Friday, September 15, 2017

Don’t Take the Bait: Act Quickly after a Data Incident

If you experience a data breach or theft of client data, it is in your interest and the interest of your clients to contact the IRS immediately. Fast action is critical because criminals can quickly convert the stolen data into fraudulent tax returns to claim refunds. 

Tuesday, September 12, 2017

Don’t Take the Bait, Step 10: Steps for Tax Pros with Data Incidents; Tips to Help Protect Clients, Taxpayers

The IRS, state tax agencies and the tax industry today reminded tax professionals that if they experience a breach or theft of taxpayer data they should immediately contact the IRS to help protect clients.

The IRS can take some steps to lessen the impact of tax-related identity theft on clients, but a quick response by tax practitioners discovering a problem can help avert problems. Generally, criminals work quickly to convert the stolen data into fraudulent tax returns to claim refunds.

Encouraging tax practitioners to report data thefts is the final news release in a 10-week, “Don’t Take the Bait” campaign, an effort focused on informing tax professionals. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to immediately report data losses to the IRS and state tax agencies. This is part of the ongoing  Protect Your Clients; Protect Yourself effort.

“The IRS, the states and the nation’s tax community continue to make progress in the battle against tax-related identity theft,” said IRS Commissioner John Koskinen. “But we need the help of tax professionals across the country to help strengthen this effort. In addition to working to ensure the safety of their systems, practitioners should promptly report identity theft or data breaches to help protect their clients.”

The IRS has created a reporting process for tax professionals. Those experiencing a data loss should contact their local IRS stakeholder liaison. The IRS representative will relay information to other parts of the IRS that need to know, including the Return Integrity and Compliance Services and Criminal Investigation divisions.

Also, be aware that some states require notification of data losses, and tax professionals should notify each state for which they prepare returns.

IRS stakeholder liaisons will need a list of the affected taxpayers, including names and Social Security numbers. Send the file to liaisons in a CSV (Comma Separated Values) format. If using Microsoft Excel, simply “save as” and scroll the list of options to CSV. Save and encrypt the file before emailing it to IRS staff.

Protecting Clients and Businesses by Reporting Data Thefts

Tax professionals should review IRS Data Theft Information for Tax Professionals for details on reporting losses.  Preliminary steps include:

Contacting the IRS and law enforcement:
Contacting states in which the tax professional prepares state returns:
  • Any breach of personal information could impact the victim’s tax accounts with the states as well as the IRS. Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
  • State Attorneys General  for each state in which the tax professional prepares returns. Most states require that the attorney general be notified of data breaches. This notification process may involve multiple offices.
Contacting experts:
  • Contact a security expert to determine the cause and scope of the breach, to stop the breach and to prevent further breaches from occurring.
  • Contact insurance companies to report the breach and to check if the insurance policy covers data breach mitigation expenses.
Contacting clients and other services:
  • Federal Trade Commission
  • Credit / identity theft protection -- certain states require offering credit monitoring / identity theft protection to victims.
  • Credit bureaus – to notify them if there is a compromise and clients may seek their services.
  • Clients – Send an individual letter to all victims to inform them of the breach but work with law enforcement on timing.
IRS toll-free assisters cannot accept third-party notification of tax-related identity theft. Again, preparers should use their local IRS Stakeholder Liaison.

Tuesday, September 5, 2017

Don’t Take the Bait, Step 9: Make Data Security an Everyday Priority; Key Steps Can Help

The IRS, state tax agencies and the tax industry today urged tax professionals to make data security an everyday priority, noting a few simple steps can go far in protecting taxpayer information from cybercriminals.

Cybersecurity experts often refer to the 90/10 rule. This rule states that 10% of cybersecurity is reliant upon technology; 90 percent is up to users. The IRS currently is receiving reports of tax professional data breaches at the rate of three to five a week, a level that requires immediate attention.

Making daily security a priority is part of the “Don’t Take the Bait” campaign, a 10-part series aimed at tax professionals. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to work to protect their clients and themselves from cybersecurity threats. This is part of the ongoing Protect Your Clients; Protect Yourself effort.

