Identity Theft and the Tax Practice Edward K. Zollars, CPA www.cperesources.com www.currentfederaltaxdevelopments.com New Mexico Tax Conference Today s Session Identity Theft in General Size of the Problem Working with an Affected Client Avoiding Being Part of the Problem 2 1
Identity Theft Size of the Problem 3 It s a Growth Industry for Tax ID Theft Easy to monetize Electronic filing used fast refunds as a selling point Criminals dump fake returns into the system early in the process By design the system cannot easily catch this Information reporting (including withholding) not required to be filed until long after return processing begins Only a single factor generally used for system to identify the taxpayer (social security number) Problem is growing each year Treasury Inspector General (TIGTA) issued two reports in 2013 4 2
12/4/15 #PSTECH 5 #PSTECH 6 TIGTA has reason t o believe a much larger number escaped detection the real numbers may be twice as high 3
12/4/15 #PSTECH 7 #PSTECH 8 4
#PSTECH 9 IRS Criminal Prosecutions Number is rising But clearly the vast majority of criminals get away with their crime Statistics through April 10, 2014 reported by IRS Criminal Investigation Division 10 5
First Lady of Tax Fraud Used prepaid debit cards loaded with refunds from falsified returns from 2009 through 2012 Filed from Perpetrator s home Various hotels around Tampa, Florida (the capital of tax refund fraud) Scheme netted her and her partner nearly $4.5 million 11 Identity Theft Working with the Affected Client 12 6
IRS Advice to Reduce Chance of ID Theft Don t carry documents with SSNs on them with you Limit giving out SSN Protect financial information Check credit report at least annually Secure all personal information at home Computer safety Firewalls Anti-spam/virus software Password security Ed s tip DON T BE AN IDIOT Don t give out personal information You did not initiate contact Not verified ID 13 The One Thing Clients Need to Be Told: The IRS does not initiate contact with taxpayers by email or social media tools to request personal or financial information. The IRS does not send emails stating you are being electronically audited or that you are getting a refund. This includes any type of electronic communication, such as text messages and social media channels. - IRS FAQ on Identity Protection Tips 14 7
The One Thing Clients Need to Be Told: The IRS does not initiate contact with taxpayers by email or social media tools to request personal or financial information. The Note IRS does Neither not send do emails stating you are being electronically banks, brokers, audited or that etc. you are getting a refund. This includes any type of electronic communication, such as text messages and social media channels. - IRS FAQ on Identity Protection Tips 15 IRS Procedures 16 8
IRS Indicators of Tax ID Theft Notice more than return has been filed for taxpayer s identification number Collections for year in which no tax was due IRS shows more wages than taxpayer received Taxpayer has state or federal benefit cancelled due to reported income change 17 What to Do Next? IRS Notice Received Contact IRS to stop the computer s autopilot functions Get Power of Attorney Document all communications with IRS Consider use of taxpayers advocate office if process threatens to roll over client Reach out to IRS ID Theft Unit (800-908-4490) No IRS Notice (Yet) Contact IRS ID Theft Unit (800-980-4490, x245) Explain why taxpayer believes at risk Lost or stolen wallet/purse Home robbery Questionable credit activity Ask IRS to secure account and flag as potential ID theft victim 18 9
IRS Form 14039 IRS Form 14039 Used to document issues related to identity theft Also provides a cover sheet for information needed to document client s identity Remember IRS needs to conclude your client is who they say they are 19 Form 14039 20 10
Form 14039 21 Hurry Up and Wait Client needs to understand this is going to take time Refunds are likely going to be delayed (significantly) Executor may have issues closing an estate Mortgages/refinancings will be difficult to obtain Other taxing agencies may be involved May have other, nontax, ID theft issues IRS unlikely to be able to speed this up much without creating a bigger problem 22 11
IRS Identity Protection PIN (IP PIN) Six digit number issued by IRS Originally limited to prior victims of identity theft IRS testing expansion in 3 highest risk markets (Florida, Georgia, DC) Submitted with return Electronic returns will be rejected without it Paper returns will take much longer to process 23 IRS Identity Protection PIN (IP PIN) 24 12
IRS Identity Protection PIN (IP PIN) What if find out: Taxpayer never noticed he/she was assigned one? Taxpayer loses the document? Recovery of IP PIN Originally had to call IRS, have new IP PIN issued after IRS confirmed identity Online option started this year to use taxpayer must have Social security number Date of birth Email address and Filing status and mailing address from most recently filed tax return 25 Identity Theft Avoiding Being Part of the Problem 26 13
CPA Firms and Data CPA Firm Clients are High Worth Targets Professionals Just Want to Work in Their Area Look at Protecting Your Clients 27 IRS Publication on Protecting Data FS-2015-24, Publication 4557 Outlines steps preparers should take Reminds us of our responsibilities Remember New Mexico has its own law in this area as well Most likely to be cited as standard of care if breech occurs 28 14
