Cybersecurity Expert Shares 3 Ways to Protect Taxpayer Data Against Cyberthieves

Published: April 4, 2023

In a recent SmartVault webinar, Randy Johnston, one of accounting’s Top 25 Thought Leaders, and Luke Kiely, a law enforcement veteran and SmartVault’s Chief Information Security Officer, discussed a group of people that plague CPA firms at tax time: cyberthieves.  

Read a summary of their conversation below. You can watch the full webinar on-demand here. 

Why Are Accounting Firms So Vulnerable to Cyberattacks? 

From January through April, tax fraud and scams are rampant, and each year, criminals only get bolder and cleverer. And unfortunately, the costs to taxpayers are enormous. Here’s an example to put “enormous” into perspective: The government estimates billions of dollars were stolen by fraudsters from programs meant to help taxpayers during the pandemic. In fact, they’re calling the massive amount of theft “the biggest fraud in a generation.” 

This isn’t meant to scare you. Instead, it’s intended to emphasize just how seriously you and your accounting practice staff need to take cybersecurity this tax season. In the webinar, Luke and Randy talked about vulnerabilities hackers expose, the types of scams you might encounter, and a few ways you can proactively protect yourself. 

So, what’s meant by “vulnerability”? Luke says when experts use this term, they’re referring to what a criminal needs to exploit to get what they want. Generally, email is the biggest source of cybercrime. According to Luke, “It’s low impact in terms of what [criminals] need to do to access your data and requires little sophistication. You can buy phishing software online [to do the job for you].” This goes for malware and ransomware as well. Picturing some clever hacker in a dark room writing lines and lines of code, Matrix-style? That’s actually not the case. All it takes to get into your system these days is a credit card and knowledge of where to buy the right software. 

Even though everyone is aware that they need to protect themselves against cyberthieves (and, as Randy points out, IRS Publication 5293 requires you to have a way to keep taxpayer data safe), Luke says CPA firm leaders’ biggest problem is that they’re not aware of what their assets are: data. “You need to know what you’re protecting,” he cautions. And you need to be aware of your internal and external vulnerabilities. Accounting is one of the most commonly attacked professions globally for a clear reason: “That’s where the money is.” And since firms are so busy during tax season, it can be easy for cybercriminals to trick people. 

What Can Firms Do to Safeguard Data? 

Whether your firm is large or small, Randy and Luke agree: You should expect criminals to try to circumvent your defenses, especially at tax time. And regardless of whether you purchased the most expensive software or the least, remember that no platform is 100% perfect at stopping things like phishing. Many firms not only fail to train their teams, but their practice leaders also don’t take a top-down approach to security. 

Both of these things are fixable, says Luke. Various vendors offer security training tools, so spend some time researching and pick the one that’s right for you and your staff. Additionally, remind your team members to examine things like emails carefully. Phishing emails often have odd reply addresses, strangely worded content, and a sense of urgency – hackers frequently try to push people into responding hastily to get what they want. “Ask yourself, ‘Am I likely to get an email from a CEO asking to make a change to a bank account at 5pm on a Friday?’” Luke suggests. And, if one of your team members believes they might have made a mistake, it’s crucial that they don’t wait to tell you. “One of the saddest calls I get is when a non-client CPA firm contacts me, and they’ve had a team member who got a spam email, compromised the system late on a Friday night, and then said, ‘Yeah, that doesn’t look right, but I’ll deal with it Monday.’ This just lets the process take off,” Randy says. 
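The three phishing signs Luke and Randy describe (an odd reply address, pressured wording, and a late-Friday request) can be turned into a simple triage check that a firm’s IT team could run over suspicious messages. The code below is an added example, not something from the webinar or SmartVault; the sample e-mail, the domain names and the list of urgency phrases are all constructed for it.

```python
"""Heuristic triage of an inbound e-mail for the phishing signs discussed
above: a Reply-To that does not match the visible sender, urgency wording,
and an off-hours (late Friday) request.  Everything here is constructed for
this example; the addresses and phrases are assumptions, not real data."""
import email
import email.utils
from email import policy

# Wording that pressures the reader to act without checking (assumed list).
URGENCY_PHRASES = ("urgent", "immediately", "today", "before close of business",
                   "wire", "bank account")

# Constructed sample: a spoofed "CEO" request sent at 5pm on a Friday.
SAMPLE_EMAIL = """\
From: "Pat Chen, CEO" <pat.chen@examplefirm.test>
Reply-To: pat.chen.ceo@examplefirm-billing.test
To: bookkeeper@examplefirm.test
Date: Fri, 07 Apr 2023 17:05:00 -0400
Subject: Urgent - update vendor bank account today
Content-Type: text/plain; charset="utf-8"

Please update the wire details for our vendor before close of business.
I am in meetings all afternoon, so handle this immediately.
"""

def address_domain(header_value):
    """Return the lower-cased domain part of an address header ("" if none)."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw_message):
    """Return a list of human-readable red flags found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    sender_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg.get("Reply-To", msg["From"]))
    if reply_domain != sender_domain:
        flags.append(f"reply-to domain {reply_domain!r} differs from sender {sender_domain!r}")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:
        flags.append("urgency/payment wording: " + ", ".join(hits))
    sent = email.utils.parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    if sent and sent.weekday() == 4 and sent.hour >= 17:
        flags.append("sent late on a Friday, when staff are least likely to verify")
    return flags

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EMAIL):
        print("FLAG:", flag)
```

A message with no flags is not proof it is safe; the check is meant to route doubtful messages to a person who verifies the request by phone before any bank detail is changed.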

Additionally, firm leaders should make sure they lead by example when it comes to taking security measures. Explain the measures you’re taking to your team and tell them the reasons why. Not only does it give the business a competitive edge and help with compliance, but, simply put, it’s just good practice. 

What Do Real-Life Cyber Attacks Look Like? 

Earlier, we dismissed the idea of the hooded hacker in a dark room writing lines of green code. Instead, say Randy and Luke, cyberthieves frequently target small businesses that weren’t even aware something in their system was vulnerable. The attackers get into the system and encrypt the data with ransomware, rendering the files completely useless. Frequently, they demand a lot of money – more than many small firms have available – to unlock the information and “return” it to the business owner. These attacks are usually well planned, and the thieves choose which firms to target three to six months in advance. When it comes to accounting firms, they’re well aware of the tax season schedule and often plant malware months in advance. Then, they make a move right before a crucial tax deadline, leaving accounting practices struggling and in a bad position.  

According to Randy, in the last year or two alone, law enforcement saw a huge jump in fraudulent e-filing cases where cybercriminals used sophisticated techniques to take advantage of taxpayers who would be getting refunds of $5,000 or more. “They didn’t take the small stuff,” he says. Instead, they used automated code to look for larger refunds and then intercepted the e-file, rerouting the money from the taxpayer to an offshore bank account. Worse still, even though the IRS and security software vendors are well aware of attacks like these, they haven’t yet come up with systems that can completely protect accountants and taxpayers alike. 

3 Ways to Protect Taxpayer Data Against Cyberthieves 

While all of this sounds frightening, there are ways you can protect yourself. When prompted to choose his top three security measures, Luke offered the following: 

  1. Identify the data that is essential to operating your firm. Then back it up to a cloud provider that isn’t connected to your own network. This will protect it in the event of machine failures, power outages, and ransomware attacks. Randy offered this additional advice: “The Department of Homeland Security has their 3-2-1 philosophy: Three copies in two different media with at least one off-site.” Don’t just trust your hosting provider to safeguard your data. It’s not paranoid: Backing everything up is critical. 
  2. Protect yourself against malware by installing recognized, commercial antivirus software. Furthermore, take the time to educate your staff about cyberattacks and security measures, including avoiding downloading – as Luke calls them – “dodgy apps.” Then, keep your firmware and IT system up to date. Once machines and software get old, they become more vulnerable to exploitation. Having the right, updated tools is a big deal, so watch for software developments and make sure you have the latest and greatest. 
  3. If your firm has a BYOD (bring your own device) policy, create rules about what employees can and cannot do on the device. Many people now use their own smartphones and personal laptops to access company servers, so the use of personal devices for work purposes needs to be considered. Think about it: When you’re on your own computer, you often do things you wouldn’t if you were using a work laptop. Randy recommends supplying all your staff with company devices, but if this isn’t possible for your firm, at least make sure everyone has security systems that are maintained and updated by a professional IT team and that they are following the safety rules you’ve created. 

Some final takeaways: There will always be vulnerabilities, so keep a watchful eye out for things like phishing emails and anything that seems off, back your systems up regularly, and follow the basics. Along with these proven strategies, another powerful measure is to use a document management system and client portal that allows you to securely store and share files and data online. These are the best ways to protect yourself, your team, and your clients. 

Built with bank-level security, SmartVault is the most secure way to store and share your documents. Schedule a 15-minute demo to see why over two million people trust SmartVault with their data.