Check System
Send us your comment!

Your comment will be read by our web staff, but will not be published.

Please do not enter any personal information. Your comment is voluntary and will remain anonymous, therefore we do not collect any information which would enable us to respond to any inquiries.

However, provides a How to Contact the IRS page where you will find guidance on where to submit specific questions.

Share this presentation
Copy and paste the following URL to share this presentation
To email a link to this presentation, click the following:
This program writes a small 'cookie' locally on your computer when you set a bookmark.
If you want to utilize this feature, check the following checkbox. Otherwise, bookmarks will be disabled.
This is an IRS
audio presentation.

To view this page, ensure that Adobe Flash Player
version 10 or greater is installed.

Get Adobe Flash player

Slides PDF

DOUG BLADE: OK, I see it is the top of the hour. For those just joining us, welcome to today's webinar, Tax Security 2.0: A Tax Pro's Security Checklist. We're glad you're joining us today.

My name is Doug Blade and I am a stakeholder liaison with the Internal Revenue Service, and I will be your moderator for today's webinar which is slated for 120 minutes. Before we begin, if there is anyone in the audience that is with the media, please send an email message to the address on this slide. Be sure to include your contact information and the news publication you are with. Our media relations specialist staff will assist you and answer any questions you may have. As a reminder, this webinar will be recorded and posted to the IRS video portal in a few weeks. This portal is located at Please note, continuing education credit or certificates of completion are not offered if you view an archived version of our webinars on the IRS video portal. In case you experience a technology issue, this slide shows helpful tips and reminders. We've posted a technical help document you can download from the material section on the left side of your screen. It provides the minimum system requirements reviewing this webinar along with some best practices and quick solutions. If you have completed and passed your systems check and you are still having problems, try one of the following. The first option is to close the screen where you are viewing the webinar and relaunch it. The second option is to click on the settings on your browser viewing screen and select "H-L-S". You should have received today's PowerPoint in a reminder email, but if not, no worries. You can download it by clicking on the materials drop down arrow on the left slide of your screen as shown on this slide. Closed captioning is available for today's presentation.

If you are having trouble hearing the audio through your computer speakers, please click on the closed captioning dropdown arrow located on the left-side of your screen. This feature will be available throughout the webinar. During the presentation, we'll take a few breaks to share knowledge-based questions with you. At those times, a polling style feature will pop up on your screen with a question and multiple-choice answers. Select the response you believe is correct by clicking on the radio button next to your selection and then clicking submit. Some people may not get the polling question. This may be because you have your popup blocker on, so please take a moment to disable your popup blocker now so you can answer the questions.

If you have a topic-specific question, please submit it by clicking the ask question dropdown arrow to reveal the text box. Type your question in the text box and then click, "Send" Very important, please do not enter any sensitive or taxpayer-specific information. Again, welcome and thank you for joining us. Today we will be sharing updated information on Tax Security 2.0: A Tax Pro's Security Checklist. We are joined today by two stakeholder liaisons, who are a part of a team of stakeholder liaisons that work to help tax pros who have been affected by either a data breach or a ransomware attack. Anna Falkenstein is a stakeholder liaison in Virginia, and Veronica Tubman is a stakeholder liaison in Maryland. Anna and Veronica will be joined later in the webcast by two tax professionals who will share their experiences with data breaches and the group will be answering questions that may help you in the future. And with that, let's begin our discussion on Tax Security 2.0: A Tax Pro's Security Checklist. Anna, it's all yours. VERONICA TUBMAN: Anna, if you're speaking, you might want to check your microphone. ANNA FALKENSTEIN: Thank you so much. I apologize. I thought I had muted - unmuted enough. I will start again. Doug, we're happy to be here and we want to share some important information with all of you today that we hope that you'll find useful. Just as you work to get prepared for the filing season, so do cyber criminals. Identity thieves are out there right now probing defenses. They're seeking new ways into your system and are committed to stealing as much as your client data as they can. While this year's filing season has been extended, that just gives the crooks more time to invade your system. Last year, the IRS and its partners, the state tax agencies, and the tax software industry, released Taxes Security Together Checklist and they called on tax professionals to use this checklist to ensure that they have safeguards in place. I also want to stress that these are actually basic actions.

We strongly urge you to do as much as you can. For those of you who can't afford to hire your own cyber security expert, we offer this checklist. Number one, deploy the Security Six measures that we'll be talking more about later. Two, create a data security plan. Three, educate yourself on phishing email. Four, recognize the signs of client data theft. And five, create a data theft recovery plan. During this webinar, we will go in depth on each one of these items, so let's do the first one. The initial step on the checklist involves the Security Six Protections. The Security Six Protections are, one, antivirus software; two, firewall; three, two-factor authentication; four, backup software and services; five, drive encryption and six, virtual private network, the VPN. We'll now go into detail on each of these on the next slide. Veronica, how about starting with number one. TUBMAN: Sure, Anna. Number one, antivirus software. This is overlooked many times, but we want to stress the importance of having antivirus software. Although details may vary between commercial products, antivirus software scans, computer files, or memory for certain patterns that may indicate the presence of malicious software, also called malware. Antivirus software, sometimes more broadly referred to as anti-malware software, looks for patterns based on the signatures and definitions of known malware from cyber criminals. Antivirus senders find new issues and update malware daily, so it is extremely important that people have the latest update installed on their computer. Now, this is according to the U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security. Once users have installed an antivirus package, they should scan their entire computer periodically by doing the following Automatic Scan - most antivirus software can be configured to automatically scan specific files or directories in real time and prompt users can set intervals to perform complete scans. Keep security software set to automatically receive the latest update so that it is always current. Manual scan - if the antivirus software does not automatically scan new files, users should manually scan files and media received from an outside source before opening them. This manual process includes, saving and scanning email attachments or web downloads, rather than opening them directly from the source; scanning portable media, and that's including CDs and DVDs, for malware before opening files. Sometimes the software will produce a dialogue box with an alert that it has found malware and asks whether users want it to clean the file to remove the malware. In other cases, the software may attempt to remove the malware without asking first. It is very important that when selecting an antivirus package, users should learn about its features, so you know what to except. Keep security software set to automatically receive the latest update so that it is always current. You know a strong security software should protect against spyware; a category of malware intended to steal sensitive data and passwords without the user's knowledge. A strong security package always should contain anti-phishing capability.

