As the saying goes, “A fool and his money are soon parted.”
“The rest of us wait until income tax time,” adds the comedian.
By the time America’s tax day — April 15th — has passed, many bypassed the traditional paper tax forms and submitted their taxes electronically to the Internal Revenue Service (IRS). And while some do their own taxes, many hire a professional tax preparer.
Whether you file for yourself, family, company, or as a team member of a firm handling taxes, it’s important to remember the content of the documents contain important confidential personal data.
Which brings me to the story of a family friend who became a victim of tax-related identity theft.
A True Tax Crime Story
Every year, my family friend uses a small CPA business to file their taxes. Little did they know, this CPA firm was one of many tax preparation offices bad actors infected with malicious code. The code impacted computers used to prepare and electronically file taxes with the IRS. These infected machines provided the criminals access to complete return data on an undetermined number of clients. Using stolen data, the criminals were able to file refund claims under the victim’s information.
One of those victims, my family friend, will now have their refund delayed up to four months while this is sorted out.
In addition, when electronically filing, there is an option to have a refund electronically deposited into a bank account. This information was also made available to the criminals spreading the malicious code. With the electronic fund transfer information, social security number and other details, gaining access to a bank account would be easy. What happened to my family friend was bad, but it could have been worse.
Can you imagine falling victim to this type of crime? The dollars lost combined with the time and frustration involved with rectifying the situation is mind-boggling.
Protecting Your Tax Data
There are some actions the government is taking to protect you from income tax identity theft, but to avoid getting caught in this situation, there are some things you can do proactively.
How the Government Protects Your Identity
In 2016, the IRS, state tax agencies and others in the tax community banded together for a security summit to help mitigate and combat data theft. In my mind, this is a little late in the game, as electronic storing and filing tax information has been around longer than the age of some of you readers.
Since the Security Summit of 2016, the IRS has been doing due diligence to ensure that information and guides are available to tax preparing entities. This information can be found on the IRS website:
- Taxes. Security. Together. We all have a role to play in protecting your data.
- Protect Your Clients; Protect Yourself
- Safeguarding Taxpayer Data
- Identity Theft Information for Taxpayers
How You Can Protect Your Taxes
What can you do to ensure that your confidential data is secured?
First, get to know your tax preparer and ask questions about the protection they have before you divulge your private information. Even the old-school preparers should have an idea of how they will protect you. Some good examples are:
- Secure paper shredding
- Physical security
- Employee background checks
- Endpoint detection & response
- Log monitoring
- Credential policies/practices
- Redundant backups
- VPN for private data transmission
- File encryption
You should also evaluate their policies against the CIA Triad of confidentiality, integrity and availability. Ask the following questions to identify what potential risks can occur with your data:
- Will you keep my private data confidential by restricting its access?
- Will my data be safe from unauthorized modification and keep its integrity?
- Do you have a security policy that allows reliable access to my data when I want to view it?
Asking these questions might make you a bit uncomfortable, but it’s not rude to ask. You could even be helping the preparer identify a shortcoming that, when fixed, will benefit them and their clients. Don’t forget that the organization that prepares your taxes may be liable for your information, but so are you.
As I learned first-hand from my family friend’s experience, getting your funds and identity back to normal will require a great deal more work and frustration than some preventative preparations. In the event that your information has been captured by an attacker, be it from your tax preparer or otherwise, the government does offer guidelines for what to do in these situations. Additionally, one may fill out an Identity Theft Affidavit for any parties that may need to have their account marked for abnormal activity.