IR-2017-132, Aug. 22, 2017
WASHINGTON – The IRS, state tax agencies and the tax industry today reminded tax professionals that they are responsible for protecting access to their IRS e-Services account and safeguarding their Electronic Filing Identification Number (EFIN) from thieves.
National and international criminal syndicates routinely attempt to steal tax professionals’ usernames and passwords so they may access IRS e-Services to obtain the EFIN, which allows a criminal to steal clients’ sensitive information.
Increasing awareness about protecting e-Services and EFINs is part of a “Don’t Take the Bait” campaign, a 10-part series aimed at tax professionals. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to learn to protect themselves from password thefts. This is part of the ongoing Protect Your Clients; Protect Yourself effort.
“For tax professionals working with the IRS, protecting these account numbers is critical,” said IRS Commissioner John Koskinen. “Practitioners should maintain, monitor and protect their Electronic Filing Identification Number. Failing to do so can be disastrous for their business and their clients.”
Cybercriminals routinely use spear phishing emails to target tax practitioners. The emails impersonate IRS e-Services, trying to trick practitioners into disclosing their username and password. Once the thieves have these credentials, they access e-Services accounts and steal EFINs to file fraudulent tax returns. Cybercriminals also are savvy enough to know to steal Centralized Authorization File (CAF) numbers, which are unique, nine-digit ID numbers assigned to those who represent others before the IRS. The con artists also know how to file fraudulent powers of attorney documents to access clients’ accounts.
Password thefts are one reason the IRS has moved to Secure Access, a two-factor authentication process, to offer more protection for online tools. Secure Access requires not only a username and password but also a security code that is sent to a mobile phone previously registered with the IRS. The IRS is moving toward multi-factor protections for e-Services as well, and hopes to have this system in place in the near future.
In addition, the IRS is working with Security Summit partners in the states and the private-sector tax industry to help protect taxpayers and their tax filings against these threats.
Once the EFIN application process is complete and an EFIN has been issued, it is important to keep accounts up-to-date. This includes:
Help safeguard the EFIN. During the filing season, check on the EFIN’s status to ensure that it is not being used by others. The e-Services account will give practitioners the number of returns the IRS received, which can be matched to practitioner records. The statistics are updated weekly. Contact the IRS e-help Desk at 866-255-0654 if there’s a higher volume shown than the number transmitted by the practitioner.
After logging into the e-Services account, follow these steps to verify the number of returns electronically filed with the IRS:
Increasingly, identity thieves are targeting tax professionals to gain access to client data or other sensitive information. A common scam involves efforts by criminals to steal the tax professional’s e-Services account password and EFIN. Here are some steps to protect the EFIN:
Please note: The IRS continuously reviews EFINs and takes the necessary actions to inactivate any EFINs that are found to be compromised by an unauthorized firm or individual. The firm using the invalid EFIN will encounter Business Rule 905 when it e-files returns. The firm must call the e-help Desk at 866-255-0654 to request a new one.
Authorized IRS e-file providers should maintain contact with the IRS to learn of any e-file updates. E-Service users can subscribe to Quick Alerts. Tax practitioners also can sign up for e-News for Tax Professionals or e-News for Payroll Professionals.