CAMICO's claims experience shows that cybercriminals tend to step up their attacks in late March and early April as tax professionals work to wrap up their clients' tax returns.
Tax professionals are urged to be extra vigilant for email scams, even as tax work intensifies.
Cybercriminals have been focusing on accounting and tax firms where there is an opportunity to steal client data, file fraudulent tax returns, and misdirect refunds to the scammers’ bank accounts.
The majority of thefts occur when someone at the firm opens a phishing email and clicks on a link or attachment containing malware. Malware downloaded surreptitiously into computers permits thieves to covertly capture each keystroke or gain remote access to the computer, allowing them to steal data stored there.
Loss Prevention Tips
The IRS and its Security Summit partners posted a warning of the high risk of data theft and urged tax professionals to seek out cyber experts for assistance with security (IRS, Security Summit Partners warn tax professionals of high risk of data theft attacks). The Security Summit also recommends the following basic safeguards:
- Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider or cloud storage provider. Never open any link or attachment from a suspicious email. Remember: The IRS never initiates contact with tax professionals via email.
- Create a data security plan by using resources found within the link above.
- Review internal controls:
  - Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
  - Create passwords/passphrases of at least eight characters; the longer, the better. Use different passwords for each account, use special and alphanumeric characters, use phrases, password-protect wireless devices, and consider password manager programs.
  - Encrypt all sensitive files/emails and use strong password protections.
  - Back up sensitive data to a safe and secure external source not connected full-time to a network.
  - Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
  - Limit access to taxpayer data to individuals who need to know.
  - Check your IRS e-Services account weekly for the number of returns filed with your EFIN.
- Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
- Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alerts, and Social Media.
- Opt for multi-factor authentication protection whenever it is available. Multi-factor authentication helps prevent cybercriminals from accessing accounts, even if they steal passwords.
CAMICO also recommends that practitioners avoid public Wi-Fi or hotspots; instead, use your personal hotspot on your cell phone.