Be enlightened.

During “National Tax Security Awareness Week,” which ran from December 3 to December 7, the IRS and its Security Summit partners (state tax agencies and the private-sector tax community) issued a series of reminders that urged taxpayers and tax practitioners to take steps to protect their data.

Cybersecurity Shopping Tips

While taxpayers are shopping for holiday gifts, identity thieves are “shopping” for tax and financial data they can sell on the dark web or use to create fraudulent tax returns. Keeping important personal data, such as credit card and Social Security numbers, secure is essential to financial health. Taxpayers are urged to take the following measures while shopping online for gifts during the holiday season:

  • avoid unprotected Wi-Fi;
  • shop at familiar online retailers;
  • recognize and avoid phishing emails that pose as a trusted source;
  • keep a clean machine;
  • use strong passwords;
  • use multi-factor authentication; and
  • encrypt and password-protect sensitive data.

Phishing Emails

Taxpayers are urged to avoid identity theft by watching out for phishing scams that often surge during holidays and filing season. The most common way for cybercriminals to steal bank account information, passwords, credit cards or Social Security numbers is to simply ask for them. The scams may involve emails with hyperlinks that take users to a fake site, or PDF attachments that may download malware or viruses.

A scam artist could take advantage of knowledge gained from online research and earlier attempts to masquerade as a legitimate source, including presenting the look and feel of authentic communications, such as using an official logo. Further, scammers use email or malicious websites to solicit personal, tax or financial information by posing as a trustworthy organization. Often, the recipients are fooled into believing the phishing communication is from someone they trust. Taxpayers should be aware that not all phishing attempts are emails and that some are phone scams. According to the IRS, phishing@irs.gov continues to receive a large volume of IRS telephone scam complaints.

To safeguard against phishing attacks, the IRS reminds taxpayers:

  • never to open a link or attachment from an unknown or suspicious source;
  • remember that the IRS does not initiate contact with taxpayers by email to request personal or financial information;
  • when in doubt, do not use hyperlinks and go directly to the source’s main web page;
  • no legitimate business or organization will ask for sensitive financial information via email;
  • use security software to protect against malware and viruses;
  • use strong passwords to protect online accounts; and
  • use multi-factor authentication when offered.

Create Stronger Passwords

What is a “strong” password?

Taxpayers and tax practitioners are urged to review new, stronger standards to protect the passwords of their online accounts. Taxpayers who maintain any type of online accounts should use strong passwords to protect against savvy cybercriminals taking over their identities and accessing sensitive tax and financial data. Further, taxpayers should use passphrases such as a favorite line from a movie or a series of associated words, rather than using conventional alphanumeric passwords.

The IRS follows the cybersecurity framework set by the National Institute of Standards and Technology (NIST), which is a branch of the Department of Commerce. NIST suggested these three steps to build a better password:

  • Step 1: Leverage your powers of association. Identify associated items that have meaning to you.
  • Step 2: Make the associations unique to you. Passphrases should be words that can go together in your head, but no one else would ever suspect.
  • Step 3: Create a passphrase that you can picture in your head. The key is to create a passphrase that is hard for a cybercriminal to guess but easy for you to remember. 

Moreover, the IRS urged taxpayers and tax practitioners to take the following additional steps:

  • Use a different password or passphrase for each account; use a password manager if necessary for multiple accounts.
  • Use multi-factor authentication whenever possible. Don’t rely on the passphrase alone to protect sensitive data.
  • Change all factory-set passwords for wireless devices such as printers and routers.

Form W-2 Scams

Small businesses and employers are urged to avoid identity theft by watching out for W-2 scams that often surge during the filing season. Identity thieves have long made use of stolen Employer Identification Numbers (EINs) to create fake Forms W-2 that they would file with fraudulent individual tax returns. Now, they are using company names and EINs to file fraudulent returns.

In addition, the IRS advised businesses, partnerships, and estate and trust filers to be cautious of potential identity theft and contact the IRS if they experience any glitches with the filed returns. The Federal Trade Commission (FTC) maintains a Protecting Small Business page, which includes a series on cybersecurity, and a Cybersecurity for Small Business publication, which helps small businesses looking for a place to start on security. Moreover, elaborating on the W-2 scam, the IRS urged employers to educate employees, especially those in human resources and payroll departments who are often the first targets. Further, employers should put protocols in place for sharing sensitive employee information such as Forms W-2. In case of an incident, employers are urged to report it by adopting the following measures:

  • email dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information;
  • email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states;
  • businesses/payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3.gov);
  • notify employees so they may take steps to protect themselves from identity theft; the FTC’s www.identitytheft.gov webpage provides guidance on general steps employees should take; and
  • forward the scam email to phishing@irs.gov.