The Internal Revenue Service (IRS) along with the tax industry and state tax agencies organized the 5th Yearly National Tax Security Awareness Week from 30th November to 4th December 2020. The agenda of the program was to encourage individuals as well as business taxpayers to employ additional security measures to safeguard their data and identities against the modern cybercrime threats.
Through the program, the IRS urged common taxpayers to stay vigilant against fraudsters and impersonators who constantly try to exploit the covid-19 situation to earn easy money.
Considering the current pandemic situation and the upcoming tax season, it was an important and well-timed program that made taxpayers aware of various tax-related threats. The program presented many effective measures you can adopt to remain protected against these threats. Let’s discuss the event on a day by day basis and try to learn about various security steps that are helpful for all of us.
The Day 1
On the first day of the awareness week, the IRS warned all the taxpayers and tax professionals about the identity theft scams being run by cybercriminals. The current holiday shopping season combined together with the pandemic situation and the upcoming tax season offers a conducive atmosphere to the online fraudsters.
The opening of the National Tax Security Awareness Week coincided with Cyber Monday which is the conventional beginning of the holiday shopping season. The coincidence emphasizes the importance of online security in these highly vulnerable times.
The IRS Commissioner, Chuck Rettig said that various elements at play make this a very dangerous combination amidst the pandemic. He feels this is a hunting season for online criminals. He further said that this overall situation is putting people at a bigger risk. However, you can take proactive measures to safeguard yourself in this situation and protect your critical tax and financial data.
The following are some of the basic steps that the IRS urges you to follow during the holidays and the approaching tax season 2021:
- Use effective security applications for your smartphones and computers. Don’t forget to update them regularly.
- Ensure that your anti-virus software is capable of stopping malware and a firewall is there to avert intrusions.
- The imposters primarily use phishing emails, chats, and calls to steal your data. Do not respond to emails having suspicious attachments or links. Scams related to the Economic Impact Payment and COVID-19 are the most common way online thieves lure you.
- It is recommended that you use unique and strong passwords for your online accounts. Use phrases or a combination of words that you can remember easily. Alternatively, you can also use a password manager.
- To avoid being a victim of hacking, use multi-factor authentication.
- Always shop at sites that have a web address beginning with ‘https’. The ‘s’ stands for secure communications.
- Always remember that cybercriminals can eavesdrop. Hence, do not use unsecured public Wi-Fi networks for shopping.
- Your wireless printers, door locks, or thermometers can be an identity thief’s access points. Therefore, secure all your connected systems by using strong Wi-Fi passwords at home.
- Back up all your personal files present on your mobile phones and computers on secure cloud storage or an external storage device.
- Create a Virtual Private Network (VPN) while working from home. It ensures a secure connection with your workplace.
The Summit partners emphasize the need to secure your mobile phones as the modern thieves are getting more adept at compromising them. Also, you are more vulnerable to a phishing scam on a mobile phone compared to a computer. You can check the Federal Communications Commission’s Smartphone Security Checker for specific security recommendations for your mobile phone.
The IRS reiterates that it does not email, call, or text you about your tax refund or Economic Impact Payment. Nor does it call you with threats of lawsuits or jail over your unpaid taxes. In case you receive such calls, know that these are scams.
The Day 2
The Summit partners comprising of the IRS, the tax industry, and state tax agencies, announced an enhanced functionality on the second day of the National Tax Security Awareness Week. The feature will be available on all online tax preparation products from the 2021 season. These products will have multi-factor authentication for both taxpayers as well as tax professionals.
The multi-factor authentication feature is an effective outcome of the ongoing collaboration by the tax industry, the IRS, and state tax agencies, together known as the Security Summit. It will require users to enter two pieces of information for securely accessing the application or their accounts. For instance, you may be required to enter a unique numerical code sent on your mobile phone, in addition to your username and password.
The feature is an easy and cost-free method to step up the security of your data, said the IRS Commissioner. It is a critical security measure introduced by the tax software industry and is one of the many actions introduced by the Security Summit in the past five years.
Some of the products already have the multi-factor authentication feature. However, it would be a standard feature of all the products for the upcoming tax season 2021. All the providers have not only agreed to include the feature but also as per the requirements laid down by the National Institute of Standards and Technology. Although, the feature may not be available on retail hard disk tax products.
