Today’s Session. Identity Theft and the Tax Practice 12/7/15. Identity Theft in General. Size of the Problem. Working with an Affected Client


Identity Theft and the Tax Practice

Edward K. Zollars, CPA

61st Annual MNCPA Tax Conference

http://www.cperesources.com

http://www.currentfederaltaxdevelopments.com

Today’s Session

¤ Identity Theft in General

¤ Size of the Problem

¤ Working with an Affected Client

¤ Avoiding Being Part of the Problem

Identity Theft

In General


Types of Identity Theft

¤ Criminal Identity Theft

¤ Financial Identity Theft

¤ Identity Cloning

¤ Medical Identity Theft

¤ Child Identity Theft

CPAs in tax practice will see these types most often

How Identity Information is Obtained

¤ Dumpster diving

¤ Discarded IT equipment (including copiers)

¤ Public records

¤ Stolen credit cards, documents, etc.

¤ Common knowledge verification schemes to retrieve


How Identity Information is Obtained

¤ Credit card skimming (Target, Home Depot)

¤ Contactless credit cards

¤ Shoulder surfing

¤ Computer malware

¤ And more…

It’s a Growth Industry for Tax ID Theft

¤ Easy to monetize

¤ Electronic filing used fast refunds as a selling point

¤ Criminals dump fake returns into the system early in the process

¤ By design the system cannot easily catch this

¤ Information reporting (including withholding) not required to be filed until long after return processing begins

¤ Only a single factor generally used for system to identify the taxpayer (social security number)

¤ Problem is growing each year

¤ Treasury Inspector General (TIGTA) issued two reports in 2013

TIGTA has reason to believe a much larger number escaped

IRS Criminal Prosecutions

¤ Number is rising

¤ But clearly the vast majority of criminals get away with their crime

¤ Statistics through April 10, 2014 reported by IRS Criminal Investigation Division

Prior Year Statistics

First Lady of Tax Fraud

¤ Used prepaid debit cards loaded with refunds from falsified returns from 2009 through 2012

¤ Filed from

¤ Perpetrator’s home

¤ Various hotels around Tampa, Florida (the “capital” of tax refund fraud)


Identity Theft

Working with the Affected Client


Client Issues

¤ Teaching clients how to reduce their exposure

¤ Dealing with an actual or potential problem

¤ Form 14039 and dealing with the IRS

IRS Advice to Reduce Chance of ID Theft

¤ Don’t carry documents with SSNs on them with you

¤ Limit giving out SSN

¤ Protect financial information

¤ Check credit report at least annually

¤ Secure all personal information at home

¤ Computer safety

¤ Firewalls

¤ Anti-spam/virus software

¤ Password security

¤ Ed’s tip – DON’T BE AN IDIOT

¤ Don’t give out personal information

¤ You did not initiate contact

¤ Not verified ID


The One Thing Clients Need to Be Told:

The IRS does not initiate contact with taxpayers by email or social media tools to request personal or financial information. The IRS does not send emails stating you are being electronically audited or that you are getting a refund. This includes any type of electronic communication, such as text messages and social media channels.

- IRS FAQ on Identity Protection Tips

Note – Neither do banks, brokers, etc.

Act Smart

¤ Just because someone claiming to be “official” calls or emails you, don’t respond until you verify their identity

¤ Check IRS Phishing page for current scams

¤ Smart internet usage – understand how to spot a truly

IRS Procedures


IRS Indicators of Tax ID Theft

¤ Notice that more than one return has been filed for taxpayer’s identification number

¤ Collections for year in which no tax was due

¤ IRS shows more wages than taxpayer received

What to Do Next?

