November 2022 Foodman Website and JD Supra
identity theft

On 8/16/22As part of the IRS Security Summit, the IRS presented steps that tax professionals can recommend to help their clients battle identity theft risk.  The IRS Security summit is comprised of tax professionals including the IRS, state tax agencies, representatives of the software industry, tax preparation firms, payroll, and tax financial product processors. Given that tax-related identity theft continues to be an ongoing national crisis, all taxpayers and tax practitioners ought to be diligent in protecting themselves from becoming identity theft victims.  That said, CPAs can assist taxpayers with taking preventive actions and in correcting problems after an identity theft incident has occurred.

How can taxpayers protect themselves against tax-related identity theft? The IRS recommends that:

  • If working from home either full- or part-time, the IRS and Security Summit partners urge the use of virtual private networks, or VPNs, to securely conduct business.
  • Online business/commerce and banking should only be done while using a secure browser connection -never at a coffee shop, restaurant, or other business offering ‘free Wi-Fi.’ One-way users can tell if they’re using a secure browser is by looking for a small lock visible in the lower right corner or upper left of the web browser window.
  • Be cautious of email attachments and web links. Do not open a link or attachment that arrives unexpectedly. Always call the sender to confirm receipt and validity of any unexpected links or attachments before opening.
  • Use separate personal and business computers, mobile devices, and email accounts. This is particularly important for those who may share hardware with other family members, especially children, who may not be aware of safety protocols.
  • Do not send sensitive business information to personal email devices. Do not conduct business, including online business banking, on a personal computer or device. Likewise, do not engage in web surfing, gaming or video downloading on business computers or devices.
  • Do not share USB drives or external hard drives between personal and business computers or devices. Never connect an unknown/untrusted piece of hardware into the system or network. Also do not insert any unknown CD/DVD or USB drive. Disable the “Autorun” feature for USB ports and optical drives on business computers to help prevent malicious programs from being installed.
  • Be careful with downloads. Do not download software from an unknown web page. Always exercise caution with freeware or shareware.
  • Use strong passwords. Never give out usernames or passwords to others. Strong passwords consist of a random sequence of letters to include upper and lower-case, numbers and special characters. Ideally, passwords should be at least 12 characters long. For systems or applications that have sensitive information, use multiple forms of identification (multifactor or dual-factor authentication).
  • Change default passwords. Many devices come with default administrative passwords. Change them immediately and regularly thereafter. Default passwords are easily found or known by hackers.
  • Change passwords often. Every three months is recommended. Consider using a password management application to store passwords. Passwords to devices and applications that contain business information should not be reused.

As per the IRS Taxpayer Guide to Identity Theft, IRS also recommends that taxpayers be alert if they:

  • Get a letter from the IRS inquiring about a suspicious tax return that they did not file.
  • Can’t e-file their tax return because of a duplicate Social Security number.
  • Get a tax transcript in the mail that they did not request.
  • Get an IRS notice that an online account has been created in their name.
  • Get an IRS notice that their existing online account has been accessed or disabled when they took no action.
  • Get an IRS notice that they owe additional tax or refund offset, or that they have had collection actions taken against them for a year that they did not file a tax return.
  • Received wages or other income from an employer they didn’t work for.
  • Been assigned an Employer Identification Number but they did not request an EIN.


A CPA can be instrumental to individual and corporate taxpayers in the prevention of identity fraud. A CPA can assist in the development and implementation of identity theft prevention programs to assist in the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Can your existing security systems provide confidentiality?  Do they have integrity? Can they prevent a disruption?   ©