Never open an email from a suspicious source, click on a link in a suspicious email, or open an attachment or else you could be a victim of a phishing attack and you and your clients' data could be compromised. But remember, never click links with popup windows. Never ever download free software from a popup. Never follow email links that offer anti-spyware software. The links and popups may be installing the spyware they claim to be eliminating. So, it is important to do research to find the best antivirus for your needs. One recommendation is to use your internet browser to search for major reputable publications that compare antivirus software and provide user ratings for various products. Number two, firewall. Firewalls provide protection against outside attackers by shielding your computer or netware - excuse me, network, for malicious or unnecessary web traffic and preventing malicious software from accessing your system. Firewalls can be configured to block data from certain suspicious locations or applications while allowing relevant and necessary data through. Firewalls may be broadly categorized as hardware or software. While both have their advantages and disadvantages, the decision to use a firewall is far more important than deciding which type you use. Let's talk about hardware. Typically called network firewall, these external devices are positioned between a computer and the internet or another network connection.

Hardware-based firewalls are particularly useful for protecting multiple computers and control the network activity that attempts to pass through them. Software - most operating systems include a built-in firewall feature that should be enabled for added protection even if using an external firewall. Firewall software can also be obtained as separate software from a local computer store, software vendor, or internet service provider. If downloading firewall software from the internet, make sure it is from a reputable source such as an established software vendor or a service provider and offered via a secure website. While properly configured firewalls may be effective at blocking some cyber attacks, don't be lured into a false sense of security. Firewalls do not guarantee that a computer will not be attacked.

Firewalls primarily help protect against malicious traffic, not against malicious programs, and we talked about that; that's malware. It may not protect the device if the user accidentally installs malware. However, using a firewall in conjunction with other protective measures, such as antivirus software and safe computing practices will strengthen resistance to attack. Number three, two-factor authentication. Many email providers now offer customers two-factor authentication protection to access email accounts. Everyone should always use this option to prevent their accounts from being taken over by cyber criminals and putting their clients and themselves at risk. Two-factor authentication helps by adding an extra layer of protection beyond a password. Often, two-factor authentication means the returning user must enter credentials - generally a username and password - plus another step such as entering a security code sent via text to a mobile phone. The idea is a thief may be able to steal the username and password, but it's highly unlikely that they also would have a user's mobile phone to receive a security code and complete the process. The use of two-factor authentication, and even three-factor authentication, is on the rise. And we always should opt for a multi-factor authentication protection when it is offered, whether on an email account or a tax software account or any password-protected product. IRS Secure Access, which protects pools, including e-Services, Get Transcript and many others, is an example of two-factor authentication. And now, I think it's time for our first polling questions. Doug? BLADE: Yes. It is time for our first polling question. So, what factors - excuse me - what product uses multi-factor or two-factor authentication? Is it, A, tax software; B, Get Transcript; C, e-Services; or, D, all of the above? Take a moment, consider your answer, click on the radio button that best answers the question. I'll give you a few more seconds to make your selection.

OK. We will stop the polling now and let's share the correct answer on the next slide. OK.

And the correct response is D, all of the above. Let's see how well you all did with this question. I see that 91 percent of you responded correctly. That's a great response rate.

Now, let's move on back with the Security Six list. Anna, what is next? FALKENSTEIN: All right. We've got number four, backup software and services. Critical files on computers should routinely be backed up by external sources. This means that a copy of the file is made and stored either online as a part of a cloud storage service or a similar product or a copy of the file is made to an external disk such as an external hard drive that can - that can now come with multiple terabytes of storage capacity. Critical client data files that are backed up should also be encrypted for the safety of the information. And while we are on that, number five, drive encryption. Given the sensitive client data maintained on your computers, users should consider drive encryption software for full-disk encryption. Drive encryption or disk encryption transforms data on the computer into unreadable files for an unauthorized person accessing the computer to obtain data. Drive encryption may come as a standalone security software product. It may also include encryption for removable media such as a thumb drive and its data. Now, number six, virtual private network or VPN. Due to the high level of practitioners currently working remotely, this next subject is crucial. Many times, cyber criminals are able to access your computer network through an unsecured Wi-Fi connection. For example, an employee connects to your network from home or public Wi-Fi using remote access and the cyber criminal is able to get in and steal your data. If employees must occasionally connect to an unknown network or work from home, it's strongly recommended that the employer establishes an encrypted virtual private network - VPN. And that allows for a more secure connection. Depending on the number of employees accessing the network, you may need more than one. A VPN provides a secure encrypted tunnel that allows them to transmit data between a remote user via the Internet and the company network. You can search for best VPNs on the Internet or check with your local IT specialist to find a legitimate vendor. Major technology sites often provide lists of top services. Now that we have reviewed the Security Six, how do you get started, Veronica? TUBMAN: That's a good question. Here we go. How to get started wit the Security Six. All tax professionals and businesses should review their professional insurance policy to ensure the business is protected should a data theft occur. Some insurance companies will provide cyber security experts for their client. These experts can help with technology safeguards and offer more advanced recommendation. Having the proper insurance coverage is a common recommendation from tax professionals and businesses who have experienced data theft. An insurance policy provider will provide assistance to prevent a data breach.

