Security Tips to Get You Through April
Ok, what’s worse than having to file your taxes? Falling for a tax scam. The problem is that there are way too many ways to fall victim. However, instead of focusing on the individual and the various well-documented phone, email, and other social engineering scams, we’ll look at the real pot ‘o gold – independent tax preparers. Why buy a quart of milk when you can own the whole cow?
We’re not talking about the major brokerages, H&R Block, and other established firms. The real risk is in compromising the corner tax preparer, in many cases doubling up as an accountant. Much like the independent doctor or dentist (becoming harder to find, btw), these preparers have access to the most confidential of financial data for literally hundreds of customers, a gold mine for identity theft.
Members of the IRS Electronic Tax Administration Advisory Committee (ETAAC) in June noted that they believe “far fewer than half of the tax professionals are aware of their responsibilities under the FTC Safeguards rule and that even fewer professionals …have implemented required security practices.”
In a good year, preparers need to be on the lookout for spoofed sites, ransomware, and phishing, basic network hygiene, physical intrusions – it only takes one USB drive, and even dumpster divers. They also need to head off scams where a hacker poses as a new client, possibly using stolen credentials. But, 2019 is anything but a normal year!
Between the government shutdown and changes in the tax law, many individuals are confused, stressed, and are delaying preparation, all falling on the shoulders of their preparers. In the interest of time, they’ll use less secure channels for communication, leave confidential messages, and of course, be more at risk from others spoofing their preparer’s identity.
As a preparer, be extra diligent as to any client or external email enclosures or links, any USB drives supplied with client data, and calls, said to be from clients, but possibly not, requesting confidential data.
On the IT side, it goes without saying to lock down your WiFi, encrypt all data as a last line of defense against data theft, and automatically assess for vulnerabilities and other security gaps based on industry best practices and patch as required. This also applies if you are using cloud-based services.
Scams involving SharePoint and other cloud-based accounts and documents are also in vogue this year, and with more clients apt to share documents via Google Docs, Box, Dropbox, or any one of a number of other services, the chance of a breach grows.
Finally, be on the lookout for any strange behavior when filing, when entering or reviewing data, or when downloading or uploading. Anything out of the ordinary could indicate a breach, so stop, and pause.
A good IRS guide with links to best practices is here:
- https://www.irs.gov/newsroom/tax-security-101-tax-preparers-should-take-these-steps-to-protect-data
- https://www.irs.gov/pub/irs-pdf/p4557.pdf
- https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
