GAO Issues Report Recommending Stronger Oversight of IT Security for E-File Providers and Software Developers

The Government Accountability Office (GAO) turned out to have excellent timing, releasing its report on the overall security of components of the commercial tax preparation systems in the week when Wolters Kluwer took down its online systems used by tax preparers due to a discovery of malware in their network.  The report (IRS Needs to Improve Oversight of Third-Party Cybersecurity Practices, United States Government Accountability Office, GAO-19-340, May 2019) recommends generally that the IRS attempt to impose specific security rules on all participants (tax preparers, electronic return originators and software developers), but the IRS disagreed with the recommendation, primarily based on their view that they lack statutory authority to take the actions suggested.

Read More

Wolters Kluwer CCH Systems Recovering from Malware Incident, Axcess Systems Partially Restored for Users

It’s been a tough few days for users of Wolters Kluwer’s CCH tax products, especially for those using CCH Axcess.  Wolters Kluwers’ systems were affected by malware, per a company release issued the day after the outage triggered by the malware began.

The problem began early on Monday as users discovered CCH’s online systems were not accessible.  While those using the on-site version of CCH’s tax product (ProsystemFX) lost access to electronic filing and the ability to obtain additional single return licenses to run returns if the user ran out of already downloaded permissions, those on the hosted Axcess products lost access to all programs they had licensed on the platform.

Read More

IRS Warns Professionals About Requirement for Data Security Plan

In News Release IR-2018-175 warned tax professionals that a failure to prepare a written data security represents a violation of the FTC’s Safeguards Rules and the that the IRS may treat a violation of the FTC Safeguards Rule as a violation of the standards for authorized IRS e-file providers under Revenue Procedure 2007-40.

The IRS Electronic Tax Administration Advisory Committee (ETAAC) members noted in June that they believe fewer than half of all tax professionals are aware of the FTC rule and have written plans in compliance with the rule.

Image copyright badboo / 123RF Stock Photo

Read More

Only Accounts Established Using Detailed Secure Access Methods Will Now Have Access to e-Services Accounts

The IRS announced on their website page “e-Services - Online Tools for Tax Professionals”[1] that all access to e-Services beginning on December 10, 2017 requires the use of an account that was established using the IRS’s Secure Access authentication.  If a professional has not established an e-Services account by going through the more detailed process, the professional will be required to sign up again using the more detailed (and difficult to complete) process.

Secure Access is meant to make it more difficult for an individual to impersonate a taxpayer or professional.  As the IRS describes the program in their announcement made on December 8[2]:

Secure Access helps protect online tools in two ways: it has a more rigorous identity-proofing process which helps ensure the users are who they say they are, and it requires returning users to use a two-factor access process by entering their credentials (username and password) plus a security code sent as a text message to their mobile phone or a security code generated by the new IRS2Go app feature. This two-factor authentication process meets required federal standards for protecting information.

The IRS is technically correct that both methods are currently allowed under the National Institute of Science and Technology (NIST) standards, the use of SMS as the two-factor vehicle is less secure and the NIST has stated it is being deprecated and may no longer be acceptable at some point in the future.[3]  The NIST issued this statement over a year ago.

Image copyright pixelbrat / 123RF Stock Photo

Read More

New Phishing Email Masquerades as e-Services Security Notice and Then Steals the Professional's Credentials

Scams to steal information from tax professionals just keep coming, and the latest is a phishing email detailed in IRS News Release IR-2016-145.  This phishing scam is looking to obtain e-services credentials for tax professionals and, like most good phishing scams, the email looks just credible enough to get someone not paying attention (or simply not aware of how email and phishing works) to provide the requested information.

A good phishing email must look like something the recipient would expect to see—and often takes advantage of a mark’s awareness that something has changed, relating the email to that change.  In recent years that’s quite often been to cloak the email scam in the guise of increased security (and, yes, I’m sure the scammers find the irony amusing).

Image Copyright weerapat / 123RF Stock Photo

Read More

IRS Announces Plan to Require Secure Access Registration to Use e-Services, Follows Up with Indefinite Delay

The IRS looked to expand their “Secure Access” to e-Services used by tax professionals, but on October 14 the agency announced an indefinite delay in implementing that requirement.  The announcement of the delay did not provide any details on when the program would begin operations or what changes, if any, might be made to the program.

On September 22 the IRS announced it was going to expand the secure access program to cover access to e-Services (Questions and Answers Related to e-Services Migration to Secure Access).  However, as has been discussed regarding the roll-out of this program to other services (like the online transcript system), there is a far from insignificant number of individuals who generally cannot complete the process online.

