Identity Theft - Problems and Prevention Steps

Identity Theft and the Tax Practice

Edward K. Zollars, CPA

www.cperesources.com

www.currentfederaltaxdevelopments.com New Mexico Tax Conference

Today’s Session

¤ Identity Theft in General

¤ Size of the Problem

¤ Working with an Affected Client

¤ Avoiding Being Part of the Problem

Identity Theft

Size of the Problem

3

It’s a Growth Industry for Tax ID Theft

¤ Easy to monetize

¤ Electronic filing used fast refunds as a selling point

¤ Criminals dump fake returns into the system early in the process

¤ By design the system cannot easily catch this

¤ Information reporting (including withholding) not required to be filed until long after return processing begins

¤ Only a single factor generally used for system to identify the taxpayer (social security number)

¤ Problem is growing each year

¤ Treasury Inspector General (TIGTA) issued two reports in 2013

#PSTECH 5

TIGTA  has  reason  to  believe  a  much  larger  number  escaped   detection  – the  real  numbers  may  be  twice  as  high

#PSTECH 7

#PSTECH 9

IRS Criminal Prosecutions

¤ Number is rising

¤ But clearly the vast majority of criminals get away with their crime

¤ Statistics through April 10, 2014 reported by IRS Criminal Investigation Division

First Lady of Tax Fraud

¤ Used prepaid debit cards loaded with refunds from falsified returns from 2009 through 2012

¤ Filed from

¤ Perpetrator’s home

¤ Various hotels around Tampa, Florida (the “capital” of tax refund fraud)

¤ Scheme netted her and her partner nearly $4.5 million

11

Identity Theft

Working with the Affected Client

IRS Advice to Reduce Chance of ID Theft

¤ Don’t carry documents with SSNs on them with you

¤ Limit giving out SSN

¤ Protect financial information

¤ Check credit report at least annually

¤ Secure all personal information at home

¤ Computer safety

¤ Firewalls

¤ Anti-spam/virus software

¤ Password security

¤ Ed’s tip – DON’T BE AN IDIOT

¤ Don’t give out personal information

¤ You did not initiate contact

¤ Not verified ID

13

The One Thing Clients Need to Be Told:

The IRS does not initiate contact with taxpayers by email or social media tools to request personal or financial information. The IRS does not send emails stating you are

being electronically audited or that you are getting a refund. This includes any type of electronic communication,

such as text messages and social media channels.

- IRS FAQ on Identity Protection Tips

The One Thing Clients Need to Be Told:

The IRS does not initiate contact with taxpayers by email or social media tools to request personal or financial information. The IRS does not send emails stating you are

being electronically audited or that you are getting a refund. This includes any type of electronic communication,

such as text messages and social media channels.

- IRS FAQ on Identity Protection Tips

15

Note  – Neither  do   banks,  brokers,  etc.

IRS Procedures

IRS Indicators of Tax ID Theft

¤ Notice more than return has been filed for taxpayer’s identification number

¤ Collections for year in which no tax was due

¤ IRS shows more wages than taxpayer received

¤ Taxpayer has state or federal benefit cancelled due to reported income change

17

What to Do Next?

¤ IRS Notice Received

¤ Contact IRS to stop the computer’s autopilot functions

¤ Get Power of Attorney

¤ Document all

communications with IRS

¤ Consider use of taxpayers advocate office if process threatens to roll over client

Reach out to IRS ID Theft

¤ No IRS Notice (Yet)

¤ Contact IRS ID Theft Unit (800-980-4490, x245)

¤ Explain why taxpayer believes at risk

¤ Lost or stolen wallet/purse

¤ Home robbery

¤ Questionable credit activity

¤ Ask IRS to secure

IRS Form 14039

¤ IRS Form 14039

¤ Used to document issues related to identity theft

¤ Also provides a cover sheet for information needed to document client’s identity

¤ Remember – IRS needs to conclude your client is who they say they are

19

Form 14039

Form 14039

21

Hurry Up and Wait

¤ Client needs to understand this is going to take time

¤ Refunds are likely going to be delayed (significantly)

¤ Executor may have issues closing an estate

¤ Mortgages/refinancings will be difficult to obtain

¤ Other taxing agencies may be involved

¤ May have other, nontax, ID theft issues

¤ IRS unlikely to be able to speed this up much without creating a bigger problem

IRS Identity Protection PIN (IP PIN)

¤ Six digit number issued by IRS

¤ Originally limited to prior victims of identity theft

¤ IRS testing expansion in 3 highest risk markets (Florida, Georgia, DC)

¤ Submitted with return

¤ Electronic returns will be rejected without it

¤ Paper returns will take much longer to process

23

IRS Identity Protection PIN (IP PIN)

IRS Identity Protection PIN (IP PIN)

¤ What if find out:

¤ Taxpayer never noticed he/she was assigned one?

¤ Taxpayer loses the document?

¤ Recovery of IP PIN

¤ Originally had to call IRS, have new IP PIN issued after IRS confirmed identity

¤ Online option started this year – to use taxpayer must have

¤ Social security number

¤ Date of birth

¤ Email address and

¤ Filing status and mailing address from most recently filed tax return

25

Identity Theft

CPA Firms and Data

¤ CPA Firm Clients are High Worth Targets

¤ Professionals Just Want to Work in Their Area

¤ Look at Protecting Your Clients

27

IRS Publication on Protecting Data

¤ FS-2015-24, Publication 4557

¤ Outlines steps preparers should take

¤ Reminds us of our responsibilities

¤ Remember – New Mexico has its own law in this area as well

¤ Most likely to be cited as “standard of care” if breech occurs

IRS Recommended Steps

¤ Top-notch security software that includes a firewall, anti- malware and anti-virus programs; make sure they are set to automatically update so that the software can stay current against the latest threats; and consider having firewalls for both hardware and software.

