Philip Yamalis: Welcome and thank you for joining us for today's webinar, Quick Security Tips from
the Internal Revenue Service, Protecting Personal and Financial Information Online. My name is
Philip Yamalis. I'm here today with my colleague Brian Wozniak, a Stakeholder Liaison from the
West Coast. We're both Senior Stakeholder Liaisons in Communications and Liaison division. I'm
on the East Coast. He's on the West Coast. So we've got the entire country covered. Ladies and
gentlemen, we work with tax professionals, small business owners, and Internal Revenue Service
partners to provide outreach and education, and to identify ways that the agency can be more
responsive to customers' needs. We'll cover a few things about this webinar system, and then,
we'll move on to today's topic. Ladies and gentlemen, in case you experience a technology issue,
this slide shows some helpful tips and reminders. We've posted - in case you experience a
technology issue, we posted a technical help document that you can download from the Materials
section on the left side of your screen. It provides the minimum system requirement for viewing
this webinar, along with some best practices and quick solutions. Now, if you've completed and
passed the system check, yet, you're still having problems with us today, try one of the
following options. First option is to simply close the screen, the browser, where you're viewing
the webinar from and re-launch it. That'll usually fix things for you. The second option is to
click on the settings on your browser viewing screen and select HLS. Now, closed captioning is
available for today's presentation. If you're having difficulty hearing the audio through your
computer speakers, please click the Closed Captioning drop-down arrow located on the left side
of your screen. This feature will be available throughout today's webinar. If you have a question
for us today during the webinar, please submit it by clicking the Ask Question drop-down arrow to
reveal the textbox. Type your question in the textbox and then click Send. Now, this is very
important. Please, please, please do not enter any sensitive or taxpayer-specific information
when asking your questions. Okay, let's go ahead and get started with today's topic. We're
excited to be here today. Today's topic, "Quick Security Tips from the Internal Revenue Service,
Protecting Personal and Financial Information Online." Today's webinar is the first of 5 webinars
that we've scheduled for this week for you. These are part of the Internal Revenue Service's
outreach effort during our annual National Tax Security Awareness Week. This is our 5th year,
sponsoring National Tax Security Awareness Week, which is a collaborative of the Internal
Revenue Service, state tax agencies as well as the tax industry to encourage the public to take
the strongest security measures possible. So at this time, let me go ahead and turn the
microphone over to my colleague, Brian Wozniak. Brian, take it away.

Brian Wozniak: Okay, Philip.
Today is Cyber Monday, which means millions of people are shopping online for the holiday season,
and maybe even more so this year, because of the COVID pandemic. It is also the first day of a
week-long effort by the IRS, state tax agencies and the tax community to offer some security tips
for protecting your data. So you may be asking yourselves, "Why does the IRS care about Cyber
Monday?" And the answer is this, while people are shopping for online bargains, identity thieves
are shopping for victims. And one of the main things that identity thieves do with stolen names,
addresses and stolen social security numbers is to try to file fake tax returns and claim
fraudulent refunds. So our purpose is twofold: we want to protect taxpayers from identity theft;
and we want to protect taxpayer dollars from fraud and theft. And as Philip just mentioned, we
launched today, it's our annual National Tax Security Awareness Week. And if you want to read
more, just go to IRS.gov. And we are going to be doing a webinar each day that focuses on the
Security Message of the Day. So we hope that you'll join us all week. The IRS is working in
partnership - Philip, I'll turn this over to you. I apologize.

Yamalis: Thank you, Brian,
appreciate it. As you started to say, the IRS is working in partnership with state tax agencies
and the tax industry. We call ourselves the Security Summit. We've been working very diligently
on these issues as a group for 5 years and we've made tremendous progress. Now, we've seen a
dramatic decline in the number of confirmed identity theft returns and the amount of stolen
refunds, and finally in the number of people who are self-reporting as identity-theft victims.
But, ladies and gentlemen, we can't continue this progress without your help. We need everyone,
individuals, businesses, tax professionals, to take the necessary security steps to protect
their information and data. Now, we don't have to tell you that 2020 has been a challenging year
for everyone. This pandemic combined with people working remotely means that online security
measures are more important than ever. Thieves have really tried to exploit the COVID-19
concerns, as well as the Economic Impact Payment to deceive taxpayers into disclosing sensitive
information. There've been thousands of variations of COVID-related scams this year. Brian?

