Tax Tips and News

Phishing Scams Can Still Hook the Prepared

Phishing Scams Can Still Hook the Prepared

The humble phishing scam is one of the oldest grifts in the Digital Age. Despite their age, these scams remain remarkably effective. Part of that success is derived from constant evolution, and the Security Summit is dedicating the fourth installment of its “Working Virtually: Protect Tax Data at Home and at Work” educational outreach to warning tax professionals about a raft of new scams that could soon fill inboxes.  

Since COVID-19 forced many businesses to adopt some form of telework, the annual Security Summit event is focusing on remote-work data security tips for tax professionals. While previous weeks have emphasized the need for adopting newer data security tools like multi-factor authentication and Virtual Private Networks, this week goes back to the basics.

What is a phishing scam?

Phishing scams pose as a trusted sender to trick victims into providing personally identifiable information. While chain letters and phone calls are some of the oldest forms of phishing, email scams are probably the most prolific due to how easy they are to create and send. Here are two basic things to remember about phishing emails:

  • Phishing emails often impersonate major retailers and people you know personally, and the IRS warns that they tend to have “urgent” subject lines, like “your account has expired.” For tax professionals, IRS Commissioner Chuck Rettig says that list often includes “a client, your software provider, or even the IRS.”
  • Phishing emails often contain attached files or embedded links that install malware designed to steal your information or directly take over your accounts—whether by using stolen usernames and passwords or installing a type of remote-access malware.

One key takeaway is that you should never click on anything in these emails, and you should never send a response to the sender (regardless of how funny and satisfying that TED Talk is). Remember, these criminals are very skilled at tricking people into providing information via back-and-forth conversations. Instead, you should alert the proper authorities. In this case, that means starting by forwarding the email to the IRS scam-reporting email address: [email protected].

What are the NEW phishing scams targeting tax professionals?

New phishing scams are impersonating legitimate coronavirus resources, often “by presenting themselves as providers of face masks or personally protective equipment in short supply.” The IRS says that scams more focused on tax professionals have posed as current or potential clients asking for more information about Economic Impact Payments. And if another round of EIPs is signed into law this year, expect phishing scams tailored to that legislation.

How do I learn more about phishing scams?

The “Identity Theft Central” aggregates information related to all forms of identity theft, breaking down topics according to individuals, tax professionals, and businesses. Visitors will find links to the “Taxpayer Guide to Identity Theft” and the Security Summit’s “Taxes. Security. Together.” campaign, and it serves as an excellent starting point for learning more about identity theft. The Working Virtually press release also includes links to relevant documents:

Check back with us next week for the final installment of the Security Summit’s Working Virtually campaign.

Source: IR-2020-178

Story provided by

“Physical Presence” CPE Rule Temporarily Waived for Enrolled Actuaries

“Physical Presence” CPE Rule Temporarily Waived for Enrolled Actuaries

The Joint Board for the Enrollment of Actuaries is providing enrolled actuaries with some relief when it comes to picking up their continuing professional education (CPE) credits.

The COVID-19 pandemic has caused the Joint Board to rethink the requirement that actuaries have to attend a certain amount of CPE courses in person.

The board is waiving the physical presence requirement for any formal programs held between Jan.1, 2020 and Dec. 31, 2022. It reflects the problems the coronavirus has caused, especially those involving traveling to and participating in gatherings that require close contact with other people.

This temporary waiver applies to all enrolled actuaries, in active or inactive status. Joint Board rules normally require no less than 1/3 of the total hours of continuing professional education credit required for an enrollment cycle must be obtained by participating in a formal program or programs.

Without the waiver, an enrolled actuary earning credit hours for a formal program would have to physically participate in the program in the same physical location with at least two other participants engaged in substantive pension service.

The relief measure doesn’t reduce the amount of CPE required—enrolled actuaries still have to earn the same number of credits that would be required otherwise. Other requirements for CPE credits still apply, including what amounts to a qualified program under Joint Board regulations, and attendance by at least three participants engaged in “substantive” pension service. Courses must still allow an opportunity for participants to interact with the instructor during the course of the program.

In addition, the certificate of completion issued by the program’s sponsor must indicate that the program is a formal program.

“The Joint Board is committed to protecting the health and welfare of enrolled actuaries and understands the challenges that this health pandemic creates,” the IRS states. “By waiving the physical location requirement while retaining all other steps to earn credit hours in formal programs, the Joint Board feels these measures serve to protect the well-being of enrolled actuaries by encouraging social distancing and reducing person-to-person contact without compromising the integrity of the CPE requirements.”

An enrolled actuary—whether active or inactive—who did not receive a notice of the waiver by email should contact the Join Board at [email protected].


Story provided by

IRS Gives Extra Line to Sport Fishing, Archery Equipment Companies

IRS Gives Extra Line to Sport Fishing, Archery Equipment Companies

A new notice from the Internal Revenue Service gives companies that make and sell sport fishing or archery equipment more time to pay their quarterly excise taxes.

