Data theft is a very real threat to professional tax preparers, accountants, and bookkeepers. The type of personal information you deal with on a regular basis is very valuable to hackers and criminals: Social Security Numbers, banking details, EINs, and more can be used for identity theft and to breach and steal from sensitive accounts.
If you or your tax business have been impacted by data or information theft, it’s vital to deal with the problem thoroughly and efficiently and get the right cybersecurity in place to stop it from happening again. Here’s what you need to do in the event of a breach.
1. Establish how your business has been impacted by data theft
The first thing to do is to understand whether you’ve actually had tax, accounting, or client data stolen. Once you find out about possible theft, you must investigate and analyze the following areas.
What type of data breach was it?
There are a few different ways a hacker could gain access to a business, including:
Social engineering — A criminal pretends to be someone the tax employee trusts and convinces the employee to hand over their login and password information. The attacker may pose as IT support, a colleague, or someone else.
Brute force attack — Hackers try large numbers of login and password combinations against your internal systems and break in wherever the combinations are weak.
Vulnerability exploit — Some software has security flaws that, if left unpatched, allow an attacker to take advantage of them and get into the system.
What information was stolen?
Did the attackers get client tax records, SSNs, banking details, internal business information, or something else? Once you know the breadth and depth of the accounting data breach, you can handle it more effectively.
When did the breach happen?
The attackers may have been in your systems for some time. You should find out when your security was compromised and how long they had access to your data.
Other areas you can look at are who the attackers were, where the attack originated, and any weaknesses you still have in your cybersecurity. If you don’t have the in-house expertise to get details on the breach, you can hire data breach and security specialists who can investigate on your behalf and help you protect yourself in the future.
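The "brute force" and "when did the breach happen" questions above are usually answered from authentication logs. The following added example (not part of the original article) scans constructed log lines for a burst of failed logins from one user/IP pair and reports the first successful login after that burst, which is the earliest point at which the account can be assumed compromised. The log format, usernames, IP addresses, and the five-failures-per-minute threshold are assumptions made for the example.

```python
"""Added example: find brute-force bursts in auth logs and estimate the
time of first compromise. Log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL user=jsmith ip=203.0.113.9
2024-03-01T08:00:02 FAIL user=jsmith ip=203.0.113.9
2024-03-01T08:00:03 FAIL user=jsmith ip=203.0.113.9
2024-03-01T08:00:04 FAIL user=jsmith ip=203.0.113.9
2024-03-01T08:00:05 FAIL user=jsmith ip=203.0.113.9
2024-03-01T08:00:06 FAIL user=jsmith ip=203.0.113.9
2024-03-01T08:00:09 OK user=jsmith ip=203.0.113.9
2024-03-01T09:15:00 FAIL user=mlee ip=198.51.100.4
2024-03-01T09:30:00 OK user=mlee ip=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the expected format
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Return {(user, ip): first_success_timestamp_or_None} for every pair
    that had at least `threshold` failures within `window`. The value is
    the first OK login at or after the burst: the compromise-time estimate."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["user"], e["ip"])].append(e)

    findings = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "FAIL"]
        burst_end = None
        # Sliding window over failure timestamps only.
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and fails[j] - fails[i] <= window:
                burst_end = fails[j]
                break
        if burst_end is None:
            continue
        first_ok = next(
            (e["ts"] for e in evs if e["result"] == "OK" and e["ts"] >= burst_end),
            None,
        )
        findings[pair] = first_ok
    return findings


if __name__ == "__main__":
    for (user, ip), when in find_brute_force(parse_log(SAMPLE_LOG)).items():
        status = f"first success at {when.isoformat()}" if when else "no success seen"
        print(f"brute force against {user} from {ip}: {status}")
```

Run against real logs, the output gives the investigator a starting timestamp for "how long did they have access" and a list of accounts whose passwords must be reset first.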
2. Contact relevant parties
You must notify the correct parties as soon as possible, including:
Official tax agencies and related organizations
• The Internal Revenue Service via local stakeholder liaisons
• Your local police
• The local offices of the FBI and the Secret Service
• The local state agency responsible for tax filings and payment, together with the State Attorneys General
Other official organizations
• Your insurance company to check if your policy covers you for data breaches.
• The Federal Trade Commission to provide guidance on how to proceed.
• Credit and identity theft protection agencies, so that you can offer credit monitoring and identity theft protection to victims of data and identity theft. Certain states require this.
• Credit scoring bureaus – let them know there is a compromise and clients may seek their services.
Your clients
Finally, you will need to contact your clients and let them know. You should be honest and transparent. Explain what data was stolen, the impact it might have, what you are doing about the breach, and what your clients need to do. Recommend that they put a freeze on affected accounts and change their passwords, and offer them a credit and ID monitoring service.
You may also direct them to IdentityTheft.gov, an online resource powered by the Federal Trade Commission, where individuals can report identity theft and establish a personal recovery plan. The site includes step-by-step guidance, streamlined checklists, and pre-filled letters and forms for victims.
3. Prevent future theft
Once you’ve dealt with the breach and notified the relevant parties, work with cybersecurity specialists to reduce the possibility of this happening again. Get security tools in place, train your staff, patch any vulnerabilities, and carry out penetration testing and vulnerability scanning on your systems.
Spear phishing is a type of “social engineering” attack that fools people into revealing logins, passwords, and other confidential information that allows a criminal to break into your systems. For an accountant, bookkeeper, or tax professional, this can result in exposing business and client data.
If a hacker can access financial and bank information or Social Security and tax records, this can lead to identity theft, fraud, and a loss of reputation for your business. That’s why it’s vital to protect yourself from an email spear phishing attack. Fortunately, it’s not as hard as you think.
What is a spear phishing email attack?
Spear phishing is a targeted email attack against a specific person, business, or organization such as an accounting or tax preparation firm. These emails appear to come from a trustworthy or authoritative sender and ask the recipient to visit a particular website, open a file or software, or otherwise share personal or sensitive information. Spear phishing attacks are deliberately designed to be used against the target rather than coming from a random hacker or appearing as a standard scam.
Because these emails seem to come from a trusted source, the recipients may be less vigilant and will inadvertently compromise the security of themselves, their clients, or their accounting business. If the recipient inadvertently shares information including logins and passwords, a hacker can use those details to log in, steal account, financial, or tax information, and carry out a data breach.
How can tax professionals protect themselves against spear phishing email attacks?
There are several steps you can take to protect yourself and your tax preparation business from this type of cyber attack. Because they are often engineered and customized to be convincing, it’s important to follow these steps.
• Train Your Tax Preparers, Electronic Return Originators, and Other Employees. User awareness training is the most effective way to identify and avoid spear phishing emails.
• Check the domain that the email comes from. For example, if your business email is employeename@verysimpletaxes.com, someone might spoof that address as coming from employeename@verysimpletexas.com. Note that the “a” in taxes has been replaced by an “e,” and the “e” has been replaced with an “a” to spell a similar word.
• Check the information being requested in the email. If it asks you to click on something to enter your password, call the sender of the email and check to see if it really did come from them.
• Look at the links shared in the email to see if they are genuinely directing you to a real system or to a scam domain set up to capture logins and passwords.
• Check the wording of the message to see if it’s something the “real” sender would have written.
• Introduce Technology into Your Tax Business to Reduce the Risk of Spear Phishing Attacks. You can also introduce technology to reduce the risk of spear phishing attacks, namely two-factor or multifactor authentication. Your employees will have to authenticate themselves by entering their password and a second factor to access the system.
For example, you may require that tax preparers and other employees use security tokens that generate a unique code whenever they want to access the system. Because this code changes over time, and you need it to get into tax software and data, a password without the token is useless.
Other types of authentication include biometrics, such as scanning a fingerprint or iris pattern, and hardware keys that must be plugged into the computer to gain access.
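The domain and link checks in the list above can be automated. The following added example (not code from the original article) runs those two checks over a constructed phishing message: it measures how close the sender's domain is to your own domain, so that a one- or two-letter lookalike such as verysimpletexas.com is flagged, and it compares the domain shown in each link's text with the domain the link actually points to. The trusted-domain list, the sample message, and the distance threshold are assumptions made for the example.

```python
"""Added example: automated lookalike-domain and link-mismatch checks.
The trusted domain, the message, and the thresholds are constructed."""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"verysimpletaxes.com"}  # assumed: your firm's own domain(s)

# Constructed sample message; sender and link domains are made up.
SAMPLE_EMAIL = """\
From: "IT Support" <support@verysimpletexas.com>
To: employeename@verysimpletaxes.com
Subject: Password expiry notice
Content-Type: text/html

<html><body>
<p>Your password expires today. Sign in at
<a href="http://login.verysimpletexas.com/reset">https://verysimpletaxes.com/reset</a>
to keep access.</p>
</body></html>
"""


def edit_distance(a, b):
    """Levenshtein distance; a small nonzero value means a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg):
    addr = (msg["From"] or "").split("<")[-1].rstrip(">").strip()
    return addr.split("@")[-1].lower()


def registrable(host):
    # Assumption: the last two labels identify the organisation
    # (no public-suffix list handling in this example).
    return ".".join(host.lower().split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")

    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def check_email(raw, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of human-readable findings; an empty list means clean."""
    msg = message_from_string(raw)
    findings = []
    dom = sender_domain(msg)
    if dom not in trusted:
        for t in trusted:
            d = edit_distance(dom, t)
            if 0 < d <= max_distance:
                findings.append(f"sender domain {dom} looks like trusted {t} (distance {d})")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = registrable(urlparse(href).hostname or "")
        text_host = registrable(urlparse(text).hostname or "") if "://" in text else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if href_host not in trusted:
            findings.append(f"link to untrusted domain {href_host}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

A mail filter or a helpdesk triage script can run these checks on reported messages; a nonzero result is a reason to phone the supposed sender rather than click.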
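The time-based token described above is usually a TOTP generator (RFC 6238). The following added example (not from the original article or any vendor) implements the generator and a verifier so that the reasoning "a password without the token is useless" can be seen concretely: the login helper requires both the password check and a code that is only valid for the current 30-second step. The secret is the published RFC test value, and the `login` helper and its arguments are assumptions made for illustration.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP generation and verification.
TEST_SECRET is the published RFC test vector, not a production secret."""
import hashlib
import hmac
import struct
import time

# RFC test secret (ASCII "12345678901234567890"); real deployments provision
# a random per-user secret and share it with the token once at enrolment.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """Counter is the number of whole `step`-second intervals since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, submitted, at=None, step=30, digits=6, skew=1):
    """Accept the current step and +/- `skew` neighbouring steps for clock drift;
    constant-time comparison avoids leaking how many digits matched."""
    at = time.time() if at is None else at
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(counter - skew, counter + skew + 1)
    )


def login(password_ok, secret, code, at=None):
    """Assumed login flow: the second factor is checked only after the
    password, and both must pass. A stolen password alone never succeeds."""
    return bool(password_ok) and verify_totp(secret, code, at)


if __name__ == "__main__":
    print("code at T=59 :", totp(TEST_SECRET, at=59))  # RFC vector: 287082
    print("current code :", totp(TEST_SECRET))
```

Because the counter changes every 30 seconds, a code captured by a phishing page is useless within a minute, and a code copied from a different time step is rejected even when the password is correct.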
Security Plan
The Security Summit partners today unveiled a special new sample security plan designed to help tax professionals, especially those with smaller practices, protect their data and information.
IRS Phishing Warning
The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
IRS Data Protection
Combatting today’s cybercriminals takes all of us working together. The Internal Revenue Service works with state tax agencies and the tax industry to fight these 21st century identity thieves.
IRS Security Plan
This document was prepared by the Security Summit, a partnership of the Internal Revenue Service, state tax agencies, private-sector tax groups as well as tax professionals. The mission of the Security Summit is to fight identity theft and tax refund fraud.
Tax Preparers Attack
Microsoft is warning of a phishing campaign targeting accounting firms and tax preparers with remote access malware allowing initial access to corporate networks.
IRS What to do if you are hacked
When a tax professional's computer is hacked, it creates a significant threat to their clients, the practitioner's livelihood, and the US tax system.