Have you been following the IRS Don't Take the Bait series? This 10-part education series was part of the IRS Security Summit effort. Data breaches and scams have been steadily increasing and are getting more sophisticated. The purpose of the series is to raise awareness of this and to educate tax preparers on security measures and best practices. As tax preparers, it is our responsibility to do our due diligence and protect taxpayer information. We need to be cautious about everything we do and remain vigilant when it comes to security. We've been following the "Don't Take the Bait" series since day one. Here's a recap of all 10 steps, with a handy infographic that summarizes them all.

Step 1: Avoid Spear Phishing Emails
We've written about phishing scams and how they work before. The IRS warns that these kinds of scams are usually tailored to individual practitioners. If you fall prey to one, the usual result is stolen taxpayer data and fraudulent tax returns filed in the names of individual and business clients. The email is usually disguised as coming from a trusted source. It often attempts to get victims to voluntarily disclose sensitive information such as passwords, or it encourages them to open a link or attachment that actually downloads malware onto the computer. The IRS warns tax preparers to be wary of the emails they receive, especially ones asking for sensitive information. Here are the steps the IRS suggests taking:
- Educate all employees about phishing in general and spear phishing in particular.
- Use strong passwords. Better yet, use a phrase instead of a single word, and use a mix of letters, numbers and special characters. Use a different password for each account, so that one stolen password does not unlock the rest.
- Never take an email from a familiar source at face value; for example, an email from "IRS e-Services." If it asks you to open a link or attachment, or threatens to close your account, think twice. Go to the e-Services website directly (not through the email) for confirmation.
- If an email contains a link, hover your cursor over the link to see the web address (URL) it actually points to. If it's not a URL you recognize, or if it's a shortened URL that hides the real destination, don't open it.
- Consider a verbal confirmation by phone if you receive an email from a new client sending you tax information, or from a client requesting last-minute changes to their refund destination. Call a number you already have on file, not one supplied in the email.
- Use security software to help defend against malware, viruses and known phishing sites, and set it to update automatically.
- Use the security options that come with your tax preparation software.
- Send suspicious tax-related phishing emails to [email protected].

Step 2: Be Alert to Account Takeover Tactics
Account takeovers occur when a thief steals or guesses a tax professional's username and password, which gives the thief access to the professional's computer or other online accounts. Here's how they work:
Thieves peruse websites and social media for clues about a tax preparer's email addresses and business activities. From there, they pose as a familiar organization like IRS e-Services or a tax software vendor and send a spear phishing email. The recipient clicks a disguised link that leads to a login page that looks like it belongs to the organization the thief is impersonating. The fake form records whatever is typed into it, and the page may also load malware that captures keystrokes, handing the thief the user's credentials.
Organizations thieves commonly pose as include IRS e-Services, tax software vendors, another tax professional, a familiar bank, a cloud storage provider, or a "potential client."
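Step 1 tells you to hover over a link and compare where it really goes with what it claims, and Step 2 describes the disguised link that leads to a look-alike login page. The script below is an added example, not code from the IRS series or from The Income Tax School. It pulls the links out of a constructed sample phishing email and flags the three tells described above: link text that shows one address while the href goes to another, a shortened URL that hides its destination, and a host that contains the impersonated organization's name without being that organization's domain. The trusted-domain set, the shortener list and the sample email are assumptions made for the example, and the registered-domain helper is a deliberately simple last-two-labels heuristic rather than a public-suffix-list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the legitimate domains of the organizations the
# email claims to come from. A practice would add its own software vendor,
# bank and storage provider here.
TRUSTED_DOMAINS = {"irs.gov"}

# Well-known URL shorteners. A shortened link hides its real destination,
# which is exactly why Step 1 says not to open one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Something that looks like a hostname inside the visible link text.
_HOST_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain heuristic: the last two labels. Good enough
    for .com/.gov/.org; a real tool would consult the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Return the list of reasons this link is suspicious (empty if none)."""
    reasons = []
    target = urlparse(href)
    host = (target.hostname or "").lower()

    if target.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {target.scheme!r}")

    if host in SHORTENERS:
        reasons.append("shortened URL hides the real destination")

    # The hover check from Step 1: if the visible text shows an address,
    # it must agree with where the href really goes.
    shown = _HOST_IN_TEXT.search(text.lower())
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")

    # Look-alike hosts: the trusted organization's name appears as a label or
    # hyphenated token, but the registrable domain is not the trusted one.
    for trusted in TRUSTED_DOMAINS:
        brand = re.escape(trusted.split(".")[0])
        if re.search(rf"(^|[.-]){brand}([.-]|$)", host) and registered_domain(host) != trusted:
            reasons.append(f"{host} imitates {trusted}")

    return reasons


def analyze_email(html):
    """Return [(href, text, reasons)] for every link in the email body."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample email for the example; the hosts and paths are made up.
SAMPLE_EMAIL_HTML = """
<p>Your IRS e-Services account will be suspended unless you verify it today.</p>
<a href="http://irs-eservices-login.com/verify">https://www.irs.gov/e-services</a><br>
<a href="http://bit.ly/verify-now">Download your account notice</a><br>
<a href="https://www.irs.gov/e-services">Visit e-Services</a>
"""

if __name__ == "__main__":
    for href, text, reasons in analyze_email(SAMPLE_EMAIL_HTML):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {text!r} -> {href}")
        for reason in reasons:
            print(f"             - {reason}")
```

Run it as a script and the first two links are flagged (the first for both the text/href mismatch and the "irs" look-alike host, the second as a shortener) while the genuine irs.gov link passes. The look-alike test deliberately matches the brand only as a whole dot- or hyphen-delimited token, so a host such as firstcorp.com is not reported just because it contains the letters "irs".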
Step 3: Security Summit Safeguards
There are several safeguards the IRS is taking to protect against hackers. For 2018, the IRS will be asking tax pros to gather the following information on their business clients.
Step 4: Defend against Ransomware
Ransomware is a type of malware that infects computers, networks and servers and encrypts (locks) data. Once the malware is on your computer, the cybercriminals demand a ransom to release the data. Only a handful of tax practitioners have been victimized by ransomware so far, but that doesn't mean there won't be more. Ransomware attacks are a growing and evolving crime threatening the private and public sectors as well as individuals.
Tips to Prevent Ransomware Attacks
Step 5: Prevent Remote Access Takeover Attacks
Your entire digital network could be at risk of remote takeover by cybercriminals, and such a takeover could lead to fraudulent tax filings and damage to your clients. In one line of attack, the cybercriminal targets an individual computer or network directly, exploiting weaknesses in its security settings (weak or default passwords and remote-access tools left reachable from the internet are the typical ones) to get onto the devices. In another, malware already on a machine downloads further malicious code that gives the criminals access to the network. The IRS urges tax professionals to take the following steps to help protect themselves from remote takeovers:
Step 6: Watch Out for the W-2 Email Scam
The W-2 scam is a form of business email compromise, or BEC, and one of the most dangerous phishing email schemes trending nationwide. A business email compromise occurs when a cybercriminal "spoofs" or impersonates the email address of a company or organization executive and targets a payroll, financial or human resources employee with a request, typically for employee W-2s or for a wire transfer. Tax professionals should be very wary of the emails they receive and should educate clients about these scams. Employers, including tax practitioners, should review their policies so that sensitive data such as W-2s is never sent, and wire transfers never made, on the strength of an email request alone; confirm the request with the executive who supposedly sent it, by phone or in person.

Step 7: Protect e-Services Accounts, EFINs
A tax professional's login credentials are highly sought after by cybercriminals. They use them to access IRS e-Services and obtain the EFIN (Electronic Filing Identification Number), which lets a criminal steal your clients' information. How do they get your login credentials? With spear phishing emails. The email usually impersonates IRS e-Services in an attempt to trick practitioners into disclosing their username and password. The IRS asks that tax practitioners:
Step 8: How to Start Protecting Clients, Businesses from Cybersecurity Threats
All tax practitioners have a legal obligation to protect taxpayer information in their care. That means securing sensitive data against unauthorized disclosure, improper disposal and outright theft. Tax pros should review IRS Publication 4557 and NIST's Small Business Information Security: The Fundamentals. From Publication 4557:
5 action-item categories from NIST’s small business guide:
Step 9: Make Data Security an Everyday Priority
Data security within a tax professional's office is only as strong as its least-informed employee, and security awareness must extend beyond the office into employees' homes. Create a culture within your tax practice that takes cybersecurity seriously, and embed these best practices into your everyday procedures. Here are some best practices that should be followed and taught to employees:
Step 10: Steps for Tax Pros with Data Incidents; Tips to Help Protect Clients, Taxpayers
The final step is about reporting an incident when it happens. Criminals work quickly, so a quick response once a problem is discovered is crucial and can limit the damage. In the event of a data breach or incident, tax professionals should contact the following agencies.
Cybercrime is serious and should be treated as such. This is a lot of information to take in, but it's important to know how cybercriminals work so that you can educate employees and clients. Stay vigilant and follow these best practices. Download our infographic below to share with clients and employees.
Source: http://www.theincometaxschool.com/blog/irs-dont-take-the-bait/