Security Summit: IRS reminds tax pros to plan, protect, defend against identity theft; special summer series concludes with important reminders

IR-2023-147, Aug. 15, 2023

WASHINGTON — Wrapping up a special awareness series, the Internal Revenue Service and the Security Summit partners urged tax pros to maintain robust security measures and take important steps to protect themselves and their taxpayer clients against identity theft.

Tax-related identity theft scams continue targeting tax professionals with a regular bombardment of scams and schemes that seek to gain access to sensitive taxpayer information. These schemes continue to evolve and ensnare victims, threatening both tax professionals and the clients they serve.

In today's conclusion of the special five-part "Protect Your Client; Protect Yourself" series, the IRS and Summit partners urge tax professionals to take critical steps to protect their information, including taking extra care with how they handle data and security at their business and at home.

"Tax professionals form a central part of the tax community's defense against identity thieves and cyberattacks," said IRS Commissioner Danny Werfel. "Ensuring strong security at a tax practice – regardless of its size – will help protect not just the business, but also help safeguard individual taxpayers as well as state and federal tax agencies from fraud. The IRS and the Security Summit partners continue to urge tax professionals to take important steps to protect their clients and themselves from identity thieves."

The Security Summit is a public-private partnership created in 2015 that works to protect the tax system against tax-related identity theft and fraud. The partnership has successfully strengthened fraud defenses inside the tax system to protect against identity theft, including by sharing information about emerging fraud and cyber schemes.

A key part of those defenses involves awareness among tax professionals and the taxpaying public. This news release series provides important information to help protect sensitive taxpayer data that tax professionals hold while also protecting their business from identity thieves. This marks the eighth year that the Security Summit partners have worked to raise awareness about these issues through the "Protect Your Clients; Protect Yourself" campaign as well as special seminars at the IRS Nationwide Tax Forums, which continue later this month in San Diego and Orlando.

The Security Summit partners also continue to remind tax professionals about the importance of setting up a Written Information Security Plan PDF or WISP. The 28-page, easy-to-understand document was developed by and for tax and industry professionals to keep customer and business information safe and secure. The special template is designed to help tax professionals, especially smaller practices, make data security planning easier. Special sessions on the WISP have had standing room only audiences at the Tax Forum sessions so far this summer, with more than 300 attending last week's session in Washington D.C.

Important reminders for tax pros, taxpayers to reduce identity theft risk:

  • Be cautious of email attachments and web links. Do not open a link or attachment that arrives unexpectedly. Many scammers can imitate legitimate businesses, taxpayer clients and government agencies, including the IRS. If in doubt about something you receive, independently contact the sender to confirm receipt and the validity of any unexpected links or attachments before opening.
  • Do not send sensitive business information to personal email devices. Do not conduct business, including online business banking, on a personal computer or device. Likewise, do not engage in web surfing, gaming or video downloading on business computers or devices. All of these can add to security risks.
  • Do not share USB drives or external hard drives between personal and business computers or devices. Never connect an unknown/untrusted piece of hardware to the tax pro's system or network. Also do not insert any unknown CD/DVD or USB drives. Disable the "Autorun" feature for USB ports and optical drives on business computers to help prevent malicious programs from being installed.
  • Be careful with downloads. Do not download software from an unknown web page. Always exercise caution with freeware or shareware.
  • Use strong passwords. Never give out usernames or passwords to others. Strong passwords consist of a random sequence of upper and lower-case letters that include numbers and special characters. Ideally, passwords should be at least 14 characters long. For systems or applications that have sensitive information, use multiple forms of identification (multifactor or dual-factor authentication).
  • Change default passwords. Many devices come with default administrative passwords. Change them immediately and regularly thereafter. Default passwords are easily found or known by hackers.
  • Change passwords often. Every three months is recommended. Consider using a password management application to store passwords. Passwords to devices and applications that contain business information should not be reused.

In addition, because many continue working from home either full- or part-time, the IRS and Security Summit partners also urge:

  • The use of virtual private networks, or VPNs, to securely conduct business, a step that can reduce the threat of data loss.
  • Use caution with online business/commerce and banking. This should only be done while using a secure browser connection and never at a coffee shop, restaurant or other business offering 'free' Wi-Fi.
  • Use of separate personal and business computers, mobile devices and email accounts. This is particularly important for those who may share hardware with other family members, especially children, who may not be aware of safety protocols.

Additional resources

If a tax pro or their firm are the victim of data theft, they should report it to their local IRS Stakeholder Liaison. Speed is critical. IRS Stakeholder Liaisons will ensure all the appropriate IRS offices are alerted. If reported quickly, the IRS can take steps to block fraudulent returns in the clients' names and will assist tax pros through the process.

In addition to reviewing IRS Publication 4557, Safeguarding Taxpayer Data PDF, tax professionals can also get help with security recommendations by reviewing Small Business Information Security: The Fundamentals PDF, by the National Institute of Standards and Technology.

The IRS' Identity Theft Central pages for tax pros, individuals and businesses have important details as well.

Publication 5293, Data Security Resource Guide for Tax Professionals PDF, provides a compilation of data theft information available on IRS.gov.