The multi-factor authentication feature makes it difficult for cybercriminals to access your sensitive information and thus, reduces the chances of identity theft. Though the feature is voluntary, the Summit partners urge all the tax professionals and taxpayers to use it.
You can check the security section of your online tax product to enable the feature. It may be named as two-step verification or two-factor authentication or something similar. It is critical for the tax professionals to incorporate the feature as they are the primary targets of identity theft.
The IRS also mentions that most of the identity theft cases from the tax professional offices reported to it may have been averted just by utilizing the multi-factor authentication.
It is easier for present-day online fraudsters to steal your account credentials. However, it is extremely unlikely for them to steal your mobile phone. Hence, the multi-factor authentication makes it difficult for them to get access to the other piece of information to be able to access your account. It prevents them from completing your pending refunds, modifying your refund information, and using your e-filing and preparer number for filing fraudulent returns.
The Security Summit concludes that while a product may not be fool-proof, multi-factor authentication does diminish the chances of identity theft by protecting your account and personal information. Thus, you must use the feature wherever possible.
The Day 3
The third day of the event was dedicated to making people aware of the IRS’s Identity Protection Personal Identification Number (IP PIN) program. The IRS announced that it is expanding the IP PIN Opt-In Program to all taxpayers nationwide, starting January 2021. The program is expanded to offer taxpayers proactive protection against identity theft.
The IP PIN is a unique, six-digit number that helps you prevent the misuse of your Social Security Number (SSN) on fraudulent income tax returns. The IRS verifies your identity through the PIN and then accepts your electronic or paper tax return. You can use the online ‘Get An IP PIN’ tool at IRS.gov/ippin to obtain your IP PIN.
Chuck Rettig, the IRS Commissioner said that this special PIN protects you against someone else filing a return using your identity. He further recommended using the online tool to get your IP PIN quickly. However, the Commissioner reminded that you must go through a rigorous verification process as the IRS needs to make sure that it is you and not somebody else who is asking for the PIN.
The ‘Get an IP PIN’ tool incorporates Secure Access authentication which has various ways to validate your identity. The IRS, therefore, recommends you to go through the requirements of Secure Access before using the online tool. You can visit IRS.gov/secureaccess to know about the requirements.
In case you are not able to get past the Secure Access authentication, you have alternative ways to get your IP PIN. If your annual income is $72,000 or less, you can complete Form 15227 and fax or mail it to the IRS. You must have access to a telephone for this method. On receiving your Form 15227, an IRS assistor will give you a call and ask a series of questions to verify your identity.
If you fail to verify your identity or are ineligible to submit a Form 15227, you can make an appointment and visit the nearest Taxpayer Assistance Center. You must carry two picture identification for the in-person identity verification. You will receive your IP PIN via mail, within three weeks after successfully verifying your identity through this process.
The IRS also listed the things you must know about the IP PIN before applying for one. They are as follows:
- The online ‘Get An IP PIN’ tool is the only method that instantly assigns you a PIN. It will be available for all taxpayers in mid-January.
- If you are opting in the IP PIN program voluntarily, you need not file an Identity Theft Affidavit (Form 14039).
- Taxpayers with either an Individual Taxpayer Identification Number (ITIN) or a Social Security Number (SSN) are qualified for the opt-in program if they can verify their identities.
- Your IP PIN is valid for one year. You will obtain a fresh PIN each January.
- In order to avoid delays and rejections, you must accurately enter your PIN on electronic as well as paper tax returns.
- All the primary (mentioned first on the return), secondary (mentioned second on the return), or dependent taxpayers can get an IP PIN if they are able to get through the identity verification.
- In case you feel the IP PIN program is not right for you, the IRS plans to introduce a feature for you to opt-out of it in 2022.
The IRS has made no changes to the IP PIN program for the confirmed tax-related identity theft victims. They still need to submit a Form 14039 if their returns are rejected due to duplicate SSN filing.
The IRS also reminded the taxpayers about not sharing their IP PIN with anybody except their trusted tax professionals. Also, the IRS never requests your IP PIN. So, beware of the potential IP PIN fraud calls.
