With more tax professionals working remotely during the coronavirus pandemic, the IRS is warning them to take additional security steps to protect client data.
The IRS, state tax agencies, and the tax industry are seeing more instances of data theft as cybercriminals take advantage of the confusion surrounding COVID-19 by creating new scams.
"Identity thieves view the pandemic as a chance to exploit tax professionals as well as taxpayers," IRS commissioner Chuck Rettig warned.
"They are using every trick of their criminal trade to con people as well as steal valuable personal and financial information to help enable tax-related identity theft."
He said tax professionals can play an important role thwarting scammers.
"We urge the entire tax community to take additional steps and protect their sensitive data," he said.
Tax professionals working remotely should use a virtual private network, which connects business networks securely and allows remote access.
The IRS Security Summit, which includes state tax agencies and the private sector tax industry, urges the use of multi-factor authentication for VPNs, tax professionals, and taxpayers.
This means a user signing onto tax software must enter a username, password, and a security code, generally sent as a text to a mobile phone.
"Multi-factor authentication protects the software account from being breached and from client data being stolen," the IRS said in a release.
"Tax professionals should activate this feature immediately."
Everyone, especially tax professionals, should also be using broad-based security software that protects computers and mobile phones.
Security features will help identify and stop potentially dangerous malware that can infect digital networks.
Identity thieves have also ramped up phishing scams on tax professionals and taxpayers.
Tax professionals should beware of emails from criminals posing as potential clients and adopt these three steps:
- Know your customers
- Use the phone to confirm identities
- Don't take the bait
Thieves also seek to impersonate tax software providers, cloud storage providers, banks and others, including the IRS.
The IRS will not call, email, or text anyone about stimulus or other payments.
And remember, phishing emails usually have an urgent message—such as "your account password expired"—and direct you to a link or attachment.
Taxpayers can report suspicious emails to the IRS.