Image Copyright ratoca / 123RF Stock Photo

Read More

IRS Finds Two Dozen Preparer's Systems Breeched in Latest Attacks

The IRS stated in September of 2016 in News Release IR-2016-119 that the IRS had become aware of approximately two dozen cases of preparer’s systems taken over by identity thieves.  As the IRS described the issue:

Thieves are able to access tax professionals’ computers and use remote technology to take control, accessing client data and completing and e-filing tax returns but directing refunds to criminals’ own accounts.

Victims in the tax community learned of these thefts while reconciling e-file acknowledgements.

The IRS recommends specific steps that advisers should take to deal with this issue, in addition to the standard advice to run security scans and educate staff on phishing scams.

Image Copyright mikkolem / 123RF Stock Photo

Read More

Phishing Emails Claiming to be Software Update Notices from Tax Software Firms Being Sent to Preparers

The IRS issued a warning regarding attempts to trick tax professionals to install malware on their systems by clicking on an “update” link for their tax software.  [IR-2016-103]  Once clicked, the “update” will install a keystroke logger that will send all of the preparer’s keystrokes (which will likely include important client information) to a third party—and we can presume that party is planning to use that information for various nefarious purposes.

The use of email to trick users into installing malware is very common—because it’s very effective.  If the email fits the general context that users expect (email from the software provider we use for tax software that is formatted as expected) and the message itself seems reasonable (there’s an important software update—perhaps even an extremely important one to avoid having your systems compromised) we will often click through on the email and follow its instructions without a second thought.

Image Copyright pixelbrat / 123RF Stock Photo

Read More

Preparers Warned About Risk of Data Theft in Their Practices by the IRS

The IRS has issued a warning to tax preparers regarding the risk posed to the preparers and their clients from data theft in News Release IR-2016-96 and Fact Sheet 2016-23. The notice follows on the IRS’ promise to get information out to tax preparers following the 2016 Security Summit as part of its Protect Your Clients; Protect Yourself campaign.

The news release directs preparers to the fact sheet and to the more detailed Publication 4557, Safeguarding Taxpayer Dataa 21 page PDF document.

Read More

IRS Has Found Cases Where Preparer's IT Systems Taken Over and Used to File Fraudulent Returns

Another security issue has arisen in the tax arena, this time targeted not at the IRS, but rather at tax preparers.  In Issue 2016-15 of e-News for Tax Professionals newsletter published by the IRS the agency warned of criminals targeting tax professionals to take control of their systems to file fraudulent returns using the client’s information and redirect the fraudulent refunds to accounts the criminals control.

Read More

E-Filing PIN System Subject of Automated Attack Based on Information Obtained from Non-IRS Sources

The IRS web systems were again attacked using information that the perpetrators had acquired from other services.  In a statement the IRS described the attack on their system.

In this case the system under attack was the IRS’s Electronic Filing PIN web application used by some taxpayers to obtain a PIN to file a tax return when the taxpayers are not using a preparer and don’t have access to their tax year 2014 tax return information.

Read More

IRS Issues Program Manager Technical Advice on Business Related Identity Theft

In Program Manager Technical Advice 2015-19 the IRS indicated how the agency should deal with situations that arise when there is identity theft that occurs against a business.  

While identity theft at the individual level has gotten much attention in the press, there also exist situations where a third party attempts to hijack a business’s tax identity for nefarious purposes.  For instance, the hijack can be use to create fictitious W2s that can be used to make it more difficult for the IRS to detect individual tax return refund fraud or simply to claim fraudulent refunds for the “business” in question. 

Read More

IRS Reminds Preparers to Check EFIN Information and Monitor Use

The IRS has reminded those participating in the electronic filing program about their responsibilities with regard to their EFIN number in Fact Sheet FS-2015-27.

The IRS has expressed concern about legitimate EFIN accounts being “hijacked” by those perpetrating tax refund fraud by filing fraudulent returns and has indicated that the agency expects EFIN holders to take actions to secure and monitor their accounts at IRS e-services.

Read More

IRS to Test W-2 Verification Code on Some Payroll Service Issued 2015 Forms W-2

The IRS, along with certain payroll services, will be testing a 16 character W-2 Verification Code for the 2015 filing season the IRS announced on their website at

An important fact to note is that the IRS initially will not be doing anything with this code except to “test-and-learn” to see if it is useful in determining the integrity of W-2 information.  Thus, to put it a bit differently, using or not using the code is not going to do anything for the moment to improve the chances that a taxpayer will not be subject to ID theft.

Read More