The Day 4
On the fourth day of the National Tax Security Awareness Week, the Security Summit focused on the security of businesses. It urged businesses to stay vigilant against identity thefts. It reiterated that businesses must enact strong, proactive measures to protect their data and identity.
Similar to individual taxpayers, businesses can also be victims of identity theft. The cybercriminals try to steal your business identity to file fraudulent business tax returns. The IRS commissioner said that online thieves are trying out new ways to get access to your important company information. Therefore, it is critical for you to stay alert and protect your business.
The IRS said that more than 70 percent of the online attacks target businesses having 100 or fewer employees. Thieves try to steal credit card details, employee identity information, or business identity. Therefore, the IRS encourages businesses to follow the best practices recommended by the Federal Trade Commission (FTC). Some of them include:
- Using up to date security software
- Backing up critical business files
- Using strong passwords for all devices
- Using multi-factor authentication
- Encrypting devices
For more information, you can go through the FTC’s Cybersecurity for Small Businesses.
You, as a business owner, must remain alert to phishing email frauds related to COVID-19 or tax. The IRS has started masking sensitive information in tax transcripts as well as the summary of corporate tax returns. This will prevent online thieves from gaining identifiable business information for filing fake returns.
All information, except financial entries, will have different masking rules. For example, just the first four letters of the first and last name of businesses and individuals will be visible. Similarly, the Employer Identification Number (EIN) will have only the first four digits visible.
The Business Identity Theft Affidavit (Form 14039-B) has been launched publicly by the IRS. It will enable businesses to proactively report any possible identity theft when their e-filed return is rejected.
The IRS recommends businesses to submit the Form 14039-B if they receive any of the following:
- Rejection of e-filed return because of an already-filed return for that period
- Notice of a return that the company did not file
- Notice about Forms W-2 that the company did not file
- Notice about a due balance that is not owed
The Form 14039-B allows the IRS to respond to your business much quicker and work towards resolving issues created by a fraudulent return.
A business must not submit this form in case of a data breach that has no impact related to tax. You can have more information at Identity Theft Central’s Business section.
Towards the end of the day, the IRS mentioned a special reporting procedure meant for employers experiencing the Form W-2 scam. More information of the same is available in the Business section of Identity Theft Central.
The Day 5
The fifth and final day of the event was dedicated to various telework scams going on amidst the pandemic. The Summit partners focused on challenges that tax professionals face from cybercriminals and online fraudsters trying to exploit the COVID-19 situation.
The Summit partners created the ‘Tax-Security-Together’ Checklist to help tax professionals identify some basic measures they must take to remain protected in these testing times. These measures are even more critical if you, as a tax preparer, are working remotely amidst the novel coronavirus situation.
The Six Basic Security Measures
The following are some of the easy steps that make a huge difference for you, both as a taxpayer and a tax professional:
- Using standard anti-virus applications on all digital products including laptops, desktops, and mobile phones. Also, set the application at auto-update.
- Using firewalls to protect your systems against any outside attack.
- Using multi-factor authentication to protect all your online accounts. This should include various tax products, cloud applications, and email accounts.
- Backing up your sensitive data and files
- Encrypting data.
- Using a Virtual Private Network (VPN) to stay secure while working from a remote location.
The IRS also reminds you to have a written information security plan, as per federal law. The FTC has enforcement authority over this provision. This authority is provided by federal law. The IRS Publication 4557 has all the information you need about the FTC’s ‘safeguard rules’.
Other than the security plan, you must have an emergency response plan to combat a data theft or a security breach. You must also note that the IRS Stakeholder Liaisons are the first point of contact for reporting data theft or breach to the states as well as the IRS.
The IRS Publication 5293 (Data Security Resource Guide for Tax Professionals) has all details on data theft and its reporting process.
The vulnerable times of COVID-19, coinciding with the holiday shopping season and the forthcoming tax season 2021, present tremendous opportunities to online thieves and hackers across the globe. The Security Summit’s National Tax Security Awareness Week was a well-timed program to remind individual taxpayers, tax professionals, and businesses about various threats they may face during these times.
The 5-day long program not only discussed various security threats but also listed important measures one may adopt to stay protected against them. From identity theft warnings to making people aware of the IP PIN program, the event was dedicated to the overall protection of a common taxpayer, tax preparer, and business owner.