10 Signs of Client Data Theft

 – August 6, 2019
10 Signs of Client Data Theft

Tax professionals need to learn the tell-tale signs that their office may have experienced a data theft that resulted in fraudulent tax returns being filed in their clients’ names.

The IRS, state tax agencies and the private-sector tax industry, working together as the Security Summit, warned practitioners that global criminal syndicates remain active, and they are well financed, high skilled and tax savvy in their attempts to gain sensitive tax data.

“Learning the signs of identity theft is critical for anyone handling taxpayer data,” said IRS Commissioner Chuck Rettig. “It can be as subtle as an unusually slow computer system or as obvious as multiple clients unexpectedly receiving the same IRS notice. Paying attention to these details is critical, and fast action alerting the IRS and calling in a security expert can help protect taxpayers and your business.”

Recognize the Signs of Client Data Theft

The IRS and Summit partners have created a list of warning signs that a tax professional or their office may have experienced a data theft:

  1. Client e-filed returns begin to be rejected by the IRS or state tax agencies because returns with their Social Security numbers were already filed;
  2. Clients who haven’t filed tax returns begin to receive taxpayer authentication letters (5071C, 4883C, 5747C) from the IRS to confirm their identity for a submitted tax return.
  3. Clients who haven’t filed tax returns receive refunds;
  4. Clients receive tax transcripts that they did not request;
  5. Clients who created an IRS Online Services account receive an IRS notice that their account was accessed or IRS emails stating their account has been disabled. Another variation: Clients unexpectedly receive an IRS notice that an IRS online account was created in their names;
  6. The number of returns filed with the tax professional’s Electronic Filing Identification Number (EFIN) exceeds the number of clients;
  7. Tax professionals or clients responding to emails that the firm did not send;
  8. Network computers running slower than normal;
  9. Computer cursors moving or changing numbers without touching the keyboard;
  10. Network computers locking out employees.

“Tax professionals should be on the lookout for these scary scenarios that have hit firms across the country, jeopardizing data of the company and their clients,” Rettig said.

Because IRS and state tax systems will only accept one unique Social Security number, taxpayers often discover they are a victim when they attempt to e-file and their tax return is rejected because a return with their SSN already is in the system. Or, more commonly, the IRS identifies a return that could be an identity theft return and sends a letter to the taxpayer asking them to contact the agency to let the IRS know if they filed the return.

Identity thieves sometimes try to leverage the stolen data by using taxpayer information to access the IRS Get Transcript system. Taxpayers who receive transcripts by mail but did not order them are sometimes victims of this approach. Get Transcript Online is protected by a robust, two-factor authentication process. But crooks may still try to use stolen identities to try to create Get Transcript accounts, which results in the IRS disabling the account and sending the taxpayer a letter.

During the tax filing season, tax professionals should make a weekly review of returns filed with the office’s Electronic Filing Identification Number, or EFIN. A report is updated weekly. Tax preparers can access their e-File applications and select “check EFIN status” to see a count. If the numbers are inflated, practitioners should contact the IRS e-Help Desk. Tax professionals may also notice IRS acknowledgements for returns they did not e-file. Acknowledgements are sent soon after a return is transmitted.

Tax professionals who fall victim to spear phishing email scams, a common way cybercriminals access office computer, may suddenly see responses to emails they never sent. If a practitioner mistakenly provides username and password information to the thief, the thief often harvests the practitioner’s contact list, stealing names and email addresses of colleagues and clients and enabling the crooks to use the tax firm to expand their spear phishing scam.

Always be alert to phishing scams, even if the emails appear to come from a colleague or client. If the language sounds a bit off or if the request seems unusual, contact the “sender” by phone to verify rather than opening a link or attachment.

Finally, there are several signs that office computer systems may be under attack or may be under remote control, such as the cursor moving with no one at the keyboard. The IRS is aware of many examples in which cybercriminals gained access to practitioners’ office computers, complete the pending Form 1040s, change electronic deposit information to their own accounts and then e-filed the returns – all performed remotely.

Tax professionals who notice any signs of identity theft should contact their state’s IRS Stakeholder Liaison immediately. The process for reporting data theft to the IRS is outlined in Data Theft Information for Tax Professionals.

In some states, data thefts must be reported to various authorities. To help tax professionals find where to report data security incidents at the state level, the Federation of Tax Administrators has created a special page with state-by-state listings.