Candace J. Dixon
The Security Summit, consisting of the IRS, state tax agencies, and the tax community, including tax preparation firms, software developers, payroll and tax financial product processors, tax professional organizations and financial institutions, formed in 2015 to fight against identity theft. Total membership includes 42 state agencies and 20 industry offices in addition to the IRS, with members organized into six work groups, each tasked with addressing an area of need. The Summit has made great advances against tax-related identity theft, dramatically reducing confirmed identity theft returns and saving billions in tax dollars.
![cybersecurity](https://static.wixstatic.com/media/a27d24_9f43dd4e5340494788169fda2f84dc8b~mv2.jpg/v1/fill/w_640,h_384,al_c,q_80,enc_auto/a27d24_9f43dd4e5340494788169fda2f84dc8b~mv2.jpg)
In a continuing effort to battle tax-related identity theft, the Security Summit held its sixth annual "Protect Your Clients; Protect Yourself" summer campaign this year aimed at tax professionals, urging them to step up their efforts to protect client data amid the pandemic and its aftermath. Boost Security Immunity: Fight Against Identity Theft is an awareness campaign that urges tax professionals to take basic actions to stem the data theft from their offices.
The 2021 campaign begins as the number of data thefts reported by tax professionals to the IRS continues to climb. Identity thieves and fraudsters were especially active last year and this year as they used the COVID-19 pandemic, the nationwide teleworking practices and the economic downturn as fuel for a variety of scams and schemes to steal money and identities.
This campaign is part of a wider effort by the Security Summit coalition to raise awareness and strengthen protections against identity and data theft threatening the tax system.
"The Security Summit continues to work cooperatively to battle tax-related identity theft, but we need the help of tax professionals in this effort," said IRS Commissioner Chuck Rettig. "We continue to see instances where tax professionals did not take simple steps that could have protected their clients and their business. Tax professionals must take a shot at basic security steps to protect against relentless efforts by identity thieves to steal data and tax information."
Tax professionals are key targets of criminal syndicates that are tech-savvy, tax-savvy and well-funded. These scammers either trick or hack their way into tax professionals' computer systems to access client data. They use the stolen data to file fraudulent tax returns that are more difficult for the IRS and the states to detect because the fraudulent returns use real financial information. The Security Summit partners will highlight actions that tax professionals can take to better protect client data from theft and help ensure that the progress in tax-related identity theft that started in 2015 continues on its path:
Use Multi-factor Authentication on Tax Software Products
With security incidents on the rise, tax professionals and taxpayers are urged to use multi-factor authentication available on tax software products to help protect against identity and data theft. Multi-factor authentication, also known as two-factor authentication, provides more security. It allows the tax professional or taxpayer to use another feature such as a security code sent to a mobile device, a PIN or a fingerprint in addition to the username and password. A thief may steal usernames and passwords but cannot access accounts without the additional multi-factor feature.
All tax software providers now offer multi-factor authentication options, which require more than just a username and password to access accounts. This feature is offered on tax preparation products for both tax professionals and taxpayers. This is a key step to securing sensitive financial data. Multi-factor authentication is in addition to actions such as using anti-virus software, strong password phrases and virtual private networks to protect connections between telework locations and offices, all critical steps for tax pros.
"The Security Summit has made great strides to protect the tax community, but we need the help of everyone in the tax professional community," said IRS Commissioner Chuck Rettig. "Using the multi-factor authentication feature available on tax preparation products is one of the easiest and cheapest security measures any tax pro can take. It's offered for free by the tax software providers. As people continue to get vaccines, we urge tax professionals as well as taxpayers to boost their security immunity and help in the battle against identity theft."
Through June 30, 2021, there have been 222 data theft reports this year from tax professionals to the IRS, outpacing the rate of 211 in 2020 and 124 in 2019. Each individual report may involve hundreds to thousands of taxpayers. Client information stolen from tax professionals' offices is used to create fraudulent tax returns that are difficult to detect because the identity thief is using real financial data.
