The season for filing 2018 tax returns is almost upon us, which means tax practitioners will need to ensure they are properly securing their clients’ data. Torpey White, CPA, CISA, CITP, a partner with Wipfli and Consultants in Media, Pa., discusses potential new scams and what practitioners should do before, and during, tax season to protect sensitive data.

If you’d like, you can download this episode’s audio file. Additionally, you can follow us on iTunes, Google Play, or subscribe to our RSS feed.

By: Jim DeLuccia, PICPA Communications Manager

Podcast Transcript

The season for filing 2018 tax returns is nearly upon us. Naturally, it will be critical for tax practitioners to be sure they are securely protecting client data. Joining me to discuss in best practices in this area is Torpey White, CPA, who is a partner with Wipfli CPAs and Consultants in Media. Torpey is also a certified information technology professional and a certified information systems auditor. He's someone who knows technology.

I wanted to start off, what types of new scams have you seen over the last few months that tax practitioners should be aware of?

[White] The most prevalent new scams involve individual cell phones, where hackers are trying to convince or entice people to respond to a text, or a cell phone message that may or may not seem legitimate. Commonly, the scam will revolve around a callback to the IRS, or a callback to a financial institution. Whether it's a credit card company, an investment company, your bank. The individuals, as well as tax practitioners, should keep in mind that the IRS will never communicate with you via phone, they'll always communicate via US mail. Your financial institution will never call you to ask you for your personal information.

If you have a question about particularly your financial institution calling you, you should call them and indicate you've received a call and see if it's legitimate or not. As far as the IRS, know that they will never contact you by phone and if you're receiving some of those phone calls or text messages, you can immediately feel confident that they are fake and a scam, and you should delete them or block those callers or numbers immediately.

What are a few steps practitioners should take before tax season officially begins to be sure they are securely protecting their client data?

[White] There's several things that practitioners can do now before the heat of busy season really starts. It's some of the more commonsensical, like indicating to your clients that, "Hey, tax season's coming up. Great time to start to get your information together, but if you're going to send it to the practitioner electronically, please use whatever secure mechanism the practitioner has set up." It's very common for individuals that are trying to get their tax return done at the last minute or under some kind of pressure, to avoid security protocols for the sake of efficiency.

Practitioners find themselves in a tough spot when a client is pressuring them to do that because the risk is tremendous that, that information, if it got in the wrong hands, could really come back and backfire on the client. You don't want, as a practitioner, to have the finger pointing to you. It really does behoove the practitioner to remind their clients and encourage their clients to use the secure mechanisms that are in place. With that said, the practitioner now should really make sure that whatever that secure mechanism they're using is up to date with patches from the vendor.

It works properly, all of their employees within the office know how to use it and are well versed in how to make sure it's easy for clients to use, because that's the other obstacle most practitioners run into. If it's not easy for a client to use the technology that you've put in place, they're not going to use it. It's just one more obstacle to them, and it's frustrating. Maybe a practitioner could put themselves in the shoes of their client and try the technology themselves to make sure it's working and is easy to use.

It's always good to do that testing and obviously be sure you've got everything tied up on your end from a practitioner standpoint.

[White] Absolutely. There's nothing more frustrating for both parties than for technology to not work and by Murphy's Law, it always seems to happen at the worst time.

I'm sure. What are a few steps practitioners should take during tax season, to be sure the data is being properly protected?

[White] During tax season, those precautions apply, but in addition, they want to make sure that as data comes into their office, whether it's electronically or in hard copy, that it's secured in the proper manner. From an electronic standpoint, if your data is coming in through an electronic means, you want to make sure the right people have access to that data within your office. If you've had some turnover in the past year, make sure that the individuals that have left the firm still don't have access to that mechanism. And you want to make sure that any data you receive is kept secure, and if it needs to be returned to a client at the end of the processing of the return, get it back to them.

On the manual side, really same kind of caveats apply, in that you don't want to leave that paper laying around. If you have a clean desk policy, or a policy where data that comes in, in hard copy is handled in a certain manner, you want to make sure your employees are following that routine. At the end of the processing of that return, either return the hard copies to the client, or if they don't want them back then shred them through either an onsite shredder or some kind of shredding service to prevent and reduce the risk that that hard copy can get into the wrong hands.

