• IRS, Security Summit partners urge tax professionals to review their practices, enhance safeguards to protect taxpayer data

    July 17, 2019, 8:26 AM

    Leaders from the IRS, state tax agencies and the tax industry today called on tax professionals nationwide to take time this summer to review their current security practices, enhance safeguards where necessary and take steps to protect their businesses from global cybercriminal syndicates prowling the Internet.

    Despite major progress by the IRS and the Security Summit partners against identity theft, evolving tactics continue to threaten the tax community and the sensitive data of taxpayers. 

    To help combat this, the Security Summit partners created a new “Taxes. Security. Together.” Checklist to serve as a starting point for tax professionals. Beginning next week, the IRS and Summit partners will issue a series of five Tax Security 2.0 news releases highlighting “Taxes. Security. Together.” Checklist action items.

    “The IRS, the states and the private sector tax industry have taken major steps to protect taxpayers and their data,” said IRS Commissioner Chuck Rettig. “But a major risk remains, regardless of whether you are the sole tax practitioner in your office or part of a multi-partner accounting firm. To help with this, we assembled a security checklist to assist the tax community. We hope tax professionals will use our checklist as a starting point to do everything necessary to protect their client’s data.”

    The Security Summit — a partnership between the IRS, states and the private-sector tax community — started in 2015 to combat identity theft and protect taxpayers. Key IRS data show the Summit continues making major progress against tax-related identity theft. Between 2015 and 2018, key indicators showed:

    • The number of taxpayers who reported to the IRS that they were victims of identity theft fell 71 percent. In 2018, the IRS received 199,000 identity theft affidavits from taxpayers compared to 677,000 in 2015. This was the third consecutive year this number declined.
    • The number of confirmed identity theft returns stopped by the IRS declined by 54 percent, falling from 1.4 million in 2015 to 649,000 in 2018.

    As the Summit has increased the tax community’s defenses against identity theft and refund fraud, cybercriminals continue to evolve. Increasingly, they look to data thefts at tax professionals’ offices to obtain large amounts of sensitive taxpayer data. Thieves then use stolen data from tax professionals to create fraudulent returns that are harder to detect.

    The "Taxes. Security. Together." Checklist

    The Summit partners urge the tax community to review these basic security steps this summer. Some tax pros may routinely overlook these checklist items and others need to regularly revisit them. The steps are not only important for tax practitioners, but for taxpayers as well. Everyone has a responsibility to protect sensitive data.

    The "Taxes. Security. Together." Checklist highlights key security features: 

    • Deploy the “Security Six” measures:
      • Activate anti-virus software.
      • Use a firewall.
      • Opt for two-factor authentication when it’s offered.
      • Use backup software/services.
      • Use drive encryption.
      • Create and secure Virtual Private Networks.
         
    • Create a data security plan:
      • Federal law requires all “professional tax preparers” to create and maintain an information security plan for client data. 
      • The security plan requirement is flexible enough to fit any size of tax preparation firm, from small to large. 
      • Tax professionals are asked to focus on key risk areas such as employee management and training; information systems; and detecting and managing system failures.
         
    • Educate yourself and be alert to key email scams, a frequent risk area:
      • Learn about spear phishing emails.
      • Beware ransomware.
         
    • Recognize the signs of client data theft:
      • Clients receive IRS letters about suspicious tax returns in their name.
      • More tax returns are filed with a practitioner’s Electronic Filing Identification Number than the practitioner submitted.
      • Clients receive tax transcripts they did not request.
         
    • Create a data theft recovery plan including:
      • Contact the local IRS Stakeholder Liaison immediately.
      • Assist the IRS in protecting clients’ accounts.
      • Contract with a cybersecurity expert to help prevent and stop thefts. 

    Security Summit partners/tax professionals urge review

    “The states and our partners have made progress in the fight against tax-related identity theft, but criminals continue to evolve. We cannot let our guard down in this fight because our common enemy is well-funded, technologically skilled and savvy about state and federal tax processes,” said Sharonne Bonardi, president of the Board of Trustees of the Federation of Tax Administrators and Deputy Comptroller in Maryland. “To make this work, we need help from individual tax professionals across the nation.”

    Checklist marks third year of Summit campaigns aimed at tax professional community

    This year’s Tax Security 2.0 effort involving the Security Checklist is the third summer campaign in a row involving the Summit partners. The effort follows feedback and recommendations from the Electronic Tax Administration Advisory Committee (ETAAC) that encouraged the Summit partners to expand and intensify outreach efforts to the tax professional community on identity theft and security issues. 

