Phishing is a year-round pastime for scammers seeking to steal sensitive data about your clients or your company, but phishing scams inevitably ramp up at tax return time. During the 2021 filing season, for example, the IRS urgently warned tax professionals of a phishing scam designed to steal Electronic Filing Identification Numbers (EFINs). The IRS also warned that the ramp-up of remote transactions during COVID-19 has spawned phishing expeditions by scammers posing as potential clients. Obviously, learning to identify and to avoid these kinds of phishing expeditions is imperative. However, there are other steps you can—and should—take to protect your data.
Secure your office. Make sure all physical and virtual client files are protected from unauthorized access. For example:
- Lock doors to file rooms and computer rooms.
- Permit access to client files only on an authorized need-to-know basis.
- Make sure client information, including data on computer hardware or other media, is not left unsecured inside or outside the office, such as on desks or photocopiers, in trash cans, or in employees’ vehicles or homes.
- Provide for secure disposal of client information, such as by shredding unneeded documents or destroying digital media by incineration, pulverizing, shredding, disintegration, or melting.
Secure your systems. While trolling in your trash is not unheard of, your computer systems are likely to be the prime target for identity theft. Here are some steps you can take to prevent a computer data breach:
- Require separate user names and passwords for each individual with computer access—and disable and remove inactive users.
- Make sure users set up strong passwords with a combination of numbers, symbols, and upper and lowercase letters—and require periodic password changes every 60 to 90 days.
- Lock out users after three invalid access attempts—anyone can make a typo, but three strikes and you’re out.
- Monitor computer systems for unauthorized access by reviewing system logs.
- Protect internet-connected computers with a firewall or other barrier device.
- Maintain hardware and software regularly.
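The lockout and log-review steps above are easy to state and tedious to do by hand. The following is an added example, not part of the original article, showing how the "three strikes" rule and a log review fit together: it reads authentication records, flags any account whose consecutive failures reach the lockout threshold (a successful login resets the count, so two typos followed by a good login are not flagged), and separately counts failures per source address so that one source probing several accounts still stands out. The log format and every line in it are constructed for illustration; adapt the regular expression to whatever your systems actually emit.

```python
"""Flag accounts that hit the three-strikes lockout threshold in an auth log.

Added example, not from the original article. The log format below is
constructed (timestamp, result, user, source IP); real systems differ.
"""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # the article's "three strikes and you're out" rule

# Constructed sample log lines (not real data). jsmith mistypes twice and then
# succeeds; mlee fails four times in a row; oldtemp fails exactly three times.
SAMPLE_LOG = """\
2021-03-01T08:01:12 FAILED user=jsmith src=203.0.113.5
2021-03-01T08:01:20 FAILED user=jsmith src=203.0.113.5
2021-03-01T08:01:31 SUCCESS user=jsmith src=203.0.113.5
2021-03-01T08:02:02 FAILED user=mlee src=198.51.100.7
2021-03-01T08:02:09 FAILED user=mlee src=198.51.100.7
2021-03-01T08:02:15 FAILED user=mlee src=198.51.100.7
2021-03-01T08:02:40 FAILED user=mlee src=198.51.100.7
2021-03-01T09:15:00 FAILED user=oldtemp src=203.0.113.9
2021-03-01T09:15:05 FAILED user=oldtemp src=203.0.113.9
2021-03-01T09:15:11 FAILED user=oldtemp src=203.0.113.9
"""

# One record per line: timestamp, FAILED|SUCCESS, user=..., src=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) for each well-formed line.

    Lines that do not match the expected format are skipped rather than
    guessed at, so a malformed entry cannot silently reset a counter.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def find_lockouts(text, threshold=LOCKOUT_THRESHOLD):
    """Return {user: timestamp} for accounts whose consecutive failures reached
    the threshold; the timestamp is the attempt that triggered the lockout.
    A SUCCESS resets that user's count, matching a per-account lockout policy.
    """
    consecutive = defaultdict(int)
    lockouts = {}
    for ts, result, user, _src in parse_log(text):
        if result == "SUCCESS":
            consecutive[user] = 0
            continue
        consecutive[user] += 1
        if consecutive[user] == threshold and user not in lockouts:
            lockouts[user] = ts
    return lockouts


def failures_by_source(text):
    """Count FAILED attempts per source IP across all users.

    A source that fails against many accounts may never trigger a per-account
    lockout, so this view is what a log review should add to the lockout rule.
    """
    counts = defaultdict(int)
    for _ts, result, _user, src in parse_log(text):
        if result == "FAILED":
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, ts in sorted(find_lockouts(SAMPLE_LOG).items()):
        print(f"LOCKOUT {user} at {ts}")
    for src, n in sorted(failures_by_source(SAMPLE_LOG).items()):
        print(f"{src}: {n} failed attempts")
```

Run against the constructed log, mlee and oldtemp are reported as locked out while jsmith is not; the per-source counts show 198.51.100.7 with the most failures. Reviewing both views is the practical content of the "review system logs" step: the lockout tells you an account was attacked or a user is struggling, the source count tells you whether one address is working through your user list.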
Secure your storage. IRC Sec. 6107(b) requires you to maintain client data for three years after their returns have been filed, but these records should be separated from your active files. Back up client data regularly and store it on separate secure computers or media that are not connected to the internet. Remove client information once the retention period expires by using software designed to securely remove the data.
How to spot a phishing email
The IRS offers these tips on how to spot—and avoid—a phishing email.
It contains a link. Scammers often pose as the IRS, financial institutions, tax companies, or software providers. They may claim that you need to update your account or change a password. The email offers links to a spoofing site that may look similar to the legitimate official website. Do not click on the link. If in doubt, go directly to the legitimate website and access your account.
It contains an attachment. Scammers often include an attachment to an email. This attachment may be infected with malware that can download malicious software onto your computer without your knowledge. If it’s spyware, it can track your keystrokes to obtain information about passwords, Social Security numbers, or other sensitive data. Do not open attachments from unknown sources.
It appears to be from a government agency. Scammers attempt to trick people into opening email links by posing as the IRS and other government agencies. The IRS does not initiate taxpayer communications through email.
It’s an “off” email from a friend. Scammers also hack email accounts and try to leverage the stolen email addresses. You may receive an email from a “friend” that just doesn’t seem right. It may be missing a subject line or contain odd requests or language. If it seems off, avoid it and do not click on any links.
It has a lookalike URL. A questionable email may try to trick you with the URL. For example, instead of www.irs.gov, it may be a false lookalike.
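The "contains a link" and "lookalike URL" points both come down to one question: does the hostname in the link actually belong to the legitimate domain? The following is an added example, not from the original article or from the IRS, that answers it the way a mail filter would: it parses each link, extracts the hostname, and accepts it only if it is irs.gov itself or a subdomain of it. Names that merely contain "irs.gov" somewhere (such as irs.gov followed by another domain), hyphenated variants, and hostnames using non-ASCII or punycode labels are treated as lookalikes. It also compares the visible link text with the real target, since a displayed www.irs.gov that points elsewhere is the mismatch the article warns about. All sample links are constructed.

```python
"""Tell a legitimate irs.gov link from a lookalike by parsing the hostname.

Added example, not from the original article. The sample links below are
constructed; irs.gov is the legitimate domain the article names.
"""
import re
from urllib.parse import urlsplit

LEGITIMATE_DOMAIN = "irs.gov"

# Visible link text that looks like a hostname or URL, e.g. "www.irs.gov/refund".
HOSTLIKE_RE = re.compile(r"^(https?://)?[a-z0-9.-]+(/\S*)?$")


def link_hostname(url):
    """Return the lowercase hostname of an absolute URL, or None if it has none."""
    return urlsplit(url.strip()).hostname


def is_on_domain(url, domain=LEGITIMATE_DOMAIN):
    """True only if the link's host is `domain` or a subdomain of it.

    Matching is done on whole labels from the right, so 'www.irs.gov.refund.example'
    and 'irs-gov.example' are rejected even though the string 'irs' appears in
    them. Hosts with non-ASCII characters or punycode (xn--) labels are rejected
    as well, because they may be homoglyph lookalikes of the real name and need
    a human to look at them.
    """
    host = link_hostname(url)
    if host is None:
        return False
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False
    return host == domain or host.endswith("." + domain)


def classify_links(links, domain=LEGITIMATE_DOMAIN):
    """Return {url: 'legitimate' | 'lookalike'} for a batch of links."""
    return {u: ("legitimate" if is_on_domain(u, domain) else "lookalike") for u in links}


def display_mismatch(display_text, href, domain=LEGITIMATE_DOMAIN):
    """True when the visible text claims the legitimate domain but the real
    target does not point there. Plain words such as 'Click here' make no
    domain claim and therefore never count as a mismatch on their own.
    """
    shown = display_text.strip().lower()
    if not HOSTLIKE_RE.match(shown):
        return False
    if "://" not in shown:
        shown = "http://" + shown
    return is_on_domain(shown, domain) and not is_on_domain(href, domain)


# Constructed sample links (none of these is a real observed phishing URL).
SAMPLE_LINKS = [
    "https://www.irs.gov/refunds",
    "https://irs.gov",
    "https://www.irs.gov.refund-status.example/",
    "https://irs-gov.example/login",
    "https://www.\u0456rs.gov/",  # Cyrillic 'i' in place of Latin 'i'
]

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {url}")
    print(display_mismatch("www.irs.gov", "https://www.irs.gov.refund-status.example/"))
```

The check deliberately does not try to "repair" a suspicious link or guess what it was meant to be; the article's advice stands: if a link fails the check, ignore it and type the legitimate address yourself.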
Check out the Intuit® Tax Pro Center’s array of articles on fraud and security for more information and helpful tips.