¤ IRS Notice Received

¤ Contact IRS to stop the computer’s autopilot functions

¤ Get Power of Attorney

¤ Document all communications with IRS

¤ Consider use of taxpayers advocate office if process threatens to roll over client

¤ Reach out to IRS ID Theft Unit (800-908-4490)

¤ No IRS Notice (Yet)

¤ Contact IRS ID Theft Unit (800-980-4490, x245)

¤ Explain why taxpayer believes at risk

¤ Lost or stolen wallet/purse

¤ Home robbery

¤ Questionable credit activity

¤ Ask IRS to secure account and flag as potential ID theft victim

IRS Form 14039

¤ IRS Form 14039

¤ Used to document issues related to identity theft

¤ Also provides a cover sheet for information needed to document client’s identity


Filling Out the Explanation

¤ Interview client to be sure you obtain all facts

¤ Advise client that non-tax issues are also potentially involved

¤ Additional steps for client to consider

¤ Get counsel

¤ Report to FTC

¤ File police report

¤ Contact fraud departments at all three major credit bureaus

¤ Equifax – www.equifax.com, 800-525-6285

¤ Experian – www.experian.com, 888-397-3742

¤ TransUnion – www.transunion.com, 800-680-7289

¤ Close affected accounts


Hurry Up and Wait

¤ Client needs to understand this is going to take time

¤ Refunds are likely going to be delayed (significantly)

¤ Executor may have issues closing an estate

¤ Mortgages/refinancings will be difficult to obtain

¤ Other taxing agencies may be involved

IRS Identity Protection PIN (IP PIN)

¤ Six digit number issued by IRS

¤ Originally limited to prior victims of identity theft

¤ IRS testing expansion in 3 highest risk markets (Florida, Georgia, DC)

¤ Submitted with return

¤ Electronic returns will be rejected without it

¤ Paper returns will take much longer to process

IRS Identity Protection PIN (IP PIN)

¤ What if you find out:

¤ Taxpayer never noticed he/she was assigned one?

¤ Taxpayer loses the document?

¤ Recovery of IP PIN

¤ Originally had to call IRS, have new IP PIN issued after IRS confirmed identity

¤ Online option started this year – to use, taxpayer must have

¤ Social security number

¤ Date of birth

¤ Email address and

¤ Filing status and mailing address from most recently filed tax return


CPA Firms and Data

¤ CPA Firm Clients are High Worth Targets

¤ Professionals Just Want to Work in Their Area

¤ Look at Protecting Your Clients

IRS Publication on Protecting Data

¤ FS-2015-24, Publication 4557

¤ Outlines steps preparers should take

¤ Reminds us of our responsibilities

¤ Remember – Minnesota has its own law in this area as well

¤ Most likely to be cited as “standard of care” if breach

IRS Recommended Steps

¤ Top-notch security software that includes a firewall, anti-malware and anti-virus programs; make sure they are set to automatically update so that the software can stay current against the latest threats; and consider having firewalls for both hardware and software.

IRS Recommended Steps

¤ An education program for all employees to ensure they understand the dangers of phishing emails and other threats to taxpayer data. Publication 4557 has several items related to employees such as halting their access to the preparer’s computer systems if they leave employment.

IRS Recommended Steps

¤ Strong passwords that are changed periodically; consider having different levels of password protection. For example, have one password to access the computer system and a separate password to access tax software or client files. That way, if the computer system is breached, perhaps not all of the information will be exposed.

http://www.grc.com/haystack

IRS Recommended Steps

¤ Secure wireless connection. If Wi-Fi is used, protect taxpayer data by making sure it is password protected and encrypted email programs to exchange PII information with taxpayers.

IRS Recommended Steps

¤ Back up taxpayer data frequently, perhaps on an external hard drive, and ensure that the hard-drive is kept in a secure location with limited access by others

IRS Recommended Steps

¤ Access IRS e-services weekly during the filing season and periodically throughout the year to see the number of returns filed using the preparer’s EFIN. If the number is excessive, contact the e-Help Desk for e-Services immediately.

