The Internal Revenue Service Criminal Investigation Division’s Annual Report for 2020 (Pub 3583: https://www.irs.gov/pub/irs-pdf/p3583.pdf) emphasized coronavirus (COVID-19)-related tax fraud and cybercrimes, along with its more typical investigative activities. The pandemic was also the breeding ground for several of the schemes identified in this year’s IRS Dirty Dozen list of tax scams for 2020 (IR-2020-160). New York CPAs participating in the Annual Tax Software Survey for 2020 (see page 30) reported an increase in cybersecurity attacks during the extended tax season, potentially due to shifting to a work-at-home environment. Survey respondents indicated their receipt of phishing or malware e-mails was running at about the same level as last year. There was a slight improvement reported in the occurrence of client identity theft issues, which fortunately appear to be on a (slow) decline.

The IRS focused taxpayer and tax professional education efforts for 2020 on identity theft and data security resources that many practitioners may find to be quite useful.

Internal Revenue Service Initiatives

The IRS launched the “Identity Theft Central” webpage (https://www.irs.gov/identity-theft-central) to collect its information on identity theft and data security. The Identity Theft Central main page is an easy starting point to access IRS resources for individuals, tax professionals, and businesses, along with links to the Security Summit and reporting phishing and online scams. One of the useful overview resources highlighted on Identity Theft Central is the “Taxes. Security. Together” webpage (https://bit.ly/2Kx0Hle). This presents select resources on the IRS’ National Tax Security Awareness Week; discusses how taxpayers, tax professionals, and businesses can help prevent identity theft; and includes links to important webpages on the IRS and other federal websites.

The Taxpayer Guide to Identity Theft webpage (https://bit.ly/3nqBUhs) is a good educational tool to help individuals prevent identity theft or recognize if it has occurred. The Identity Theft Information for Businesses page (https://bit.ly/3gS53j7) provides similar resources for businesses. Examples of signs of identity theft include receiving notices from the IRS on a variety of unexpected matters and—well known to tax preparers—rejection of a tax return from e-filing. Several action steps are encouraged, with handy links and examples, along with connections to various IRS resources (see the Sidebar).

Identity Theft Information for Tax Professionals (https://bit.ly/3ml644d) highlights resources for tax practitioners to assist clients in reporting identity theft, and for reporting attacks on the CPA firm itself. Important actions in preventing client identity theft include tracking e-file acknowledgements of tax returns filed, tracking Electronic Filing Identification Number (EFIN) usage, and checking the weekly reports on Preparer Tax Identification Number (PTIN) returns filed. The webpage also includes a listing of practitioner-related IRS resources (see the Sidebar).

Two important “events” that the IRS used to promote identity theft and cyber-security awareness and best practices were the National Tax Security Week and the Security Summit.

National Tax Security Awareness Week (https://bit.ly/2WnKbqp) is an annual event that runs in early December, with daily focuses on specific topics. For example, Day 1 of 2020 included an overview with an extensive list of “best practices,” such as using security and antivirus software, avoiding unsecured public Wi-Fi, and backing up computer and mobile phone files. Day 2 discussed the importance of multifactor authentication, which is further addressed in IRS Tax Tip 2020-169 (https://bit.ly/2WkWpQJ). The tip announced that online tax preparation products will offer multifactor authentication as a standard feature in 2021, although it will be optional for taxpayers and tax preparers to make use of it. Day 3 explained that all taxpayers will be able to proactively apply for an identity protection personal identification number (IP PIN) beginning in mid-January 2021. Tools for preventing cybersecurity attacks on businesses were the focus of Day 4, including resources available on the IRS Identity Theft Central and Security Summit, as well as on the Federal Trade Commission’s website. Day 5 was a great summary of best practices for tax professionals, such as installing antivirus software, using multifactor authentication for online accounts, and backing up sensitive files.