Notice 2020-55 says the relief was issued because of the COVID-19 pandemic.

The notice basically pushes some of the federal excise tax filing and payment deadlines back to Oct. 31, 2020. Taxpayers who owe federal excise tax on sales of archery or sport fishing equipment for the first quarter of the year will also see penalties and interest and additions to tax postponed as well.

What are the instructions for filing?

The IRS notice lays out specific instructions for affected taxpayers to take advantage of the relief measures:

  • Any Affected Taxpayer that has not already filed a first quarter Form 720 that wants to take advantage of the postponement must file a paper Form 720, rather than an electronic Form 720, to file its return for excise taxes on sport fishing and archery equipment. An Affected Taxpayer should file only one Form 720 for the sport fishing and archery equipment numbers for the first quarter of 2020 by the postponed deadline of Oct. 31, 2020. In addition, an Affected Taxpayer must write “Notice 2020-55” on the top-center of the Form 720 on which its first quarter 2020 excise taxes on sport fishing and archery equipment are reported after Aug. 7, 2020.
  • If any Affected Taxpayer that wants to take advantage of this postponement in filing is required to file a Form 720 for excise taxes other than for sport fishing and archery equipment on April 30, 2020, and has not done so, such an Affected Taxpayer should file a Form 720 reporting such excise taxes as soon as possible with the sport fishing and archery lines blank, to stop the further accrual of late filing penalties.
  • Any Affected Taxpayer that wants to take advantage of the postponement must not combine first quarter (the calendar quarter containing January, February, and March 2020) with second or third quarter (the calendar quarters containing April, May, and June, and July, August, and September 2020, respectively) excise taxes onto one Form 720. Affected Taxpayers who are seeking the second quarter relief provided by Notice 2020-48 should follow the filing procedures described in that notice. Affected Taxpayers must file separate Forms 720 for the first, second, and third quarters by Oct. 31, 2020. Moreover, first, second, and third quarter Form 720 excise tax payments must be made separately, and Affected Taxpayers should clearly designate payments with respect to the type of tax and tax period for which the payment is made.

The IRS had previously put off some tax filing and payment deadlines associated with excise taxes for the second quarter of 2020.

Federal sporting goods excise taxes apply to fishing rods and poles, electric outboard motors, tackle boxes, quivers, bows, points and broadheads, and shafts. A portion of the money collected from these excise taxes is often used to finance conservation efforts in state and federal wildlife management areas.

The excise tax is reported on Form 720. First-quarter excise taxes are normally expected to be filed and paid by April 30 of the year. With the relief measures, however, the quarterly deadline has been delayed to Oct. 31, 2020

For more information on Notice 2020-55, call the IRS COVID-19 Disaster Relief Hotline at 202.317.5436.

Story provided by

TIGTA Says Most IRS Apps Unable to Track Unauthorized Users

TIGTA Says Most IRS Apps Unable to Track Unauthorized Users

The Internal Revenue Service in recent years has made many advancements in the online service sector, installing helpful applications to aid individual taxpayers. But a new audit shows that if an unauthorized user manages to get into the system, many times the applications are unable to show investigators where those intruders went.

The audit results come from the Treasury Inspector General for Tax Administration, or TIGTA. This latest audit was a follow-up on a previous study of the audit trail capabilities of online IRS applications.

While TIGTA gives the IRS credit for implementing solutions to address weakness in its audit trail policies, procedures and guidance, this latest study shows more work remains to be done.

“Implemented audit trail solutions are not effective, and the IRS continues to have challenges with ensuring that all applications are providing complete and accurate audit trails for monitoring and identifying unauthorized access and for other investigative purposes,” the Inspector General writes.

What did the TIGTA audit request?

TIGTA’s 27-page report says the IRS couldn’t provide its auditors with an accurate inventory of all the applications that store or process taxpayer data as well as Personally Identifiable Information (PII). Auditors believe such an inventory is critical as a baseline for all applications that need to be monitored for potential unauthorized access.

The report adds that the applications are required to provide audit trail records to an electronic repository that is set up for investigative purposes.

What were the TIGTA audit findings?

The TIGTA audit showed that a total of 67 IRS online applications should be monitored for unauthorized access.

“Of these 67 applications, TIGTA determined that six (9 percent) applications were providing accurate and complete audit trails, 30 (45 percent) applications were providing incomplete and inaccurate audit trails, and 31 (46 percent) applications were not providing any audit trails to the repository,” the report states.

In addition, not all applications with audit trail deficiencies were being tracked and monitored as required. This could allow unresolved deficiencies to persist indefinitely.

What are TIGTA’s recommendations?

TIGTA’s audit reports recommends that the Chief Information Officer of the IRS should:

  • ensure that a methodology is developed and implemented to identify and annually update the inventory of all applications that store or process taxpayer and Personally Identifiable Information for the purpose of detecting improper cyber activities and to reconstruct events for potential criminal investigations;
  • ensure that audit trail deficiencies are properly tracked and monitored as required;
  • ensure the internal policy and the Audit Trail Deficiency Memorandum template document clearly and consistently communicate each stakeholder’s responsibilities to ensure that the appropriate actions are taken when security weaknesses have been identified.

