Keeping client data secure: How’s your cybersecurity immunity?

By Michael T. Odom, CPA, CVA, Fouts & Morgan, CPAs, Memphis, Tenn.

Editor: Todd Miller, CPA

Not a single day goes by without an email or text tempting a tax practitioner to follow a link or respond in such a way that will allow a nefarious scammer to infiltrate the practitioner's computer, network, or cellphone. The author's standard operating procedure is to mark such an email as junk and immediately delete it without previewing, opening, or forwarding it. As the partner overseeing information technology and risk management, the author takes seriously the responsibility to educate staff regarding the importance of protecting client data and personally identifiable information.

In 2015, the IRS, state tax agencies, tax preparation firms, software developers, payroll and tax financial product processors, tax professional organizations, and financial institutions created the Security Summit to combat identity theft and protect taxpayers from refund fraud. The IRS and the Security Summit partners have for the last six years conducted awareness campaigns urging tax professionals to take actions to prevent data theft from their offices.

The 2021 campaign is titled "Boost Security Immunity: Fight Against Identity Theft." Per the IRS campaign webpage, data thefts reported by tax professionals to the IRS have continued to rise, from 124 in 2019, to 211 in 2020, and to 222 in 2021 as of June 30. Not only have these thefts affected taxpayers negatively, but they can also threaten a tax practitioner's business. Therefore, all practitioners need to take this issue seriously and be on the alert to identify any suspicious activity.

This year's campaign focuses on five things tax professionals can do to boost their security immunity.

Protect tax preparation and other software accounts

If you have not already done so, implement multifactor authentication immediately. Multifactor authentication provides greater security because it adds another layer of verification, in addition to the username and password, before an account or computer can be accessed: a security code sent to a mobile phone, a personal identification number (PIN), or a biometric feature such as face recognition or a fingerprint (see IRS News Release IR-2021-155). Usernames can be stolen and passwords can be broken, but without the additional factor, a thief who holds only the password cannot access the account. (Codes sent by text message can still be intercepted through a SIM swap or relayed through a real-time phishing page, so where a provider offers an authenticator app or a hardware security key, prefer it over SMS.) Many who reported data theft to the IRS in 2020 indicated they did not use multifactor authentication, which could have prevented the data breach.

Tax software providers already offer multifactor authentication free, and most have already mandated its use with their tax preparation products, whether installed on an office computer or used in the cloud. But multifactor authentication is not just for tax preparation software. It should be used wherever available, such as when accessing web-based email accounts or client portals. It especially should be used when initially logging on to your computer and network, as well as every time your computer is unlocked, whether you are working in the office, at home, or at a client's office. You should make it a habit to lock your computer every time you leave your desk.

Additional things you should do to protect sensitive data include:

  • Use up-to-date antivirus software to regularly scan local computers, network drives, and mobile phones to protect them from malware;
  • Require different passwords for every program and website. Passwords should be strong, meaning at least 12 characters including uppercase and lowercase letters, numbers, and special characters; a password manager makes unique, long passwords practical. The author recommends changing passwords at least every 90 days, if not more frequently; note that NIST Special Publication 800-63B now advises against forced periodic changes and instead calls for a change whenever there is evidence of compromise;
  • Use a firewall to protect against external attacks;
  • Have a robust backup routine that copies crucial files off-site multiple times a day so they can be recovered after a ransomware attack. At least one copy should be offline or otherwise immutable, since ransomware routinely encrypts or deletes any backup it can reach over the network, and restores should be tested periodically;
  • Encrypt all computer drives so that unauthorized users cannot read them;
  • Use a secure virtual private network when connecting remotely via the internet to your office computer or network; and
  • If employees are using their own equipment to work remotely, make sure the same security protocols are in use there.

Encourage clients to sign up for the identity protection PIN opt-in program

The IRS's new, voluntary identity protection (IP) PIN opt-in program is available to anyone who can verify his or her identity. It is designed to prevent someone else from filing a tax return using the taxpayer's Social Security number (SSN) (see IRS News Release IR-2021-158). Taxpayers must obtain their own IP PIN, which is a six-digit number known to them and the IRS. It should not be shared with anyone other than the taxpayer's trusted tax preparer, who should enter it into the electronic tax return to verify the taxpayer's identity. The IP PIN is valid for one calendar year, and a new one must be obtained for each filing season. New IP PINs for filing 2021 returns will be available starting January 2022.

The Get an IP PIN online tool is available on the IRS website. The tool is offline between mid-November and January.

There is no change to the IP PIN process for confirmed victims of identity theft. As before, they will automatically receive a new IP PIN each year.

Help clients fight unemployment compensation fraud

Because of the COVID-19 pandemic, many employees were laid off. As a result, state workforce agencies' websites were inundated with new applications, resulting in a delay in processing claims (see IRS News Release IR-2021-163). In addition, identity thieves took advantage of this opportunity to redirect benefits to themselves. A client who received multiple Forms 1099-G, Certain Government Payments, reporting unemployment income may have been a victim of unemployment fraud.

You can assist your client by reporting the fraud to state workforce agencies and requesting corrected Forms 1099-G. Also, file a return reporting the actual unemployment income received by the client. Recommend the client obtain an IP PIN. Direct the client to the Federal Trade Commission and U.S. Department of Labor websites, where identity theft victims can take recommended actions.

Avoid spear-phishing scams

Much has been reported about phishing emails and, more recently, SMS text messages (known as "smishing") that try to trick the recipient into clicking a link that installs malware or a remote-access Trojan on the device, allowing the thief to capture usernames, passwords, and bank account information (see IRS News Release IR-2021-166). Tax professionals have become prominent targets of spear-phishing, which targets a specific individual or business with a carefully crafted, enticing message known as a lure. One very successful scam this year was a series of emails from a supposed prospective client. Once trust had been established, the sender emailed an attachment that purported to contain the prospective client's tax information. When the tax professional opened the attachment or clicked a link, the computer was infected, and the hacker was able to steal client information and file fraudulent returns, with refunds directed to the hacker's bank account.

Employees should be instructed not to read, preview, or forward unsolicited emails. If they do not recognize the source of an email, they should delete it and, ideally, report it to whoever manages the firm's IT so that a campaign aimed at several staff members is noticed. The same applies to text messages: do not reply to messages from people you do not know. Also be wary of any text message that comes from a number that does not look like a phone number, such as a "4000" number. That is a sign the message was sent through an email-to-SMS gateway, that is, it is really an email delivered to the phone rather than a genuine text, and it deserves the same suspicion as unsolicited email.

As an added precaution to help verify the sender of an email, add a column to your Outlook message list that shows the sender's email address alongside the display name. If the address and the display name are inconsistent, delete the email without opening it. A matching pair is not proof of legitimacy, however: the display name is freely chosen by the sender, and a look-alike domain (a hyphen or an extra word added to a client's real domain) is easy to miss, so treat the check as a quick filter rather than a verdict. Instructions for doing this can be found at

You can also make it a policy not to accept attachments via email or text. Your email system can be set to flag the attachments and quarantine the message so that someone can investigate and determine whether the email and attachment are legitimate. Client documents should instead be uploaded to your secure portal.
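
The sender check described above can be automated for mail that is already in a mailbox or quarantine. The following Python script is an added example written for this article, not code from the author or from Outlook. It parses raw message headers with the standard library, compares the display name with the actual address, checks the address against a client contact list, flags look-alike domains, and flags a Reply-To that points outside the sender's domain. The contact list, the sample headers, and the address patterns are all constructed for the demonstration.

```python
"""Sender-consistency checks for incoming email.

Added example; it is not part of the article and not an Outlook feature. It
uses only the Python standard library. The contact list and message headers
below are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed contact list: address -> display name as held in client records.
KNOWN_CONTACTS = {
    "jane.client@example.com": "Jane Client",
    "tmiller@example.com": "Todd Miller",
}

# Constructed sample messages (headers only; bodies are not needed).
SAMPLES = {
    "legit": "From: Jane Client <jane.client@example.com>\nSubject: 2021 docs\n\n",
    "lookalike_domain": 'From: "Jane Client" <jane.client@example-com.net>\nSubject: My tax info attached\n\n',
    "address_in_name": 'From: "jane.client@example.com" <prospect9172@example.org>\nReply-To: prospect9172@example.org\nSubject: New client\n\n',
    "foreign_reply_to": "From: Todd Miller <tmiller@example.com>\nReply-To: tmiller.cpa@example.net\nSubject: Wire instructions\n\n",
}

# An email address embedded in free text, e.g. inside a display name.
EMBEDDED_ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _norm(text):
    """Lower-case, letters and digits only, so 'Jane  Client' == 'jane client'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw_headers, known_contacts=KNOWN_CONTACTS):
    """Return a list of findings for one message. An empty list means no
    inconsistency was found, which is not the same as 'safe'."""
    msg = message_from_string(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if not addr:
        return ["From header has no parseable address"]
    findings = []
    dom = _domain(addr)

    # 1. The display name shows an address other than the real sender.
    for shown in EMBEDDED_ADDRESS.findall(name):
        if shown.lower() != addr:
            findings.append(f"display name shows {shown} but sender is {addr}")

    # 2. The display name is a known contact's, but the address is not theirs.
    by_name = {_norm(n): a for a, n in known_contacts.items()}
    owner = by_name.get(_norm(name))
    if owner and owner != addr:
        findings.append(f'name "{name}" is on file for {owner}, not {addr}')

    # 3. The sender domain imitates a known domain without being it or a
    #    subdomain of it (example-com.net vs example.com).
    for known in {_domain(a) for a in known_contacts}:
        if dom != known and not dom.endswith("." + known) and _norm(known) in _norm(dom):
            findings.append(f"sender domain {dom} resembles known domain {known}")

    # 4. Replies would leave the apparent sender's domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != dom:
        findings.append(f"Reply-To {reply_to.lower()} is outside the sender domain {dom}")

    return findings


def triage(samples=SAMPLES):
    """Map each sample message to its findings."""
    return {label: check_sender(headers) for label, headers in samples.items()}


if __name__ == "__main__":
    for label, findings in triage().items():
        print(f"{label}: {findings or 'no inconsistency found'}")
```

Run it directly to see each sample classified; in a real deployment the headers would come from the mail server's quarantine rather than from the SAMPLES dictionary. A message with no findings has merely passed a consistency check and still deserves the attachment and link precautions described above.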

Know the signs of identity theft

According to the IRS, tax professionals have been reporting data thefts that they did not immediately recognize (see IRS News Release IR-2021-170). Tax professionals need to be aware of the following items that could indicate that their data has been compromised:

  • Multiple rejections of e-filed client returns due to the use of SSNs on previously filed returns.
  • More e-file acknowledgments received than returns filed.
  • The "Responsible Official" listed on the firm's application to become an authorized IRS e-file provider should, at least quarterly, compare the number of returns the IRS reports as accepted with the number recorded in the firm's e-filing system and make sure the two agree. To do so, open your e-file application and select "EFIN Status." The section "Electronic Return Originator Activity by EFIN and Return Type" shows, by return type, the number of returns transmitted, accepted, and rejected.
  • You receive many client email responses to emails you did not send.
  • You experience slow or unexpected computer network responsiveness.
  • You are unexpectedly locked out of your computer or network.
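
The two comparisons above (e-file acknowledgments versus returns actually filed, and clusters of rejections for an SSN already on a filed return) can be scripted so the quarterly review is a single run rather than a manual tally. The following Python script is an added example, not code from the article or from any IRS system. It counts the firm's own transmission log by return type, compares those counts with an IRS EFIN activity summary, and flags rejection reasons that match assumed duplicate-SSN wording. Both data sets, the field names, and the reject-reason phrases are constructed for the demonstration and would need to be mapped to what your tax software and the EFIN Status page actually export.

```python
"""Reconcile the firm's e-file transmission log with the IRS EFIN activity
summary.

Added example; it is not from the article and does not use any IRS API. The
firm log and the IRS summary below are constructed. In practice the log comes
from your tax software and the summary from the "EFIN Status" page of your
e-file application; the reject-reason wording is assumed and should be
matched to what your software actually reports.
"""
from collections import Counter

# Constructed firm-side log: one row per return this office transmitted.
FIRM_LOG = [
    {"submission_id": "S-1001", "return_type": "1040", "status": "accepted", "reject_reason": ""},
    {"submission_id": "S-1002", "return_type": "1040", "status": "accepted", "reject_reason": ""},
    {"submission_id": "S-1003", "return_type": "1040", "status": "rejected",
     "reject_reason": "Primary SSN already used on a previously filed return"},
    {"submission_id": "S-1004", "return_type": "1120S", "status": "accepted", "reject_reason": ""},
    {"submission_id": "S-1005", "return_type": "1040", "status": "rejected",
     "reject_reason": "Primary SSN already used on a previously filed return"},
]

# Constructed IRS-side summary, by return type, as the EFIN Status page lays it out.
IRS_SUMMARY = {
    "1040": {"transmitted": 9, "accepted": 7, "rejected": 2},
    "1120S": {"transmitted": 1, "accepted": 1, "rejected": 0},
}

# Assumed phrases that mark a duplicate-SSN rejection in the reject reason.
DUPLICATE_SSN_MARKERS = ("ssn already", "duplicate ssn", "previously filed")


def firm_counts(log):
    """Per-return-type transmitted/accepted/rejected counts from the firm's log."""
    counts = {}
    for row in log:
        c = counts.setdefault(row["return_type"], Counter())
        c["transmitted"] += 1
        c[row["status"]] += 1
    return counts


def reconcile(log, irs_summary, duplicate_threshold=2):
    """Return warning strings; an empty list means the two sides agree and
    duplicate-SSN rejections are below the threshold."""
    warnings = []
    ours = firm_counts(log)

    # Returns the IRS has seen under your EFIN that your own log cannot account for.
    for rtype, theirs in irs_summary.items():
        mine = ours.get(rtype, Counter())
        for field in ("transmitted", "accepted", "rejected"):
            if theirs.get(field, 0) > mine[field]:
                warnings.append(
                    f"{rtype}: IRS shows {theirs[field]} {field}, firm log shows {mine[field]} "
                    f"({theirs[field] - mine[field]} not sent from this office)")
    for rtype in ours:
        if rtype not in irs_summary:
            warnings.append(f"{rtype}: {ours[rtype]['transmitted']} in firm log, none in IRS summary")

    # Clustered duplicate-SSN rejections: someone may already have filed for your clients.
    dup = [r["submission_id"] for r in log
           if r["status"] == "rejected"
           and any(m in r["reject_reason"].lower() for m in DUPLICATE_SSN_MARKERS)]
    if len(dup) >= duplicate_threshold:
        warnings.append(f"{len(dup)} rejections for an SSN already on a filed return: {', '.join(dup)}")
    return warnings


if __name__ == "__main__":
    for w in reconcile(FIRM_LOG, IRS_SUMMARY) or ["no discrepancies"]:
        print(w)
```

With the constructed data the script reports five 1040 returns transmitted and five accepted under the EFIN that the firm never sent, plus two duplicate-SSN rejections; either finding alone should trigger the reporting steps described later in this article. The threshold for duplicate-SSN rejections is deliberately low because a single legitimate duplicate (a client who filed on their own) is common, while two or more in one period rarely are.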

Warning signs can also come from clients. Here are a few you should watch for:

  • IRS authentication letters (e.g., 5071C, 4883C, or 5747C) when no return has been filed. These mean the IRS has flagged the return as a potential case of identity theft, and your client needs to contact the IRS to confirm his or her identity.
  • A client receives a refund when no return has been filed.
  • A client receives a tax transcript that was not requested.
  • A client receives a notice that someone created an IRS online account without the client's consent.
  • A client receives a notice that someone accessed his or her IRS online account.
  • A client receives notification that the IRS has disabled his or her online account.

Actions to take if you or your firm is a victim of data theft

Report data theft to your local IRS Stakeholder Liaison, who will then notify IRS Criminal Investigation and others within the agency. Time is of the essence. You can find the liaison for your area at

Email the Federation of Tax Administrators at to get information for reporting victim information to the states. You should also contact the state attorney general for each state for which you prepare returns.

You should also contact:

  • A security expert to determine the cause and scope of the breach, to assist you in stopping the breach, and to design procedures to prevent further breaches;
  • The insurance company that underwrites your cybersecurity insurance policy if you have one (if you do not, consider purchasing a policy); and
  • Clients, in accordance with the laws of your state.

Create and implement a data security plan

Federal law (the Federal Trade Commission's Safeguards Rule, issued under the Gramm-Leach-Bliley Act) requires all professional tax preparers to create, implement, and maintain a written data security plan to protect sensitive client and firm data. The requirement is flexible enough to accommodate a tax preparation firm of any size. Key areas of focus for tax practitioners are employee management and training; information systems; and detecting and managing system failures.

A good starting point is IRS Publication 4557, Safeguarding Taxpayer Data. This publication gives you an overview of your legal obligations to protect taxpayer data. It also provides a step-by-step checklist to create and maintain your data security plan.

IRS Publication 5293, Protect Your Clients; Protect Yourself: Data Security Resource Guide for Tax Professionals, can be downloaded from and distributed to all your staff as part of an ongoing education initiative. For other resources, visit the IRS's "Identity Theft Information for Tax Professionals" webpage at

How's your immunity?

As you head into another filing season, assess whether your firm is immunized against identity theft. If not, now is the time to take action to boost your immunity and fight back against identity theft by creating and implementing your security plan. CPAs are targets, and attacks come daily. Don't let your firm be a victim; immunize today.


Todd Miller, CPA, is a tax partner at Maxwell Locke & Ritter in Austin, Texas.

For additional information about these items, contact Todd Miller at 352-727-4155 or

Contributors are members of or associated with CPAmerica Inc.