And if the worst happens, it helps the business recover. There is help with security recommendation in the recently revised IRS Publication 4557, Safeguarding Taxpayer Data and Small Business Information Security - The Fundamentals. And that's by the National Institute of Standards and Technology or NIST. And that can be accessed at Doug, I think it's time for our next polling question. BLADE: Yes, it is, Veronica. OK, audience. Here is our next polling question. The Taxes-Security-Together Checklist highlights the following key Security Six measures. Is it A, antivirus, firewall, two-factor authentication, recovery plan, drive encryption, VPN; or, B, antivirus, firewall, two-factor authentication, backup software, drive encryption, VPN; or is it D, antivirus, firewall, two-factor authentication, phishing, drive encryption, VPN; or, D, none of the above? So, take a minute, review the question again and the possible answers and, then, click on the radio button you believe that would most closely answer this question. So, hopefully, you've had a chance to review these and make your selection. We will give you a few more seconds to make your selection. OK. We will stop the polling now, and we will share the correct answer on the next slide. And the correct answer is B, antivirus, firewall, two-factor authentication, backup software, drive encryption, VPN. I see that 70 percent of you responded correctly. So, Veronica, can you maybe clarify this to help our audience to get this concept? TUBMAN: Sure, Doug. Always remember that the antivirus, the firewall - so, we are going to take a look at the responses - the two-factor authentication. But, most of all, the backup software really helps, the drive encryption and the VPN. The recovery plan is after the breach has occurred or there has been an interruption.

And the phishing is always before. So, just keep in mind, as it relates to the Security Six measures: Antivirus, firewall, two-factor authentication, backup software, drive encryption and VPN. There you have it. BLADE: Great. Do you want to continue on, then, Veronica, with the step two, create a data security plan? TUBMAN: I'd like that Doug. Thanks so much. Step two, create a data security plan under federal law. Various business entities including tax professionals do not realize they are required under federal law to have a data security plan.

According to the FTC Safeguards Rule, tax professionals and other businesses must create an enact a security plan to protect client data. Failure to do so may result in an FTC investigation. So, please see Publication 4557 and Publication 5293, Data Security Resource Guide for Tax Professionals. And that will help you with more information on how to set up your plan. Step three, educate yourself on phishing email. So, more than 90 percent of all data thefts start with a phishing email. The employee may open a link that takes them to a fake site and open an attachment that is embedded with malware that secretly downloads onto their computer. The IRS often sees tax professionals victimized after being targeted with a tactic called spear phishing. The objective of a spear phishing is to pose as a trusted source and bait the recipient into opening an embedded link or an attachment. The email may make an urgent plea to the tax pro to update an account immediately. A link may seem to go to another trusted website - so, for example, a cloud storage or tax software provider logon page. But, it's actually, a website controlled by the thief. Then the thief takes control of your account. An attachment may contain malicious software called keylogging, which secretly infects computers and provides the thief with the ability to see every keystroke. These can steal passwords to various accounts or even take control of computers, enabling them to steal taxpayer data. So, keep that in mind. Common spear phishing themes or scams, seen by the IRS thieves posing as prospective client and sending unsolicited emails to tax professionals. After an exchange of emails, the thief sends an email with an attachment claiming to contain the tax information needed to prepare a return. Instead, it contains spyware that allows thieves to track each keystroke. The IRS also sees these posing as tax software providers or data storage providers with emails containing links that go to webpages that mirror real sites. So, look out. The thieves' goal is to trick tax professionals into entering their usernames and passwords into these fake sites, which the crooks then steal. Another trick used by thieves is rather than stealing the data, they encrypt it. Now, that's a practice known as ransomware. Once they encrypt the data, thieves demand a ransom in return for the code to unencrypt the data. The Federal Bureau of Investigation warns users, not to pay the ransom because thieves often do not provide the code. The FBI has also called ransomware attacks a growing threat to businesses and others. So, be on the lookout. Anna is going to take us through the next step. Anna?