Wozniak: Okay. With that in mind, let's review a few basic steps everyone should take. First,
Secure Shopping. This is for those of you, who are doing your shopping online. We recommend that
you shop at sites where the web address begins with the letters HTTPS, so that when you're making
online purchases, the website should begin with those letters, HTTPS, because the S at the end,
that stands for secure communications over the computer network. And your browser, your
web-browser, should also display a padlock icon in the browser window to indicate that you have
a secure connection on the web server. And, of course, don't shop online using an unsecured public
Wi-Fi, such as at places like a mall or a coffee shop. And remember, when you're using unsecured
public Wi-Fi, thieves can eavesdrop on you. Now, with secure online shopping in mind, and for
secure Internet surfing, here are just a couple of basic, a few basic steps everyone should
take. First, use security software for computers and mobile devices. A fundamental step to data
security is the installation and use of security software on your computers. If you're connected
to the Internet, which obviously you are, you must install security software. And this slide
lists the various types of security software you need and their purpose. The first one there,
Anti-virus Software, this prevents bad software such as malware, from causing damage to a
computer. Then there's Anti-Spyware. This prevents unauthorized software from stealing
information that's on a computer or perhaps processed through your system. And the third one there
listed is a Firewall. This simply blocks unwanted connections. And both Windows and Mac operating
systems come with factory-installed security software and with encryption technology. And both
operating systems also come with built-in firewall protection, which you should enable unless
your anti-virus software includes the firewall feature already. And, of course, you may
separately purchase security software that offers a suite of protections that will usually cover
both your laptop, computers and your mobile phone. And here's an important tip. Of course, we
recommend that you set your security software to update automatically. And that just simply helps
keep it up to date and guard against the latest threats. And please, do not forget to secure your
mobile phone as well. This is important, because this is an area that people sometimes overlook.
The thieves have become more adept at compromising mobile phones and phone users are also more
prone to open a scam e-mail from their phone, than from their computer. And taxpayers can check
out security recommendations for their specific mobile phone by reviewing the Federal
Communication Commission's Smartphone Security Checker, and that's listed on the last item in
this slide, and you can find the Smartphone Security Checker at FCC.gov. Now, finally, a question
that commonly comes up is how do you find good security software? We would suggest that you
review a few websites, such as PC Magazine, CNET, or Wirecutter, and Wirecutter is part of the
New York Times, these - as well as other news outlets, they conduct periodic reviews and rankings
of security software. So that's a great place to start. So that's our discussion on security
software. What's our next recommendation, Philip?

Yamalis: Well, Brian, thanks for that valuable
information on protecting our data online. Why don't we turn it now to phishing scams? More than
90% of all data thefts begin with a simple e-mail phishing scam. These also are exploiting as I
mentioned earlier the coronavirus pandemic as well as the economic impact payments passed by
congress to assist people, right. As I mentioned earlier, there are thousands of variations of a
COVID-19 scam these days. In one of the latest scams, these pose as state agencies, e-mailing
taxpayers to tell them that their economic impact payment was available, but they need to provide
their bank account information to receive it. Boy - ladies and gentlemen, this is a classic scam.
Neither state agencies, the Internal Revenue Service nor nonprofits will ever e-mail you to
request bank account information. We will never - we will have more on these scams later in
this week. So here's what you need to know to protect yourself from a phishing scam. First, the
most common way thieves steal identities is simply asking for it. A favorite tactic is a phishing
e-mail. Phishing e-mails will bait users into opening them, posing as a trusted company like a bank,
a favorite retailer, or even your tax professional. Second, please learn to recognize and avoid
these phishing e-mails. Scams tell an urgent story like there's a problem with your account or
your order, or you've just won a big prize or like our example you have a tax rebate due. The
message then instructs the receiver to open an embedded link or download an attachment. Third,
don't take the bait. The e-mail link, they send users to a familiar website to log in. But your
username and password goes to the thieves, where the scam suggests users to open an attachment
which secretly downloads malicious software. Either method works for identity thieves. The scam
e-mails can show up in personal inboxes or even to a work inbox, endangering the entire work
organization. And as Brian indicated just a moment ago, mobile phone users are especially prone
to responding more than those working on laptops or computers. So if you're at home, just simply
delete the e-mail. If you're at work, follow your work organization's guidance on handling scam
e-mail. Brian?

