3 ways to protect taxpayer data against cyberthieves

In a recent SmartVault webinar, Randy Johnston of K2 Enterprises, and Luke Kiely, a law enforcement veteran and SmartVault’s chief information security officer, discussed a group of people that plague tax and accounting firms at tax time: cyberthieves.  

Why are accounting firms so vulnerable to cyberattacks? 

From January through April, tax fraud and scams are rampant, and each year, criminals only get bolder more clever. Unfortunately, the costs to taxpayers are enormous. Here’s an example to put “enormous” into perspective: The government estimates billions of dollars were stolen by fraudsters from programs meant to help taxpayers during the pandemic. In fact, they’re calling the massive amount of theft “the biggest fraud in a generation.”

This isn’t meant to scare you. Instead, it’s intended to emphasize just how seriously you and your accounting firm staff need to take cybersecurity this tax season.

Even though everyone is aware they need to protect themselves against cyberthieves—and, as Randy points out, IRS Publication 5293 requires you to have a way to keep taxpayer data safe—Luke says a firm leader’s biggest problem is that they have what cybercriminals want: data.

“You need to know what you’re protecting,” he cautions. “Accounting is one of the most commonly attacked professionals globally for clear reasons: that’s where the money is.”

Since firms are so busy during tax season, it can be easy for cybercriminals to trick people.

What do real-life cyberattacks look like? 

Cyberthieves frequently target small businesses that weren’t even aware something in their system was vulnerable. The attackers get into the system and encrypt the data with ransomware, rendering the files completely useless. Frequently, they demand a lot of money—more than many small firms have available—to unlock the information and return it to the business owner. When it comes to accounting firms, thieves are well aware of the tax season schedule and often plant malware months in advance. Then they make a move right before a crucial tax deadline, leaving accounting firms struggling and in a bad position.  

According to Randy, in the last several years, law enforcement saw a huge jump in fraudulent e-filing cases where cybercriminals used sophisticated techniques to take advantage of taxpayers who would be getting refunds of $5,000 or more.

“They didn’t take the small stuff,” he says. “Instead, they used codes to look for larger refunds and then intercept the e-file, rerouting the money from the taxpayer to an offshore bank account. Worse still, even though the IRS and security software vendors are well aware of attacks like these, they haven’t yet come up with systems that can completely protect accountants and taxpayers.”

What can firms do to safeguard data? 

Whether your firm is large or small, Randy and Luke agree: You should expect criminals to try to circumvent your defenses, especially at tax time.

Remind team members to examine email carefully. Phishing emails often have odd reply addresses, strangely worded content, and a sense of urgency:  hackers frequently try to push people into responding hastily to get what they want. 

“Ask yourself, ‘Am I likely to get an email from a CEO asking to make a change to a bank account at 5 pm on a Friday?’” asks Luke. And if one of your team members believes they might have made a mistake, it’s crucial that they don’t wait to tell you.

Randy: “One of the saddest calls I get is when a non-client CPA firm contacts me, and they’ve had a team member who got a spam email, compromised the system late on a Friday night, and then said, ‘Yeah, that doesn’t look right, but I’ll deal with it Monday.’ This just lets the process take off.”

3 ways to protect your clients’ data

While all of this sounds frightening, there are ways you can protect yourself. When prompted to choose his top three security measures, Luke offered the following: 

1. Identify data that is essential to operating your firm. Then back it up to a cloud provider, such as SmartVault, that isn’t attached to your network. This will protect it in the event of machine failures, power outages, and ransomware attacks. Randy offered this additional advice: “The Department of Homeland Security has their 3-2-1 philosophy: Three copies in two different media with at least one off-site.” Don’t just trust your hosting provider to safeguard your data. It’s not paranoid: Backing everything up is critical.
2. Protect yourself against malware by installing recognized, commercial antivirus software. Furthermore, take the time to educate your staff about cyberattacks and security measures, including avoiding downloading, as Luke calls them, “dodgy apps.” Then keep your firmware and IT system up to date. Once machines and software get old, they become more vulnerable to exploitation.
3. If your firm has a BYOD (bring your own device) policy, create rules about what employees can and cannot do on the device. Many people now use their own smartphones and personal laptops to access company servers, so the use of personal devices for work purposes needs to be considered. If you are unable to supply all your staff with company devices, at least make sure everyone has security systems that are maintained and updated by a professional IT team and that they are following the safety rules you’ve created. 

Some final takeaways: There will always be vulnerabilities, so keep a watchful eye out for phishing emails and anything that seems off, back your systems up regularly, and follow the basics.

Protecting your practice

Hackers always look for new, more sophisticated ways to access sensitive information. Along with following proven strategies like those above, another powerful way is to use a document management system and client portal such as SmartVault, that allows you to securely store and share files and data online.

Partnering with security-focused vendors who offer solutions built for your unique needs is crucial. This way, you and your clients can rest assured that robust security measures safeguard your most valuable information.