FALKENSTEIN: OK. Well, before I take you through the next step, we wanted to show you a real example of a phishing email. And this was actually received by one of our partners. While this has a real IRS person's name, it is not an IRS email. Remember, always take a look at the spelling and grammar. Also, the IRS typically does not ask you to click on links or attachments when dealing with a specific case or taxpayer account. If you ever suspect that a notice or an email is a scam, you can always talk to your local stakeholder liaison for clarification. And, also, we ask that you forward a copy to And that's Educated employees are the key to avoiding phishing scams. And office systems are only as safe as the least-informed employee. These simple steps can also help protect against stolen data. So, use separate personal and business email accounts. Protect your email accounts with strong passwords and two-factor authentication if you have it. Update your security software frequently to help protect systems from malware. And scan emails for viruses. Never open or download attachments from unknown senders, including those potential clients. You may want to make contact first by phone, for example. Send only password-protected and encrypted documents if files must be shared with clients via email. Do not respond to suspicious to unknown emails. If IRS-related, we ask that you forward a copy to But, before we move on to step four of the checklists, Doug, I do think it's time for another polling question. BLADE: I agree. And here it is. Based on the information that we have shared, the IRS publication that has a section on how to comply with the FTC Safeguards Rule and the checklist of items to include in a data security plan is - is the answer A, Publication 17? Is the answer B, Publication 4557? Is the answer C, Publication One? Or is it D, Publication 505? Take a moment and click on the radio button you believe most closely answers this question. We will give you just a few more seconds to make your selection. OK.

We are going to stop the polling now, and we will share the correct answer on the next slide.

OK. The correct answer is B, Publication 4557, Safeguarding Taxpayer Data - A Guide To Your Business. I see that 86 percent of you responded correctly. That's a great response rate. So, next, Veronica will discuss recognizing the signs of data theft. It's the fourth item on the list. TUBMAN: Thanks, Doug. Step four, recognize the signs of data - client data theft.

Sorry. Tax professionals and everyone should learn the signs that their office may have experienced a data theft resulting in fraudulent tax returns being filed in their client's name.

Criminals are tax-savvy in their attempts to gain sensitive tax data. Now, thieves use stolen data from tax practitioners to create fraudulent returns that are harder for IRS to detect.

Now, here is an example of how destructive data theft can be. This is - before we go there - I just want to review one thing before we talk about a data theft or a data thief, should I say.

Please keep in mind the following. OK. Here we go. Just keep in mind as a resource for yourself Publication 4557, Safeguarding Taxpayer Data, and Small Business Security Publication, from the National Institute of Standards and Technology. But, we'll get into that a little bit more later. All right. Let's review. Now, here is an example of how destructive data theft can be. This is Vanyo Minkov from Bulgaria. He and his co-conspirators hacked into at least four accounting firms in New Jersey, Connecticut and Pennsylvania, stealing personal information from over 1,000 clients, filing fraudulent returns costing over $6 million. This cost the firms untold hours and money to recover from this hacking. Minkov was sentenced to 46 months in prison, two years supervised, released and ordered to pay restitution of just over $2.7 million. Now, this is just one example of a real data breach and the consequences are still being felt by practitioners until today. Signs of client data theft. Client e-file returns begin to be rejected by the IRS or state tax agencies because returns with their social security numbers were already filed. Because the IRS and state tax agencies will only accept one unique Social Security number, taxpayers often discover that they are victims when they attempt to e-file and their tax return is rejected because a return with their Social Security number is already in the system. Or, more commonly, the IRS identifies a return that could be an identity theft return and sends a letter to the taxpayer asking them to contact the agency to let the IRS know if they filed the return. Clients who haven't filed tax returns begin to receive taxpayer authentication letter, a 5071C, 5883C or 5747C, from the IRS. And the point of that is to confirm their identify for a submitted tax return. Now, some clients who haven't filed tax returns have received refunds in one scheme and the clients are then asked by the crook to send the refund to another account, believe it or not. Anna, I'll turn it over to you to cover some additional signs. FALKENSTEIN: Thanks, Veronica. There are quite a few additional signs that we need to relay to you. Clients may receive tax transcript that they did not request. Clients who create an IRS Online Service account may receive an IRS notice that their account was accessed or IRS emails stating that their account has been disabled or another variation of that - the client unexpectedly receive an IRS notice that an IRS online account was created in their name when they didn't create it. Here are some additional signs.

The number of returns filed with the tax professional's electronic filing identification number, the EFIN, exceeds the number of clients. During tax filing season, tax professionals should do a weekly review of their returns filed with their office's electronic filing identification number or EFIN. A report is updated weekly. Tax preparers can access their e-file application and select "Check EFIN status" to see account. If the numbers are inflated, practitioners should contact the IRS e-helpdesk immediately. Tax professionals may also notice IRS acknowledgments for returns that they did not e-file. Acknowledgments are sent soon after a return is transmitted. Tax professionals or clients may be responding to emails that the firm did not send. And tax professionals who fall victim to spear phishing email scams, a common way cyber criminals access office computers, may suddenly see responses to emails that they never sent. If a practitioner mistakenly provides username and password information to the thief, the thief often harvests the practitioners contact list. They can steal names and email addresses of colleagues or clients and enable the crook to use the tax firm to expand their spear phishing scam. Doug, I think it's time for another polling question. BLADE: Sounds good to me, Anna.

OK, audience. You know how this works. Here is the fourth polling question. Which of the following is a warning sign of a potential data theft? A, clients who haven't filed tax returns receive refunds; B, client's e-filed returns are accepted by the IRS; C, computer cursors moving without touching the keyboard; or, D, both A and C.? So, I'll read those responses - possible options again. A, clients who haven't filed returns receive refunds; B, client's e-filed returns are accepted by the IRS. Or is it C, computer cursors moving without touching the keyboard? Or is it D, both A and C? Please take a minute and click on the radio button that you believe most closely answers this question. We will give you a few more seconds to make your selection. OK. We are going to stop the polling now, and we will share the correct answer on the next slide. The correct response is D, both A and C. I see that 97 percent of you responded correctly. Outstanding. That's just a super response. Anna, we are ready for the final step, create a data theft recovery plan. FALKENSTEIN: That was an awesome response.

