IR-2017-132, Aug. 22, 2017 Español
WASHINGTON – The IRS, state tax agencies and the tax industry today reminded tax professionals that they are responsible for protecting access to their IRS e-Services account and safeguarding their Electronic Filing Identification Number (EFIN) from thieves.
National and international criminal syndicates routinely attempt to steal tax professionals' usernames and passwords so they may access IRS e-Services to obtain the EFIN, which allows a criminal to steal clients' sensitive information.
Increasing awareness about protecting e-Services and EFINs is part of a “Don't Take the Bait" campaign, a 10-part series aimed at tax professionals. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to learn to protect themselves from password thefts. This is part of the ongoing Protect Your Clients; Protect Yourself effort.
“For tax professionals working with the IRS, protecting these account numbers is critical," said IRS Commissioner John Koskinen. “Practitioners should maintain, monitor and protect their Electronic Filing Identification Number. Failing to do so can be disastrous for their business and their clients."
Protecting Clients and Their Businesses from e-Services/EFIN thieves
Cybercriminals routinely use spear phishing emails to target tax practitioners. The emails impersonate IRS e-Services, trying to trick practitioners into disclosing their username and password. Once the thieves have these credentials, they access e-Services accounts and steal EFINs to file fraudulent tax returns. Cybercriminals also are savvy enough to know to steal Centralized Authorization File (CAF) numbers, which are unique, nine-digit ID numbers assigned to those who represent others before the IRS. The con artists also know how to file fraudulent powers of attorney documents to access clients' accounts.
Password thefts are one reason the IRS has moved to Secure Access, a two-factor authentication process, to offer more protection for online tools. Secure Access requires not only a username and password but also a security code that is sent to a mobile phone previously registered with the IRS. The IRS is moving toward multi-factor protections for e-Services as well, and hopes to have this system in the near future.
In addition, the IRS is working with Security Summit partners in the states and the private-sector tax industry to help protect taxpayers and their tax filings against these threats.