Based on reports to the IRS in 2020, many tax professionals whose client data was stolen failed to use multi-factor authentication, and the feature could have prevented some of the thefts. Tax professionals also should use multi-factor authentication features anywhere they are offered, such as commercial email products and cloud storage providers.
Multi-factor authentication is just one of several security steps tax professionals – and taxpayers – should use to protect sensitive data. Other steps include:
Use anti-virus software and set it for automatic updates. Anti-virus software scans existing files and drives on computers – and mobile phones – to protect from malware.
Use a firewall to shield digital devices from external attacks.
Use backup software/services to protect data. Making a copy of files can be crucial, especially if the user becomes a victim of a ransomware attack.
Use drive encryption to secure computer locations where sensitive files are stored. Encryption makes data on the files unreadable to unauthorized users.
Create and secure Virtual Private Networks. A VPN provides a secure, encrypted tunnel to transmit data between a remote user via the Internet and the company network. Search for "Best VPNs" to find a legitimate vendor; major technology sites often provide lists of top services.
Federal law requires all tax professionals to create and implement a data security plan, and it's recommended that they also create a data theft response plan, which includes contacting the IRS Stakeholder Liaisons to report a theft.
Sign Up for Identity Protection PINs
The Security Summit calls on tax professionals to increase efforts to inform clients about the Identity Protection PIN Opt-In Program, which can protect against tax-related identity theft by helping prevent an identity thief from filing a fraudulent return in the taxpayer's name. The IRS created Publication 5367, IP PIN Opt-In Program for Taxpayers, and special posters for tax professionals to share with clients. The IRS now offers IP PINs to everyone who can verify their identities online, on the phone with an IRS employee after filing a Form 15227, or in person.
"An Identity Protection PIN prevents someone else from filing a tax return using your Social Security number," said Chuck Rettig, IRS commissioner. "We've now made the IP PIN available to anyone who can verify their identity. This is a free way for taxpayers to protect themselves, but we need the help of tax professionals to make sure more people know about it."
Tax professionals who experience a data theft should assist their clients by urging them to quickly obtain an IP PIN. Even if a thief already has filed a fraudulent return, an IP PIN still offers protections for later years and prevents people from being repeat victims of tax-related identity theft.
What You Should Know About the IP PIN:
It's a six-digit number known only to you and the IRS.
The opt-in program is voluntary.
The IP PIN should be entered onto the electronic tax return when prompted by the software product or onto a paper return next to the signature line.
The IP PIN is valid for one calendar year; you must obtain a new IP PIN each year. You can currently obtain an IP PIN for 2021, which should be used when filing any federal tax returns during the year. New IP PINs will be available starting in January 2022. The online tool used to get an IP PIN is offline between November and January.
Only people who can verify their identities may obtain an IP PIN. You must validate your identity through Secure Access authentication to access this tool and your IP PIN. Refer to Secure Access: How to Register for Certain Online Self-Help Tools before beginning this process.
IP PIN users should never share their number with anyone but the IRS and their trusted tax preparation provider. Tax professionals should never store their clients' IP PINs on computer systems. The IRS will never call, email or text to request the IP PIN.
The IP PIN process for confirmed victims of identity theft remains unchanged. These victims will automatically receive an IP PIN each year.
How to Get an IP PIN:
Tax professionals can't obtain an IP PIN on behalf of clients for security reasons. People can get an IP PIN online with the IRS tool Get an IP PIN. If they are unable to validate their identity online and their income is $72,000 or less, they can file Form 15227, Application for an Identity Protection Personal Identification Number. The IRS will call the telephone number they provide on Form 15227 to validate their identity, but for security reasons, the IRS will assign an IP PIN for the next filing season; it can't be used for the current filing season. People who can't validate their identities online and are ineligible to file Form 15227 can make an appointment at a Taxpayer Assistance Center. They will need to bring one form of picture identification and another document to prove their identity, and they will receive an IP PIN via mail within three weeks once verified.