All right. Let's get on to step five, creating a data theft recovery plan. Rather than wait for an emergency, tax professionals should consider creating a data theft recovery plan, in advance. And make calling the IRS an immediate action item. Having an action plan can save valuable time and protect your clients and yourself. Refer to the resource publication such as Publication 5293, Data Security Resource Guide for Tax Professionals, as well as our IRS Web resources for information on how to set this up. Should a tax professional experience a data compromise, whether it's by cyber criminals, a physical theft or just an accident, there are certain basic steps that they should take. And these include contacting the IRS and law enforcement. You should report client data theft to your local IRS stakeholder liaison. They will notify IRS Criminal Investigations and others within the agency on the tax professional's behalf. Speed is critical here. If reported quickly, the IRS can take steps to block fraudulent returns in your clients' names, helping your firm and your clients. Be prepared to submit a complete client list with our Campus Return Integrity team. And that will begin the process to protect your client. We have been updating and fine tuning our process in order to quickly get you back to filing returns and assisting your clients. Now, some of you may also be directed to call either, the Federal Bureau of Investigation - their local office - or Secret Service - again, their local office - or your local law enforcement. And it all depends on the nature of the breach. Veronica, what's next? TUBMAN: Next up is contacting the state, in which the tax professional prepares state tax returns, Anna. Any breach of personal information could have an effect on the victim's tax account with the state revenue agency as well as the IRS. To help tax professionals find where to report data security incidents at the state level, the Federation of Tax Administrators has completed a special email address as the contact point. And that's . State attorneys general for each state in which the tax professional prepares returns - most states require that the attorney general be notified of the data breaches. So, this notification process may involve multiple offices in some states. Also, if you file returns in multiple states, you will want to contact each of those states' point of contact, Contacting experts - victims of data breaches or ransomware should contact and consult with the security expert. They can help determine the cause and scope of the breach as well as stop the breach and prevent further breaches from occurring.

Practitioners will also need to contact their business insurance company, not only to report the breach but to check if the insurance policy covers data breach mitigation expenses. Now, contacting clients and other services. Review the Federal Trade Commission website for guidance for businesses. For more individualized guidance, contact the FTC at the email address shown on the screen. Credit bureaus or identify theft protection agencies as well. Certain states require offering credit monitoring and identity theft protection to victims of identify theft.

Please check with your state on this requirement. Please notify credit bureaus when there is a compromise. And your client may seek their services. Now, at a minimum, send an individual letter to all victims to inform them of the breach but work with law enforcement on timing.

That's key. Clients should only complete IRS Form 1439, Identify Theft Affidavit, if their - if their e-filed return is rejected because of a duplicate Social Security number or if they are instructed to do so. The FTC website has sample letters that can be used as a guide that will help on what should be included. Remember, IRS toll-free assistors cannot accept third-party notifications of tax-related identity theft. Again, preparers should use - should use and reach out to their local IRS stakeholder liaison to report the data loss immediately.

Remember, now, the objective of the Taxes-Security-Together Checklist is to ensure not only tax professionals but all businesses, whether a one-person shop or a major firm, that they understand the risk posed by national and international criminal syndication. They also need to take the appropriate steps to protect their clients and businesses. Additionally, they need to understand the laws around their obligation to secure that data. OK. Doug, it looks like we have time for one more polling question. BLADE: You are right, Veronica. Our last polling question is here. An action item to include in a data theft recovery plan is, A, contact state agencies. Is it B, contact security experts and insurance companies; or, C, contact the IRS and law enforcement; or, D, all of the above? So, those choices, again, are, A, contact state agencies; B, contact security experts and insurance companies; C, contact the IRS and law enforcement; or, D, all of the above? Please take a minute and review the question and possible answers, then click on the radio button you believe most closely answers this question.

We will give you just a few more seconds to make your selection. OK. We are going to stop the polling now and share the correct answer on the next slide. The correct response is D, all of the above. And, wow, we topped the last response. Ninety-nine percent of you responded correctly. So, I don't know what I would say here. I said "outstanding" for 97 percent.

Anyway, let's continue on. I'd like to just take a few moments now and introduce our guest speaker. Chris Cooke is a tax professional in Florida. Chris' firm was subject to a ransomware attack and, subsequently, several of her clients' information was used to file fraudulent returns. But, now, I'm getting ahead of myself. We are going to ask Chris if she would tell us her story in her own word, letting us know how she realized that she was attacked and the many steps she had to take to recovery. Chris, can you take it from here? CHRIS COOKE: Yes, Doug.

Thank you very much. Hi. My name is Chris Cooke. I am the owner of Cooke & Associates in Jupiter, Florida. We are a one-stop shop for all of your accounting needs and tax needs as well.