    This year’s campaign also coincides with this summer’s IRS Nationwide Tax Forums, which will again feature a major focus on security protection for tax professionals. Sessions led by experts from inside and outside the IRS will provide continuing education credits. The American Coalition for Taxpayer Rights also will again sponsor special sessions with experts from the Pell Center for International Relations and Public Policy at Salve Regina University in Rhode Island.

    Last year's Summit education effort focused on Protect Your Clients; Protect Yourself: Tax Security 101. In 2017, the campaign highlighted email schemes in Don’t Take the Bait.

    Separate Summit initiatives focus on identity theft awareness for individual taxpayers and consumer alerts for developing tax scams and schemes. 

    Resources available for tax professionals

    Tax professionals also can get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data (PDF), and Small Business Information Security: the Fundamentals (PDF) by the National Institute of Standards and Technology.

    Publication 5293, Data Security Resource Guide for Tax Professionals (PDF), provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and social media.

     
    Source: IRS
  • Update your software now

    June 14, 2019, 10:22 AM

    We secure our valuables – our wallets, keys, and homes. We know that, if left unsecured, they can easily be a target for criminals. So it makes sense to think the same way about the information stored on all our devices.

    Computers, tablets, phones and other personal devices hold your emails and your financial and tax documents (with your Social Security numbers). Criminals who get access to this valuable information can commit identity theft, put harmful software on your devices, or both.

    What’s one easy way to help protect all of this sensitive information? Update your software regularly, and as soon as possible when a newer version comes out. What’s an even easier way? Set the updates to happen automatically. Don’t ignore reminders to update. Criminals look to exploit vulnerabilities before the software companies can fix them. Delaying gives hackers time to access your information – even when a patch is out there to lock them out.

    So what software should you be updating?

    1. Security software. Whether you use antivirus or firewall programs that were pre-installed on your device or that you bought on your own, make sure they’re up to date.
    2. Operating system software. Your operating system could be Windows, Apple OS, etc. If you’re not sure how to update your operating system, go to the website of your device manufacturer for help.
    3. Internet browsers and apps. Both are access points for criminals to enter your devices, so it’s important to keep them secure.
    Source: Federal Trade Commission 
  • IRS reminder: Tax scams continue year-round

    June 10, 2019, 2:25 PM

    Although the April filing deadline has passed, scam artists remain hard at work, and the IRS today urged taxpayers to be on the lookout for a spring surge of evolving phishing emails and telephone scams.

    The IRS is seeing signs of two new variations of tax-related scams. One involves Social Security numbers related to tax issues and another threatens people with a tax bill from a fictional government agency. Here are some details:

    • The SSN hustle. The latest twist includes scammers claiming to be able to suspend or cancel the victim’s Social Security number. In this variation, the Social Security cancellation threat scam is similar to and often associated with the IRS impersonation scam. It is yet another attempt by con artists to frighten people into returning ‘robocall’ voicemails. Scammers may mention overdue taxes in addition to threatening to cancel the person’s SSN.
       
    • Fake tax agency. This scheme involves the mailing of a letter threatening an IRS lien or levy. The lien or levy is based on bogus delinquent taxes owed to a non-existent agency, “Bureau of Tax Enforcement.” There is no such agency. The lien notification scam also likely references the IRS to confuse potential victims into thinking the letter is from a legitimate organization.

    Both display classic signs of being scams. The IRS and its Security Summit partners – the state tax agencies and the tax industry – remind everyone to stay alert to scams that use the IRS or reference taxes, especially in late spring and early summer as tax bills and refunds arrive.

    Phone scams

    The IRS does not leave pre-recorded, urgent or threatening messages. In many variations of the phone scam, victims are told if they do not call back, a warrant will be issued for their arrest. Other verbal threats include law-enforcement agency intervention, deportation or revocation of licenses.

    Criminals can fake or “spoof” caller ID numbers to appear to be anywhere in the country, including from an IRS office. This prevents taxpayers from being able to verify the true call number. Fraudsters also have spoofed local sheriff’s offices, state departments of motor vehicles, federal agencies and others to convince taxpayers the call is legitimate.

    Email phishing scams

    The IRS does not initiate contact with taxpayers by email to request personal or financial information. The IRS initiates most contacts through regular mail delivered by the United States Postal Service. However, there are special circumstances when the IRS will call or come to a home or business. These visits include times when a taxpayer has an overdue tax bill, a delinquent tax return or a delinquent employment tax payment, or the IRS needs to tour a business as part of a civil investigation (such as an audit or collection case) or during a criminal investigation.

    If a taxpayer receives an unsolicited, fraudulent email that appears to be from either the IRS or a program closely linked to the IRS, they should report it by sending it to phishing@irs.gov. The Report Phishing and Online Scams page provides complete details.

