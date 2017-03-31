Cybercriminals and scammers are targeting both taxpayers and tax professionals as the April 18 filing deadline nears, local business leaders warn.

“We’ve definitely seen a significant increase in tax-related cyber threats over the past few years. This tax season [marks] even a new high water mark for these type of threats,” Chris Blees, president and CEO of BiggsKofford CPAs, said in an email.

The Business Journal spoke with Blees; Dan Reilly, president of CMIT Solutions of Northern Colorado Springs; and Gina Sacripanti, Better Business Bureau of Southern Colorado’s vice president of marketing and public relations, about precautions businesses and taxpayers should take this tax season.

Reilly: Steps for tax professionals

Hacking, phishing, malware and ransomware threaten individuals and tax preparers alike, Reilly said, but tax professionals have fiduciary responsibilities to their clients and generally face higher levels of risk.

“A tax preparer [is] a target for hackers and identity thieves like you can’t believe,” he said. “Think about it: If I’m an accountant and I have 500 sets of taxes that I’m preparing this season, that’s 500 chances to steal somebody’s identity.”

Reilly said one precaution tax professionals should have is a firewall with the latest security software.

“What I hear a lot is, ‘I bought this firewall three years ago off Amazon; I just plugged it in and it’s working.’ You have no idea what’s been updated. Have someone come in and install a real firewall,” he said.

Preparers should also have a separate server in the office or in the cloud.

“Many offices have a computer that they call a server,” Reilly said. “A real server has additional security features that the IRS requires.”

Preparers should also implement physical safeguards.

“Do you lock your server room at night? Do you have a security system in your office? Are the computers locked to the desk?” Reilly said. “If it’s Saturday night and someone throws a brick through the window and walks off with the laptop from the CPA’s desk and that laptop is not encrypted, guess what — all those files are available to them.”

A secure back-up is also a must. Reilly said ransomware — in which cybercriminals encrypt files and demand payment to unlock them — is becoming increasingly popular.

“Especially for the tax preparer, you need to have a backup in place, preferably cloud-based, that is encrypted and secured,” he said.

Reilly recommended backing up several times a day during tax season.

“If I have yesterday’s backup and they encrypt today’s version of QuickBooks… I recover yesterday’s version and the most I’ve lost is eight hours of work, as opposed to five years of being in business.”

Reilly recommended avoiding wireless networks. But if those networks are used, be sure to encrypt them.

“With hacking… what I’m really concerned about is your wireless network,” he said.

“[Tax preparers] should use a wired ethernet network inside the office and be very limited on wireless, but if they are [using a wireless network] make sure it’s encrypted.”

And public wireless networks should not be trusted.

“Small business owners in particular live on their laptops and their tablets and [need to] be very cautious about using Wi-Fi,” he said. “Never work on your taxes at Starbucks. Go to Starbucks to drink coffee, OK? Don’t do anything personal on those networks. You don’t know who’s listening.”

Reilly said tax professionals should also:

• Have a written information security plan and staff training based on the plan;

• Have complex passwords that are changed every 60-90 days;

• Have up-to-date antivirus software on all computers and email services;

• Perform background checks on new employees;

• Remove access to all systems for departing employees; and

• Stay up to date on ‘IRS Publication 4557 — Safeguarding Taxpayer Data, A Guide For Your Business.’

Blees: Cyber threat warnings

Blees shared examples of cyber threats encountered and avoided by BiggsKofford and its clients.

He said they’ve seen many phishing scams in the form of emails purporting to be from banks, brokerage companies, the IRS or the Colorado Department of Revenue, generally claiming that there is a problem with the recipient’s refund claim, bank account or credit card.

The recipient is asked to click a link or respond with account information or a Social Security Number — an effort to collect data cybercriminals can use for fraud or identity theft.

“The IRS in particular will never contact a taxpayer through email. So if you’re receiving an email that says it’s from the IRS, it is almost always a scam,” Blees wrote.

Another scam involves “emails that look like they are sent from the president or owner of a company to the accounting staff, complete with duplicated email signatures and even pleasantries in the email text,” Blees said.

The email asks the accounting department to wire money — and for companies that regularly wire funds, these can be easily mistaken for the real thing, he said.

“Employees want to be responsive when their boss emails them with an urgent wire transfer request, especially when the email looks legit. If your company does wire money on a routine basis, we recommend that you create a code-word or verbal verification system with your accounting staff — so they can verify it’s you.”

Blees said tax professionals were seeing a new scam this year: emails that appear to be from prospective clients, asking to them to prepare their tax return — and to click a link or download a document they say is information necessary to prepare their return.

“Of course, we treat these all as scams and just delete them immediately,” Blees said. “If there is a real client out there trying to hire us, we encourage them to call and discuss their situation. Then, we prefer using a secure web-portal for delivery of sensitive tax information.”

Sacripanti: Tips for taxpayers

Sacripanti said tax-related scams were the No. 1 type reported to the BBB in 2015 and 2016, with 8,000 tax scams reported nationally last year.

The list of scams targeting taxpayers is constantly evolving, but Sacripanti said they fall into four main categories: IRS impostors, tax ID theft, phishing and fraudulent tax preparation.

IRS impostors “are intimidating, they’re sophisticated, they claim to be an IRS employee and say that you owe taxes,” Sacripanti said. “A lot of times people are threatened that if they don’t pay immediately they will be arrested or deported.”

Tax ID theft allows the scammer to file a fraudulent refund using another person’s Social Security Number, claim someone else’s children as dependents or file using a deceased person’s information, Sacripanti said.

Phishing emails “look trustworthy, but the first rule of thumb is never give out your personal information,” Sacripanti said. “The IRS… has that information already; the No. 1 red flag is if someone asks you for personal information.”

Corrupt tax preparation services can defraud taxpayers by offering refund advances on bad checks, and requiring a check from the taxpayer for their services. “People don’t recognize that even though a check is deposited into their bank account, it could be a couple of weeks before the check is returned as fraudulent or non-sufficient funds,” Sacripanti said. The taxpayer loses both the tax preparation fees and their tax refund.

Sacripanti said to protect themselves, taxpayers should know the IRS will never:

• Call to demand immediate payment;

• Request payment via prepaid debit card, gift card or wire transfer;

• Threaten to immediately bring in local police or other law enforcement;

• Demand payment without giving the taxpayer a chance to question or appeal the amount; or

• Ask for credit, debit, bank account or personal information over the phone.

If a taxpayer does fall victim to a scam, Sacripanti advised following these steps.

1. Report it to the BBB at bbb.org/scamtracker/southern-colorado/reportscam

2. Call the IRS, specifically the hotline for the Treasury Inspector-General for Tax Administration at 1-800-366-4484

3. Notify the three major credit reporting agencies — Experian, TransUnion and Equifax.