Cybersecurity Tips for Tax Season

With new and ongoing data security threats, a cybersecurity expert offers his advice for protecting taxpayer data this filing season.

Cliff Steinhauer is the Director of Information Security and Engagement at the National Cybersecurity Alliance — a nonprofit that advocates for safe technology use. He shared steps tax professionals can take, tips for guiding clients on data security, and emerging threats to watch for.

Tax professional best practices.

Steinhauer told Checkpoint that tax professionals can start by making sure their “network and computer systems are running updated current software” and that they have an antivirus program installed.

He also recommends using multifactor authentication and “forcing strong and unique passwords to be used for the tax preparer to login to their software.” In addition, tax professionals should be “encrypting data that they store about their clients” and “using encrypted transmission platforms” such as a VPN or HTTPS connections.

Beyond these proactive steps, tax firms should be monitoring their network for “unusual activity.” That includes making sure staff is trained on “what phishing looks like, what impersonation scams look like, and what business email compromise looks like.”

Steinhauer added that “going into tax season is a great time to do an audit” with your IT team or service provider. He recommends asking the IT team to do testing to ensure there are “no holes in your infrastructure.”

Guiding clients on cybersecurity.

In their conversations with clients, tax preparers should be “communicating what they’re doing to keep the customer’s data secure” as well as “what the customer should be looking out for.”

Advise clients to watch out for phishing and scams — and offer them tips on identifying suspicious activity. Steinhauer suggests tax preparers make sure clients know what email you’ll use to communicate with them and what your website looks like.

“We see attackers impersonating trusted individuals,” he said, and a “tax preparer could be impersonated by a criminal to ask questions and to try to steal information or money from the customer.” Steinhauer recommends informing clients of your “standard processes” for communicating, so that “unexpected behavior and unexpected communications raise a red flag for the customer.”

For example, you might tell clients you will never text them. “A lot of scams start with text messages,” said Steinhauer, so a client knowing up front that you will not communicate via text messages is “really important.”

He also recommends offering clients a “trusted method of communication” — which could simply be handing them your business card with your phone number. “When unexpected things happen, they can go back to that business card and call the number on the business card,” Steinhauer explained.

Beyond just communications between the tax preparer and client, Steinhauer suggests “the tax preparer could become an advocate for secure behaviors.” For example, a tax preparer can advise clients to use multifactor authentication on all financial accounts; to avoid reusing passwords or using weak, short, or easily guessable passwords; and to keep software updated on their computer.”

Extra precautions for data breach victims.

One rising threat, said Steinhauer, is attackers trying to use taxpayer information to file a fraudulent tax return and get any refund sent to them instead of to the taxpayer. “It’s a little more prevalent because of how many data breaches we’ve seen in the past couple of years,” Steinhauer explained.

“If you’ve gotten a letter in the past year or two that you were the victim of a data breach and the information included your Social Security number, there’s two things you should do,” he said. First, “freeze your credit with all three credit reporting bureaus so that accounts can’t be opened in your name.” Second, he suggests requesting an IRS filing pin from the IRS “so that you have to provide that pin number to file your taxes.”

Though the filing season is already well underway, Steinhauer said that data breach victims may also want to file taxes “sooner rather than later … before the attackers have the chance to do so.”

AI threats.

“AI is helping bad guys construct more convincing scams,” said Steinhauer.

AI can be useful to scammers in creating “well-written, well-crafted, convincing phishing emails or text messages.” He described how scammers use an AI chatbot connected to a text message platform where “the AI actually has the conversation for the attacker.”

Another way scammers use AI is for voice cloning – pretending to be somebody that’s trusted and using their voice or creating “their own trusted voice that masks what their voice actually is.” Steinhauer explained that “for a CPA, tax attorney, or tax preparer that maybe has some YouTube videos they’ve put out in the past, or they’ve done a webinar, the attacker can take their voice and clone it and then use it to pretend to be that person.”

Attackers also might spoof a phone number, so it looks like their call is coming from the tax professional. Steinhauer suggests advising clients that if they are suspicious of a call purporting to be from their tax preparer, they should hang up and call back to a trusted phone number.

AI in software. But beyond watching for attackers using AI to implement scams, Steinhauer cautioned that tax professionals should be sure any software incorporating AI contains security features. For example, tax software with a chat feature “has to be implemented in such a way that you could not ask a question to the AI, and it gives you an answer that involves somebody else’s private data.”

Make sure the software is “walling off” individuals’ data, said Steinhauer. “People put sensitive data into these AI models, and they don’t realize that that sensitive data becomes part of the model,” he added. “It’s possible later on for somebody to either intentionally or accidentally access the sensitive data.”

Thomson Reuters is committed to protecting the data privacy of our customers. For more information about Thomson Reuters’ security commitment see https://www.thomsonreuters.com/en/trust-center.