How Tax Practitioners Became Cybersecurity Risks

Tax professionals are a hacker's dream.

By Donny Shimamoto, CPA, CITP, CGMA
On Cybersecurity for Accountants
Center for Accounting Transformation

In 2015 the U.S. Internal Revenue Service (IRS) held its first Security Summit.[i] By creating a public-private partnership via the Summit, the IRS is seeking to protect more taxpayers and more tax dollars from tax-related identity theft.


Partners in the Summit included the IRS, state tax agencies and the private-sector tax industry—for example, financial institutions, cybersecurity practitioners and tax practitioners.

The Summit brought together people from the full value chain of tax compliance. Taxpayers submit information to tax practitioners, who prepare the returns and submit them to the tax authorities.

The tax authorities process the returns and pay out refunds, as appropriate, via the financial institutions. The financial institutions deliver the funds to the taxpayer, completing the chain. Cybersecurity practitioners and solution providers help protect the entire value chain, whether by providing personal cybersecurity software (e.g., antivirus for mobile phones or other personal devices), defining cybersecurity standards and practices for the businesses or governmental agencies involved, or supplying the cybersecurity intelligence and software that protect these entities from threats. By working together in a coordinated fashion, we should be better able to identify the gaps in the value chain that fraudsters are taking advantage of and fill those gaps from both sides.

Remember that cybersecurity is only as effective as its weakest link. We often focus on the links within our own organization. But it takes a consortium, like the Summit partners, to strengthen the links among organizations and further reduce the risk for all.

Initially, taxpayers were the target.
In the early years of the Summit, most of the risk we saw was directed at taxpayers themselves. An example of this, which we hear is still going around, is an email telling taxpayers that their refund is ready but that the IRS needs to verify their bank account information before sending the payment. The taxpayer is instructed to click on a link that takes them to a website that looks like an official IRS website and prompts them to enter their bank routing and account numbers. Once the taxpayer does this, they receive a confirmation that their refund will be processed. Instead, the fraudsters use the bank information to pull money from the taxpayer's bank account.
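The lookalike-site scheme above depends on the link in the email pointing somewhere other than the real IRS domain. The Python below is an added example for this article, not code from the author or from the Security Summit partners. It classifies a link from a "your refund is ready" email by whether its registered domain is irs.gov (the IRS's actual web domain), whether it imitates irs.gov in its hostname or in the user-info portion before an "@", or neither. The `.example` hostnames and the address 203.0.113.5 are constructed sample values, and the `registered_domain` helper is a deliberate simplification (a production check would consult the Public Suffix List).

```python
from urllib.parse import urlparse

# The IRS's real web domain. Any other host presenting itself as the IRS is suspect.
TRUSTED_IRS_DOMAINS = {"irs.gov"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname ('www.irs.gov' -> 'irs.gov').

    Simplification for this example: a production check should use the
    Public Suffix List so multi-label suffixes such as 'co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Classify a link found in a 'your refund is ready' email.

    Returns one of:
      'trusted'    - HTTPS link whose registered domain is irs.gov
      'plain-http' - irs.gov, but over unencrypted HTTP (worth a second look)
      'lookalike'  - not irs.gov, but dressed up to resemble it
      'other'      - not irs.gov and not obviously imitating it
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "other"

    if registered_domain(host) in TRUSTED_IRS_DOMAINS:
        return "trusted" if parsed.scheme == "https" else "plain-http"

    # 'https://www.irs.gov@203.0.113.5/' places irs.gov in the user-info part;
    # the browser actually connects to whatever follows the '@'.
    if parsed.username and "irs" in parsed.username.lower():
        return "lookalike"

    # Split the hostname into tokens on '.' and '-' and look for an 'irs' token.
    # Whole-token matching avoids false positives on words such as 'first-bank'
    # that merely contain the letters i-r-s.
    tokens = host.replace("-", ".").split(".")
    if "irs" in tokens or "irsgov" in tokens:
        return "lookalike"
    return "other"


def triage_links(urls):
    """Classify a batch of links and return {url: classification}."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links ('.example' is a reserved name; 203.0.113.5 is a
# documentation address). None of these are real sites.
SAMPLE_LINKS = [
    "https://www.irs.gov/refunds",
    "http://www.irs.gov/refunds",
    "https://irs.gov.refund-verify.example/account",
    "https://secure-irs-refund.example/verify",
    "https://www.irs.gov@203.0.113.5/verify",
    "https://www.first-bank.example/login",
]

if __name__ == "__main__":
    for link, verdict in triage_links(SAMPLE_LINKS).items():
        print(f"{verdict:11} {link}")
```

Running the block prints one verdict per sample link; only the first is `trusted`, the plain-HTTP irs.gov link is flagged for a second look, the three imitations come back `lookalike`, and the unrelated bank login is `other`. The same check can be applied to every URL in an inbound message before a user is ever shown the link.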

The threat quickly shifted to tax practitioners.
In 2017, fraudsters changed their tactics and started targeting tax practitioners, stealing their clients' tax information and the preparers' own EFINs (Electronic Filing Identification Numbers).

In an evolution of the first tactic described above, fraudsters would submit a fraudulent return and have the refund deposited into the bank account of a taxpayer whose bank account they already knew. Then they would send an email from a supposed debt collector telling the taxpayer that a tax refund had been incorrectly deposited into their bank account (identified by its last four digits) and that they had to forward the money lest they become liable for it. The taxpayer would check their bank account, see that the funds were indeed there and that the amount did not match their expected refund, and so comply, sending the money to the fraudster. Using this scheme, the number of potential taxpayer victims jumped from a few hundred to several thousand in just days.[ii]

Your gut reaction may be, "That's truly sad for the taxpayer, but it doesn't really affect me." Well, if that taxpayer was your client, it does impact you: if the fraudster got the refund issued by submitting a false return, then you'll have to fix it for your client. You'll usually only find out about the issue when you try to submit the real return and it gets rejected, saying that a return has already been filed and the refund has been paid out.

So how does the fraudster get the taxpayer information in the first place? By stealing information from tax firms.

During a December 2020 cybersecurity panel for the Washington Society of CPAs that I moderated, IRS representative Matthew Gamble, senior tax analyst for the RICS Business Performance Lab, shared how this worked. Fraudsters would steal the client list and information from a tax practitioner, and also potentially steal the preparer's EFIN. Then they submit fraudulent returns for the clients under another tax practitioner's EFIN so that the true preparer isn't alerted to any issues until they try to file a return. Because the fraudulent return isn't tied to their EFIN, it is difficult for them to obtain information about the return, buying the fraudster more time to stay undetected.

Make no mistake: even if the money was stolen from taxpayers, the tax preparer is in just as much jeopardy. Having the right cybersecurity measures in place is, therefore, that much more critical.


[i] IR-2018-27, February 13, 2018.
[ii] IR-2019-66, April 8, 2019, https://www.irs.gov/newsroom/irs-security-summit-partners-mark-significant-progress-against-identity-theft-key-taxpayer-protection-trends-continue