Wozniak: Okay, Philip, don't take the bait on those phishing e-mails people. Let's
move on and talk about passwords, because strong passwords are critical to protecting your online
accounts. And you should use strong and unique passwords for each account and the latest
guidance from experts suggests that you should use a phrase or a series of words that can easily
be remembered and that it should be 10 characters or longer. And there's also guidance that you
should consider using a password manager. A password manager is it's kind of like a digital vault
that can house, secure and manage all of your online passwords. And some of these apps for
password managers are free. Some of them that perhaps cover all your devices may have a fee. And
again, you can search on those resources we previously mentioned. There's PC Magazine, CNET or
Wirecutter just as a fast way to read the reviews and rankings of password managers, or even just
to educate yourself about password managers in general. Now, when you log into an account, you
use your credentials specifically, it's typically your username and your password. And these
credentials are used to verify your identity. But identity theft is so rampant that you may have
your credentials stolen, and then the thieves can gain access to your accounts. And there is a
much better way to protect your accounts. And it's called multi-factor authentication or
two-factor authentication. And what it means is that in addition to entering your username and
password credentials when you access an account, you will also need one more item to verify your
identity before accessing an account. And that second factor that you need is usually a security
code that is sent as a text message to your cell phone or security code sent to your designated
e-mail address that you provide it. I think most people are aware that multi-factor
authentication is now offered in many places, especially at banking and financial products. But
it's also available on tax software products, e-mails, social media and elsewhere. And we
strongly urge you to use multi-factor authentication whenever it is offered. And we're hosting a
webinar tomorrow that specifically covers multi-factor authentication in more detail. So we hope
that you'll join us for that. So in summary on this slide, use strong passwords and use
multi-factor authentication when available. Philip?

Yamalis: Thanks, Brian. I'm certainly looking
forward to that multi-factor authentication webinar tomorrow with our colleagues. But for those
of us that are working from home more and more during this pandemic, there are a few extra
security steps to consider to protect yourself while working from home. Indeed, you should
back up files on computers and mobile phones as well. A cloud service or external hard drive can
be used to copy information from computers or phones, providing an important place to recover
financial or tax data. Now, if you're working from home, it's critical that you have a secure
connection to your workplace. This is especially true for tax professionals or others that share
sensitive information between your home device and your office work systems. You should consider
creating a Virtual Private Network otherwise known as a VPN to securely connect to your
workplace. The VPN is another product that you can search for reviews and rankings. You should
also secure home Wi-Fis with a strong password. As homes become more connected to the web, secured
systems become more important, from wireless printers, wireless doorbells and door locks,
wireless thermometers. These wireless items can be access points for identity thieves. Each one
has a factory password that should be changed as soon as you have the opportunity to do so. So
let's recap some of the points that Brian and I have made today. First, let me remind you that
you should use anti-virus software and keep it updated, right; number 2, beware of those pesky
phishing scams; number 3, use strong passwords, a password manager as well as multi-factor
authentication; four, create a secure work environment at home by backing up files, creating a
secure network and updating your passwords on wireless devices. Finally, practice secure
shopping. So this will conclude today's presentation ladies and gentlemen. We're going to answer
some of your questions next. So please don't leave us just yet. Before Brian and I answer some of
your questions today. Let me just give you a glimpse of what we have on tap for the next 4 days
of National Tax Security Awareness webinars this week. I know we're going a little long here, but
just to give you the lineup for the rest of the week. Tuesday, we'll talk more about protecting
your online account as Brian mentioned, especially with multi-factor or two-factor
authentication. Multi-factor authentication will be offered in 2021 by many tax preparation
software products. On Wednesday, we'll explain how you can create an account with the Internal
Revenue Service and get an Identity Protection PIN that would help you secure your tax return
from identity thieves. Thursday, we'll have some tips for small businesses, who are frequent targets
of cyber criminals, and steps to protect yourself from those cyber criminals. Finally, Friday, we'll
review some of the latest scams that we're seeing that are targeting taxpayers as well as tax
preparers, especially during this pandemic. So, Brian, why don't you take it away and begin the
question-and-answer period for us?