It was Friday, before tax day, April 7, 2018. I received a Dropbox link in my email. I have a client in Spain who uses Dropbox, so I didn't think anything of it except to open it and see what he had sent. There wasn't anything there. So, I quickly closed it down and went back to finishing my extensions for the April 15th tax deadline. I had 38 returns set up to go out just needing Forms 8879 or one last piece of info from my client. I was exhausted; I had been working 12-hour days; it was a Friday afternoonand I thought, "Alleluia, I've got the weekend off." Monday morning, I came into the office and my machine was completely locked up tighter than a drum. I couldn't get in. I couldn't find my IT guy's phone number. I couldn't do a thing. Finally, I found his number in my cell phone and called. He said we would come up to Jupiter and it would be an hour or so before he could get there. When he got there, he worked for some time on getting the machine open only to find a small three by five note card from the ransomers. I was to email six email addresses. And when I did, they requested $7,300 in ransom in bitcoin and I was to get it to them ASAP. I called the owner of the IT company and put him on notice that he hadn't put the proper backup system in place after our meeting of the previous year and, now, here we are, locked out of my data of 30 years' accumulation - tax returns and everything I needed to continue my work. He told me he was in this with me and would do everything he could to help me out. Well, of course, he did because he knew he was on the line. Bitcoin exchange took two weeks. Constant emails to and from the ransomers, abuse, talking impolitely - the whole nine yards. I mean they were really rude people. I figured that it was a Russian company because one of the tails on one of the emails was from which is a Russian computer. They then told that the $7,300, when I finally got the Bitcoin exchange completed - that that wasn't enough money and I was to send another $3,000. Well, that was the end of that. I had the money but, I realized what their game was going to be. They were just going to keep milking it until I finally realized. I heard from them for about a month afterwards trying to lure me into sending them more money. Panic set in. Now, what do I do first? Right after all of this, I realized that the machine was locked up. I called the IRS. I ended up in a circular error and got nowhere trying to inform them of the attack because I couldn't get to my security plan, which was locked up in the computer, to find the correct phone number. I then called the FBI and couldn't talk to anyone but finally found on their website that I was to fill out a report online. No response. No acknowledgment. No help. Just a dead end. I called my insurance guy only to find out my computer network and cyber security insurance only covers me if someone ?me but not for my losses. Unfortunately, it also didn't cover my interruption of business even though I carried that kind of insurance. Know your insurance. Go over every bit of the computer coverages and know what you have. The kind of insurance that I would have needed for cyber security would have put me out of business trying to make the premium payment. I didn't realize that at that time. But, you know what? I think paying those premiums now would have really helped in the long run. You must have good backups kept outside your company. If you have those, they can bring you right back up and you hardly miss a bit. Keep paper copies of tax returns. Even though we are all trying to go digital, I lost everything in my computer - 30 years' worth of data in working in the civilian industry in the Washington, D.C. I also lost all the years of tax returns from my business down here in Florida. I can't tell you how horrible I felt. It was like somebody had gut punched me. I was hysterical. I was in a panic. I was having to deal with nasty clients. After one nasty client, I ended up over at the doctor's office. I thought I was getting ready for a nervous breakdown. I never totally relaxed until my husband took me away for about two weeks - far enough away that I couldn't not use my cell phone to find out what was going on at work. When I got back, I had decided nobody was getting the best of me. I spent the rest of the year putting my office back together. My admin scanned returns back into the computer, going back as far as she could. This was a major undertaking. We had to re-setup our network and all of our clients and files. Like I said, we are full-service bookkeeping, accounting, payroll and tax company. So, there are all kinds of documents in my computer that they locked up tighter than a drum. Two tax years later, at the end of 2019, Anna Falkenstein, a stakeholder liaison with the IRS, contacted me telling me that someone was using my PTIN in Northern Florida. Of course, that wasn't me. I live in Southern Florida. And you can imagine my surprise. That year, 2018, I didn't have any fraud occurrences and I didn't the next year either. But, this year, the first five or six customers that I worked on, all had to file a paper return because they had been involved in fraud. Somebody had taken their information, changed the bank information and, of course, upped the ante and got themselves quite a refund. You can imagine my embarrassment when telling my customers. I now have Anna's direct telephone number and called her to report each instance. I haven't finished my 2019 tax returns yet and I'm wondering how many more am I going to find. I informed them to fill out the forms and to get an IP PIN. The most important thing to take away from this story is to always read the tail of the email address from which you receive your emails. Phishing emails are the root of all ransomware attack. Always have backups done nightly by an outside IT company. Don't rely on yourself to do the backup when you have already worked a 10- or 12-hour day doing taxes and can't see past the end of your nose; you are too tired and only want to go home and collapse.

Now, forward to today and the COVID-19 issues. These clients are now, not receiving their economic stimulus payments because someone has changed the banking information on their tax returns, and they are now doing without - they haven't received their refund because someone else did. These people are struggling and there isn't anything I can do now to help them. But, wait. We have filed in the EIP information on the IRS site, but the IRS doesn't completely process these returns, let alone returns and certified return receipt forms to see that they have been a victim of fraud. This one instance of ransom has affected them now in a time of pandemic and when they need the money the most. To sum it all up, I lost $50,000 that year in time, money and equipment. I lost a couple of clients, but they needed to move on anyway. It was a horrific experience, and I don't wish this on anybody. Back to you, Doug. BLADE: Wow.

Chris, you had to be just devastated. Thanks for your story. You have given us all some great insights, something I think everyone can take away from that. And now, let's hear from Poonam Walia. And Poonam is a tax - let's see here. She is an enrolled agent and an NTPI fellow and a certified financial planner practitioner. Poonam is going to now share her experiences with us. I'll turn it over to you now, Poonam. POONAM WALIA: Thank you, Doug.

