Six-point plan welcomed, but security pros argue the guidance doesn’t go far enough
Between 2015 and 2018, the number of taxpayers who reported to IRS that they were victims of identity theft fell by 71%.
However, there were still 649,000 confirmed cases last year – including the case of Californian Jeffrey Grady, who took part in submitting at least 150 fraudulent tax returns, requesting around $94,000 in refunds.
The new guidelines recommend using antivirus software, firewalls, two-factor authentication, and drive encryption, as well as backing up data and creating and securing virtual private networks (VPNs).
Meanwhile, all “professional tax preparers” are required by law to create and maintain a security plan for client data, focusing on key risk areas such as employee management and training, information systems, and detecting and managing system failures.
Everyone is a potential target
“These six steps are simple actions that anyone can take,” says IRS commissioner Chuck Rettig.
“The important thing to remember is that every tax professional, whether a sole practitioner or a partner in a large firm, is a potential target for cybercriminals. No tax business should assume they are too small or too smart to avoid identity thieves.”
Signs to look out for, says the IRS, include clients receiving IRS letters about suspicious tax returns in their name or tax transcripts they did not request.
Tax practitioners should also verify that the number of tax returns filed under their Electronic Filing Identification Number (EFIN) matches the number they actually submitted, since a surplus indicates the EFIN is being used without their knowledge.
The guidelines have been welcomed – but they don’t go far enough, according to Matt Lock, technical director at security firm Varonis.
“Advising tax professionals to use antivirus and firewalls is sage advice – 20 years too late,” Lock tells The Daily Swig. “They might as well tell them to bring a slingshot to a gunfight.”
“Professional tax services need to lock down their files to a least-privilege model to help guard against insider threats, which can be just as harmful as any APT [advanced persistent threat].
“This approach will help maintain ethical walls – that is, employees should only be able to access the client files they need to do their work, period.”