevention TipsTax professionals should review the Security Summit’s Don’t Take the Bait campaign, which outlines the various scams used by criminals. Practitioners are also urged to engage cybersecurity experts to better secure their data. Experts familiar with the firm’s systems can work with insurance and breach-response service providers to reduce damages from breaches, minimize the costs, and expedite the recovery process.
The IRS recommends the following:
- Educate all employees about phishing in general and spear phishing in particular, which targets a specific recipient with social engineering techniques designed to deceive the recipient. Train all employees to go directly to a website for information rather than clicking on links provided in the message.
- Create a password policy that requires the use of strong, unique passwords. Better yet, use a phrase instead of a word. Require different passwords for each account, and a mix of letters, numbers and special characters.
- Never take an email from a familiar source at face value; example: an email from “IRS e-Services.” If it asks you to open a link or attachment, or includes a threat to close your account, think twice. Visit the e-Services website (not via a link embedded within the message) for confirmation.
- If an email contains a link, hover your cursor over the link to display the web address (URL) destination. If it’s not a URL you recognize, or if it’s an abbreviated URL, don’t open it.
- Obtain a verbal confirmation by phone if you receive an email from a new client sending you tax information, or any client requesting last-minute changes to their refund destination.
- Use security software to defend against malware, viruses and known phishing sites, and update the software automatically. Create and enforce a policy to update and patch all software regularly.
- Use the security options that come with your tax preparation software.
- Send suspicious tax-related phishing emails to firstname.lastname@example.org.
The IRS has a procedure for tax professionals to report data thefts to the IRS. They need only contact their state’s IRS Stakeholder Liaison, who will notify appropriate IRS officials and serve as a point of contact. All practitioners should review Data Theft Information for Tax Professionals for details about the process and the additional steps they should take.
CAMICO also recommends that practitioners:Back up all important data and information frequently to reduce the likelihood that critical data is lost in the event of a cyberattack or physical incident such as a fire or flood. Protect the backups in a remote or external location where they are safe from ransomware that seeks out backup copies. Periodically, verify whether the backup is working.
Implement the "least privilege" concept of user permissions. Strictly defined user permissions and restrictions help ensure that people have only the level of user rights they need to do their jobs.
Require site administrators to log out of systems and programs immediately after they have completed their tasks. Excessive rights and activities enable malware to cause more harm and result in greater data losses. Also, not every piece of hardware needs to have administrative rights.
Have cyberinsurance that includes breach response services to help determine whether an incident is a breach as defined by current state and/or federal laws. Your cyberinsurance advisers, with the assistance of IT forensics, should be able to determine whether there has been a breach, assist with reporting and notification requirements, arrange credit monitoring, coordinate with call centers, provide public relations assistance, respond to ransomware demands, and provide services to decrypt and restore the firm’s files.
Install a secure client web portal that will archive and store your clients’ personal documents and data. A portal will lower your staff’s administrative burden, ease the burden of locating important electronic documents, and eliminate the need to hunt for those documents within extended email threads.
Add another layer of security with multi-factor authentication. Usernames and passwords alone are often insufficient for preventing account takeovers. Adding and combining factors provides greater protection.
Establish an incident response plan. Without a plan in place, entities' initial responses to incidents could make mountains out of molehills. An incident may not be a breach. In response to perceived breaches, personnel with good intentions often purge files that incident response professionals would have wished to analyze to determine whether there was an attack, its source, and those impacted. Purging of files could necessitate breach notifications when otherwise not required.
Robust breach response services and an effective risk management program are more important than ever to assist firms in preventing or recovering from an incident. Remember, adequate preparation will make all the difference in enabling your firm to get back to functioning as soon as possible.