War Story: Tax Return Preparation, Hacker Attack

February 8, 2019


Early one Monday in late March, Joe Johnson, CPA, was unable to find the tax returns he had worked on two days earlier and was confused by the absence of the data. He looked for the previous year’s returns within the software and couldn’t find them either.


The tax returns for the client from all previous years were also missing. He checked his workpaper files for other client information and discovered that two other client files in the tax software appeared to be missing as well, including all their returns from previous years.


Joe checked with one of his colleagues to determine if she had any missing client tax return files. His colleague checked her workpapers and found missing client tax return files as well, including their prior years’ returns. They checked with other tax partners and staff members who were also missing client files.


The firm called its online tax service provider and requested information on the returns filed by the firm through the provider’s e-filing service. There were several discrepancies between the firm’s list of clients who had filed returns and the provider’s list.


The tax partners looked at the returns filed by the software provider and found that 45 of the returns had been falsified to produce large tax refunds, and all of the bank account and routing numbers for these 45 returns had been changed to direct refunds to new bank accounts.


The falsified returns had been e-filed with the firm’s EFIN (Electronic Filing Identification Number), and all the fraudulent activity had taken place over a 24-hour period from late Saturday night to Sunday night when most of the firm staff were out of the office.


The firm called CAMICO, which contacted its cyber legal and IT forensics experts in the state where the firm was located. The forensics investigation determined that a virus had been downloaded onto one of the firm’s laptop computers, enabling a hacker to penetrate the network, read email messages, and obtain information about clients. Due to a simple password configuration, the hacker also utilized the information to enter the firm’s tax software program, changed bank account information for 45 clients, and filed these fraudulent tax returns with large refunds. After filing the returns, the hacker deleted the all of the client files, including those of previous years, in an attempt to delay the detection of the changes to them.


The investigation also determined that the personal identity information of all the firm’s clients, more than 2,500 of them, had been compromised, and that state breach notifications were required. The affected clients were located in several states. Legal counsel helped determine each state’s requirements for notifying clients and local law enforcement agencies. Notification letters were prepared and sent to clients, a call center was set up to handle questions from clients receiving the letters, and credit monitoring services were offered to clients.


Once law enforcement had been notified, media reports began to surface, posing risk to the firm’s public image and reputation. The firm hired a public relations firm to help respond to the reports and to help protect the firm’s reputation.


How had the virus been downloaded onto the laptop in question?


Cybercriminals are constantly evolving their tactics for accessing computer systems and stealing data and client funds. For example:


  • If a laptop user is logged in to a public wi-fi network, a hacker can use keystroke logger malware that can see the UserID and password, allowing the hacker to authenticate his entry into the user’s system. The hacker can then further penetrate a firm’s computer system in order to gain access to client information.


  • Most thefts occur when someone at the firm opens a phishing email and clicks on a link or attachment that contains malware. For example, many computer users have received an email message from “IRS Refunds,” with the IRS logo on it, asking the users to update their e-services information by clicking a link. When the user clicks the link, the hacker is able to penetrate the computer system. Phishing email messages have come from hackers using a variety of ruses, such as tax software companies, potential clients, or the user’s computer “security” system, to name a few.


Loss Prevention Tips


Practitioners are urged to engage cybersecurity experts to better secure their data. Experts familiar with the firm’s systems can work with insurance and breach-response service providers to reduce damages from breaches, minimize the costs, and expedite the recovery process.


The IRS recommends the following:


  • Educate all employees about phishing in general and spear phishing in particular, which targets a specific recipient with social engineering techniques designed to deceive the recipient. Train all employees to go directly to a website for information rather than clicking on links provided in the message.
  • Create a password policy that requires the use of strong, unique passwords. Better yet, use a phrase instead of a word. Require different passwords for each account, and a mix of letters, numbers and special characters.
  • Never take an email from a familiar source at face value; example: an email from “IRS e-Services.” If it asks you to open a link or attachment, or includes a threat to close your account, think twice. Visit the e-Services website (not via a link embedded within the message) for confirmation.
  • If an email contains a link, hover your cursor over the link to display the web address (URL) destination. If it’s not a URL you recognize, or if it’s an abbreviated URL, don’t open it.
  • Obtain a verbal confirmation by phone if you receive an email from a new client sending you tax information, or any client requesting last-minute changes to their refund destination.
  • Use security software to defend against malware, viruses and known phishing sites, and update the software automatically. Create and enforce a policy to update and patch all software regularly.
  • Use the security options that come with your tax preparation software.
  • Send suspicious tax-related phishing emails to phishing@irs.gov.


The IRS has a procedure for tax professionals to report data thefts to the IRS. They need only contact their state’s IRS Stakeholder Liaison, who will notify appropriate IRS officials and serve as a point of contact. All practitioners should review Data Theft Information for Tax Professionals for details about the process and the additional steps they should take.


CAMICO also recommend that practitioners:


Back up all important data and information frequently to reduce the likelihood that critical data is lost in the event of a cyberattack or physical incident such as a fire or flood. Protect the backups in a remote or external location where they are safe from ransomware that seeks out backup copies. Periodically, verify whether the backup is working.


Implement the “least privilege” concept of user permissions. Strictly defined user permissions and restrictions help ensure that people have only the level of user rights they need to do their jobs.


Require site administrators to log out of systems and programs immediately after they have completed their tasks. Excessive rights and activities enable malware to cause more harm and result in greater data losses. Also, not every piece of hardware needs to have administrative rights.


Have cyberinsurance that includes breach response services to help determine whether an incident is a breach as defined by current state and/or federal laws. Your cyberinsurance advisers, with the assistance of IT forensics, should be able to determine whether there has been a breach, assist with reporting and notification requirements, arrange credit monitoring, coordinate with call centers, provide public relations assistance, respond to ransomware demands, and provide services to decrypt and restore the firm’s files.


Install a secure client web portal that will archive and store your clients’ personal documents and data. A portal will lower your staff’s administrative burden, ease the burden of locating important electronic documents, and eliminate the need to hunt for those documents within extended email threads.


Add another layer of security with multi-factor authentication. Usernames and passwords alone are often insufficient for preventing account takeovers. Adding and combining factors provides greater protection.


Avoid public wi-fi or hotspots when inputting or working with personal identity information. Cyber-criminals can easily see individuals’ information on public wi-fi. Wait until you’re on a trusted network.


Establish an incident response plan. Without a plan in place, entities’ initial responses to incidents could make mountains out of molehills. An incident may not be a breach. In response to perceived breaches, personnel with good intentions often purge files that incident response professionals would have wished to analyze to determine whether there was an attack, its source, and those impacted. Purging of files could necessitate breach notifications when otherwise not required.


Robust breach response services and an effective risk management program are more important than ever to assist firms in preventing or recovering from an incident. Remember, adequate preparation will make all the difference in enabling your firm to get back to functioning as soon as possible.

← View All News