Preparer Security and Tax Identity Theft


Preparer Security and Tax Identity Theft

By Mark Castro, CPA

This page is designed to give tax preparers the information they need to meet their security obligations and to improve their defenses against tax related identity theft, which includes safeguarding their computer systems from cybercriminals. This page will also let tax preparers know the latest ways identity thieves are attempting to obtain personal information from individuals.

Tax preparers have become key targets of criminal syndicates that are well funded and tech-savvy. They target tax preparers because they are custodians of highly sensitive personal financial information that they can use to create fraudulent tax returns and claim fake refunds.

They not only wish to steal the client data from a tax preparer, therefore they are targeting the tax preparer’s identity as well. They then use the preparer’s PTIN, EFIN, and/or CAF numbers to file fraudulent tax returns or steal even more information.

Because they increasingly have become targets, tax preparers need to take steps to protect their client’s data and their computer networks from these threats.

Just to give you an idea of how this threat continues to grow, as of June 30, 2021, there had been 222 data theft reports for the 2021 filing season from tax professionals. This outpaces the rate of 211 in 2020 and 124 in 2019.

Lastly, it is important to note that tax preparers are required by federal law (Gramm-Leach-Bliley Act of 1999) to create and maintain a written data security plan. The Federal Trade Commission administers this law and created a Safeguards Rule to administer it.

Here are basic security steps that preparers should take:

  • Learn to recognized phishing emails. Never open a link or any attachment from a suspicious email.

    For more information see:

  • Create Better and Stronger Passwords

    All preparers should review the new, stronger password guidance for all of their online accounts.

    This new guidance suggests using a passphrase such as a favorite line from a movie or a series of associated words rather than using a traditional password.

    For more details on this guidance see:

  • Review internal controls
    • Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets, and phones) and keep software set to automatically update.
    • Encrypt all sensitive files/emails.
    • Back up sensitive data to a safe and secure external source not connected to a network.
    • Wipe clean and destroy old computer hard drives and printers that contain sensitive data.
    • Limit access to taxpayer data to individuals that need to know.
    • Check IRS e-Services account weekly for number of returns filed with EFIN.
    • Create and secure Virtual Private Networks - A VPN provides a secure, encrypted tunnel to transmit data between a remote user via the Internet and the company network. Search for "Best VPNs" to find a legitimate vendor; major technology sites often provide lists of top services.
  • Use Multi-Factor Authentication
    Based on reports to the IRS in 2020, many tax professionals whose client data was stolen failed to use multifactor authentication, and the feature could have prevented some of the thefts. Tax professionals should use multi-factor authentication features anywhere it is offered, such as commercial email products and cloud storage providers.
  • Report any data theft or data loss to appropriate IRS Stakeholder Liaison

Additional Links for More Information on Identity Theft and Preparer Security