The IRS began a new campaign to warn tax practitioners to beware of new threats from cybercriminals that target client data, allowing the criminals to prepare fraudulent tax returns that are difficult to detect. As part of that campaign, the IRS has introduced a new publication, Publication 5293, Data Security Resource Guide for Tax Professionals.
The IRS warns that data theft from tax practitioners continues to be a growing problem, with technically sophisticated cybercriminals employing evolving tactics to steal data.
The campaign is a joint effort by the IRS and its Security Summit partners, which include state tax agencies and the private-sector tax preparation industry.
The IRS announced that, as part of its efforts, it has also updated Publication 4557, Safeguarding Taxpayer Data, to better reflect current threats tax professionals face.
The IRS announcement also reiterated the steps it has urged tax practitioners to take to ensure client information is not breached:
- Recognize phishing emails, especially those pretending to be from the IRS, a tax software provider, cloud storage provider, or state tax agencies. Never open a link or any attachment from a suspicious email. The IRS does not contact a tax professional via email initially.
- Create a data security plan using Publication 4557, and Small Business Information Security — The Fundamentals, by the National Institute of Standards and Technology.
- Review internal controls for the business by:
  - installing anti-malware/anti-virus security software on all electronic devices and keeping software set to automatically update;
  - creating strong passwords or passphrases and using different passwords for each account (use a password manager program to keep track of different passwords);
  - encrypting all sensitive files and emails;
  - backing up sensitive data to a secure external source not connected full time to a network;
  - wiping clean or destroying old computer hard drives and printers that contain sensitive data;
  - limiting access to taxpayer data to those who need to know;
  - checking IRS e-Services account weekly for the number of returns filed with the practitioner's electronic filing identification number (EFIN) to be sure only the practitioner has used it;
  - reporting any data theft or data loss to the appropriate IRS Stakeholder Liaison; and
  - staying connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts, and social media.
The IRS further emphasized the dangers posed by cybercriminals who have often outwitted efforts to stop them. The IRS noted that in many cases, tax practitioners were not aware that their clients' data had been stolen.
— Sally P. Schreiber (Sally.Schreiber@aicpa-cima.com) is a JofA senior editor.