Few professions have felt the brunt of identity theft like the tax and accounting profession. This profession is in the crosshairs; clients may have their identities stolen and have to deal with fraudulent tax returns, and financial professionals may get hit with spoofing emails. It is important to understand that many of these issues are not truly hacks but rather careless uses of passwords and/or poor office policies.
This overview is meant to provide some insight and best practices to help protect your practice and your clients from bad actors. Know that CPAs, enrolled agents and other tax professionals are attractive targets to hackers. Never say, “It won’t happen to my practice.”
Do Not Send Client Files via Email
The most common hack involves a third party gaining access to an email account—either yours or one of your clients’. A hacker can gain access to an email password by using brute-force attacks, or by sending spoofing emails. The majority of intrusions are due to poor password management.
First, be sure that each account has a unique and very strong password. Nothing is worse than letting a hacker gain access to multiple accounts because you use the same password across the board. If hackers gain access to your email, they can then send spoof emails to your client base. This is very dangerous because clients are likely to trust the message, since you are the sender, and actually open it. Spoof emails come in various formats. Sometimes they are sent posing as password-reset emails from common sites such as Dropbox, PayPal or Intuit QuickBooks. The IRS just warned of a new ransomware scam where the email impersonated the IRS and FBI in one message. These are the types of tactics that unsuspecting people can fall for. In addition, if you have sent private client files via email, any hacker who gets access to your email account (or your client’s) can use this information to commit identity theft.
[Image: sample ransomware scam email]
Utilizing a client-portal system that requires unique usernames and passwords and that uses a secure SSL connection can help minimize this risk. Make sure that any such system has safety mechanisms built in—for instance, to limit the number of incorrect passwords that a user can enter before being locked out. Most portals also encrypt files stored on their servers, which adds another layer of protection.
Best Office Policies for Security
If you are still using paper, add a shredder to your office equipment list. In addition, make sure that you install an office security system—including camera surveillance—to help deter thieves. Crooks often target CPA offices and other accounting firms because of these offices’ bounty of private data, including Social Security numbers. Do not write down clients’ personal data such as credit card numbers or banking information. If you use file cabinets, make sure they are secure and locked. Do not write usernames or passwords on sticky notes near your computer. Although many of these best practices seem obvious, many of us are guilty of breaking our own rules. Mistakes can occur if you get careless. For instance, when disposing of old tax records, always do so properly; thieves do go through the trash, so if you are not careful, they can easily access private data in this way.
When it comes to securing your digital office, you can take a number of steps:
Identity Thieves, the IRS and Your Clients
The IRS and the Federal Trade Commission have taken steps to combat fraud resulting from identity theft. Many of their safeguards have already helped to cut down on the amount of fraud. However, it is hard to stop all of the fraud, especially after intrusions such as the recent Equifax hack of 143 million consumers. If any of your clients’ Social Security numbers were part of the breach, please direct them to the special IRS identity theft website, which includes the steps to take if you are a victim. This includes access to IRS Form 14039.
Tax professionals are often in the middle of this issue, as they need to help both individuals and business owners who are victims of tax-related identity theft. They may become aware of such problems when clients’ returns are rejected as duplicates.
The IRS suggests that tax and accounting professionals take the following steps when this occurs:
The best defense is keeping your guard up. Hackers and identity thieves probe tax and accounting professionals daily. Using common sense and integrating cybersecurity best practices into your business will help minimize your risk.