29

IRS Recommended Steps

¤ An education program for all employees to ensure they understand the dangers of phishing emails and other threats to taxpayer data. Publication 4557 has several items related to employees such as halting their access to the preparer’s computer systems if they leave employment.

IRS Recommended Steps

¤ Strong passwords that are changed periodically;

consider having different levels of password protection.

For example, have one password to access the

computer system and a separate password to access tax software or client files. That way, if the computer system is breached, perhaps not all of the information will be exposed.

31

IRS Recommended Steps

¤ Secure wireless connection. If Wi-Fi is used, protect taxpayer data by making sure it is password protected and encrypted email programs to exchange PII information with taxpayers.

IRS Recommended Steps

¤ Back up taxpayer data frequently, perhaps on an

external hard drive, and ensure that the hard-drive is kept in a secure location with limited access by others

33

IRS Recommended Steps

¤ Store any paper files in a secure location.

IRS Recommended Steps

¤ Access IRS e-services weekly during the filing season and periodically throughout the year to see the number of returns filed using the preparer’s EFIN. If the number is excessive, contact the e-Help Desk for e-Services immediately.

35

Full Disk Encryption

¤ Microsoft Windows BitLocker

¤ In Windows Professional for Windows 7 and later

¤ Not obvious how to install if computer lacks TPM module

¤ Inexpensive non-enterprise laptops often lack it

¤ Can be installed

http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on- drives-without-tpm/

¤ Apple OSX Filevault 2

¤ Third Party Options

¤ Veracrypt

¤ Symantec PGP Full Disk Encryption

¤ Can be used on removable drives as well

Small is Convenient…and Easy to Lose

¤ Content of the drive

¤ Users copy all kinds of data onto thumbdrives

¤ Often only delete data when the drive fills up

¤ A thumbdrive used by a CPA could contain

¤ Client personal information

¤ Firm detailed information

¤ Security information (passwords, etc.)

¤ Data files that contain personal information clients obtained from their customers, employees, vendors, etc. (think payroll)

¤ Generally no record is kept of data that has been transferred to a drive

37

Phones, Tablets, Etc.

¤ iOS Device

¤ Locking options

¤ Erase if fail 10 times option

¤ Long password option

¤ Remote device management

¤ Fingerprint reader (iPhone 5S only)

¤ Android Devices

¤ Locking options

¤ Additional options (though likely less secure if use them)

¤ Can use long passwords

¤ Remote device management

¤ Fingerprint reader

Organizations and Identity Theft

39

Organizations and Identity Theft

“We  have  met  the  enemy  and  he  is  us.”

-­Walt  Kelly,  Pogo

End User Behavior Problems

¤ Far more important than all the security hardware software you have installed

¤ Cannot “delegate” or “outsource” this issue

¤ Issues

¤ Targeted phishing attacks

¤ The disaster that is Outlook (or any mail client)

¤ Every user (even rainmakers, managing partners, senior tax partners, etc.) must understand risks of what they do with their computers and devices

41

Issue

Most  employees  are  exposed  to  their  firm's  IT  and  computer   policies  on  the  day  they  are  hired,  but  seldom  are  reminded   after  that.  Firms  should  review  their  policies  annually  and   incorporate  new  IT  considerations,  such  as  tablet  device   and  smartphone  usage  and  social  media  concerns,  and   then  provide  annual  training  on  any  updated  policies.  

Employees  should  also  be  educated  on  current  cyber  

security  threats  and  social  engineering  scams  impacting  

them  and  their  clients,  to  further  minimize  the  possibility  of  

becoming  a  victim.  

SANS Recommended Program

¤ Perform gap analysis (find the weak links)

¤ Provide training to address the weak link problems

¤ Security program implemented to

¤ Common attacks directed against the individual user (phishing, attachments, etc.)

¤ Make delivery short and convenient for users

¤ Continually update for current attacks (watch for notices of phishing attacks from organizations like AICPA, IRS, etc.)

¤ Mandate annual completion for every employee

¤ ENFORCE THE POLICY (ESPECIALLY AT THE TOP)

¤ Test employees from time to time to see if they are following the policy

43

Risk to the Firm

¤ Requirement to maintain confidentiality

¤ Ethics Rule 301/New ET Sec. 1.700.001

¤ Note upcoming codification’s use of terms “safeguards”

and “threats” as key concepts

¤ State data breach laws

¤ In all U.S. states, territories and District of Columbia except for Alabama, New Mexico and South Dakota

¤ See links in material to state(s) of interest to you

Additional Issues

¤ Definition of personal information under statute

¤ Basically name

¤ Along with any of the following

¤ Social security number

¤ Driver’s license

¤ Account number, etc. that grants access to financial account

¤ Nature of notification defined by statute

¤ Realize – NOT JUST LIMITED TO CLIENTS

45

Contact Information

Edward K. Zollars, CPA

[email protected] www.cperesources.com

Twitter: @edzollars