In its response, the IRS agreed to properly track audit trail deficiencies, clearly and consistently communicate stakeholders’ responsibilities, and to document process improvements.

However, the agency also said it does not plan to clearly identify which applications use Personally Identifiable Information for purposes of detecting improper activities and to reconstruct events for potential criminal investigations.

Story provided by

IRS Announces New Identity Theft Affidavit

IRS Announces New Identity Theft Affidavit

Businesses are a favorite target of identity thieves. Reports often cover the theft of customer financial information, like credit cards, debit cards, and bank accounts. Perhaps less well known are scams that routinely use stolen business information—whether the business owner’s personal information or their Employer Identification Number—to file tax returns and Forms W-2. The Internal Revenue Service this week announced a new affidavit for reporting tax-related identity theft incidents that target business entities.

“The Form 14039-B, an identity theft affidavit for businesses and other entities, will make it easier for businesses, estates, trusts and tax-exempt organizations to report identity theft to the IRS,” the IRS says. “Submitting this form will enable the IRS to more quickly assist entities who are victims of identity theft. The form is publicly available on Identity Theft Central at under the ‘Business’ tab.”

Tax professionals are often the first to see the signs that one of their business or entity clients have been the victim of tax-related identity theft. If you see a duplicate filing rejection code the first time you submit your client’s return, that’s a massive red flag. Other reasons taxpayers should consider filing out the new affidavit include receiving notices about unfiled tax returns and W-2s, as well as surprise balance due notices.   

That said, the IRS outlines two situations that do not call for filing the new Form 14039-B:

  1. The taxpayer never applied for an EIN but has begun receiving notices for a business in their name. INSTEAD, they should file Form 14039, Identity Theft Affidavit, under their Social Security Number (SSN), Individual Taxpayer Identification Number (ITIN) or Adoption Taxpayer Identification Number (ATIN).
  2. The business, estate, trust or exempt organization experienced a data breach with no tax-related impact to the business entity. For example, a business reports a breach of their computer system and after thorough research of the account, there is no evidence of a fraudulent tax return or W-2s being filed.

Finally, the IRS emphasizes that the new affidavit should not be used to report individual tax-related identity theft incidents. If one of your individual clients is a victim of identity theft, use Form 14039 instead. 

Story provided by

Work Virtually for Real Security

Work Virtually for Real Security

More and more, tax professionals are relying on working remotely, also known as teleworking, in order to stay connected with clients and remain productive.

In order to protect the vital information so critical to the income tax process, the Internal Revenue Service and its Security Summit partners are urging tax pros to secure their remote locations by using Virtual Private Networks (VPNs) to protect against cyber threats.

A VPN provides a secure, encrypted “tunnel” to transmit data between a remote user through the internet and the company’s network. With teleworking or working from home increasing during the pandemic, VPNs are critical for protecting and securing internet connections.

Part Three in a Series

The Security Summit has issued a five-part series of guidance articles entitled “Working Virtually: Protecting Tax Data at Home and at Work.” This is the third in that series.

The security awareness initiative by the IRS, state tax agencies and the private-sector tax industry – working together as the Security Summit – spotlights basic security steps for all practitioners, but especially those working remotely or social distancing in response to COVID-19.

“For firms expanding telework options during this time, a virtual private network is a must have,” said IRS Commissioner Chuck Rettig. “We continue to see tax pros fall victim to attacks every week. These networks are something you can’t afford to go without. The risk is real. Taking steps now can protect your clients and protect your businesses.”

Costly Sins of Omission

Teleworking practitioners who fail to use VPNs risk remote takeovers by cyber-thieves, giving criminals access to the tax pro’s entire office network merely by accessing an employee’s remote internet connection.

Tax professionals should seek out cybersecurity experts if they can afford it. If not, tax pros can search online for “Best VPNs” to find a legitimate vendor. Major technology websites also provide lists of top services.

However, never click on a “pop-up” ad hawking a security product. Usually, it’s a scam.

Telework Tips

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also encourages companies and organizations to use VPNs.

CISA offers this advice:

  • Update VPNs, network infrastructure devices and devices being used to remote into work environments with the latest software patches and security configurations.
  • Alert employees to an expected increase in phishing attempts.
  • Ensure information technology security personnel are prepared to ramp up these remote access cybersecurity tasks: log review, attack detection, and incident response and recovery.
  • Implement multi-factor authentication on all VPN connections to increase security. If multi-factor is not implemented, require teleworkers to use strong passwords
  • Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.

For more information on VPNs and other security measures, check out the newly revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology.

In addition, Publication 5293, Data Security Resource Guide for Tax Professionals, can provide a compilation of data theft information available on

To stay connected to the IRS for the latest in security alerts and recommendations, subscribe to e-News for Tax Professionals and Social Media; or visit Identity Theft Central at

Story provided by