IR-2022-209, Nov. 30, 2022<\/p>\n
<\/p>\n
WASHINGTON \u2013 With tax season quickly approaching, the Internal Revenue Service and the Security Summit<\/a> partners today urged tax professionals to remain focused on security issues and to review resources available to them, including sample security plans and checklists.<\/p>\n <\/p>\n During National Tax Security Awareness Week, now in its seventh year, the Security Summit partnership of the IRS, state tax agencies and the tax software and tax professional communities work to highlight data security and provide scam prevention tips. Part of the Summit\u2019s effort continues to be focusing tax professionals, including smaller practices, on ways to protect themselves and safeguard client information. Day three of this special week focuses on several important aspects for the tax community to keep in mind.<\/p>\n <\/p>\n \u201cTaxpayer information can be a gold mine for identity thieves. As the Security Summit partners strengthened our internal defenses in recent years, we\u2019ve seen identity thieves shift their focus onto the tax professional community and their client information,\u201d said IRS Acting Commissioner Doug O\u2019Donnell. \u201cSpecific taxpayer information can help a scammer prepare a more authentic looking tax return, so tax professionals maintaining strong security is a critical line of defense for themselves, their clients and the nation\u2019s tax system.\u201d<\/p>\n <\/p>\n Written Information Security Plan (WISP)<\/strong><\/p>\n The IRS and Security Summit partners remind tax professionals that federal law requires them to have a written information security plan. Earlier this year, members of the Summit\u2019s tax professional team developed a special document that allows practitioners to quickly develop their own written security plans.<\/p>\n <\/p>\n This sample document, a Written Information Security Plan (WISP)<\/a>, can be scaled for a company\u2019s size, scope of activities, complexity and customer data sensitivity. There\u2019s not a one-size-fits-all WISP. For example, a sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm, which is reflected in the sample WISP from the Security Summit group.<\/p>\n <\/p>\n There are many aspects to running a successful business in the tax preparation industry, including reviewing tax law changes, learning software updates and managing and training staff. But an often overlooked but critical component is creating a WISP.<\/p>\n “There’s no way around it for anyone running a tax business. Having a written security plan is a sound business practice \u2013 and it’s required by law,” said Jared Ballew of Drake Software, co-lead for the Summit tax professional team and chair of the Electronic Tax Administration Advisory Committee (ETAAC). “The sample provides a starting point for developing your plan, addresses risk considerations for inclusion in an effective plan and provides a blueprint of applicable actions in the event of a security incident, data losses and theft.”<\/p>\n Security issues for a tax professional can be daunting. The Summit team worked to make this document as easy to use as possible, including special sections to help tax professionals get to the information they need.<\/p>\n Here are a few WISP considerations for tax pros:<\/p>\n Taxes-Security-Together Checklist<\/strong><\/p>\n Unfortunately, tax practitioners remain high-value targets of cybercriminals seeking to steal sensitive tax information. With this in mind, the Security Summit created the \u201cTaxes-Security-Together\u201d Checklist<\/a> to help tax professionals identify basic cybersecurity measures to implement.<\/p>\n <\/p>\n These six easy steps can make a big difference in protecting information, both for tax pros and taxpayers:<\/p>\n <\/p>\n \u00a0<\/strong><\/p>\n For more information on how to protect client information, tax professionals should look to Publication 4557, Safeguarding Taxpayer Data<\/a>.<\/p>\n \u00a0<\/strong><\/p>\n Phishing scams, malware and ransomware present risks<\/strong><\/p>\n For both tax professionals and taxpayers, phishing emails generally have an urgent message and try to direct users to an official-looking link or attachment. But the link instead may take users to a fake site made to appear like a trusted source where it requests a username and password. The attachment may also contain malware, which secretly downloads software that tracks keystrokes and allows thieves to eventually steal all the tax professional\u2019s passwords.<\/p>\n <\/p>\n Some thieves also pose as potential clients and may interact repeatedly with a tax professional and then send an email with an attachment that claims to include their tax information. The attachment may contain malware that allows the thief to track keystrokes and eventually steal all passwords or take over control of the computer systems.<\/p>\n <\/p>\n The IRS warns tax pros not to take any of the steps demanded in these types of email, and to delete the email.<\/p>\n Recipients of these IRS-related scams can report them to phishing@irs.gov<\/a>.<\/p>\n <\/p>\n Sometimes, phishing scams are ransomware schemes<\/a> in which the thief gains control of the tax professional\u2019s computer systems and holds the data hostage until a ransom is paid. The Federal Bureau of Investigation (FBI) has warned against paying a ransom because thieves often leave the data encrypted.<\/p>\n <\/p>\n Security plan requirement and recommended data theft plan <\/strong><\/p>\n In addition to the required information security plan, tax pros also should consider an emergency response plan should they experience a breach and data theft. This time-saving step should include contact information for the IRS Stakeholder Liaisons<\/a>, who are the first point of contact for tax professional data theft reporting to the IRS and to the states.<\/p>\n <\/p>\n IRS Publication 5293, Data Security Resource Guide for Tax Professionals<\/a>, provides a compilation of data theft information available on IRS.gov, including the reporting processes.<\/p>\n <\/p>\n In addition to reviewing IRS\u00a0Publication 4557, Safeguarding Taxpayer Data<\/a>, tax professionals can also get help with security recommendations by reviewing Small Business Information Security: The Fundamentals<\/a>\u00a0by the National Institute of Standards and Technology. The IRS Identity Theft Central<\/a> pages for tax pros, individuals and businesses have important details as well.<\/p>\n <\/p>\n Employers can share Publication 4524, Security Awareness for Taxpayers<\/a>, with their employees and customers and tax professionals can share with clients.<\/p>\n <\/p>\n <\/p>\n\n
\n