As more practitioners work remotely and security risks increase, the IRS and Security Summit partners issued a bulletin urging tax professionals to take additional security steps immediately to protect taxpayer data.
The IRS, state tax agencies and the nation’s tax industry continue to see an upswing in data thefts from tax professionals as cybercriminals try to take advantage of COVID-19 and economic impact payments (EIPs) to create new scams.
“Identity thieves view the pandemic as a chance to exploit tax professionals as well as taxpayers,” said IRS Commissioner Chuck Rettig. “They are using every trick of their criminal trade to con people, as well as steal valuable personal and financial information to help enable tax-related identity theft. In many ways, tax pros are one of the first lines of defense. We urge the entire tax community to take additional steps and protect their sensitive data.”
The partners in the Security Summit – including the IRS, state tax agencies and the private-sector tax industry – continue working closely together to watch for new threats during the coronavirus. In addition, IRS Criminal Investigation is actively working to combat scam artists trying to exploit EIPs and other provisions related to the coronavirus. So far, the scams include preying on vulnerable taxpayers who are unaware of how the payments will reach them.
The IRS and Security Summit partners also recommend these additional security measures:
Use a virtual private network for extra security. All tax professionals who work remotely should use an encrypted virtual private network (VPN) that provides a secure, encrypted tunnel for transmitting data over the internet between the remote user and the company network.
Cybercriminals can exploit various weaknesses, whether by using a phishing email or an unsecured network, to gain control of a tax professional’s computer. Once they have remote control, they can either steal data or complete and file client tax returns while changing the bank account information for refunds.
The government cannot recommend a VPN provider, but tax professionals can ask trusted colleagues or search for “best VPNs” to find a legitimate vendor. Major technology sites often provide lists of top services. Never fall for pop-ups on websites for VPNs or any kind of security software. Those generally are all scams.
Multi-factor authentication helps protect data. This year, most tax software providers for tax professionals and for taxpayers are offering the option of multi-factor authentication. Multi-factor authentication means a returning user to the software product must enter not only their credentials (username/password), but also a security code, generally sent as a text to a mobile phone. The idea is the thief may compromise log-in credentials, but it is unlikely they will have stolen the mobile phone as well.
Multi-factor authentication protects the software account from being breached and client data from being stolen. Tax professionals should activate this feature immediately.
Avoid phishing scams. Identity thieves have stepped up phishing scam efforts to capitalize on COVID-19 and EIPs. Crooks are targeting tax professionals as well as taxpayers.
Tax professionals should beware of emails from criminals posing as potential clients. As people practice social distancing, criminals may exploit this process to try to trick tax practitioners into opening links or attachments. For example, crooks may present themselves as a new client, and ask the practitioner to view the wage and income information they have in an attachment.
The Security Summit reminds tax professionals of simple steps to remember: Know your customers. Use the phone to confirm identities. Don’t take the bait.
Thieves also seek to impersonate tax software providers, cloud storage providers, banks and others. Remember, phishing emails generally have an urgent message, such as “your account password expired,” and will direct you to a link or attachment. Taxpayers can report suspicious emails posing as the IRS to firstname.lastname@example.org.
Watch out for IRS impersonation scams. The IRS will not call, email or text anyone about EIPs. These are impersonation scams by thieves seeking to steal bank account or other sensitive data. Do not fall for these scams.
Don’t forget security software. Everyone, especially tax professionals, should be using broad-based security software that protects not just their computers, but mobile phones as well. Security features will help identify and stop potentially dangerous malware that can infect digital networks.
For more help, the IRS and Security Summit partners urge tax practitioners to review the security measures outlined in Publication 4557, Safeguarding Taxpayer Data. The Intuit® Tax Pro Center will continue to run articles on fraud and security, so check back frequently for updates.