I wanted to switch things up here a little bit and talk about the new tax laws and if you think that they will make fraud even easier for scammers out there. Really, what I'm trying to get to here is that with the tax tables changing, I wonder if more consumers are using calculators, and maybe entering data into these sites that may not be secure, or maybe they are secure? Do you think there could be some heightened level of insecurity out there this year?

[White] Certainly there's always the risk that whenever the tax law changes there could be a heightened extent and a number of scams or attempts to obtain individuals’ personal data. Your example of the online calculators is a great one because the uninitiated, or the ill-informed consumer may think, "Hey, what's the big deal? I'll go to this website and see what my future tax liability or refund may be." If they're not careful to determine whether that website is secured through proper protocols, they could be subject to having their data exposed on websites they don't even know about.

One of the easy ways to find out whether the site you're using is secure is look at the top and what's called the URL line, or the line at the very top of your website that shows where you are entering your data. It should start with something like, www.-whatever the name of the website is, and there should be an HTTPS, somewhere in that line of code. That “S” stands for security, and that is a good sign for the consumer to know that the site they're using has some security protocols that are going to be at a higher level than a site that may not have that level of security.

The other thing to be aware of is with tax law changes, people have questions. They don't know what it means for them, they don't know where they're going to end up. Rather than use one of the online calculators, call your tax practitioner and talk through it with them. It's much easier to have that conversation before your tax return's being processed, so you can anticipate things, than to be doing it at the last minute or again, in that heightened sense of pressured time when you want to get your return done. Again, like I'd mentioned before, security awareness may be reduced because it's being replaced by the duress of trying to get something done.

Really, consumers should be aware that with tax law changes come the risk that their data could be exposed if they're using some kinds of tools online that aren't from a reputable source.

This is good information for practitioners to share with their clients, maybe if they're having meetings in the coming weeks and months.

[White] Absolutely. If the practitioner has one of those tools on their own website, make sure that that is secure. Point your customers or clients to your own website so that they can feel confident that the data they enter is going to stay within the four walls of your IT environment.

Torpey, I'm going to have you look into your crystal ball here a little bit. Do you think, or do you foresee, an uptick in potential hacks this tax season?

[White] Always. Every year, and it seems tongue-in-cheek as an answer, but every year the number of attempts to hack data is increasing because it's such a lucrative field. More and more consumers and clients of tax practitioners are trying to do things through their mobile devices, through their online tools. Whether it's Quicken, whether it's TaxCut, whether it's H&R Block, there's any number of ways for data to be compromised. The hackers know that, they know that during tax season there is that lapse in security awareness that is the exchange for efficiency in trying to get things done. So, they are keenly aware that that's an area and a time when data is right for the picking.

Consumers, clients, tax practitioners should keep their guard up. Particularly during tax season because it can be when those hackers are trying to steal as much data as they can. Clients should keep in mind, and tax practitioners can remind them of this, that while an individual client's data may not seem like it's that valuable, most hackers are trying to grasp thousands and hundreds of thousands of records all at one time and find the path of least resistance. If your data is on an unsecured website, along with thousands of others, it's subject to much greater risk than if you're using a secure website or your tax practitioner's website.

The hackers, particularly in light of some of the data breeches that took place last year with Equifax, some of that data is still out there waiting to be used. Because hackers obtain the data, but they don't necessarily exploit it right away. They may wait months or even years before they decide it's time to do it. Tax season is a great time for exploits to happen. It is buyer beware, use caution when you're logging into any kind of sites, particularly from a mobile device because you don't want to be on unsecured Wi-Fi connections, like in a public place.

Whether it's an airport, a coffee shop, a hotel, be careful. Use a VPN if you have it, use your own organization's secure website if you have one. Just make sure that you're using some common sense before you start sending or entering data in a particular site.

Finally, what are a few resources tax practitioners can consult on security that you would recommend? I mean, you've provided some great tips here. To this point, I'm just wondering, where can people turn for more information?

[White] There's several great resources, starting with the PICPA. It is a terrific resource for articles and information on how to keep data secure, what's the latest threats or vulnerabilities to be aware of. The American Institute of CPAs, the AICPA, has a lot of great information as well related to the same topics. Some of the major vendors in tax software, Thomson Reuters, as well as Quicken, Intuit will have some good information to help you make sure that you're secure when you're using any kind of tools online.

From a tax practitioner perspective, the vendors that they use for their tax software are another great source of information to help with making sure your software and applications are up to date, and provide the best security for your clients. There's a plethora of information out there that you can start to search for, but I would particularly go to the PICPA and the AICPA.