Tax Professionals: It’s Time to Establish Your Mandatory IRS Security Policy Manual

Download our free IRS Security Policy Template and read our best practices for maintaining a secure practice that your clients can trust.

July 8, 2022
Lee Reams
CEO | CountingWorks PRO

The IRS has been reminding tax professionals that the FTC's Safeguards Rule applies to them, so practitioners must take action to protect taxpayer data from being compromised. To assist tax professionals in becoming compliant, we have curated the security tips below and created an IRS Security Policy Template that can be edited and used by tax professionals when establishing their internal policies.

Violation of these rules can result in civil penalties of up to $2,500 per violation. Much larger penalties could come as a result of a civil action brought by a client and an astute plaintiff's attorney armed with the fact that the defendant did not abide by the "Red Flag Rules." Each practitioner firm is responsible for developing its own list of red flags based upon its own specific methods and business operations, and the list should be as exhaustive as possible. Unfortunately, there is no specific set of red flags for tax preparation, accounting, or financial services businesses; the FTC does not provide industry guidelines. Each business must include every situation that it can envision. The FTC does provide a Four-Step Process for identifying risks (red flags), which should be reviewed prior to developing the firm's security policy. Download our IRS Security Policy Template for free.

Cybersecurity: Is Your Tax and Accounting Practice Secure?

Few professions have felt the brunt of identity theft like the tax and accounting profession. This profession is in the crosshairs: clients may have their identities stolen and have to deal with fraudulent tax returns, and financial professionals may get hit with spoofed emails. It is important to understand that many of these incidents are not truly hacks but rather careless use of passwords and/or poor office policies. This overview is meant to provide some insight and best practices to help protect your practice and your clients from bad actors. Know that CPAs, enrolled agents, and other tax professionals are attractive targets to hackers. Never let your guard down and say "It won't happen to my practice."

Do Not Send Clients Files via Email

The most common hack involves a third party gaining access to an email account, either yours or one of your clients'. A hacker can gain access to an email password by using brute-force attacks or by sending spoofed emails. The majority of intrusions are due to poor password management.

First, be sure that each account has a unique and very strong password. Nothing is worse than letting a hacker gain access to multiple accounts because you use the same password across the board. If hackers gain access to your email, they can then send spoofed emails to your client base. This is very dangerous: the clients will likely trust the message and actually open it because you are the sender (or so it seems).

Spoofed emails come in various formats. Sometimes they are sent posing as password-reset emails from common sites such as Dropbox, PayPal or Intuit QuickBooks. The IRS has warned of a ransomware scam in which a single email impersonated both the IRS and the FBI. These are the types of tactics that unsuspecting people can fall for. In addition, if you have sent private client files via email, any hacker who gets access to your email account (or your client's) can use this information to commit identity theft.

Sample ransomware scam email:

Utilizing a client-portal system that requires unique usernames and passwords and that uses a secure SSL connection can help minimize this risk. Make sure that any such system has safety mechanisms built in — for instance, to limit the number of incorrect passwords that a user can enter before being locked out. Most portals also encrypt files stored on their servers, which adds another layer of protection.
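The lockout mechanism described above (a bounded number of wrong passwords before the account is frozen for a while) is small enough to show in full. The following is an added example written for this article, not code from CountingWorks PRO or from any particular portal product; the threshold of five failed attempts, the fifteen-minute lockout window and the PBKDF2 iteration count are assumed values chosen for illustration. Passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes, comparison uses a constant-time check, and an unknown username costs the same hashing work as a known one so the login path does not reveal which usernames exist.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy values assumed for this example (not taken from the article).
MAX_FAILED_ATTEMPTS = 5        # wrong passwords tolerated before the account locks
LOCKOUT_SECONDS = 15 * 60      # how long a locked account stays locked
PBKDF2_ITERATIONS = 100_000    # work factor for password hashing


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, derived_key) using salted PBKDF2-HMAC-SHA256.

    A fresh random salt is generated when none is supplied (registration);
    the stored salt is passed back in at login time.
    """
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


@dataclass
class Account:
    salt: bytes
    key: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class Portal:
    """Minimal client-portal login front end with per-account lockout.

    `clock` is injectable so the lockout window can be tested without waiting.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt, key = hash_password(password)
        self.accounts[username] = Account(salt=salt, key=key)

    def login(self, username: str, password: str) -> str:
        """Return "ok", "bad_credentials" or "locked"."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Do the same hashing work for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password)
            return "bad_credentials"
        if acct.locked_until > now:
            # Even the correct password is refused while the lock is active.
            return "locked"
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.key):
            acct.failed_attempts = 0
            acct.locked_until = 0.0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "bad_credentials"


if __name__ == "__main__":
    portal = Portal()
    portal.register("client@example.com", "correct horse battery staple")
    for guess in ["a", "b", "c", "d", "e"]:
        print(guess, "->", portal.login("client@example.com", guess))
    print("real password ->", portal.login("client@example.com", "correct horse battery staple"))
```

Running the script shows four `bad_credentials` results, a `locked` result on the fifth wrong guess, and then `locked` even for the real password until the window expires. In a real portal the counters would live in the database rather than in memory and the lockout would also be logged, since a burst of failures against one account is exactly the kind of event the office should notice.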

Best Office Policies for Security

If you are still using paper documentation for your practice, add a shredder to your office equipment list. In addition, make sure that you install an office security system, including camera surveillance, to help deter thieves. Crooks often target CPA offices and other accounting firms because of these offices' bounty of private data, including Social Security numbers. Do not write down clients' personal data such as credit card numbers or banking information.

If you use file cabinets, make sure they are secure and locked. Do not write usernames or passwords on sticky notes near your computer. Although many of these best practices seem obvious, many people are guilty of breaking their own rules. Mistakes can occur if you get careless. For instance, when disposing of old tax records, always do so properly; thieves do go through the trash, and if you are not careful, they can easily access private data this way.

When it comes to securing your digital office, you can take a number of steps:

  1. Keep your operating systems updated: While doing so may be annoying or time-consuming, always keep your workstations, iPads, phones, and other devices up to date with the latest security patches.
  2. Lock your screen when it is idle: Passersby can quickly jump on unlocked devices to access users’ email, reset their passwords, and so on.
  3. Use equipment-tracking software: This technology is not automatically loaded on every workstation, but device-location tools help in case of theft or lost devices. These tools even let users lock and erase data if a device is stolen.
  4. Use hard-drive shredders: When disposing of old computers and other digital devices, make sure to use a certified hard-drive shredder to ensure that the data on those devices is permanently destroyed.
  5. Do not use insecure Wi-Fi networks: When traveling, you will often come across insecure networks. Try to only use secure connections, and when in doubt, be careful about what sites you log into.
  6. Train your staff about email best practices: All it takes is one careless staff member opening a spoofing email for an entire office to be compromised. Communicate your security policies to all staff members.
  7. Use background checks when hiring: Anyone can make the mistake of trusting that they are hiring high-caliber employees. Sometimes, though, a background check can reveal surprises. Use a service such as checkr.com.
  8. Look into cybersecurity insurance: Recent high-profile breaches have made cybersecurity insurance a growth area. Particularly if you are dealing with personal client data, it would be wise to look into anti-hacking insurance.
  9. Use high-security account passwords and update them often: Updating your passwords limits the amount of time that hackers can use stolen login information. However, studies have argued that changing passwords is a hassle and can drain productivity, so the best practice is to change the passwords for sensitive accounts every 60 to 90 days.
  10. Be very careful when clicking on email attachments: A Las Vegas CPA made the mistake of clicking on a file that was attached to an inbound email that they thought was a resume for an internship. The CPA did not have any openings or job listings but clicked on it anyway. The file turned out to be ransomware. When in doubt, delete the email or ask the sender to confirm that the file is safe.
  11. Install antivirus/anti-malware software: The first line of defense is antivirus/anti-malware software. This is especially true for Microsoft operating systems. However, you must ensure that this software automatically updates so that it protects you from the latest threats.
  12. Be wary when sharing private data offline: If third parties are probing you for personal data in a way that seems out of place, do not provide that information. You can always call a vendor directly. Use common sense.
  13. Use an SSL certificate on your website: If you are collecting data from clients on your website, use an SSL certificate. This will be evident to clients because of the https:// before your domain name. Starting in 2018, Chrome even began alerting visitors when they navigate to sites that contain forms without SSL certificates.
  14. Don’t wait until a breach occurs: Act now to set up the above protections. A little bit of effort today can save your practice a lot of pain later.

Identity Thieves, the IRS and Your Clients

The IRS and the Federal Trade Commission have taken steps to combat fraud resulting from identity theft. Many of their safeguards have already helped to cut down on the amount of fraud. However, it is hard to stop all fraud, especially after large-scale intrusions such as the 2017 Equifax hack affecting 143 million consumers.

If any of your clients' Social Security numbers are part of a future breach, please direct them to the special IRS identity theft website, which includes the steps to take if you are a victim. This includes access to IRS Form 14039.

Tax professionals are often in the middle of this issue, as they need to help both individuals and business owners who are victims of tax-related identity theft. They may become aware of such problems when clients' returns are rejected as duplicates. The IRS suggests that tax and accounting professionals take the following steps when this occurs:

  • If the client has received an IRS notice, respond immediately.
  • Instruct the client to complete the IRS Identity Theft Affidavit, IRS Form 14039.
  • Recognize that, if the federal return was affected, the state return might be affected as well.
  • If you need to represent your client before the IRS, make sure to complete a power of attorney form before trying to make contact.

The best defense is keeping your guard up. Hackers and identity thieves probe tax and accounting professionals daily. Using common sense and integrating cybersecurity best practices into your business will help minimize your risk. If you have any questions about security for your practice, contact us today at 1-800-442-2477 x3 or set up some time to speak with one of our digital marketing experts. We're here to help you stay compliant and keep your practice, and your clients, secure.

Lee Reams
CEO | CountingWorks PRO

As the founder and CEO of CountingWorks, Inc, Lee is passionate about helping independent tax and accounting professionals compete in the modern age. With time-saving digital onboarding tools, world-class websites, and outbound marketing campaigns, Lee has been developing best-in-class marketing solutions for over twenty years.
