CPAs continue to be tempting targets for cybercrooks looking to steal data to file tax returns and steal identities. High-net-worth clients’ information is especially prized, and the IRS and other tax agencies have made recommendations and established electronic requirements for tax preparers to protect that data.
“In addition to the obvious financial information handled by tax oriented CPAs and other practitioners, practitioners often serve as advisors to client businesses and other financial affairs,” said Dr. Sean Stein Smith, a CPA and assistant professor at the department of economics and business at Lehman College in New York. “Data security and protecting information is a high profile issue, and clients -- especially HNW individuals -- certainly understand the value that comprehensive security policies provide.”
Thieves use stolen data from tax practitioners to create fraudulent returns that the IRS says are harder to detect. Cybercriminals also post stolen info on the Dark Web as a crime kit for ID thieves. Especially desirable from preparers’ vaults: taxpayer identification numbers, electronic filing identification numbers and preparer tax identification numbers.
Tax preparers must adhere to a number of guidelines for protecting client data. They must enact security plans to protect client data, select service providers that can maintain appropriate safeguards, and consistently evaluate security programs. After a cyberbreach, preparers should contact the IRS, the FBI, state authorities and others.
Recently the IRS also began masking some ID information on tax transcripts, showing only the last four digits of any Social Security number, employer identification number or any account or phone number.
Yet the IRS Electronic Tax Administration Advisory Committee has said that that they believe “far fewer than half of tax professionals are aware of their responsibilities … and that even fewer professionals …have implemented required security practices.”
“Reports have shown that the IRS [faces] its own challenges when it comes to improving internal security measures and protocols.” Stein Smith noted the reasons resembling those plaguing CPA firms and practitioners: funds, training and technical expertise.
According to Stein Smith, tax prep clients are primarily interested in what measures are in place and whether practitioners keep up to date with changes in technology. “My responses and advice focus on the need to not only prevent breaches and data hacking but to also focus on building proactive capabilities to prevent future such incidents,” Stein Smith said.
“We recommend all firms adopt some form of multi-factor authentication. We also see the major portal vendors either offering or mandating the use of MFA,” said Roman H. Kepczyk, CPA, accounting and tax technology expert and director of consulting for the Phoenix accounting and technology firm Xcentric.
“Cybercrooks are out to get any taxpayer information they can [and] use of this information doesn’t necessarily require the victim to have a high worth. This makes all CPA offices a target,” said John Seale, CPA and managing partner at RBSK Partners, Greensburg, Ind.