Help Clients Fight Unemployment Compensation Fraud
One of the biggest scams of 2020 involved identity thieves using stolen identities to file for unemployment benefits during the pandemic. States issue Forms 1099-G to taxpayers and the IRS to report taxable unemployment income, and some people received multiple 1099-G forms from states because thieves used their names to steal benefits in 2020.
The Security Summit outlined how tax professionals can assist clients who were victims of unemployment compensation fraud schemes that targeted state workforce agencies in 2020 and 2021.
Unemployment compensation fraud was one of the more common identity theft schemes that emerged in 2020 as criminals exploited the COVID-19 pandemic and the resulting economic impact. Addressing unemployment compensation fraud is the third in a five-part series sponsored by the Security Summit to highlight critical steps tax professionals can take to protect client data. This year's theme "Boost Security Immunity: Fight Against Identity Theft" is an effort to urge tax professionals to secure their systems and protect client data during the pandemic and its aftermath.
"Identity thieves always look for opportunities, and the unemployment surge presented a new opportunity to exploit the pain and financial hardships faced by Americans," said IRS Commissioner Chuck Rettig. "This particular scam is especially egregious because 23 million Americans were jobless or underemployed last year and desperately needed these benefits."
The U.S. Department of Labor's Inspector General estimated $89 billion in unemployment compensation was lost in 2020 due to fraud.
Unemployment compensation is taxable income on federal taxes, although Congress waived the tax for 2020 for many people. States report compensation to the individual and to the IRS by using the Form 1099-G. Many people received Forms 1099-G for compensation they did not receive because of fraud and identity theft; some received forms from multiple states.
This scam could affect 2021 returns next year as well as 2020 returns this year.
Here are steps tax professionals can take to assist clients who are victims of the unemployment compensation fraud scheme:
File a Form 14039, Identity Theft Affidavit, only if an e-filed tax return is rejected because the client's Social Security number has already been used. Do not file the IRS Form 14039 to report unemployment compensation fraud to the IRS.
Report the fraud to state workforce agencies and request a corrected Form 1099-G. Each state has its own process for reporting unemployment compensation fraud. The U.S. Department of Labor has created an information page with all state contacts and other information here: State Directory for Reporting Unemployment Identity Theft
File a tax return reporting only the actual income received. State workforce agencies may not be able to timely issue a corrected Form 1099-G. Even if the client has not received a corrected Form 1099-G, report only wages and income received and exclude any fraudulent claims.
Consider using an IRS Identity Protection PIN (IP PIN). Clients receiving Forms 1099-G are identity theft victims whose personal information could be used for additional criminal activities, such as filing fraudulent tax returns. An IP PIN is a six-digit number that prevents someone else from filing a tax return using an individual's Social Security number. The IP PIN is known only to the individual and the IRS, and it helps the IRS verify an individual's identity when they file an electronic or paper tax return. More information about IP PINs can be found at IRS.gov/ippin.
Follow Federal Trade Commission recommendations for identity theft victims. Individuals should consider steps to protect their credit and other actions outlined by the FTC. The DOL also includes this information on its DOL.gov/fraud page.
Tax professionals' clients can also assist in fighting unemployment compensation fraud by responding quickly to state notices about employees filing jobless claims, especially when they have no record of those employees.
Although unemployment compensation is taxable, the American Rescue Plan Act of 2021 allows an exclusion of unemployment compensation of up to $10,200 for individuals for taxable year 2020; for married filing jointly, the exclusion is up to $10,200 per spouse. Adjusted gross income (AGI) must be less than $150,000 to qualify for this exclusion. This threshold applies to all filing statuses.
The exclusion may ease the burden on many fraud victims. However, victims who received Forms 1099-G from multiple states may have fraud claims that exceed that exclusion amount. Clients should retain any records of fraud reports to states.