    Telltale signs of a scam

    The IRS (and its authorized private collection agencies) will never:

    • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. The IRS does not use these methods for tax payments. Generally, the IRS will first mail a bill to any taxpayer who owes taxes. All tax payments should only be made payable to the U.S. Treasury and checks should never be made payable to third parties.
    • Threaten to immediately bring in local police or other law-enforcement groups to have the taxpayer arrested for not paying.
    • Demand that taxes be paid without giving the taxpayer the opportunity to question or appeal the amount owed.
    • Ask for credit or debit card numbers over the phone.

    For anyone who doesn’t owe taxes and has no reason to think they do:

    • Do not give out any information. Hang up immediately.
    • Contact the Treasury Inspector General for Tax Administration to report the call. Use their IRS Impersonation Scam Reporting web page.
    • Report the caller ID and/or callback number to the IRS by sending it to phishing@irs.gov (Subject: IRS Phone Scam).
    • Report it to the Federal Trade Commission. Use the FTC Complaint Assistant on FTC.gov. Add "IRS Telephone Scam" in the notes.

    For anyone who owes tax or thinks they do:

    The IRS does not use text messages or social media to discuss personal tax issues, such as those involving bills or refunds. For more information, visit the Tax Scams and Consumer Alerts page on IRS.gov. Additional information about tax scams is also available on IRS social media sites, including YouTube videos.

    Source: IRS
  • Make it a scam-free vacation

    May 28, 2019, 9:14 AM

    It’s almost summer! Right now, you probably have beaches on the brain or you’re thinking about that long-planned trip abroad. Before you head out, take steps to help keep your dream vacation from becoming a nightmare:

    Do some research — and then carefully read the details on travel offers.

    • First, get recommendations from family and friends on good travel agencies, vacation rentals, hotels and travel packages — before responding to offers.
    • Look up travel companies, hotels, rentals and agents with the words “scam,” “review,” or “complaint.”
    • Look for extra costs. Resort fees (also known as destination, facility and amenity fees) can add $50 or more to your nightly cost.
    • Ask about taxes, which may be significant in many locations.
    • Get a copy of the cancellation and refund policies before you pay.
    • If you’re buying travel insurance, be sure the agency is licensed.
    • Bring copies of any confirmation details that show the rate and amenities you were promised. This also helps if the hotel or host says your reservation is “lost.”

    Don’t pay for “prize” vacations. No legitimate company will ask you to pay for a prize. Also, look for catches to resort or timeshare offers. They may come with taxes and fees to pay, timeshare presentations to attend, and high-pressure sales pitches to endure.

    Don’t sign anything until you know the terms of the deal. Say “no thanks” to anyone who tries to rush you, without giving you time to consider the offer.

    Use a credit card, if possible, for your travel spending. This gives you more protection than paying by cash or debit card — and it may be easier to dispute unauthorized charges.

    Protect your identity and account information while you’re traveling.


    Source: Federal Trade Commission
  • COPPA: A few tips to keep your child safe online

    April 29, 2019, 11:22 AM

    Online games and websites for kids are everywhere these days – to the point where it’s commonplace to see toddlers playing with them, too. And while the internet often offers a positive way for children to explore and learn, privacy concerns are lurking. To help protect children’s privacy, the FTC enforces the Children’s Online Privacy Protection Act (COPPA), which requires websites and online services to obtain consent from parents before collecting personal information from kids younger than 13.

    According to the FTC, i-Dressup, a website allowing users to play dress-up games, and its owners violated COPPA by collecting personal information from kids – including names, email addresses, and user names – without obtaining parental consent and by failing to take reasonable steps to protect this information. This led to a breach of i-Dressup’s network in August 2016. As a result of the breach, a hacker accessed the personal information and account passwords of over two million i-Dressup users, including at least 245,000 children under 13.

    So how can you protect your child online? Here are some tips:

    • Talk to your kids about what they’re doing online. Find out which games, social networking sites, and other online activities your kids are into and make sure you are comfortable with them.
    • Talk to your children about the implications of providing personal information.
    • Help your kids understand what information should stay private. Tell your kids why it's important to keep information like Social Security numbers, street addresses, phone numbers, and financial information private.
    • Learn more about how to protect your child when he’s online.
    • File a complaint with the FTC if you think a site has put your child’s privacy at risk.

    Source: Federal Trade Commission
  • IRS kicks off annual list of most prevalent tax scams: Agency warns taxpayers of pervasive phishing schemes in its ‘Dirty Dozen’ campaign

    March 05, 2019, 10:00 AM

    WASHINGTON — Kicking off the annual “Dirty Dozen” list of tax scams, the Internal Revenue Service today warned taxpayers of the ongoing threat of internet phishing scams that lead to tax-related fraud and identity theft.