“Tax professionals should not overlook the importance of protecting their systems and their data,” said IRS Commissioner John Koskinen. “Cybercriminals are increasingly targeting the tax community, and tax practitioners play a critical role in helping safeguard their client data as well as their own. Taking a few critical steps can help tax professionals avoid a devastating situation for their business and the taxpayers they serve.”

Data security within a tax professional’s office is only as strong as the least-informed employee. And, security awareness must extend beyond the office into homes. The IRS is aware of situations where a data breach of a tax preparer’s office began at the home of an employee working remotely.

Tax professionals – as well as the Security Summit partners – are matching wits and skills with highly-sophisticated, well-funded, technologically-adept criminal syndicates from the United States and around the world. Anyone who handles taxpayer information has an obligation under federal law to protect that information from unauthorized disclosure, improper disposal and outright theft.

Tax professionals should conduct ongoing education of office employees to combat daily threats, including spear phishing emails, business identity theft, account takeovers, ransomware attacks, remote takeovers, business email compromises and Electronic Filing Identification Number (EFIN) thefts.

Protecting Clients and Businesses by Making Data Security a Daily Priority

Practitioners also should review the NIST small business guide to learn not only what technological steps should be taken but also what everyday steps all employees should take. NIST, or the National Institute of Standards and Technology, a division of the U.S. Department of Commerce, has been helping small businesses with information security since 2001. NIST also has recommendations on everyday activities tax professionals and employees can do to help keep businesses safe and secure. Some of these include:

  • Be careful of email attachments and web links
    • Do not click on a link or open an attachment that you were not expecting. If it appears important, call the sender to verify they sent the email and ask them to describe what the attachment or link is. Before you click a link (in an email or on social media, instant messages, other webpages), hover over that link to see the actual web address it will take you to. Train employees to recognize phishing attempts and who to notify when one occurs.
  • Use separate personal and business computers, mobile devices and accounts
    • As much as possible, have separate devices and email accounts for personal and business use. This is especially important if other people, such as children, use personal devices. Do not conduct business or any sensitive activities (like online business banking) on a personal computer or device and do not engage in activities such as web surfing, gaming, downloading videos, etc., on business computers or devices. Do not send sensitive business information to personal email addresses.
  • Do not connect personal or untrusted storage devices or hardware into computers, mobile devices or networks.
    • Do not share USB drives or external hard drives between personal and business computers or devices. Do not connect any unknown / untrusted hardware into the system or network, and do not insert any unknown CD, DVD or USB drive. Disable the “AutoRun” feature for the USB ports and optical drives like CD and DVD drives on business computers to help prevent such malicious programs from installing on the systems.
  • Be careful downloading software
    • Do not download software from an unknown web page. Be very careful with downloading and using freeware or shareware.
  • Watch out when providing personal or business information
    • Social engineering is an attempt to obtain physical or electronic access to business information by manipulating people. A very common type of attack involves a person, website or email that pretends to be something it’s not. A social engineer will research a business to learn names, titles, responsibilities and any personal information they can find. Afterwards, the social engineer usually calls or sends an email with a believable, but made-up, story designed to convince the person to give them certain information.
    • Never respond to an unsolicited phone call from a company you do not recognize that asks for sensitive personal or business information. Employees should notify their management whenever there is an attempt or request for sensitive business information.
    • Never give out usernames or passwords. No company should ask for this information for any reason. Also, beware of people asking what kind of operating system, brand of firewall, internet browser, or what applications are installed. This is information that can make it easier for a hacker to break into the system.
  • Watch for harmful pop-ups
    • When connected to and using the Internet, do not respond to popup windows requesting that users click “OK.” Use a popup blocker and only allow popups on trusted websites.
  • Use strong passwords
    • Good passwords consist of a random sequence of letters (upper case and lower case), numbers, and special characters. The NIST recommends passwords be at least 12 characters long. For systems or applications that have important information, use multiple forms of identification (called “multi-factor” or “dual factor” authentication).
    • Many devices come with default administration passwords – these should be changed immediately when installing and regularly thereafter. Default passwords are easily found or known by hackers and can be used to access the device. The manual or those who install the system should be able to show you how to change them.
    • Passwords should be changed at least every three months.
    • Passwords to devices and applications that deal with business information should not be re-used.
    • You may want to consider using a password management application to store your passwords for you.
  • Conduct online business more securely
    • Online business/commerce/banking should only be done using a secure browser connection. This will normally be indicated by a small lock visible in the lower right corner or upper left of the web browser window.
    • Erase the web browser cache, temporary internet files, cookies and history regularly. Make sure to erase this data after using any public computer and after any online commerce or banking session. This prevents important information from being stolen if the system is compromised. This will also help the system run faster. Typically, this is done in the web browser’s “privacy” or “security” menu. Review the web browser’s help manual for guidance.

