During the last income-tax season in the United States, many certified public accountants became the targets of a spear-phishing attack.
The email message used by the scammers bore the logo of the American Institute of CPAs, threatened the recipient with fraud and the loss of his license and provided a link that led to a malware-filled website.
The IRS has been warning taxpayers about tax-related scams, including phishing schemes, for years. But what happens when your tax preparer himself is the victim of a scam or an attack?
The weakest link
After all, employees in your accountant's office are human. They're not immune to clicking on malicious links or downloading documents that are malware in disguise.
"Luring accountants and employees into downloading keystroke-logging malware that can steal all of the information on the computers is a major problem," said Steven J.J. Weisman, a Boston-area lawyer and professor and author of "50 Ways to Protect Your Identity in a Digital Age: New Financial Threats You Need to Know and How to Avoid Them" (FT Press, 2012).
"Accountants are a good target for identity thieves because they have much personal information of their clients that, if stolen by identity thieves, can make the clients victims of identity theft," Weisman said.
Doesn't hurt to ask
If you use a tax professional, you have the right to know how your personal information is protected.
Don't hesitate to ask serious questions about your CPA's security procedure, advised Robert Fitzgerald, founder and president of The Lorenzi Group, a Topsfield, Mass., firm that handles digital and data security for clients in a variety of industries, including accounting.
According to Fitzgerald, questions that every client should be asking his or her CPA include:
— How large is the firm during tax season?
— Who has access to client records, both electronic and paper?
— Does the firm use contractors or temporary employees during tax season? Are these temporary employees or contract workers given access to client records?
— How does the firm scrub client data off its systems after taxes are filed?
— How does the firm dispose of paper files?
— What kind of notification procedures are in place if the CPA's computer network suffers a data breach?
Fitzgerald added that clients can take proactive steps to protect their own information.
"Clients can ask for a written copy of the company's security policy," Fitzgerald said. "Clients can also request that their records be identified in-house by a client number, rather than by name."
Fitzgerald also recommended that clients provide only one copy of each document when possible. Having more copies of documents bearing Social Security numbers or bank numbers increases the chances of information getting into the wrong hands.
There's a lot of trust involved with hiring a tax professional, but as identity thieves become more sophisticated, trust is not enough, Fitzgerald said. Clients deserve to know how well their identities are protected.
Plus, as Fitzgerald pointed out, keeping clients abreast of security practices is beneficial to the CPA as well.
"Smart CPA firms will use their data-security policies as a marketing differentiator and use it to win more business," he said.