An effective WISP focuses on three key areas—employee management and training, information systems, and detecting and managing system failures, the IRS said.
“The Gramm-Leach-Bliley Act (GLBA) requires all financial institutions to protect customer data. Under this law, tax and accounting professionals are considered financial institutions and must implement a data security plan,” the agency said.
The Federal Trade Commission (FTC) requires tax professionals to designate one or more of their employees to coordinate the information security program.
Safety processes have to be regularly monitored and tested. Tax preparers are advised to hire external service providers who can maintain effective security safeguards.
According to the IRS, tax professionals must assess, test, and update their WISP on a regular basis.
“Adjustments should be made based on changes in the firm’s operations or security testing and monitoring results,” the agency said.
The IRS warned that every tax professional in the United States—from major accounting companies to one-person firms—is a potential target for cybercriminals.
These criminals seek to steal client data for filing fraudulent tax returns.
“Their tactics: using email, the phone, or other means to trick you into giving up computer passwords, e-Services passwords, to steal your EFINs or CAF numbers, or even to take remote control of your entire computer system,” the IRS said.
As part of the security plan, tax professionals should also consider developing a data theft response plan, including contacting their IRS stakeholder liaison when an incident occurs.
Tax professionals who are victims of a security incident must report the event to the FTC within 30 days of the breach when 500 or more people are affected, the agency said.
Phishing emails are messages sent by scammers attempting to trick a recipient into clicking a link and filling out a form or downloading malware.
Besides phishing, there is the whaling attack, which targets “leaders or other executives with access to large amounts of information at an organization or business,” the IRS said.
Some scammers may pose as potential new clients.
“Tax pros have been particularly vulnerable to emails where the sender is posing as a potential client. Criminals use the ‘new client’ scam to trick practitioners into opening email links or attachments that infect computer systems to steal existing client information,” said the agency.
IRS warned tax professionals to be careful when receiving an unexpected email or text, a duplicate email from what seems to be a trusted source containing a new link or attachment, or a message persuading them to open a link or attachment.
The agency advised installing anti-virus software and keeping it updated, using multi-factor authentication when storing data, and setting up firewalls to shield networks from malicious traffic.
The defendants wanted to swipe client information and file fraudulent tax returns to secure refunds, it said.







