WASHINGTON – The Internal Revenue Service and the Security Summit partners warned tax professionals that savvy cybercriminals target IRS-issued identification numbers to help impersonate practitioners as well as taxpayers.
To help protect against this threat used on the Dark Web, the IRS, state tax agencies and the tax industry reminded practitioners that they must maintain, monitor and protect their Electronic Filing Identification Numbers (EFINs) as well as keep tabs on their Preparer Tax Identification Numbers (PTINs) and Centralized Authorization File (CAF) numbers.
This is the sixth in a series called “Protect Your Clients; Protect Yourself: Tax Security 101.” The Security Summit awareness campaign is intended to provide tax professionals with the basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns.
Although the Security Summit — a partnership between the IRS, states and the private-sector tax community — is making progress against tax-related identity theft, cybercriminals continue to evolve, and data theft at tax professionals’ offices is on the rise. Thieves use stolen data from tax practitioners to create fraudulent returns that are harder to detect.
Cybercriminals sometimes post stolen EFINs, PTINs and CAF numbers on the Dark Web as a crime kit for identity thieves who can then file fraudulent tax returns. EFINs are necessary for tax professionals or their firms to file client returns electronically. PTINs are issued to those who, for a fee, prepare tax returns or claims for refund. CAF numbers are issued when tax practitioners or their firms file a request for third-party access to client files.
These identification numbers may only be obtained directly from the IRS.
Here’s what tax professionals can do to protect these important numbers from identity thieves:
Once a tax professional has completed the EFIN application process and received an EFIN, it is important that they keep their account up-to-date at all times. This includes:
Monitoring EFINs, PTINs and CAFs
Tax professionals can obtain a weekly report of the number of tax returns filed with their EFIN and PTIN. For PTIN holders, only those preparers who are attorneys, CPAs, enrolled agents or Annual Filing Season Program participants and who file 50 or more returns may obtain PTIN information. Weekly checks will help flag any abuses by cybercriminals. Here’s how:
For EFIN totals:
For PTIN totals:
For those with a Centralized Authorization File (CAF) number, make sure to keep authorizations up to date. Tax professionals should make an annual review to identify outstanding third-party authorizations for people who are no longer their clients. It is important that tax professionals remove authorizations for taxpayers who are no longer their clients.
See “Withdrawal of Representation” in Publication 947, Practice Before the IRS and Power of Attorney. Information also is available in the instructions for Form 2848, Power of Attorney and Declaration of Representative, or Form 8821, Tax Information Authorization, for additional information on withdrawing representation.
The same good security habits for protecting client data also can protect the EFIN. Those include the use of strong anti-virus software, strong and unique passwords, two-factor authentication where available.
In addition to these steps, the Security Summit reminds all professional tax preparers that they must have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. They can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.
Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts and Social Media.