The IRS and the tax industry are urging tax professionals to protect their IRS e-Services account and Electronic Filing Identification Number (EFIN) from cybercriminals. At the same time, the IRS is taking steps to offer more online tools for protection, such as multi-factor authentication.
Drawing the attention of national and international crime syndicates, EFINs that are obtainable through the e-Services accounts allow fraudsters to steal clients’ information.
“For tax professionals working with the IRS, protecting these account numbers is critical,” said IRS Commissioner John Koskinen in a statement. “Practitioners should maintain, monitor and protect their Electronic Filing Identification Number. Failing to do so can be disastrous for their business and their clients.”
So, how to do that? Knowledge goes a long way toward prevention.
Cybercriminals, for instance, routinely use spear phishing emails to target tax practitioners. The emails impersonate IRS e-Services, trying to trick practitioners into disclosing their username and password. Once the thieves have these credentials, they access e-Services accounts and steal EFINs to file fraudulent tax returns.
Cybercriminals also are savvy enough to steal Centralized Authorization File (CAF) numbers, which are unique, nine-digit ID numbers assigned to those who represent others before the IRS. The con artists also know how to file fraudulent powers of attorney documents to access clients’ accounts.
Password thefts are one reason the IRS has moved to Secure Access, a two-factor authentication process, to offer more protection for online tools. Secure Access requires not only a username and password but also a security code that is sent to a mobile phone previously registered with the IRS.
The IRS also is moving toward multi-factor protections for e-Services as well, though it’s not clear when that will be in place.
Once the EFIN application process is complete and an EFIN has been issued, it is important to keep accounts current. Here’s what that involves:
- Review the e-file application periodically. The e-file application must be updated within 30 days of any changes, such as individuals involved, addresses or telephone numbers. Failure to do so may result in the inactivation of the EFIN.
- Make sure that the right people are identified on the application and update that, if necessary. The principal on the application is the person authorized to act for the business in legal or tax matters.
- Review the account periodically and add new principals or others, if necessary.
- Update business address changes.
- If a business or practice is sold, the new principals have to get their own EFINs.
- Each office location requires its own EFIN application.
To protect EFINs, tax professionals can check on the status to make sure it’s not in use by someone else. The e-Services account will give the number of returns the IRS received, which can be matched to practitioner records. The statistics are updated weekly.
Contact the IRS e-help Desk at 866-255-0654 if there’s a higher volume shown than the number transmitted by the practitioner.
After logging on to the e-Services account, follow these steps to verify the number of returns electronically filed with the IRS:
- Select practitioner name.
- In the left banner, select “Application.”
- In the left banner, select “e-File Application.”
- Select “name” again.
- In the listing, select “EFIN Status” and on this screen, the number of returns filed based on return type is displayed.
Other measures that can be taken to protect EFINS include not opening any link or attachment from a suspicious e-mail, and frequently changing and setting strong passwords for e-Service accounts.
The IRS continuously reviews EFINs and takes the necessary steps to inactivate any that are found to be compromised. The firm using the invalid EFIN will encounter Business Rule 905 when it e-files returns. The firm must call the e-help Desk at 866-255-0654 to request a new EFIN.
This IRS is boosting awareness in protecting e-Services and EFINs as part of its 10-part “Don’t Take the Bait” campaign.
About Terry Sheridan
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.