Laptops That Go Missing

¤ Cost of a lost laptop

¤ $49,246 average cost (Ponemon Institute study)

¤ Cost of laptop is minor part of cost

¤ Bigger issues

¤ Costs incurred in dealing with lost client data

¤ Cost of data reconstruction and the like

¤ Less than 5% of laptops lost are recovered

¤ Only 1/3 of lost laptops had encryption


Laptops That Go Missing

¤ Expected Losses

¤ Over life of devices 7.12% will end up lost/missing/stolen

¤ 2.32% of devices per year

¤ Where Laptop Went AWOL

¤ 43% working offsite

¤ 33% in transit

Full Disk Encryption

¤ Microsoft Windows BitLocker

¤ In Windows Professional for Windows 7 and later

¤ Not obvious how to install if computer lacks TPM module

¤ Inexpensive non-enterprise laptops often lack it

¤ Can be installed

http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

¤ Apple OS X FileVault 2

¤ Third Party Options

¤ TrueCrypt (http://www.truecrypt.org)???????

¤ VeraCrypt

¤ Symantec PGP Full Disk Encryption

¤ Can be used on removable drives as well

Small is Convenient…and Easy to Lose

¤ Content of the drive

¤ Users copy all kinds of data onto thumbdrives

¤ Often only delete data when the drive fills up

¤ A thumbdrive used by a CPA could contain

¤ Client personal information

¤ Firm detailed information

¤ Security information (passwords, etc.)

¤ Data files that contain personal information clients obtained from their customers, employees, vendors, etc. (think payroll)

¤ Generally no record is kept of data that has been transferred to a drive

Phone, Tablets, Etc.

¤ Easily misplaced devices

¤ Delay in reporting loss

¤ Simply not noticed since it’s not bothering the person

¤ User often not sure when they last had it

¤ Delay in reporting as they try and find it

¤ Tied into systems so users have all information at their fingertips

Phones, Tablets, Etc.

¤ iOS Device

¤ Locking options

¤ Erase if fail 10 times option

¤ Long password option

¤ Remote device management

¤ Fingerprint reader (iPhone 5S only)

¤ Android Devices

¤ Locking options

¤ Additional options (though likely less secure if use them)

¤ Can use long passwords

¤ Remote device management

¤ Fingerprint reader (currently Galaxy S5)

Organizations and Identity Theft

“We have met the enemy and he is us.”

- Walt Kelly, Pogo

End User Behavior Problems

¤ Far more important than all the security hardware and software you have installed

¤ Cannot “delegate” or “outsource” this issue

¤ Issues

¤ Targeted phishing attacks

Issue

Most employees are exposed to their firm's IT and computer policies on the day they are hired, but seldom are reminded after that. Firms should review their policies annually and incorporate new IT considerations, such as tablet device and smartphone usage and social media concerns, and then provide annual training on any updated policies. Employees should also be educated on current cyber security threats and social engineering scams impacting them and their clients, to further minimize the possibility of becoming a victim.

PPC Auditing and Accounting Update, May 2014

SANS Recommended Program

¤ Perform gap analysis (find the weak links)

¤ Provide training to address the weak link problems

¤ Security program implemented to

¤ Common attacks directed against the individual user (phishing, attachments, etc.)

¤ Make delivery short and convenient for users

¤ Continually update for current attacks (watch for notices of phishing attacks from organizations like AICPA, IRS, etc.)

¤ Mandate annual completion for every employee


Risk to the Firm

¤ Requirement to maintain confidentiality

¤ Ethics Rule 301/New ET Sec. 1.700.001

¤ Note upcoming codification’s use of terms “safeguards” and “threats” as key concepts

¤ State data breach laws

¤ In all U.S. states, territories and District of Columbia except for Alabama, New Mexico and South Dakota

¤ See links in material to state(s) of interest to you


Additional Issues

¤ Definition of personal information under statute

¤ Basically name

¤ Along with any of the following

¤ Social security number

¤ Driver’s license

¤ Account number, etc. that grants access to financial

Contact Information

Edward K. Zollars, CPA

[email protected] www.cperesources.com

Twitter: @edzollars
