The Perfect Storm - Identity Theft, Tax Fraud and Cyber Crime

On July 2, 2024, the Internal Revenue Service (IRS) issued a critical warning to tax professionals regarding the escalating threat of identity theft. This urgent alert addresses the dangerous convergence of identity theft, tax fraud, and cybersecurity vulnerabilities, which collectively pose a significant risk to both individuals and businesses. The warning serves as a stark reminder of the persistent dangers faced by tax professionals and their clients.

The IRS alert, part of the annual "Protect Your Clients; Protect Yourself" campaign, comes at a critical time. With nearly 200 tax professional data incidents reported through spring 2024, potentially affecting up to 180,000 clients, the scale of the problem is alarming. Equally as concerning is the IRS's struggle to keep pace with the flood of identity theft cases. As of April 2024, it was taking over 22 months to resolve these cases, with approximately 480,000 unresolved cases in their inventory. This backlog leaves victims in financial limbo for extended periods, underscoring the urgent need for preventative measures.

From a fraud and cyber crime investigation perspective, the increased sophistication in the methods used by cybercriminals isn't the only issue. The sheer volume and velocity of attacks have reached unprecedented levels, creating a perfect storm for potential breaches across the industry. This relentless barrage of attempts significantly increases the probability that attackers will eventually find a vulnerable point of entry somewhere within a financial institution.

It's important to consider the IRS warning with clear eyes and in the context of the actual threats facing tax professionals. The simple reality is that conducting business online inherently exposes organizations to these risks, making potential cyber security problems an unavoidable aspect of modern commerce and business operations.

The truth is, the scale of cyber security attacks is staggering, with thousands of attempts occurring simultaneously across multiple targets on a continual basis. This statement is not fear mongering, it is the reality of the environment in which firms operate.There is a high-frequency assault on the accounting profession happening every moment of every day.

Criminals cast a wide net in their efforts to cause havoc for unsuspecting firms and their clients, probing for weaknesses in various systems and organizations. The law of large numbers comes into play here: even if the success rate of individual attacks remains low, the sheer quantity of attempts dramatically increases the odds of a successful breach occurring at some point, somewhere within the profession.

The IRS’s inability to process the necessary investigations is a by-product of this issue and something that affects law enforcement authorities globally. It's not just opportunistic hackers who are the driving force; there are many well-organized groups with resources rivalling those of small corporations that exploit vulnerabilities in both technology and human behaviour, often combining social engineering tactics with advanced technical exploits to breach even well-protected systems.

IRS Commissioner Danny Werfel's statement emphasizes the evolving nature of these threats: "Security threats against tax professionals and their sensitive taxpayer information continue to evolve, and it's critical to stay on top of the latest developments to protect their business and their clients." This evolution of criminal tactics necessitates an equally dynamic approach to cybersecurity.

The importance of a cybersecurity strategy for accounting firms cannot be overstated.

What should firms be implementing now that they are not already doing? The answer is a lot.

This starts with the basics:

• Implementing email security, anti-malware technology and multi-factor authentication (MFA) for all user accounts, especially those with access to sensitive data.

• Tax professionals should ask themselves if they are genuinely equipped to defend against these threats on their own or whether it’s time to enlist the help of professional services.

• The shift towards cloud-hosted services and managed service providers (MSPs) offers a compelling solution to these challenges, providing enhanced efficiency with security and scalability.

From a security perspective, cloud-based cyber security services typically employ advanced protection that often surpass what individual accounting firms can implement. These include enterprise-grade encryption, multi-factor authentication, and continuous monitoring for potential threats. By leveraging these services, tax accountants can significantly reduce the risk of data breaches and unauthorized access to client information.

MSPs further bolster this security posture implementing tailored security controls, conducting regular vulnerability assessment, and providing rapid response to emerging threats. This proactive approach is crucial in an environment where cyber attacks targeting financial data are becoming increasingly sophisticated.

Compliance management is another area where cloud services and MSPs demonstrate value. Their platforms often include built-in compliance features, audit trails, and encrypted data storage that align with regulatory standards. However, technology alone isn't enough.

The human element remains a critical factor in cybersecurity. Regular employee training and awareness programs are essential. These should cover not just the basics of password hygiene and phishing recognition but also more advanced topics like social engineering tactics and the importance of data minimization.

For individuals, the threat of identity theft looms large and this is no different for your team members at the individual level. The steps to protect oneself may seem basic, but they're crucial:

• Use unique, complex passwords for each online account.

• Enable MFA wherever possible.

• Regularly monitor credit reports and financial statements, and maintain a healthy scepticism towards unsolicited communications, whether via email, phone, or text.

The collaboration between law enforcement, cybersecurity professionals and the public is more important than ever. The Security Summit effort between the IRS, states, and the nation's tax industry is a step in the right direction, but it's just the beginning. We need ongoing dialogue, information sharing and co-ordinated action to keep pace with the threats we face.

The threat we face today is real, complex and something every firm needs to address as part of their ongoing operations. By staying informed, implementing robust security measures and fostering a culture of cybersecurity awareness, together we can weather this storm. Your firm, your identity and data, as well as your client base are among your most valuable assets. Protect them as you would any other precious resource. The stakes are too high to pay anything but your highest attention to these potential issues and the negative consequences that ignoring them may have on your firm and your clients.