In the midst of all the turmoil with COVID-19, there are threat actors who we have to protect ourselves from. Every attack starts with a motive and understanding that your attacker's motive can help you defend yourself. Some hackers hack for financial profit or for the information that is worth a lot of money. Any large-scale event from situations like COVID-19 to a tsunami, creates an increase in these attacks. So, that was kind of what happened to us. On March 23, Governor Charlie Baker announced the statewide lockdown for the state of Massachusetts. Preparing to work from home, we gathered as much work as we could and headed home. The breach, when it happened, was - it started on March 23 itself. The threat actor was in there from 6:00 p.m. until the morning of the 24th and then again 6:00 p.m. 24th until the morning of the 25th. I suppose he or she was expecting not be found out as soon as we did. On the morning of March 25, I came to the office as I had to fax some information to the service center. Once I got to the office, there was a constant barrage of phone calls coming through.

And one of them happened to be of a client whose tax return I was working on. I was waiting for him to send me his 1099 and he had also wanted to give me his bank information for direct deposit of his stimulus check. When I went to put in the bank account and the routing number, I was surprised to see that his tax return had been accepted by the IRS. Looking deeper, I noticed that the refund amount was much higher than he usually receives. I looked at the bank deposit screen and saw that there was already a routing number and an account number without the name of a bank. That, too, was very surprising because we - in our office, we always write the name of the bank. My first reaction was that this was a mistake but that was not so. On checking the latest acknowledgment, we found several other returns which where were filed.

Now, we - our software is hosted on the cloud. And what had really happened was the software was secure, everything was secure. However, the threat actor via some brute forced, attacked the server at the host, got into the admin account, which happened to be my sibling's and, then, created another account and proceeded to do really whatever he wanted to do, which was he basically had taken over my brother's computer and just kept doing that for the time it was available to him. What he had done was that he had made changes to the tax returns to increase the refund amount and direct it to different accounts - to be directly deposited into different accounts. And the weird thing was that he or she suppressed the Massachusetts returns before transmitting the federal returns. Now, like I said, we first thought it was a mistake. But, when we realized it wasn't a mistake, my first step was to call the cloud server - the host to ask for the logs of those days, which is how we came to know they were on for 12 hours of the 23rd and then another 12 of the 24th. My step was to call the software company, who verified what we had found. And the first thing he said was, "Hey, we got to turn off your EFIN number so that it cannot be used going forward-fine!. He said that I need to get in touch with the IRS. Wait, this is COVID time, we couldn't do that. It was, it was quite a feat to try to get in touch with an IRS personnel. However, we were very lucky and were able to reach Mr. Joe McCarthy. He is the senior stakeholder liaison for the IRS in our area. He was very, very, very helpful. I cannot say enough as to how much he made us feel better. So, once we got that done, we sent our client list to another division of the IRS where they wanted to monitor whatever we were going to transmit. We managed to get another EFIN number. And, then, on March 27th, after scanning all computers, everything was clean. We were ready to go back on. I called the software company. And we were - that was - believe it or not, it was quite an exciting time.

We was working again, and we were transmitting returns and we were getting acknowledgments.

But that was very, very short-lived because March 31st, it was a Tuesday. I was working from home and my brother called me and said, "We are done, I don't think we could get up again." I rushed to the office. And what I found was that he had just gotten up from his desk for maybe two minutes and, in that two minutes, between the hours of 20 after 1:00 and 10 minutes after 2:00 p.m., somebody got into this computer, his software and transmitted several returns in that time period. Everything was not done in one go. So, this is intermittently, whenever they felt that the computer was not active, they would go in and transmit the return. When we returned to his desk, that's what he discovered - that the roster or the sequence of the clients on the computer had changed and that's what made him look at the first or the topmost return. Yes, it was transmitted. And, no, we had not transmitted that return. The first time was bad. The second time, I cannot even explain how difficult it was to absorb that. It was so hard to even fathom the conversations with our clients. It was very difficult to even think of - think about the fact that, "Oh my god, we have let our clients down." And we just did not seem to be able to get ahead of that. You know, we take our work seriously - always have and now this. Not good. So, the clients whose returns had been filed now - we wanted to let them know we did.

We filed amended returns for them, put them in the mail and sent them out; contacted the IRS again; contacted the software company again; got the EFIN number turned off for the second time and really didn't know what we were going to do and how we were going to do. This was a huge, huge, huge blow to us. It felt terrible - the fact we had let them down. We have been in business since 1989. We never had anything like this happen. And now, twice in a matter of one week. It felt like somebody had punched us in the gut. It felt like we could never get up and were shaken to our core. We informed our insurance carrier. Even though we didn't have an explicitly stated data breach insurance, there were other provisions to cover our loss. So far, the loss is about $15,000 plus about three weeks of non-billable time where all we were doing was curing our system. We have moved away from the old cloud provider, and another IT company is hosting the software for us. What I would like to say to all the people who are listening - all my fellow professionals, tax preparers, enrolled agents, CPAs, everybody - we have all worked very, very hard to be where we are, to get to where we are. A data breach will cripple you. It is devastating. You feel like you are never going to be able to face your clients. But, as Joe had said to me, the first year is always challenging. And it was more so for us because of COVID-19. The IRS and Massachusetts Department of Revenue both have been asking tax professionals to come up with a security breach protection plan. If you don't have one, do something about it as soon as possible. Make this a priority. Make sure you have multiple-factor authentication for logging into your computers and software. The hacker may access your machine but they will not be able to do anything because they don't have your mobile device. Multiple-factor authentication - you just cannot do without it anymore. Please, I am very - I implore you to do this for yourselves. We are very easy targets for these hackers.