Avoid Spear Phishing Scams
One of the most successful tactics used by identity thieves against tax professionals is the spear phishing scam. Thieves take time to craft personalized emails to entice tax professionals to open a link embedded in the email or open an attachment. For 2020, tax pros were especially vulnerable to spear phishing scams from thieves posing as potential clients. Thieves might carry on an email conversation with their target for several days before sending the email containing a link or attachment. The link or attachment may secretly download software onto the tax pros' computers that will give thieves remote access to the tax professionals' systems.
The Security Summit warns tax professionals to beware of evolving phishing scams that use various pandemic-related themes to steal client data in a continuing twist on a common scam. Summit partners continue to see instances where tax professionals, especially those working remotely, have been vulnerable to identity thieves posing as potential clients this year.
The criminals trick practitioners into opening email links or attachments that infect their computer systems.
“Identity thieves have been relentless in exploiting the pandemic and the resulting economic pain to trick taxpayers and tax professionals to disclose sensitive information,” said IRS Commissioner Chuck Rettig. “Fighting back against phishing scams requires constant vigilance, and we urge tax pros to take some basic steps to help protect their clients and themselves.”
Phishing emails or SMS/texts (known as “smishing”) attempt to trick the person receiving the message into disclosing personal information such as passwords, bank account or credit card numbers, or Social Security numbers. Tax professionals are a common target.
While the scams may differ in themes, they typically have two traits:
They appear to come from a known or trusted source, such as a colleague; bank or credit card company; cloud storage or tax software provider; or even the IRS.
They tell a story, often with an urgent tone, to trick the receiver into opening a link or attachment.
A specific kind of phishing email that is often used to target tax professionals is called spear phishing. Rather than the disorganized nature of general phishing emails, scammers take time to identify their victim and devise a more tempting phishing email, known as a lure.
In a recurring and very successful scam this year, criminals posed as potential clients, exchanging several emails with tax professionals, then following up with an attachment they claimed was their tax information. This scam was popular because many practitioners worked remotely and communicated with clients over email rather than in person or over the telephone because of COVID.
Once the practitioners clicked on the URL or opened the attachment, malware secretly downloaded onto their computers, giving thieves access to passwords to client accounts or remote access to the computers themselves. Thieves then used this malware, known as a remote access trojan (RAT), to take over the tax professional’s office computer systems, identify pending tax returns, complete them and e-file them, changing only the bank account information to steal the refund.
International criminals have used a ransomware attack to shut down a variety of companies in recent months. Criminals use similar, smaller scale tactics against tax professionals. When the unsuspecting tax professional opens a link or attachment, malware attacks their computer system, encrypts files and holds the data for ransom.
These scams highlight the importance of the basic security steps recommended by the Security Summit to protect data:
Using two-factor (2FA) or multi-factor authentication (MFA) options offered by tax preparation and storage providers protects client accounts even if passwords are accidentally disclosed.
Keeping anti-virus software automatically updated helps prevent scams targeting software weaknesses.
Using drive encryption and backing up files regularly helps stop theft and ransomware attacks.
Securing their networks to protect taxpayer data is a tax professional's responsibility. The IRS recently updated Publication 4557, Safeguarding Taxpayer Data, to help tax professionals defend against phishing scams and better protect taxpayer information. The July 2021 version contains some of the latest suggestions, such as using the multi-factor authentication option and helping clients get an Identity Protection PIN.
Know the Signs of Identity Theft
Many tax professionals who report data thefts to the IRS also say that they were unaware of the signs that a theft had occurred. There are many signs that tax pros should be aware of. These include multiple clients suddenly receiving IRS letters requesting confirmation that they filed a tax return deemed suspicious. Tax professionals may see e-file acknowledgements for far more tax returns than they filed. Computer cursors may move seemingly on their own.