    The IRS warns taxpayers, businesses and tax professionals to be alert for a continuing surge of fake emails, text messages, websites and social media attempts to steal personal information. These attacks tend to increase during tax season and remain a major danger of identity theft.

    To help protect taxpayers against these and other threats, the IRS highlights one scam on 12 consecutive weekdays to help raise awareness. Phishing schemes are the first of the 2019 “Dirty Dozen” scams.

    “Taxpayers should be on constant guard for these phishing schemes, which can be tricky and cleverly disguised to look like it’s the IRS,” said IRS Commissioner Chuck Rettig. “Watch out for emails and other scams posing as the IRS, promising a big refund or personally threatening people. Don’t open attachments and click on links in emails. Don’t fall victim to phishing or other common scams.”

    The IRS also urges taxpayers to learn how to protect themselves by reviewing safety tips prepared by the Security Summit, a collaborative effort between the IRS, state revenue departments and the private-sector tax community.

    “Taking some basic security steps and being cautious can help protect people and their sensitive tax and financial data,” Rettig said.

    New variations on phishing schemes

    The IRS continues to see a steady stream of new and evolving phishing schemes as criminals work to victimize taxpayers throughout the year. Whether through legitimate-looking emails with fake, but convincing website landing pages, or social media approaches, perhaps using a shortened URL, the end goal is the same for these con artists: stealing personal information.

    In one variation, taxpayers are victimized by a creative scheme that involves their own bank account. After stealing personal data and filing fraudulent tax returns, criminals use taxpayers' bank accounts to direct deposit tax refunds. Thieves then use various tactics to reclaim the refund from the taxpayer, including falsely claiming to be from a collection agency or the IRS. The IRS encourages taxpayers to review some basic tips if they see an unexpected deposit in their bank account.

    Schemes aimed at tax pros, payroll offices, human resources personnel

    The IRS has also seen more advanced phishing schemes targeting the personal or financial information, such as Form W-2 information, available in the files of tax professionals, payroll professionals, human resources personnel, schools and organizations. These targeted scams are known as business email compromise (BEC) or business email spoofing (BES) scams.

    Depending on the variation of the scam (and there are several), criminals will pose as:

    • a business asking the recipient to pay a fake invoice
    • an employee seeking to re-route a direct deposit
    • someone the taxpayer trusts or recognizes, such as an executive, to initiate a wire transfer.

    The IRS warned of the direct deposit variation of the BEC/BES scam in December 2018, and continues to receive reports of direct deposit scams at phishing@irs.gov. Direct deposit and other BEC/BES variations should be forwarded to the Internet Crime Complaint Center (IC3). The IRS requests that Form W-2 scams be reported to: phishing@irs.gov (Subject: W-2 Scam).

    Criminals may use the email credentials from a successful phishing attack, known as an email account compromise, to send phishing emails to the victim’s email contacts. Tax preparers should be wary of unsolicited email from personal or business contacts, especially the more commonly observed scams, like new client solicitations.

    Malicious emails and websites can infect a taxpayer’s computer with malware without the user knowing it. The malware downloads in the background, giving the criminal access to the device and enabling them to access any sensitive files or even track keyboard strokes, exposing the victim’s login information.

    For those participating in these schemes, such activity can lead to significant penalties and possible criminal prosecution. Both the Treasury Inspector General for Tax Administration (TIGTA), which handles scams involving IRS impersonation, and the IRS Criminal Investigation Division work closely with the Department of Justice to shut down scams and prosecute the criminals behind them.

    Tax professional alert

    Numerous data breaches across the country mean the tax preparation community must be on high alert to unusual activity, particularly during the tax filing season. Criminals increasingly target tax professionals, deploying various types of phishing emails in an attempt to access client data. Thieves may use this data to impersonate taxpayers and file fraudulent tax returns for refunds.

    As part of the Security Summit initiative, the IRS has joined with representatives of the software industry, tax preparation firms, payroll and tax financial product processors and state tax administrators to combat identity theft refund fraud to protect the nation's taxpayers.

    The Security Summit partners encourage tax practitioners to be wary of communicating solely by email with potential or existing clients, especially if unusual requests are made. Data breach thefts have given thieves millions of identity data points including names, addresses, Social Security numbers and email addresses. If in doubt, tax practitioners should call to confirm a client’s identity.

    Reporting phishing attempts

    If a taxpayer receives an unsolicited email or social media attempt that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), they should report it by sending it to phishing@irs.gov. Learn more by going to the Report Phishing and Online Scams page on IRS.gov.

    Tax professionals who receive unsolicited and suspicious emails that appear to be from the IRS and/or are tax-related (like those related to the e-Services program) also should report them to: phishing@irs.gov.

    The IRS generally does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.

    Source: IRS