Wozniak: Okay, Phil, you want to kick it off with the answer or
shall I? I got - we've got quite a few questions teed up here.

Yamalis: Well, let me go ahead and
start by asking you a question. I see a question that came in here by a tax professional, says,
"My wireless network already has a password. What else should I do to secure it, Brian?"

Wozniak: And Philip, I know you just talked about securing Wi-Fi toward the end of the presentation there.
There's quite a bit here. Let's all consider that first of all, many of us are working at home
and doing more transactions online. So securing a wireless network is very important. Some of the
most basic steps are, first of all, you should change the default administrative password for
your wireless connection. So when you get a wireless router, you should change the password and
use a strong unique password. We talked about that already. But I bring this up, because many of
the routers, when you're issued a router, sometimes the password is posted right on the router
itself, on a sticker. So if someone's over at your house and your router is downstairs or in
your dining room table, they could take a picture of it with their phone and have access to your
wireless connection. So change the default password that comes with the router. Second, you can
change the wireless power range, so that you're not broadcasting further than you need to. And,
yeah, well, I think everyone on the call is familiar that when you log into your wireless, you
can oftentimes see all the neighbors around you and who's online et cetera. Well, you can log
into your wireless LAN settings. And there's an advanced setting in there, it's called transmit
power. And then you can change the power, so that you're not broadcasting 300 feet from your
house or your place of business. And you may need to call your service provider to help you if
you can't find it in the settings. So change the power range. And you can also change the name of
your router. So it doesn't have to be the default name that the wireless provider gives you. You
can change it to anything you want. And that's used - you have to change something called the
Service Set Identifier, it's commonly abbreviated SSID. So, for example, if you're in business,
you could change it, so it doesn't show the name of the business or if you just don't want your
neighbors to have it. And then the final thing I just want to bring up on this, and Philip, you
already touched on it. But many of us now have more connections than ever to our wireless system.
So if you have a wireless printer connected, that printer oftentimes comes with a default
password, you have to change that default password, if you have wireless door locks, if you have
a wireless security system with default passwords. We've seen cases where there was a wireless
thermometer, where the heating and system - heating and cooling system were connected to
wireless. All those are potential gateways for the thieves to get into your wireless system, and
then, further compromise it. So you just want to make sure that everything that's connected to
the wireless is secured. I hope I…

Yamalis: Brian, you bring up some fantastic points here. And
that's awesome. I do want to remind our attendees today that we still have time to answer a few
more questions. So please take the time. Open the Ask Question feature. Submit your questions to
us. And we'll be glad to go through a few of them for you. We do have a few more in the horizon
here that I see. Do submit your questions…

Wozniak: Hey, Phil, I got one for you. Let's…

Yamalis: Yeah. And remember not to submit any specific information when you're sending your
questions to us. Go ahead, Brian.

Wozniak: Yeah, Philip, so, right, please don't send any names or social
security numbers, keep it on the topics. But, Philip, we have several questions. You talked about
how 90% of all these scams are related to phishing e-mail. So you have several questions here
for you. First one is what to do - what do you do if you receive a suspicious IRS related e-mail?

Yamalis: Yeah, Brian, that's an excellent question. And we've touched on it during today's
webinar. If you receive an e-mail that claims to be from the Internal Revenue Service, especially
if it claims to be from the IRS, and it contains a request for personal information, if it
contains a request for taxes associated with a large investment, inheritance or lottery, we beg
you and ask you, don't reply. Number 2, don't open any attachments to those suspicious e-mails.
That can contain malicious code as we indicated earlier. That could seriously infect your
computer or mobile phone. Don't click on any links on any suspicious IRS related e-mail. Visit
our Identity Protection page on IRS.gov. If you clicked on links in a suspicious e-mail or
website and entered confidential information, that Identity Protection page tells you what
resources that we have for you. Finally, forward those suspicious e-mails, preferably with the
full e-mail header, e-mail as it is, just as it is to phishing@IRS.gov. That's phishing,
P-H-I-S-H-I-N-G@IRS.gov. Don't forward scanned images, because this removes valuable information
from the e-mail. And finally, delete the original e-mail if it's a suspicious IRS related e-mail.
Brian, let me go ahead and ask you a question that seems to be hot here. It asks here, do you
recommend using cloud storage for backing up files, Brian?