Tax professionals should contact the IRS immediately when there’s an identity theft issue, while also contacting insurance or cybersecurity experts to assist them with determining the cause and extent of the loss. One common refrain the IRS hears from tax professionals reporting data thefts is that they did not immediately recognize its signs.
Tax professionals should be alert for these critical signs:
Client e-filed returns rejected because their Social Security Number was already used on another return.
More e-file acknowledgements received than returns filed.
Clients responding to emails the tax pro didn’t send.
Slow or unexpected computer or network responsiveness, such as software or actions taking longer to process than usual; computer cursors moving or changing numbers without touching the mouse or keyboard; unexpected lockouts from a network or computer.
They should also watch for warning signs from client reports about receiving:
IRS Authentication letters (5071C, 4883C, 5747C) even though they haven’t filed a return.
A refund even though they haven’t filed a return.
A tax transcript they didn’t request.
Emails or calls from the tax pro that they didn’t initiate.
A notice that someone created an IRS online account for them without their consent.
A notice they weren't expecting that someone accessed or disabled their IRS online account.
“There are tell-tale signs of identity theft that tax pros can easily miss,” said IRS Commissioner Chuck Rettig. “Identity thieves continue to look for ways to slip into the systems of tax pros to steal data. We urge practitioners to take simple steps and remain on the lookout for signs of data and identity theft. They are a critical first line of defense against identity theft.”
Tax pros should make sure they have the highest security possible and contact these sources if they sense or see something amiss:
Stakeholder Liaison Local Contacts: They will notify IRS Criminal Investigation and others within the agency on the practitioner’s behalf. Speed is critical; if reported quickly, the IRS can take steps to block fraudulent returns in the clients’ names and will assist tax pros throughout the process.
Federation of Tax Administrators: Email StateAlert@taxadmin.org to get information on how to report victims' information to the states. Most states require the state attorney general to be notified of data breaches. The notification process may involve multiple offices.
More information can be found at Data Theft Information for Tax Professionals.
Past Awareness Campaigns:
"Working Virtually: Protecting Tax Data at Home and at Work" in 2020 was an initiative that highlighted key security actions to protect tax professionals and their clients working remotely because of COVID-19: the basic "Security Six" protections for anyone handling sensitive data to use; multi-factor authentication to protect accounts and Virtual Private Networks to secure remote locations; email phishing scams, especially ones taking advantage of COVID-19; and plans for protecting data and reporting theft.
"Tax Security 2.0" in 2019 used a "Taxes-Security-Together" checklist as a starting point for tax professionals to review their security practices, enhance safeguards and protect their businesses from global cyber syndicates.
"Protect Your Clients; Protect Yourself: Tax Security 101" in 2018 provided tax professionals with information to better protect taxpayer data and help prevent the filing of fraudulent tax returns by revising Publication 4557, Safeguarding Taxpayer Data, and creating Publication 5293, Data Security Resource Guide for Tax Professionals, following recommendations from the Electronic Tax Administration Advisory Committee (ETAAC) that tax professionals “are at increasing risk” of security vulnerability.
“Don’t Take the Bait” in 2017 focused on the critical need for tax professionals to increase their computer security, avoid spear phishing emails and remember their legal requirement to protect taxpayer information.
“Protect Your Clients; Protect Yourself” in 2016 expanded the Summit's public awareness campaigns on data security to include tax professionals. The campaign was intended to raise awareness among tax professionals of their responsibilities and the common-sense steps they can take to protect their clients from identity theft and to protect their businesses, and it warned tax preparers that they increasingly are targets of cybercriminals and should take appropriate steps to protect clients from data theft.
"Taxes. Security. Together" in 2015 was aimed at increasing public awareness of using security software, creating stronger passwords and avoiding phishing emails.
Resources:
Publication 5545, Protect Your Clients: Tips for Tax Pros to Combat Identity Theft
Publication 4557, Safeguarding Taxpayer Data
Small Business Information Security: The Fundamentals
Publication 5293, Data Security Resource Guide for Tax Professionals