Thursday, August 31, 2017

Learn about Tax Benefits for Education

The beginning of the school year is a good time for a reminder of the tax benefits for education. These benefits can help offset qualifying education costs.

Here is information about two tax credits available to those who pay higher education costs for themselves, a spouse or a dependent.

The American Opportunity Tax Credit (AOTC) is:
  • Worth a maximum benefit up to $2,500 per eligible student.
  • Only available for the first four years at an eligible educational or vocational school.
  • For students pursuing a degree or other recognized education credential.
  • Partially refundable. Eligible taxpayers can get up to $1,000 of the credit as a refund, even if they do not owe any tax.
The Lifetime Learning Credit (LLC) is:
  • Worth up to $2,000 per tax return, per year, no matter how many students qualify.
  • Available for all years of postsecondary education and for courses to acquire or improve job skills.
  • Available for an unlimited number of tax years
Taxpayers should use Form 8863, Education Credits, to claim these education credits.

Additionally:
  • A student is required to have Form 1098-T, Tuition Statement, to be eligible for an education benefit. They receive this form from the school attended.
  • Taxpayers may use only qualified expenses paid to figure a tax credit. These include tuition and fees and other related expenses for an eligible student.
  • Eligible educational schools are those that offer education beyond high school. This includes most colleges and universities.
  • Taxpayers may only claim qualified expenses in the year paid.
  • Taxpayers can’t claim either credit if someone else claims them as a dependent.
  • Income limits could reduce the amount of credits.
  • Taxpayers can’t claim either the AOTC or LLC for the same student or for the same expense in the same year.
  • The Interactive Tax Assistant tool on IRS.gov can help determine eligibility for certain educational credits including the American Opportunity Credit and the Lifetime Learning Credit.
See IRS Publication 970, Tax Benefits for Education, for details, rules, examples and a complete explanation of benefits.

Avoid scams. The IRS does not initiate contact using social media or text message. The first contact normally comes in the mail. Those wondering if they owe money to the IRS can view their tax account information on IRS.gov to find out.

Additional IRS Resources:

Wednesday, August 30, 2017

IRS Waives Diesel Fuel Penalty Due to Hurricane Harvey

The Internal Revenue Service (IRS), in response to shortages of undyed diesel fuel caused by Hurricane Harvey, will not impose a penalty when dyed diesel fuel is sold for use or used on the highway.

This relief applies beginning Aug. 25, 2017, in the areas and counties for which the Environmental Protection Agency (EPA) issued waivers for Texas Low Emission Diesel Fuel. Those areas and counties are as follows: The Houston-Galveston-Brazoria area (the counties of Brazoria, Chambers, Fort Bend, Galveston, Harris, Liberty, Montgomery, and Waller); the Beaumont-Port Arthur area (the counties of Hardin, Jefferson, and Orange); the Dallas-Fort Worth area (the counties of Collin, Dallas, Denton, Tarrant, Ellis, Johnson, Kaufman, Parker, and Rockwall); and the counties of Anderson, Angelina, Aransas, Atascosa, Austin, Bastrop, Bee, Bell, Bexar, Bosque, Bowie, Brazos, Burleson, Caldwell, Calhoun, Camp, Cass, Cherokee, Colorado, Comal, Cooke, Coryell, De Witt, Delta, Falls, Fannin, Fayette, Franklin, Freestone, Goliad, Gonzales, Grayson, Gregg, Grimes, Guadalupe, Harrison, Hays, Henderson, Hill, Hood, Hopkins, Houston, Hunt, Jackson, Jasper, Karnes, Lamar, Lavaca, Lee, Leon, Limestone, Live Oak, Madison, Marion, M atagorda, McLennan, Milam, Morris, Nacogdoches, Navarro, Newton, Nueces, Panola, Polk, Rains, Red River, Refugio, Robertson, Rusk, Sabine, San Jacinto, San Patricio, San Augustine, Shelby, Smith, Somervell, Titus, Travis, Trinity, Tyler, Upshur, Van Zandt, Victoria, Walker, Washington, Wharton, Williamson, Wilson, Wise, and Wood.