Wozniak: It depends. There's a lot of
cloud storage companies out there, I think, the critical component is that you need to use - you
should be using some type of backup software or backup services. So any files that you feel are
critical, extremely important on your computers or computer systems, they should be backed up to
an external source such as Cloud. And that means, it's either - you could use either cloud
storage service or a similar product. Or you could back it up to an external disk, such as an
external hard drive or some other thumb drive, et cetera. The point is that you need the backup.
And using both of those, it's not uncommon that you could back up to the cloud as well as an
external hard drive. I think one key part that's missing, and we talked about using security
software is that you want to have the security software in there, first of all, so you want to
have the firewalls, the anti-virus, anti-malware, et cetera. And when you do a backup, one thing
that we've found oftentimes is just kind of a best practice is, number 1, before you back up, run
your security software, make sure you have all the latest versions, make sure everything's up to
date, and run it and then make sure that everything's updated. And then number 2, encrypt the
information. So using drive encryption, or disk encryption, that transforms the data on the
computer into those unreadable files that are all garbled up when you open them, so that even if
someone opens it, they still can't read it. And then number 3, then you back it up to the cloud
and/or a removable hard disk. So it's kind of 3 parts, you check your software, your malware,
firewalls, make sure they're up to date, you encrypt the data, and then you back it up to the
cloud and or a removable device. So I hope that answered it. Philip, I'm going to tag on,
because I'm going to just jump in here…

Yamalis: Let me just clarify something.

Wozniak: Yeah. Go ahead.

Yamalis: Let me clarify before you do that. So when you're saying that we back up on an
external hard drive or on another drive like a cloud device, that doesn't mean that we're
recommending that you work only with that drive and not work your normal computer, you use your
computer. The backup is simply for that. The backup if something does happen to your storage,
right?

Wozniak: You do. You backup obviously on your computer system, and then you have those
secondary systems. And one thing on backups, that's very important, we're seeing more and more
ransomware attacks where the thieves come in and lock down a computer system to where you can't
access the information on your computer. So having a backup to go to is very important. It's one
of the critical things we see with these malicious ransomware programs, as well as some trojans
and other viruses that are out there. Yamalis: Right. Right, absolutely. Wozniak: Philip, I'm
going to digress a little bit back to the phishing e-mails, because you had talked about what to
do if someone receives some suspicious e-mail that looks like it's IRS related. And you talked
about, don't take the bait and forward it to phishing@IRS.gov. What do people do if they receive
a phishing e-mail that is not IRS or tax related? Do you have any information on that?

Yamalis: Sure, Brian, I mean, these phishing e-mails come from all over the place. I mean, my favorite one
is the one that I got from Kenya saying that - those were the early days of the phishing
schemes - where I hit the lottery from the estate of somebody. And, yeah, it was like, "Okay,
great, I can't wait to receive that income." But, look, if you receive a suspicious phishing
e-mail that's not claimed to be from the IRS, we've got some sites that you can look at. One of
the recommendations that I always suggest to folks is to forward the e-mail to
reportphishing@antiphishing.org. That's reportphishing@antiphishing.org. They are a consortium of
anti-phishing, that's put out by the federal government that allows folks to go ahead and report
these phishing schemes to this organization. Now, if you've received an e-mail that you suspect
contains malicious code, or malicious attachment, you have clicked on that link, where you
downloaded the attachment, if it's not IRS tax related, you can visit On Guard Online - that's all
one word, OnGuardOnline.gov - to learn what to do if you suspect to have malware on your
computer. Of course, if it is tax related, we would ask you to contact your local Stakeholder
Liaison to get you started in the process to protect you so that your data isn't released any
further. Now, if you received an e-mail that you suspect contains malicious code, or a malicious
attachment, and you have not clicked on the link, or downloaded the attachment. We'd simply ask
you to forward the e-mail to your Internet service provider's abuse department, or/and go to
spam@UCE.gov, spam@UCE.gov. These are some references that we have for you. Of course, you can
always visit the IRS.gov page under Identity Protection. And we can give you further resources
there, as well as the Federal Trade Commission's website, as you mentioned earlier, FTC.gov as
well as FCC.gov, two very, very important resources that we advise our folks to use.

