For the last few weeks, we’ve been examining the data protection guidelines that the IRS has laid out for tax preparers in IRS Publication 4557. First, we examined how tax preparers can comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). Then we looked at some of the digital safeguards that tax professionals need to put in place to protect their computers and systems from hackers.
In our third installment of this series, we’ll see how tax preparers can build security into their processes and procedures. Even though digital safeguards are important, it’s still critical that you keep an eye out for potential scams and security issues during the course of your work.
Learn To Recognize Phishing Scams
“Phishing” refers to the practice of sending fraudulent emails with the intent of getting the recipient to give up sensitive information. Even worse is “spear phishing,” where the scammer uses publicly available information about you or your firm to make the ruse more believable.
Scammers use a variety of methods to make you fall for a fake email. They may pose as your bank, your accounting software provider, or even the IRS, and ask for account numbers, fraudulent invoice payments, or other sensitive information. Or they may include an attachment that installs malware on your computer, giving them access to even more information.
To spot a phishing email, first look at the subject and content of the email. Scammers may use subject lines that push you to take urgent action, like “URGENT: Update Your Account Now!”. The body will often contain threats of account termination or other scary-sounding penalties. But keep in mind that in general, legitimate emails don’t contain this kind of language, and they will never request account information by email.
Then, check the links in the email. Hover over them (without clicking!) and see what website the link will take you to. Legitimate emails will point only to the sender’s official website, while phishing emails will point either to a website that has nothing to do with the company, or to a similar looking, but slightly different, address.
When in doubt, contact the alleged sender of any email through a different channel, such as their customer service phone number, to verify if the message is legitimate.
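The link check described in this section can also be automated for a message you are unsure about. The following is an added example, not part of the original article or of IRS Publication 4557: it lists each link's visible text next to its real target and labels the target as the sender's official domain, a lookalike, or unrelated. The sample message, the domain names, and the 0.8 similarity threshold are all assumptions made for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; every domain is a made-up placeholder on a reserved TLD.
SAMPLE = """<p>URGENT: Update Your Account Now!</p>
<a href="https://www.taxsoftware.example/login">Sign in</a>
<a href="https://taxs0ftware.example/verify">https://www.taxsoftware.example/verify</a>
<a href="http://taxsoftware.example.account-check.test/update">Update account</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify(href, official_domain):
    """Return 'official', 'lookalike' or 'unrelated' for one link target."""
    host = (urlsplit(href).hostname or "").lower().rstrip(".")
    if host == official_domain or host.endswith("." + official_domain):
        return "official"
    # Last two labels only (simplified stand-in for a public-suffix lookup); 0.8 is an assumed threshold.
    base = ".".join(host.split(".")[-2:])
    if SequenceMatcher(None, base, official_domain).ratio() >= 0.8:
        return "lookalike"
    return "unrelated"

def check_email(html_body, official_domain):
    """List (visible text, real target, verdict) for every link in the body."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [(text, href, classify(href, official_domain)) for href, text in parser.links]

if __name__ == "__main__":
    print(*check_email(SAMPLE, "taxsoftware.example"), sep="\n")
```

The second sample link is the case hovering is meant to catch: the visible text shows the official address while the real target is a one-character lookalike.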
Learn To Stay Safe Online
Email isn’t the only way for scammers to contact you. Even just browsing the internet can put you in contact with malware and fraudulent pop-ups that can lead to data breaches.
Malware is one common online threat. In some cases, you may be asked to download a “missing plugin” or other software. In other cases, flaws in your browser can lead to a “drive-by” download, where malware is installed without your interaction. To prevent that, it’s important to keep your browser and operating system up-to-date at all times, and to avoid downloading any software that you’re not familiar with or not sure you need.
Additionally, scammers use fraudulent pop-up windows to trick you into thinking that your computer has a virus. They’ll then invite you to call “technical support” to resolve the issue. A scammer will then connect to your computer and convince you to pay for fake “tech support”. But while they’re connected, they have free rein to look through your files for your (or your clients’) personal info. So it’s best to ignore these kinds of pop-ups and not call anyone except your IT service provider for technical support.
One other way to stay safe online is to limit the amount of personal browsing you do on your work computer. If possible, save your shopping, social media, and other personal activities for your home computer. This will limit the potential of exposing your clients’ information to hackers and scammers.
Learn To Spot Signs of Data Theft
Of course, the goal is to avoid data theft in the first place. But in the event that it does happen, being able to recognize and react to it quickly can limit the damage to your clients and your business.
In Publication 4557, the IRS offers several warning signs that your firm may be a victim of data theft:
- Your clients’ returns are rejected because a return has already been filed with their ITIN or SSN
- Clients who haven’t filed returns receive refunds
- Clients receive tax transcripts that they didn’t request
- Clients respond to emails or requests for information that you didn’t send them
Additionally, the IRS recommends that you verify on their website the number of returns that have been filed for the week using your EFIN. If the number of returns with your EFIN exceeds the number you filed, you may be a victim of a data breach.
If any of these things happen, you should immediately reach out to your client to confirm your suspicions. Then, you can reach out to the IRS for assistance.
Another way to keep your clients’ data safe is to work with a trusted IT service provider. E-N Computers has been working with tax preparers and accountants for over 20 years. Our security-focused approach can help you to keep your clients’ data secure and give you the help you need in case of a security incident.
Contact E-N Computers for a consultation today.