Tax professionals are frequently reminded to protect the personally identifiable information and financial data stored in their databases. It makes sense: Why should identity thieves settle for getting PII one person at a time when cracking one, big egg can make thousands of omelets? As you work on turning your tax practice into the data security equivalent of Fort Knox, it helps to know all the types of data that identity thieves want.
In recent years, identity theft tax refund fraud has expanded its scope to target the credentials paid tax return preparers use to file tax returns, including professional tax software login information and EFINs. This change is already reflected in the increased number and type of phishing scams deployed by identity thieves. That means tax pros now have to add “protect my EFIN from scammers” to the list of information they closely guard.
How do identity thieves try to steal EFINs?
“Increasingly, identity thieves are targeting tax professionals in an effort to gain access to client data or other sensitive information,” the Internal Revenue Service explains on IRS.gov. “A common scam involves efforts by criminals to steal the tax professional’s e-Service account password and EFIN, sometimes posing as the IRS or e-Services.”
Since phishing scams are the most common way criminals steal private information, you can use similar strategies to avoid falling victim to EFIN theft. Here are the tips provided by the agency:
- Secure your devices with security software and let it automatically update.
- Use strong passwords of 10 or more mixed characters; password protect all wireless devices.
- Encrypt all sensitive files/emails and use strong password protections.
- Backup sensitive data to a safe and secure external source not connected fulltime to your network.
- Wipe clean or destroy old computer hard drives that contain sensitive data.
- Create a data security plan; see Publication 4557, Safeguarding Taxpayer Data PDF.
And, as we’ve noted in the past, identity thieves are more than happy to scour social media accounts for any information. If they only get a little info, they use it to make more convincing phishing scams. If they get enough information, they might be able to apply for financial services or file a fraudulent tax return.
Just like you wouldn’t post your EFIN on Facebook, you shouldn’t include it in email signatures or other routine communications. Instead, treat it like your Social Security Number: Only provide an EFIN to trusted organizations when it is required.
Keep an eye on your EFIN!
The IRS says tax pros need to closely monitor their EFIN or suspicious activity, especially during filing season. While the January-through-April stretch certainly brings a raft of phishing scams, it’s also a good idea to keep an eye on your EFIN all year long. Like the blazing eye atop Barad-dûr, identity thieves are always watching.
Since the filing statistics tied to your EFIN are updated every week on your e-Services account, the IRS says checking it against your own records can quickly identify fishy activity. If there seems to be a discrepancy, the agency says you should call the IRS e-Help Desk: 866.255.0654.
But how do you actually find the number of returns filed by your EFIN in e-Services? Here are the instructions from the IRS:
- Select your name,
- In the left banner, select ‘Application’,
- In the left banner, select ‘e-File Application’,
- Select your name again,
- In the listing, select ‘EFIN Status’ and on this screen you can see the number of returns filed based on return type.
For more information on the steps you should take to keep your EFIN safe, visit “How to Maintain, Monitor and Protect Your EFIN” on IRS.gov.