The Security Summit (https://www.irs.gov/newsroom/security-summit) is a coalition of state agencies and private-sector tax professionals working in partnership with the IRS to help increase taxpayer awareness, and conversely reduce tax-related cybercrime, with regard to identity theft and tax fraud issues. The five-part Security Summit awareness campaign for 2020 (https://bit.ly/3akQVxw) focused on the additional cybersecurity risks in a work-from-home environment. The IRS encouraged tax professionals to employ the “Security Six,” such as a Virtual Private Network (VPN) and multifactor identification of a security code, as well as broad-based security software to protect devices from malware. Part 4 addressed how to avoid phishing emails from fraudsters posing as potential clients in need of help with COVID-19 stimulus. Part 5 discussed the Federal Trade Commission’s requirement that all professional tax preparers create and maintain a written information security plan with specific features.

IRS Forms and Publications

IRS Impersonation Scam Reporting

https://www.treasury.gov/tigta/contact_report_scam.shtml

Publication 4524 Security Awareness for Taxpayers

https://www.irs.gov/pub/irs-pdf/p4524.pdf

Publication 4557 Safeguarding Taxpayer Data

https://www.irs.gov/pub/irs-pdf/p4557.pdf

Publication 5027 Identity Theft Information for Taxpayers

https://www.irs.gov/pub/irs-pdf/p5027.pdf

Publication 5199 Tax Preparer Guide to Identity Theft

https://www.irs.gov/pub/irs-pdf/p5199.pdf

Publication 5293 Protect Your Clients; Protect Yourself

https://www.irs.gov/pub/irs-pdf/p5293.pdf

Form 14039 Identity Theft Affidavit

https://www.irs.gov/pub/irs-pdf/f14039.pdf

Form 14039-B Business Identity Theft Affidavit

https://www.irs.gov/pub/irs-pdf/f14039b.pdf

More IRS Resources for Tax Professionals

The IRS website presents several more relevant resources beyond those discussed above. For example, the “Protect Your Clients; Protect Yourself” webpage (https://bit.ly/2LHtW5E) would be a good starting point for anyone unfamiliar with IRS materials. The “Tax Security 2.0: Taxes-Security-Together Checklist” (https://bit.ly/2Kbcx4P) summarizes best practices to defend against cybersecurity incursions, such as the Security Six, creating a data security plan and a data theft recovery plan, and recognizing the signs of phishing emails and client data theft. The Data Theft Information for Tax Professionals webpage (https://bit.ly/34hhYGa) is an excellent one-stop listing of contact information for the IRS, the Federal Bureau of Investigation, the Secret Service, the Federal Trade Commission, state agencies, and credit bureaus. Finally, the main IRS website has a webpage dedicated to information about IRS Criminal Investigations (https://bit.ly/3oRzHvI) with access to its annual report on tax crimes.

Other Federal Agency Resources

The National Institute of Standards and Technology published its “Small Business Information Security: The Fundamentals” (https://bit.ly/3mquHMQ) in November 2016. It is a readable 54-page guide to the basics of small business information security. The guide provides many best practices for safeguarding information and working safely and securely. Appendix C contains a summary of recommended actions: identify, protect, detect, respond, and recover. Appendix D provides customizable worksheets for identifying information types and threats, as well as other related activities.

The Federal Trade Commission has excellent internet security resources for nonexperts. The Cybersecurity for Small Business webpage (https://bit.ly/3oZjm8l) offers materials grouped into 12 categories, such as cybersecurity basics, understanding the NIST cybersecurity framework, and secure remote access. The FTC webpage Coronavirus (COVID-19) Pandemic: The FTC in Action (https://bit.ly/3oWizoG) contains extensive information about coronavirus scams. The Department of Justice National Center for Disaster Fraud (NCDF) (https://www.justice.gov/disaster-fraud) offers a COVID-19 fraud hotline and online complaint webpage (https://www.justice.gov/disaster-fraud) with links to eight federal agency fraud reporting functions. Last but not least, the Federal Communications Commission offers a handy Smartphone Security Checklist (https://bit.ly/34kCLsn) as an interactive tool or short PDF.

Susan B. Anders, PhD, CPA/CGMA is the Louis J. and Ramona Rodriguez Distinguished Professor of Accounting at Midwestern State University, Wichita Falls, Tex. She is a member of The CPA Journal Editorial Advisory Board.