This penalty relief is available to any person that sells or uses dyed fuel for highway use. In the case of the operator of the vehicle in which the dyed fuel is used, the relief is available only if the operator or the person selling the fuel pays the tax of 24.4 cents per gallon that is normally applied to diesel fuel for highway use. The IRS will not impose penalties for failure to make semimonthly deposits of this tax. IRS Publication 510, Excise Taxes, has information on the proper method for reporting and paying the tax.

Ordinarily, dyed diesel fuel is not taxed, because it is sold for uses exempt from excise tax, such as to farmers for farming purposes, for home heating use and to local governments for buses.

Finally, consistent with the EPA waivers, this penalty waiver for dyed diesel is effective through Sept. 15, 2017.  Also, consistent with the EPA waiver, this waiver does not apply to the Internal Revenue Code penalty for using adulterated fuels that do not comply with applicable EPA regulations.  Consequently, diesel fuel with sulfur content higher than 15 parts-per-million may not be used in highway vehicles.


The IRS is closely monitoring the situation and will provide additional relief as needed.

Retirement Plans Can Make Loans, Hardship Distributions to Victims of Hurricane Harvey

The Internal Revenue Service today announced that 401(k)s and similar employer-sponsored retirement plans can make loans and hardship distributions to victims of Hurricane Harvey and members of their families. This is similar to relief provided last year to Louisiana flood victims and victims of Hurricane Matthew.

Participants in 401(k) plans, employees of public schools and tax-exempt organizations with 403(b) tax-sheltered annuities, as well as state and local government employees with 457(b) deferred-compensation plans may be eligible to take advantage of these streamlined loan procedures and liberalized hardship distribution rules. Though IRA participants are barred from taking out loans, they may be eligible to receive distributions under liberalized procedures.

Retirement plans can provide this relief to employees and certain members of their families who live or work in disaster area localities affected by Hurricane Harvey and designated for individual assistance by the Federal Emergency Management Agency (FEMA). Currently, parts of Texas qualify for individual assistance. For a complete list of eligible counties, visit https://www.fema.gov/disasters. To qualify for this relief, hardship withdrawals must be made by Jan. 31, 2018.

The IRS is also relaxing procedural and administrative rules that normally apply to retirement plan loans and hardship distributions. As a result, eligible retirement plan participants will be able to access their money more quickly with a minimum of red tape. In addition, the six-month ban on 401(k) and 403(b) contributions that normally affects employees who take hardship distributions will not apply.

This broad-based relief means that a retirement plan can allow a victim of Hurricane Harvey to take a hardship distribution or borrow up to the specified statutory limits from the victim’s retirement plan. It also means that a person who lives outside the disaster area can take out a retirement plan loan or hardship distribution and use it to assist a son, daughter, parent, grandparent or other dependent who lived or worked in the disaster area.

Plans will be allowed to make loans or hardship distributions before the plan is formally amended to provide for such features. In addition, the plan can ignore the reasons that normally apply to hardship distributions, thus allowing them, for example, to be used for food and shelter. If a plan requires certain documentation before a distribution is made, the plan can relax this requirement as described in Announcement 2017-11.

The IRS emphasized that the tax treatment of loans and distributions remains unchanged. Ordinarily, retirement plan loan proceeds are tax-free if they are repaid over a period of five years or less.  Under current law, hardship distributions are generally taxable and subject to a 10-percent early-withdrawal tax.