Wozniak: Yeah, they're all great resources, Philip. And I do want to emphasize something you just
said, if you go to IRS.gov, Philip mentioned the link for identity theft protection that's at
the bottom of the page every time you go to IRS.gov. You can always find identity theft
information there. You'll see a link for identity theft protection. We also have links on Taxes
Security Together and Tax Security 2.0. And it'll talk about various measures you can take. I
think just one final thing I want to mention, Philip, before we depart if someone's asking about
antivirus versus firewalls, versus malware, et cetera. I just want to clarify that firewalls
control your network traffic. They're a shield. They control what's coming in, the incoming and
outgoing traffic to the system. And they prevent files from coming in or out. Anti-virus
protection detects malicious files that have already entered the system. But they don't network -
they don't monitor the network or the traffic coming in. Anti-viruses are really designed to
scan, detect and prevent suspicious files. And then, when they identify them, they isolate and
usually delete those infected files. So a firewall monitors the traffic and prevents it from
entering or coming in and out. The problem is, viruses also enter the system when a user
downloads a file. If you click on one of those links, or you click - not only click on a link in
the spam e-mail, but you click the download or you might even put in a corrupted CD or USB
thumb-drive, so that's how viruses often get around the firewall, and then, that's where the
antivirus comes into play, and has to identify, detect, isolate and delete those files. So there
- you have to use both of them. They're not - they perform different functions. So once the virus
bypasses a firewall, that's when the anti-virus comes in. One works at the file level. One works
at the system level. And you can't choose between the two. You have to have anti-virus and
firewall, because the roles are different. And then, you'll hear terms like anti-malware,
anti-spyware. Anti-malware, these are a type almost of anti-virus software. They are tools that
are designed to identify and remove specific malware threats. Some anti-malware specifically to
identify ransomware, trojans, and anti-spyware identify those specific threats. So those things,
you need a full suite of products to protect yourself. You can't pick and choose between one and
the other. With that, Philip, I don't know how we're doing on time here. Let's take a look.

Yamalis: So, Brian, they - we're going to wrap it up, add a few extra minutes. And just one more
thing that I wanted to say, and then I think we should wrap it up based on time. There was a
question here that asks, "How do we verify that an e-mail or a phone call that I received is from
the IRS to avoid getting entrapped by these thieves out there?" And that's an excellent question
that I think if we haven't touched it, we should. Look, if you want to verify a contact that you
receive from the IRS, you need to go to IRS.gov. Search on the letter, the notice, the form
number that you receive. Please be aware that fraudsters often modify legitimate IRS letters and
forms, right? You can also find information at Understanding Your Notice or Letter on IRS.gov or
by searching the Forms & Instructions. So please see the article on IRS.gov, "How to know it's
Really the IRS Calling or Knocking on Your Door." And that gives you the information. If it's
legitimate, you'll find instructions on how to respond. If the completion of a form is required,
if provided by a questionable contact, you should always verify the form is identical with the
same form on IRS.gov. If you don't find information on our website, or the instructions are
different from what you're told to do in the letter, the notice or the form, again, please use
the appropriate online resources at IRS.gov. Once you've determined that it's not a legitimate
contact, we ask that you report the incident to the Treasury Inspector General, or TIGTA, and to
us at phishing, of course, @IRS.gov. TIGTA has their website, at TIGTA.gov. So, two excellent
resources, many resources on IRS.gov to verify contact information from the IRS. Brian?

Wozniak: Okay. So don't take the bait. I think Philip really emphasized at that point. So let's wrap it
up. That's really all the time we have for questions. We would appreciate if you would take a few
minutes to complete a short evaluation before you exit. If you'd like to have more sessions like
this one, let us know. If you have thoughts on how we can make them better, please let us know
that as well. If you have any requests for future webinar topics, or maybe you would like to see
some information posted in an IRS Factsheet or a Tax Tip or Frequently Asked Question posted on
IRS.gov, then just include your suggestions in the comments section of the survey. So you can
click the survey button on your screen to begin. If it does not come up, you might need to check
to make sure you disabled your pop-up blocker. It has been a pleasure to be here with you, and we
would like to thank you for attending today's webinar. You may exit the webinar at this time.
Thank you. Good day.