The Security Summit partners today concluded a special summer education campaign by outlining steps tax professionals can take to help clients from becoming statistics in identity-theft related tax-fraud scams.
The IRS, state tax agencies and the tax industry – working together as the Security Summit—have been combating identity theft since 2015. This is the final part in a five-part summer series sponsored by the Summit partners to highlight critical steps tax professionals can take to protect client data. The “Protect Your Clients; Protect Yourself” campaign is an effort to urge tax professionals to secure their computer systems and protect client data following the pandemic and its aftermath.
“Identity thieves always seem to find a hook to lure victims, and we increasingly see tax professionals as a target given the sensitive client data they handle,” says IRS Commissioner Chuck Rettig. “Tax professionals have their hands full taking care of their clients and staying on top of the latest in professional developments. But they shouldn’t overlook the basics of protecting their data and their systems. Missing these basic steps can be devastating to a tax pro—and their clients. But a few common-sense steps and being aware of security basics can go a long way to provide important protection.”
While many may be working from home either full- or part-time, the IRS and Security Summit partners urge the use of virtual private networks or VPNs, to securely conduct business.
Online business/commerce and banking should only be done while using a secure browser connection—never at a coffee shop, restaurant or other business offering “free WiFi.” One way users can tell if they are using a secure browser is by looking for a small lock visible in the lower right corner or upper left of the web browser window.
Some additional considerations:
- Be cautious of email attachments and web links. Do not open a link or attachment that arrives unexpectedly. Always call the sender to confirm receipt and validity of any unexpected links or attachments before opening.
- Use separate personal and business computers, mobile devices and email accounts. This is particularly important for those who may share hardware with other family members, especially children, who may not be aware of safety protocols.
- Do not send sensitive business information to personal email devices. Do not conduct business, including online business banking, on a personal computer or device. Likewise, do not engage in web surfing, gaming or video downloading on business computers or devices.
- Do not share USB drives or external hard drives between personal and business computers or devices. Never connect an unknown/untrusted piece of hardware into the system or network. Also do not insert any unknown CD/DVD or USB drive. Disable the “Autorun” feature for USB ports and optical drives on business computers to help prevent malicious programs from being installed.
- Be careful with downloads. Do not download software from an unknown web page. Always exercise caution with freeware or shareware.
- Use strong passwords. Never give out usernames or passwords to others. Strong passwords consist of a random sequence of letters to include upper and lower-case, numbers and special characters. Ideally, passwords should be at least 12 characters long. For systems or applications that have sensitive information, use multiple forms of identification (multifactor or dual-factor authentication).
- Change default passwords. Many devices come with default administrative passwords. Change them immediately and regularly thereafter. Default passwords are easily found or known by hackers.
- Change passwords often. Every three months is recommended. Consider using a password management application to store passwords. Passwords to devices and applications that contain business information should not be reused.
For more information, go to IRS.gov.