IRS Recommended Steps Top-notch security software that includes a firewall, antimalware and anti-virus programs; make sure they are set to automatically update so that the software can stay current against the latest threats; and consider having firewalls for both hardware and software. 29 IRS Recommended Steps An education program for all employees to ensure they understand the dangers of phishing emails and other threats to taxpayer data. Publication 4557 has several items related to employees such as halting their access to the preparer s computer systems if they leave employment. 30 15
IRS Recommended Steps Strong passwords that are changed periodically; consider having different levels of password protection. For example, have one password to access the computer system and a separate password to access tax software or client files. That way, if the computer system is breached, perhaps not all of the information will be exposed. 31 IRS Recommended Steps Secure wireless connection. If Wi-Fi is used, protect taxpayer data by making sure it is password protected and encrypted email programs to exchange PII information with taxpayers. 32 16
IRS Recommended Steps Back up taxpayer data frequently, perhaps on an external hard drive, and ensure that the hard-drive is kept in a secure location with limited access by others 33 IRS Recommended Steps Store any paper files in a secure location. 34 17
IRS Recommended Steps Access IRS e-services weekly during the filing season and periodically throughout the year to see the number of returns filed using the preparer s EFIN. If the number is excessive, contact the e-help Desk for e-services immediately. 35 Full Disk Encryption Microsoft Windows BitLocker In Windows Professional for Windows 7 and later Not obvious how to install if computer lacks TPM module Inexpensive non-enterprise laptops often lack it Can be installed http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-ondrives-without-tpm/ Apple OSX Filevault 2 Third Party Options Veracrypt Symantec PGP Full Disk Encryption Can be used on removable drives as well 36 18
Small is Convenient and Easy to Lose Content of the drive Users copy all kinds of data onto thumbdrives Often only delete data when the drive fills up A thumbdrive used by a CPA could contain Client personal information Firm detailed information Security information (passwords, etc.) Data files that contain personal information clients obtained from their customers, employees, vendors, etc. (think payroll) Generally no record is kept of data that has been transferred to a drive 37 Phones, Tablets, Etc. ios Device Locking options Erase if fail 10 times option Long password option Remote device management Fingerprint reader (iphone 5S only) Android Devices Locking options Additional options (though likely less secure if use them) Can use long passwords Remote device management Fingerprint reader (currently Galaxy S5) 38 19
Organizations and Identity Theft 39 Organizations and Identity Theft We have met the enemy and he is us. -Walt Kelly, Pogo 40 20
End User Behavior Problems Far more important than all the security hardware software you have installed Cannot delegate or outsource this issue Issues Targeted phishing attacks The disaster that is Outlook (or any mail client) Every user (even rainmakers, managing partners, senior tax partners, etc.) must understand risks of what they do with their computers and devices 41 Issue Most employees are exposed to their firm's IT and computer policies on the day they are hired, but seldom are reminded after that. Firms should review their policies annually and incorporate new IT considerations, such as tablet device and smartphone usage and social media concerns, and then provide annual training on any updated policies. Employees should also be educated on current cyber security threats and social engineering scams impacting them and their clients, to further minimize the possibility of becoming a victim. PPC Auditing and Accounting Update, May 2014 42 21
SANS Recommended Program Perform gap analysis (find the weak links) Provide training to address the weak link problems Security program implemented to Common attacks directed against the individual user (phishing, attachments, etc.) Make delivery short and convenient for users Continually update for current attacks (watch for notices of phishing attacks from organizations like AICPA, IRS, etc.) Mandate annual completion for every employee ENFORCE THE POLICY (ESPECIALLY AT THE TOP) Test employees from time to time to see if they are following the policy 43 Risk to the Firm Requirement to maintain confidentiality Ethics Rule 301/New ET Sec. 1.700.001 Note upcoming codification s use of terms safeguards and threats as key concepts State data breach laws In all U.S. states, territories and District of Columbia except for Alabama, New Mexico and South Dakota See links in material to state(s) of interest to you 44 22
Additional Issues Definition of personal information under statute Basically name Along with any of the following Social security number Driver s license Account number, etc. that grants access to financial account Nature of notification defined by statute Realize NOT JUST LIMITED TO CLIENTS 45 Contact Information Edward K. Zollars, CPA edzollars@thomaszollarslynch.com www.cperesources.com Twitter: @edzollars 46 23