By Michael D. Colgan, PICPA CEO and executive director
The IRS has notified us that scammers have been reaching out to CPAs impersonating state accounting and professional associations. Please be on guard. The PICPA frequently sends members emails with links to our website, however, we never ask you to share, confirm, or reply to an email with your username and password. We only use secure log-in pages that ask for these items when purchasing a course, contributing to the Pennsylvania CPA Foundation or CPA-PAC, or accessing the “My Account” section.
Here are a few tips to help you identify a scam directed at PICPA members:
- Check the URL address at the top of the email. It should always include picpa.org.
- Watch for weirdly phrased sentences or odd modifications of a name. Scammers usually don’t take the time to be accurate. For instance, if you receive something from the “Pennsylvania Society of CPAs,” this is not from us, and your radar should go up.
- The PICPA occasionally send emails encouraging members to update their profile on our website to ensure that you receive the information that appeals to your interests. This can be done at any time and would send you directly to the My Account section of PICPA’s website. Be familiar with the PICPA website so that you recognize any inaccuracies.
- If you believe that you have been scammed into providing password information, change your passwords immediately. You should also forward the emails to the IRS at email@example.com and to the PICPA at firstname.lastname@example.org.
The IRS provides these additional tips:
- Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider, or cloud storage provider. Never open a link or any attachment from a suspicious email. Remember: the IRS never initiates initial contact with a tax professional via email.
- Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals by the National Institute of Standards and Technology.
- Review internal controls:
-- Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets, and phones), and keep software set to automatically update.
-- Create passwords of at least eight characters. Longer is better. Use different passwords for each account, and use special and alphanumeric characters and phrases. Password protect wireless devices, and consider a password manager program.
-- Encrypt all sensitive files/emails, and use strong password protections.
-- Back up sensitive data to a safe and secure external source not connected fulltime to a network.
-- Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
-- Limit access to taxpayer data to individuals who need to know.
-- Check IRS e-Services account weekly for number of returns filed with EFIN.
- Report any data theft or data loss to the appropriate IRS stakeholder liaison.
- Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alerts, and social media.
This is one more reminder that CPAs must always be vigilant. Guarding sensitive client and member data is a top priority.