You knew this busy season would be a tough one. But just like every other season before it, you’ve rocked the challenge. With a little more than two weeks left to go, you’re well on your way to a hard-earned vacation.
At this point, what could go wrong? A lot if you’re not paying attention to the security of your clients’ information.
I caught up with Minh Graham, CPA, of the AICPA Tax Practice & Ethics team, who shared her insights on the top five identity theft issues you should be considering as you head into the final stretch.
A reminder about electronic communications
A text message may seem like a quick way to get an answer from your client, but Graham said this is a bad idea. “You could be sending or receiving confidential data,” she said. “Remember, you’re sending a message to an unsecured phone. These messages need to be handled carefully.” She also stressed that CPAs should avoid giving out tax advice in text messages. “Confirming client information or agreements via text isn’t a good practice,” she said. “It raises issues of sufficient documentation of client approvals or confirmations of requests.”
If you must offer tax advice electronically, Graham suggests using encrypted email servers. Be sure to include a legal disclaimer in these messages too. And never forget that emails aren’t perfectly secure either. Don’t use them to send sensitive information.
Rejected returns and unexpected deliveries
No one likes rejection. This holds especially true when a practitioner tries to e-file a return, but it’s rejected. If this happens to your client’s return because a tax return was previously filed under his or her Social Security number (SSN), individual taxpayer identification number (ITIN) or employer identification number (EIN), there’s a good chance your client is a victim of tax identity theft. This applies to extension requests too. “If this happens, print and mail in your client’s return,” Graham said. “Attach Form 14039, Identity Theft Affidavit, to the back of the paper-filed tax return.”
If you or your client received an unexpected transcript or IRS notice in the mail, consider it a red flag. Likewise, if you or your client fails to receive an expected transcript or another tax document, this could mean an identity thief has made an unwelcome address change on your behalf.
Each year, the IRS issues a slew of warnings about phishing attacks targeting taxpayers. More recently, these warnings have been aimed at tax preparers. Sometimes these email scams are easy to spot. Other times, they seem innocent until it’s too late. “Identity thieves may pose as tax software or data storage providers, the IRS or a prospective client,” Graham said. “They can easily steal your data through these kinds of phishing scams.” Forward any suspicious emails to the IRS at firstname.lastname@example.org.
Our article, Cybersecurity facts tax practitioners need to get right, has more guidelines and tips on keeping client data secure. You can read more about what Americans think about these identity theft threats in this report from the AICPA.
Small business concerns
“Small businesses are just as vulnerable to identity theft as individuals,” Graham said. Thieves can use small business EINs to create fake W-2 forms. These can then be used to file fake individual tax returns, she said. The IRS announced an increase in the number of fraudulent Forms 1120, 1120S and Schedules K-1. See the IRS’s Tax Practitioner Guide to Business Identity Theft for additional guidance.
Performing a PTIN checkup
Just like your SSN, your preparer tax identification number (PTIN) is in high demand among identity thieves.
“If you filed 50 or more returns with your PTIN in a calendar year, you can do a PTIN checkup,” Graham said. “Go to your online PTIN account to access a summary of how many returns were filed under this number.” Graham suggests doing weekly checks to catch problems early. “If the number of returns filed with your PTIN is significantly higher than the number you know you’ve prepared, your PTIN may be compromised.” If this occurs, file Form 14157, Return Preparer Complaint, immediately to report the issue.
Tax preparers should review their electronic filing identification numbers as these can also be used by identity thieves to file fake returns. Access your e-Services account and check for inconsistencies with what you have filed during tax season.
Consider contacting your local IRS stakeholder liaison if you believe your firm has experienced a client data breach.
Some criminals have made their livelihoods from stealing other people’s identities. As much time as you put into taking care of your clients’ private data, they’ve put in double trying to steal it.
If the worst does happen, get your clients on the road to recovery with this identity theft checklist. It’s available to all AICPA members and is one of the many valuable resources found in the Tax Practitioner’s Marketing Toolkit. And don’t forget to bookmark the AICPA’s identity theft hub. It’s full of tools you can use to protect your clients’ precious information throughout the year.
The threat of identity theft is a year-round concern. Busy season just tends to bring it to the surface for tax practitioners. But like all the other challenges facing you this spring, you can handle this one, too.