For companies and individuals alike, tax records run a close second to medical records in terms of the amount of sensitive data they contain. That’s why the 2015 attack on the Internal Revenue Service (IRS), which compromised more than 700,000 taxpayer accounts, caused a nationwide uproar.
Taking advantage of the “Get Transcript” function, which was designed to make tax records more accessible to the average taxpayer, hackers took taxpayer information acquired elsewhere and used it to correctly answer the questions required to receive a transcript. They then used the stolen Social Security numbers, birth dates and addresses to file false returns and collect more than $50 million in fraudulent refunds. These startling revelations had American taxpayers asking one deceptively simple question: will our tax information ever be safe again?
A New Round of Attacks
After repeated attacks, in June 2016 the IRS removed its electronic filing PIN tool, or e-File PIN, from its website and its toll-free phone line. The IRS also implemented a strong, two-factor authentication process meant to protect taxpayers who’d already been victimized, but it still relied on the same knowledge-based authentication questions to access accounts and Social Security numbers.
In early 2016 the IRS disclosed that it had detected efforts to gain access to e-File personal identification numbers for more than 450,000 Social Security numbers that had already been compromised, resulting in about 100,000 successful efforts.
Since e-Filing links were woven into “almost all” commercial tax software consumers used to file their taxes, the IRS could not move away from the PIN system. Instead, the agency implemented additional security defenses, including measures that run invisibly in the background and look for improper or repetitive IP addresses.
Tax Scams for 2017
With 47 million tax transcripts ordered through the “Get Transcript” function, the IRS has learned some hard lessons about providing taxpayers access to their tax data while also safeguarding their security. The agency is also struggling to keep up with the fast-paced demands of an ever-evolving security landscape, since government salaries are not high enough to recruit the industry’s top talent.
In early 2017, the IRS assembled state tax authorities, accountant organizations, tax software developers and tax preparation chains at its second-annual Security Summit. New 2017 security-system upgrades include “trusted customer” features for taxpayers during the 2017 tax season, which aim to ensure the authenticity of taxpayers and tax returns before, during and after a return is filed. This new process builds on last year’s successes, which saw a 50 percent reduction in the number of taxpayer identity theft affidavits filed.
In addition to implementing data elements in tax software to help authenticate taxpayers, the new safeguards include authentication software that logs a preparer out of a computer that sits idle for more than 30 minutes. The IRS is also educating preparers about keeping client information safe, and taxpayers about recognizing unscrupulous tax preparers.
Individual Taxpayer Identification Numbers (ITIN) that have gone unused for more than three years will no longer be valid, and taxpayers may be required to enter last year’s adjusted gross income number to access their files.
Keeping Your Tax Information Safe
Since more than 50 percent of all returns are filed by professionals, taxpayers can check the tax identification number and credentials of their preparer on the IRS website. They should also review their return before signing it, never file a blank tax return and make sure any refund is delivered to their actual address. If filing personally, it is important to use a secure e-Filing option listed on the IRS’s website.
Other tax safeguards include installing antivirus software and keeping all software and web browsers up to date. Taxpayers and tax professionals should also use strong passwords, beware of phishing scams, limit the personal identification information available on social media, be skeptical of “IRS” calls and emails and never file their taxes over a public Wi-Fi network.
In 2013 alone, the IRS paid out more than $5 billion worth of refunds to identity thieves. Since the IRS processes most refunds within 21 days, you can beat the hacking rush by filing early — before tax-hacking season reaches full swing. Around this time of year, thieves are also searching the mail for W-2s and 1099s, so you can reduce your hacking risks by having your documents delivered electronically, since all thieves need to file a fake return is your birthdate and Social Security number.
A New Era of Tax Security
By verifying the authenticity of who is filing a tax return, the system is becoming safer for taxpayers, the government and the private sector alike. This new “trusted customer” process ensures the security of both the taxpayer and tax preparer and will allow the IRS to speed up the review of questionable returns.
With 153 million tax returns expected this year, April 18th will be a momentous day for the IRS. While Bluefin can’t help you file your return or make tax day disappear altogether, Bluefin can secure your networks via robust point-to-point encryption (P2PE) solutions. For more information on how you can protect your customers and your business, contact Bluefin today!