Further details are in Announcement 2017-11, posted today on IRS.gov. More information about other tax relief related to Hurricane Harvey can be found on the IRS disaster relief page. For information on government-wide relief efforts, visit www.USA.gov/hurricane-harvey.

Help SBA Reduce Unnecessary Regulations on Small Businesses

SBA Administrator Linda McMahon has appointed a task force to evaluate small business regulations and determine which should be repealed, replaced, or modified. Your feedback on SBA regulations will help the agency more effectively promote job creation and the economic growth of small businesses.
  1. Visit our page at FederalRegister.gov
  2. Read the questions there to guide your response.
  3. Click the Submit a Formal Comment button.
  4. Tell your story—identify the SBA regulation or policy that has adversely affected you. Explain how changing it will bring cost savings and benefits to small business owners and entrepreneurs.

Submit your feedback

Beware of Fake Charity Scams Relating to Hurricane Harvey

The Internal Revenue Service issued a warning about possible fake charity scams emerging due to Hurricane Harvey and encouraged taxpayers to seek out recognized charitable groups for their donations.

While there has been an enormous wave of support across the country for the victims of Hurricane Harvey, people should be aware of criminals who look to take advantage of this generosity by impersonating charities to get money or private information from well-meaning taxpayers. Such fraudulent schemes may involve contact by telephone, social media, e-mail or in-person solicitations.

Criminals often send emails that steer recipients to bogus websites that appear to be affiliated with legitimate charitable causes. These sites frequently mimic the sites of, or use names similar to, legitimate charities, or claim to be affiliated with legitimate charities in order to persuade people to send money or provide personal financial information that can be used to steal identities or financial resources.

IRS.gov has the tools people need to quickly and easily check the status of charitable organizations.

The IRS cautions people wishing to make disaster-related charitable donations to avoid scam artists by following these tips:
  • Be sure to donate to recognized charities.
  • Be wary of charities with names that are similar to familiar or nationally known organizations. Some phony charities use names or websites that sound or look like those of respected, legitimate organizations. The IRS website at IRS.gov has a search feature, Exempt Organizations Select Check, through which people may find qualified charities; donations to these charities may be tax-deductible.
  • Don’t give out personal financial information — such as Social Security numbers or credit card and bank account numbers and passwords — to anyone who solicits a contribution. Scam artists may use this information to steal a donor’s identity and money.
  • Never give or send cash. For security and tax record purposes, contribute by check or credit card or another way that provides documentation of the donation.
  • Consult IRS Publication 526, Charitable Contributions, available on IRS.gov. This free booklet describes the tax rules that apply to making legitimate tax-deductible donations. Among other things, it also provides complete details on what records to keep.
Taxpayers suspecting fraud by email should visit IRS.gov and search for the keywords “Report Phishing.”

More information about tax scams and schemes may be found at IRS.gov using the keywords “scams and schemes.” Details on available relief can be found on the disaster relief page on IRS.gov.

Tuesday, August 29, 2017

IRS Gives Tax Relief to Victims of Hurricane Harvey; Parts of Texas Now Eligible; Extension Filers Have Until Jan. 31 to File

Hurricane Harvey victims in parts of Texas have until Jan. 31, 2018, to file certain individual and business tax returns and make certain tax payments, the Internal Revenue Service announced today.
This includes an additional filing extension for taxpayers with valid extensions that run out on Oct. 16, and businesses with extensions that run out on Sept. 15.

"This has been a devastating storm, and the IRS will move quickly to provide tax relief to hurricane victims," said IRS Commissioner John Koskinen. "The IRS will continue to closely monitor the storm's aftermath, and we anticipate providing additional relief for other affected areas in the near future."

The IRS is now offering this expanded relief to any area designated by the Federal Emergency Management Agency (FEMA), as qualifying for individual assistance. Currently, 18 counties are eligible, but taxpayers in localities added later to the disaster area will automatically receive the same filing and payment relief.

