The Internal Revenue Service recently reminded tax professionals to be on the lookout for phishing emails designed to steal sensitive data, such as user names, passwords, account numbers or Social Security numbers. Despite major progress by the IRS and its Security Summit partners, including representatives of the software industry, tax preparation firms, payroll and tax financial product processors and state tax administrators, evolving tactics continue to threaten the tax community and the sensitive data of taxpayers. Some of the tactics used by thieves to steal data include: (1) spear phishing; (2) key logging; (3) pretending to be a client; (4) sending links; and (5) ransomware. Cybercriminals launch thousands of attacks like these each day in an attempt to obtain large amounts of sensitive taxpayer data to create fraudulent returns that are harder to detect. Not only do tax professionals need to know how to recognize such threats, but so must their employees. Educating personnel on the risks posed by phishing emails is part of the "Taxes-Security-Together" Checklist, which was released back in July to help tax professionals protect sensitive taxpayer data. Tax professionals are asked to focus on key risk areas such as employee management and training, information systems, and detecting and managing system failures.

Another key security feature highlighted on the Checklist is the importance of creating a data security plan. Federal law requires all "professional tax preparers" to create and maintain an information security plan for client data. Such plans provide an inventory of a company's safeguards, helping companies to spot potential security gaps and better assess how they are protecting their information. This practice has become essential as new and amended laws continue to include specific safeguards that businesses are required to implement. Further, companies are not absolved from liability just because their practices meet this bare minimum. Companies must still implement safeguards that are "reasonable" for their business, drawing upon such sources as industry standards (such as the National Institute of Standards and Technology Cybersecurity Framework), regulatory guidelines and the laws themselves.

Companies that fail to take action now risk not only regulatory fines and private suits, but also business interruption from successful cyberattacks that could have been avoided. Cybercrime is no longer a coincidence but a business, one that attackers continue to adapt to drain more and more of their victims' assets.
