On June 23rd, the IRS released information from its latest Security Summit, highlighting that cybercriminals are again targeting tax professionals. This attack is similar to past scams, arriving in the form of a phishing email that tries to steal important information. The difference is that these emails appear to come from a real tax software education provider and request preparer information that thieves could then use to pilfer client data and file fraudulent tax returns.
In a security bulletin, the IRS reiterated that legitimate businesses and organizations should never ask for usernames, passwords, or sensitive data via email. Although the attackers are phishing for specific tax professional identifiers like Electronic Filing Identification Numbers (EFIN), Preparer Tax Identification Numbers (PTIN), and Centralized Authorization File (CAF) numbers, the bigger lessons from this recent attack apply broadly.
Tax preparers are targeted for a simple reason: if an accountant works on 500 sets of taxes each year, that’s 500 opportunities to steal somebody’s identity. But whether you’re a CPA, a lawyer, a doctor, or a banker, or any worker in any industry, one thing is constant: if your company houses confidential data, your systems are at risk.
Proactive monitoring solutions that keep a 24/7 eye on your computers and networks are important. So is compliance, both governmental and industry-based. An off-the-shelf firewall that was plugged in last year and a standard antivirus program that comes pre-installed on a computer aren’t enough to protect your systems and data from rapidly evolving malware, ransomware, and phishing threats. And properly deployed data backups, multi-layered network security, dedicated servers, and physical safeguards are also critical parts of any security plan.
No matter what industry you work in, here are a few more strategies for protecting your business, your systems, and your data:
1) Never share personally identifiable or sensitive information via email. This one seems self-explanatory, but we are all guilty of occasionally sending out our driver’s license or Social Security number in an unprotected way. If the IRS needs information from you, it will send you a letter in the mail first—not reach out via email or phone call. And everything from bank account numbers to username/password combinations should be treated like the valuable asset that it is (and that hackers want).
2) Know how to quickly identify illicit attempts to steal your data. The tax preparer phishing email outlined above arrives with the obvious hallmarks of a scam: misspelled words, strange phrases, and awkward grammar (here’s a sample: “In addition, we need a photo of the driver’s license, send all the data to the letter. Please do it as soon as possible, this will help us to revive the account.”) In addition, look closely at the sender address and domain name—and never click on strange links or attachments. This quick assessment can usually be completed in less than a minute. It may feel tedious, but any time an email asks for personal information of any kind, treat it as a red flag and run through the checklist again; a minute spent checking can prevent a data breach.
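The sender-address and domain checks described above, as an added example that is not from the original post or from CMIT Solutions: a Python routine that parses constructed sample email headers and flags a look-alike sender domain, a display name that claims a trusted brand, a Reply-To routed elsewhere, and body text requesting the identifiers the IRS says are never requested by email. The trusted-domain list and both sample messages are assumptions built for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this office legitimately receives mail from (constructed).
TRUSTED_DOMAINS = {"example-taxedu.com", "irs.gov"}

# Common character swaps used to build look-alike domains (constructed list).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Identifiers and credentials a real provider or the IRS never asks for by email.
SENSITIVE_KEYWORDS = ("password", "efin", "ptin", "caf", "driver")


def normalize(domain):
    """Collapse look-alike characters so 'examp1e' compares equal to 'example'."""
    d = domain.lower()
    for lookalike, real in SUBSTITUTIONS:
        d = d.replace(lookalike, real)
    return d


def assess_sender(raw_message):
    """Return a list of red flags found in the message headers and body."""
    msg = message_from_string(raw_message)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if not from_domain:
        return ["missing or unparseable From address"]
    if from_domain not in TRUSTED_DOMAINS:
        # Domain is not trusted, but normalizes to a trusted one: a look-alike.
        if normalize(from_domain) in {normalize(t) for t in TRUSTED_DOMAINS}:
            flags.append(f"look-alike domain: {from_domain}")
        else:
            flags.append(f"unknown sender domain: {from_domain}")
    # Display name borrows a trusted brand while the address domain differs.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand.replace("-", "") in display.lower().replace(" ", "") and from_domain != trusted:
            flags.append(f"display name mentions {brand} but address is {from_domain}")
    # Replies are silently redirected to a different domain than the sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain")
    body = msg.get_payload().lower()
    flags.extend(f"requests sensitive data: {kw}" for kw in SENSITIVE_KEYWORDS if kw in body)
    return flags


# Constructed sample modelled on the scam's wording; the address is a digit-for-letter look-alike.
SAMPLE_PHISH = """From: Example TaxEdu Support <support@examp1e-taxedu.com>
Reply-To: verify@mail-account-recovery.example
Subject: Account verification

In addition, we need a photo of the driver's license, send all the data to the letter.
Please also confirm your EFIN and password.
"""

# Constructed benign message from the trusted provider for comparison.
SAMPLE_LEGIT = """From: Example TaxEdu <news@example-taxedu.com>
Subject: Webinar schedule

Our fall continuing-education webinar schedule is now posted.
"""
```

Running `assess_sender(SAMPLE_PHISH)` returns six flags (look-alike domain, brand mismatch, Reply-To mismatch, and three sensitive-data requests), while the benign sample returns none.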
3) Don’t rely on the same password for every account. Often, a single stolen login credential is all a cybercriminal needs to unlock sensitive data stored across the Internet (and on multiple devices). If you use the same password for several logins, you might be a hacker’s next target. So make up a distinct variation on a long mix of numbers, letters, and special characters for each of your passwords. Consider a password manager that generates and regularly rotates your logins while you only have to remember one strong master password. If two-factor authentication is available on your email, social media, or financial accounts, activate it now. Or give your company the highest level of protection with enterprise-grade password management solutions. The important thing is that you never use “password123” again.
4) Use caution when you’re using the Internet. CMIT Solutions recommends that anyone working with sensitive data do so via a wired Ethernet connection that can be protected by multiple layers of security. If you do use a Wi-Fi network, make sure it’s password protected and not public. Any time you’re accessing personal data on the Internet, look for “https” or the padlock icon next to the web address in your browser. And definitely don’t click on any of those “malvertising” links or news headlines that are too good (or ridiculous) to be true.
5) Treat your employees as an integral part of your business’s security plan. In the IT industry, the “human firewall” is a term that essentially means your employees can serve as the first line of defense against phishing scams and cybercrime attempts—if they’re empowered with the right knowledge, training, and support. Make sure written security plans are in place and available to all employees, and work with a trusted IT provider to have thorough onboarding and offboarding policies and procedures that bring people on and usher them out in the safest way possible. All it takes is one errant click on one bad link or one piece of sensitive data included in an ill-timed email response to expose your business to risk. So addressing these threats early and often with the support of your staff is critical.
6) Most importantly, give your data the protection it deserves. No matter what industry you work in, chances are you take your responsibility to your clients seriously—which means you should take their data seriously, as well. (And if you are a tax preparer, you know the IRS expects you to take client data seriously, with a whole host of rules and regulations governing how that data must be stored, handled, transmitted, and encrypted.) Regular, remote, redundant backups can protect you in the event of a data breach, ransomware attempt, or other cybersecurity snafu.
If you’re concerned about information security in this rapidly changing digital world, contact a trusted IT advisor and compliance expert like CMIT Solutions today. We understand the importance of data integrity and cyberthreat protection. We deploy multiple layers of network security to keep your systems, your employees, and your information safe. We offer local, one-on-one service backed by a nationwide system of business owners and technicians. We even understand the IRS’ Publication 4557 about Safeguarding Taxpayer Data.