Cybersecurity: Is Your Tax and Accounting Practice Secure?
Few professions have felt the brunt of identity theft like the tax and accounting profession. This profession is in the crosshairs: clients may have their identities stolen and have to deal with fraudulent tax returns, and financial professionals may be hit with spoofed emails. It is important to understand that many of these incidents are not truly hacks but rather the result of careless password habits and/or poor office policies.
This overview is meant to provide some insight and best practices to help protect your practice and your clients from bad actors. Know that CPAs, enrolled agents and other tax professionals are attractive targets to hackers. Never say, “It won’t happen to my practice.”
Do Not Send Clients Files via Email
The most common compromise involves a third party gaining access to an email account, either yours or one of your clients'. An attacker can obtain an email password by brute-force guessing, by reusing a password leaked from another site, or by sending phishing (spoofed) emails that trick the owner into typing it in. The majority of intrusions are due to poor password management.
First, be sure that each account has a unique and very strong password. Nothing is worse than letting an attacker into multiple accounts because you use the same password across the board. Where the provider offers it, also turn on multi-factor authentication; a stolen or guessed password alone is then not enough to log in. If hackers gain access to your email, they can send spoofed emails to your client base. This is very dangerous because clients will likely trust and open the message because you appear to be the sender. Spoofed emails come in various formats. Sometimes they are sent posing as password-reset emails from common sites such as Dropbox, PayPal or Intuit QuickBooks. The IRS recently warned of a new ransomware scam in which the email impersonated the IRS and FBI in one message. These are the types of tactics that unsuspecting people fall for. In addition, if you have sent private client files via email, anyone who gets access to your email account (or your client's) can use that information to commit identity theft.
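Spoofed emails can usually be recognised from their headers before anyone clicks on them. The following is an added example, not code from the original post: it parses a constructed phishing message (the sender and domains are made up) with Python's standard email module and flags the common tells, namely a Return-Path or Reply-To domain that differs from the visible From domain, and an Authentication-Results line showing a failed SPF check or no valid DKIM signature.

```python
"""Flag likely sender spoofing from an email's headers (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a password-reset lure whose visible From address
# claims to be a well-known vendor, while the envelope and reply address
# point at an attacker-controlled domain.
CONSTRUCTED_MESSAGE = """\
Return-Path: <bounce@mail-reset-center.example>
Authentication-Results: mx.firm.example; spf=fail smtp.mailfrom=mail-reset-center.example; dkim=none
From: "QuickBooks Support" <support@quickbooks.example>
Reply-To: helpdesk@mail-reset-center.example
To: cpa@firm.example
Subject: Your password will expire today

Click here to reset your password.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Parse Authentication-Results into {'spf': 'fail', 'dkim': 'none', ...}."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        # The first ';'-separated field is the id of the server that checked the mail.
        for part in str(value).split(";")[1:]:
            method, _, rest = part.strip().partition("=")
            if method and rest:
                results[method.lower()] = rest.split()[0].lower()
    return results


def spoof_indicators(raw_message):
    """Return a list of human-readable warning strings (empty means nothing suspicious)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])
    return_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])
    if return_dom and return_dom != from_dom:
        flags.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    auth = auth_results(msg)
    if auth.get("spf") == "fail":
        flags.append("SPF check failed for the sending domain")
    if auth.get("dkim") != "pass":
        flags.append(f"no valid DKIM signature (dkim={auth.get('dkim', 'absent')})")
    return flags


if __name__ == "__main__":
    for warning in spoof_indicators(CONSTRUCTED_MESSAGE):
        print("WARNING:", warning)
```

Two caveats apply when using this in practice. The Authentication-Results header is only trustworthy when it was added by your own receiving mail server (mail servers strip copies that arrive from outside for exactly this reason), and a mismatched Return-Path on its own is not proof of fraud, because legitimate bulk senders often use a separate bounce domain. Treat the output as a prompt to verify the message with the supposed sender by phone, not as a verdict.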
Sample ransomware scam email:
Using a client-portal system that requires unique usernames and passwords and that encrypts the connection with SSL/TLS (the https:// padlock) can help minimize this risk. Make sure that any such system has safety mechanisms built in, for instance a limit on the number of incorrect passwords a user can enter before the account is temporarily locked, so that an attacker cannot simply guess until something works. Most portals also encrypt files stored on their servers, which adds another layer of protection.
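To make the lockout requirement concrete, here is an added example of how such a check works; it is not code from the original post or from any particular portal product. It stores passwords as salted PBKDF2 hashes rather than in the clear, compares them in constant time, and locks an account for a fixed period after repeated failures. The limits (five failures, fifteen-minute lockout, 100,000 PBKDF2 rounds) are assumptions chosen for illustration; a real deployment would tune them and persist the counters in a database rather than in memory.

```python
"""Password verification with failure counting and temporary lockout (added example)."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # assumed policy: lock after five wrong passwords
LOCKOUT_SECONDS = 15 * 60   # assumed policy: fifteen-minute lockout
PBKDF2_ROUNDS = 100_000     # assumed work factor; raise it for production


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return (salt, rounds, digest) for a password; a fresh random salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, rounds, digest


class PortalAuth:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the behaviour can be tested offline
        self._users = {}             # username -> (salt, rounds, digest)
        self._failures = {}          # username -> (failure_count, locked_until)

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'. Never reveals whether the username exists."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"          # rejected even if the password would be right

        record = self._users.get(username)
        if record is None:
            # Unknown user: do a throwaway hash so timing matches the real path,
            # then fall through to the same failure handling.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, rounds, digest = record
            candidate = hash_password(password, salt, rounds)[2]
            ok = hmac.compare_digest(candidate, digest)

        if ok:
            self._failures.pop(username, None)
            return "ok"

        count += 1
        if count >= MAX_FAILURES:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "denied"


if __name__ == "__main__":
    auth = PortalAuth()
    auth.register("alice", "correct horse battery staple")
    print(auth.login("alice", "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILURES):
        print(auth.login("alice", "guess"))                      # denied ... then locked
```

The lockout applies even when the right password is finally supplied, which is what stops a brute-force run; the trade-off is that an attacker who knows a username can deliberately lock a client out, so real systems usually pair a short lockout with an increasing delay and an alert to the account owner rather than a long hard lock.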
Best Office Policies for Security
If you are still using paper, add a shredder to your office equipment list. In addition, install an office security system, including camera surveillance, to help deter thieves. Crooks often target CPA offices and other accounting firms because of these offices' bounty of private data, including Social Security numbers. Do not write down clients' personal data such as credit card numbers or banking information. If you use file cabinets, make sure they are secure and locked. Do not write usernames or passwords on sticky notes near your computer. Although many of these best practices seem obvious, many people are guilty of breaking their own rules. Mistakes occur when you get careless. For instance, when disposing of old tax records, always do so properly; thieves do go through the trash, and if you are not careful they can easily access private data this way.
When it comes to securing your digital office, you can take a number of steps:
- Keep your operating systems updated: While doing so may be annoying or time-consuming, always keep your workstations, iPads, phones, and so on up to date with the latest security patches.
- Lock your screen when it is idle: Passersby can quickly jump on unlocked devices to access users’ email, reset their passwords, and so on.
- Use equipment-tracking software: This technology is not automatically loaded on every workstation, but device-location tools help in case of theft or lost devices. These tools even let users lock and erase data if a device is stolen.
- Use hard-drive shredders: When disposing of old computers and other digital devices, make sure to use a certified hard-drive shredder to ensure that the data on those devices is really destroyed.
- Do not use insecure Wi-Fi networks: When traveling, you will often come across insecure networks. Try to use only secure connections, and when in doubt, be careful about which sites you log into.
- Train your staff about email best practices: All it takes is one careless staff member opening a spoofing email for an entire office to be compromised. Communicate your security policies to all staff members.
- Use background checks when hiring: Anyone can make the mistake of trusting that they are hiring high-caliber employees. Sometimes, though, a background check can reveal surprises. Use a service such as checkr.com.
- Look into cybersecurity insurance: Recent high-profile breaches have made cybersecurity insurance a growth area. Particularly if you are dealing with personal client data, it would be wise to look into anti-hacking insurance.
- Use high-security account passwords and update them when needed: Changing a password limits the amount of time that an attacker can use stolen login information. However, studies have found that forced periodic changes are a hassle, drain productivity and push users toward weak, predictable variations of the old password, and current NIST guidance (SP 800-63B) recommends changing a password whenever there is evidence of compromise rather than on a fixed schedule. If you do rotate on a schedule, every 60 to 90 days for sensitive accounts is the common practice; either way, the new password must be unrelated to the old one.
- Be very careful when clicking on email attachments: A Las Vegas CPA made the mistake of clicking on a file that was attached to an inbound email; the file was posing as a resume for an internship. The CPA did not have any openings or job listings but clicked on it anyway. The file turned out to be ransomware. When in doubt, delete the email or ask the sender to confirm that the file is safe.
- Install antivirus / anti-malware software: The first line of defense is antivirus / anti-malware software. This is especially true for Microsoft operating systems. However, you must ensure that this software automatically updates so that it protects you from the latest threats.
- Be wary when sharing private data offline: If third parties are probing you for personal data in a way that seems out of place, do not provide that information. You can always call a vendor directly. Use common sense.
- Use an SSL/TLS certificate on your website: If you collect data from clients on your website, serve it over HTTPS with a valid certificate and redirect plain http:// requests to https://. Clients will see https:// before your domain name. Starting October 1, Chrome will begin alerting visitors to pages that contain forms but are not served over HTTPS.
- Don’t wait until a breach occurs: Act now to set up the above protections. A little bit of effort today can save a lot of pain later.
Identity Thieves, the IRS and Your Clients
The IRS and the Federal Trade Commission have taken steps to combat fraud resulting from identity theft, and many of their safeguards have already cut down on the amount of fraud. However, it is hard to stop all of it, especially after intrusions such as the recent Equifax breach affecting 143 million consumers. If any of your clients' Social Security numbers were part of the breach, please direct them to the special IRS identity theft website, which includes the steps to take if you are a victim, including access to IRS Form 14039.
Tax professionals are often in the middle of this issue, as they need to help both individuals and business owners who are victims of tax-related identity theft. They may become aware of such problems when clients’ returns are rejected as duplicates.
The IRS suggests that tax and accounting professionals take the following steps when this occurs:
- If the client has received an IRS notice, respond immediately.
- Instruct the client to complete the IRS Identity Theft Affidavit, IRS Form 14039.
- Recognize that, if the federal return was affected, the state return might be affected as well.
- If you need to represent your client before the IRS, make sure to complete a power of attorney form before trying to make contact.
The best defense is keeping your guard up. Hackers and identity thieves probe tax and accounting professionals daily. Using common sense and integrating cybersecurity best practices into your business will help minimize your risk.
Lee Reams II
I am a marketing junkie who has spent the last 20 years developing and executing "best in class" word-of-mouth marketing campaigns. With over 10,000 happy clients, I think we are on to something. The explosion in web marketing and social media has redefined the way independent professionals market their practices. Follow my blog to see if you can take some of our actionable ideas to market your own practice.