Skip to main content

Tax Preparers Beware: Hackers in Your Rear View

If a CPA or tax pro receives their clients’ W2s, 1099s, 4562s, 8829s, pay stubs, banks statements, TINs and SSNs in email, they are putting their clients at risk. The CPA or tax pro is also putting themselves and their business at risk.

Feb. 21, 2017

Whether we are prepared for it or not, a new era of hacker freedom is dawning that will impact every small business owner at some point. This hacker freedom is the result of new “off-the-shelf” hacking tools that are now available to anyone who wants to buy them. These tools make hacking as simple as deploying automated script, executed with a single click, to launch email attacks by the thousands.

The nearly effortless, far reaching nature of these attacks makes small businesses very appealing to hackers. After all, the small guys are easy targets because they lack the resources to fend off attacks. For a small accounting practice or individual tax pros with a limited client base, there is a lot to lose if a breach occurs.

Consider a large corporation; they typically have a team of lawyers, risk managers, IT professionals and others who are skilled in dealing with the aftermath of an attack. Large companies also have the capital to invest in expensive hardware and software designed to keep hackers out.

On the other hand, most small CPA firms and individual tax pros don’t have those means. And hackers know it. Every credit card number, every social security number, every bank statement is a little bit of gold in the pocket of your new enemy: the semi-professional data thief.

Sadly, this is the time of year when small businesses become even more vulnerable to these attacks. Between now and April 15, literally tens of millions of small business owners and individuals will be emailing their most sensitive information to their tax preparers simply because email is convenient. And because email was never meant to be secure, CPAs and tax pros who serve small businesses and individuals are putting themselves and their clients at risk when sharing this information over email.

When email was built, it was done simply for the purpose of sending messages from one person to another, across a vast array of connected servers. Data travels across many servers, through different (sometime international) jurisdictions, bouncing from one node to the next in plain text. Encrypted email, which is very popular right now, requires installed software at both ends in order to be effective – meaning you cannot simply send an encrypted email to anyone you want. It is complicated and painful.

Therefore, if a CPA or tax pro receives their clients’ W2s, 1099s, 4562s, 8829s, pay stubs, banks statements, TINs and SSNs in email, they are putting their clients at risk. The CPA or tax pro is also putting themselves and their business at risk.

Unfortunately the options for sharing information securely aren’t great. To make matters worse, every cloud-sharing platform out there claims that they are secure, even when they are not. We regularly see headlines where these services get hacked, or they suddenly realize they’ve been storing millions of documents that their users had deleted years ago.

While this all may sound dire, there are things CPAs and tax pros can do to better protect their clients’ information during tax season and year round. With a little education, risks can be minimized. Here are a few things to get you started:

  • Encryption “in transit and at rest” means almost nothing. You can describe your service this way and still be extremely vulnerable to getting hacked through temporary directories or a master key. This is table stakes.
  • Look for individual encryption of each document, and for keys that are unique to the sender and recipient.
  • Look for and use options like 2-factor authentication so that if your password is compromised, your data will still be safe.
  • The “reset my password” function is a hidden vulnerability that is almost never discussed. If a company can reset your password, it means they have the keys and they can get into your account (under subpoena or otherwise). Try to find services that allow you, and only you, to get into your account under any circumstances.
  • Train yourself, and your employees to use unique passwords (or better yet, passphrases) and not to leave passwords written on notes posted to their computer screen.

With a little bit of effort you can prevent a catastrophic loss of data. Aren’t your clients worth it?

 —————–

David Martin is Vice President of VeriFyle.