The tax relief postpones various tax filing and payment deadlines that occurred starting on Aug. 23, 2017. As a result, affected individuals and businesses will have until Jan. 31, 2018, to file returns and pay any taxes that were originally due during this period. This includes the Sept. 15, 2017 and Jan. 16, 2018 deadlines for making quarterly estimated tax payments. For individual tax filers, it also includes 2016 income tax returns that received a tax-filing extension until Oct. 16, 2017. The IRS noted, however, that because tax payments related to these 2016 returns were originally due on April 18, 2017, those payments are not eligible for this relief.

A variety of business tax deadlines are also affected including the Oct. 31 deadline for quarterly payroll and excise tax returns. In addition, the IRS is waiving late-deposit penalties for federal payroll and excise tax deposits normally due on or after Aug. 23 and before Sept. 7, if the deposits are made by Sept. 7, 2017. Details on available relief can be found on the disaster relief page on IRS.gov.

The IRS automatically provides filing and penalty relief to any taxpayer with an IRS address of record located in the disaster area. Thus, taxpayers need not contact the IRS to get this relief. However, if an affected taxpayer receives a late filing or late payment penalty notice from the IRS that has an original or extended filing, payment or deposit due date falling within the postponement period, the taxpayer should call the number on the notice to have the penalty abated.

In addition, the IRS will work with any taxpayer who lives outside the disaster area but whose records necessary to meet a deadline occurring during the postponement period are located in the affected area. Taxpayers qualifying for relief who live outside the disaster area need to contact the IRS at 866-562-5227. This also includes workers assisting the relief activities who are affiliated with a recognized government or philanthropic organization.

Individuals and businesses who suffered uninsured or unreimbursed disaster-related losses can choose to claim them on either the return for the year the loss occurred (in this instance, the 2017 return normally filed next year), or the return for the prior year (2016). See Publication 547 for details.

Currently, the following Texas counties are eligible for relief: Aransas, Bee, Brazoria, Calhoun, Chambers, Fort Bend, Galveston, Goliad, Harris, Jackson, Kleberg, Liberty, Matagorda, Nueces, Refugio, San Patricio, Victoria and Wharton.

The tax relief is part of a coordinated federal response to the damage caused by severe storms and flooding and is based on local damage assessments by FEMA. For information on disaster recovery, visit disasterassistance.gov.


For information on government-wide efforts related to Hurricane Harvey, please visit: https://www.usa.gov/hurricane-harvey

IRS Issues Urgent Warning to Beware IRS/FBI-Themed Ransomware Scam

The Internal Revenue Service today warned people to avoid a new phishing scheme that impersonates the IRS and the FBI as part of a ransomware scam to take computer data hostage.

The scam email uses the emblems of both the IRS and the Federal Bureau of Investigation. It tries to entice users to select a “here” link to download a fake FBI questionnaire. Instead, the link downloads a certain type of malware called ransomware that prevents users from accessing data stored on their device unless they pay money to the scammers.

“This is a new twist on an old scheme,” said IRS Commissioner John Koskinen. “People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call."

The IRS, state tax agencies and tax industries – working in partnership as the Security Summit – currently are conducting an awareness campaign called Don’t Take the Bait, that includes warning tax professionals about the various types of phishing scams, including ransomware. The IRS highlighted this issue in an Aug. 1 news release IR-2017-125 Don’t Take the Bait, Step 4: Defend against Ransomware.

Victims should not pay a ransom. Paying it further encourages the criminals, and frequently the scammers won’t provide the decryption key even after a ransom is paid.

Victims should immediately report any ransomware attempt or attack to the FBI at the Internet Crime Complaint Center, www.IC3.gov. Forward any IRS-themed scams to phishing@irs.gov.

The IRS does not use email, text messages or social media to discuss personal tax issues, such as those involving bills or refunds. For more information, visit the “Tax Scams and Consumer Alerts” page on IRS.gov. Additional information about tax scams is available on IRS social media sites, including YouTube videos.


If you are a tax professional and registered e-Services user who disclosed any credential information, contact the e-Services Help Desk to reset your e-Services password. If you disclosed information and taxpayer data was stolen, contact your local stakeholder liaison