Security Summit: Tax pros can help clients battle identity theft risk

IR-2022-151, August 16, 2022

WASHINGTON — The Security Summit partners today concluded a special summer education campaign by outlining steps tax professionals can take to help clients from becoming statistics in identity-theft related tax-fraud scams.

The IRS, state tax agencies and the tax industry – working together as the Security Summit – have been combatting identity theft since 2015. This is the final part in a five-part summer series sponsored by the Summit partners to highlight critical steps tax professionals can take to protect client data. The "Protect Your Clients; Protect Yourself" campaign is an effort to urge tax professionals to secure their computer systems and protect client data following the pandemic and its aftermath.

"Identity thieves always seem to find a hook to lure victims, and we increasingly see tax professionals as a target given the sensitive client data they handle," said IRS Commissioner Chuck Rettig. "Tax professionals have their hands full taking care of their clients and staying on top of the latest in professional developments. But they shouldn't overlook the basics of protecting their data and their systems. Missing these basic steps can be devastating to a tax pro – and their clients. But a few common-sense steps and being aware of security basics can go a long way to provide important protection."

While many may be working from home either full- or part-time, the IRS and Security Summit partners urge the use of virtual private networks, or VPNs, to securely conduct business.

Online business/commerce and banking should only be done while using a secure browser connection -never at a coffee shop, restaurant or other business offering 'free wifi.' One way users can tell if they're using a secure browser is by looking for a small lock visible in the lower right corner or upper left of the web browser window.

Some additional considerations:

  • Be cautious of email attachments and web links. Do not open a link or attachment that arrives unexpectedly. Always call the sender to confirm receipt and validity of any unexpected links or attachments before opening.
  • Use separate personal and business computers, mobile devices and email accounts. This is particularly important for those who may share hardware with other family members, especially children, who may not be aware of safety protocols.
  • Do not send sensitive business information to personal email devices. Do not conduct business, including online business banking, on a personal computer or device. Likewise, do not engage in web surfing, gaming or video downloading on business computers or devices.
  • Do not share USB drives or external hard drives between personal and business computers or devices. Never connect an unknown/untrusted piece of hardware into the system or network. Also do not insert any unknown CD/DVD or USB drive. Disable the "Autorun" feature for USB ports and optical drives on business computers to help prevent malicious programs from being installed.
  • Be careful with downloads. Do not download software from an unknown web page. Always exercise caution with freeware or shareware.
  • Use strong passwords. Never give out usernames or passwords to others. Strong passwords consist of a random sequence of letters to include upper and lower-case, numbers and special characters. Ideally, passwords should be at least 12 characters long. For systems or applications that have sensitive information, use multiple forms of identification (multifactor or dual-factor authentication).
  • Change default passwords. Many devices come with default administrative passwords. Change them immediately and regularly thereafter. Default passwords are easily found or known by hackers.
  • Change passwords often. Every three months is recommended. Consider using a password management application to store passwords. Passwords to devices and applications that contain business information should not be reused.

Additional resources

In addition to reviewing IRS Publication 4557, Safeguarding Taxpayer Data PDF, tax professionals can also get help with security recommendations by reviewing Small Business Information Security: The Fundamentals PDF by the National Institute of Standards and Technology. The IRS Identity Theft Central pages for tax pros, individuals and businesses have important details as well.

Publication 5293, Data Security Resource Guide for Tax Professionals PDF, provides a compilation of data theft information available on IRS.gov.