
Beware this year’s taxpayer refund scams and data breaches: 8 steps recommended by the IRS

The IRS recently released a statement regarding emerging scams that are cropping up this tax season.

Besides phone-based scams targeting individuals, thieves are also stealing client data from tax accountants and using it to file fraudulent tax returns; they use the individual’s bank account information for the deposit, then utilize various techniques to access the accounts and claim the funds.

If they haven’t already, tax preparers and businesses should ensure that they have adequate security to protect their clients’ tax and financial information from cyber-attacks. This may include an annual review of the security of workstation and server computer systems as well as any cloud service providers (Microsoft Office 365, Google Apps Suite, and others), internal policies and procedures (password policies, acceptable use policies), software application security (remote access software, anti-malware, server operating system updates) and employee training programs (resistance to phishing emails, scams and malware).

If you or your clients have been the victim of these sorts of attacks, there are steps to consider taking to protect yourself.

Contact an attorney who has experience in assisting companies that have been victims of a cyber-attack. The attorney can help you navigate any of the IRS’ recommended steps (described below), and engage outside experts under attorney-client privilege.

  1. Contact the IRS, FBI and local police right away.
  2. Report the data theft to state agencies (in the states where you prepare state tax returns).
  3. Contact and engage a forensic computer expert to determine the cause and scope of the theft—and prevent it from happening again.
  4. Inform your insurance company and see if your policy covers expenses related to the data loss.
  5. Send letters to clients whose information may have been breached, and notify state attorneys general as required under applicable data breach notification laws. (The FTC also provides guidance for businesses in this situation.)
  6. Notify credit reporting agencies.
  7. Consider obtaining credit monitoring and identity restoration services for your clients.
  8. Contact relevant software and client portal providers to reset passwords and prevent the compromised accounts from being accessed by an attacker.

For more information, refer to IRS Tax Tip 2018-23.

Melissa Ventrone is a partner and Frederic Roth is an associate, both in Thompson Coburn's Chicago office. Melissa is also chair of the firm's cybersecurity practice.