We are small people, little people who do the best we can. We don't have the state-of-the-art security systems, but we still try to do our best. Our hacker came from London. They come from all over the world. And that's what makes it even more difficult. We all have this invincible feeling. "Oh, this can't happen to me." And, then, it does. At that time, it's too late. These hackers - we think of them as the mean people who want to do damage to us, which they are, but they are way smarter than us. We cannot get ahead when it comes to these threat actors. This was a nightmare nobody wants to go through. We are still living it. We are getting tax returns every day. Fifty percent of them are duplicates already been accepted.

Every day is a challenge. But, I really do wish all of you would take the time and do the right thing for yourselves. Thank you. Over to you, Doug. BLADE: OK. Wow, Poonam. Thank you for sharing your experience with us. I know we - I can hear it. I know we all can hear just a personal and emotional impact that this has had on you. And, really, as accountants, we are - we are looking at the dollar sign, the bottom line. So, you are making it really clear there's a lot more than the financial cost to a data breach or a ransomware attack. So, audience, before we get to your questions, we are going to go to Veronica to get some more resources she wants to share with you. TUBMAN: Sure, Doug. Hi, everybody. Let me just go ahead and re-emphasize some really good resources that will help you get on point as far as data security is concerned. Publication 4557, Safeguarding Taxpayer Data, and Publication 5293, Data Security Resource Guide for Tax Professionals are really good. Another really good resource is Small Business Information Security. And that's The Fundamentals by the National Institute of Standards and Technology. And you can also research that at And just remember, for any publications that are put out by the Internal Revenue Service, simply go to and put your question in the search engine in the upper right-hand corner. It kind of looks like an hourglass. It's a great resource. And you will find the publications that I just stated just in case you may now remember them. OK, Doug. I'll hand it back to you. BLADE: OK. Thanks. And hello again. It's me, Doug Blade. I'll be moderating the Q&A session.

Before we start the Q&A session, I want to know what questions you may have for our presenters.

And thanks again for attending today's presentation, "Tax Security - A Tax Pro's Security Checklist." Earlier - if you haven't input your questions, there is still time. Go ahead and click on the dropdown arrow next to the Ask Question field and type your question and click Send. Veronica, Anna, Chris and Poonam are staying on with us, and they will be answering your questions. One thing before we start. We may not have time to answer all your questions submitted. However, let me assure that we will answer as many as time allows. And if you are participating to earn a certificate and related continuing education credit, you will qualify for one credit by participating for at least 50 minutes from the official start time of the webinar. And you will qualify for two credits by participating for at least 100 minutes from the official start time of the webinar, which means the first few minutes of the chatting before the top of the hour does not count towards the 50 or the 100 minutes. Let's get started so we can get to as many questions as possible. So, let me just kind of start out by asking our guest speaker tax professionals what - if you can try to give us an idea of how large your practice is and what kind of impact it had as far as - did your clients leave you or did you lose - what percentage maybe of clients did you lose through this? Do you want to go first, Chris? COOKE: Sure, Doug. I didn't lose as many as I thought I was going to. I lost a couple of clients, like I said, that had been impolite clients in the past. Just - that's their modus operandi. And I just had finally decided with all of that that I didn't need them as a client.

I'd rather they go elsewhere if they are going to be that way. I mean this was not something that I did on purpose and tried to explain as best I could. But, I didn't lose as many as I anticipated. Maybe 2 percent. But, I'm not as big as Poonam's. My practice is more concierge type of practice, and I basically work on just clients that I do the accounting for. I don't have that many outside clients. Back to you. BLADE: OK. Poonam, then, what about you as far as losing clients? Did you lose many clients in this process? WALIA: Yes. We are going through the tax season. And we don't know - we don't know what's going to come out of this. We do know it is not fun to send to the IRS every day what we are going to be transmitting the following day and then half of them are going to come back as a reject. Then, we are going to have to file paper returns, get the clients to sign them and put them in the mail, send them off to Kansas City, but nobody is over there. So, we don't - we don't know whether we are getting - whether they have even been received. So, we will find out whether we lose clients or we don't lose clients. So far, nobody has been obnoxious. Nobody has been troublesome.

Thank you. BLADE: That's good to hear, so - the part about no one being obnoxious or troublesome but not the part about the returns going to Kansas City. Hopefully, we will get that resolved soon. All right. Veronica, a question has come in. Let me ask you this one. Do you have a template for a security - data security plan, for example? TUBMAN: Sure. I will recommend that you go on under the Security Six tab. And there is a sample of a data security plan that will assist you with creating an effective plan to protect your clients and to protect yourself. So, don't forget that great resource that all of our professionals use. It is, and they are in the search engine box, the data security plan and there is a sample there that will assist you with creating an effective plan to protect your business. There, you have it. BLADE: OK. Great. OK. Anna, here is one that came in for you. When a client has a security breach and they complete the Form 14039, when does the IRS issue the IP PIN and when do they decide not to issue or when don't they issue the IP PIN? Are there certain rules or protocol they are following there? FALKENSTEIN: There are some basic rules. And for the most part, they have stuck with them. They do - we do fine tune as we see we need to or if something changes. Obviously, we try to change with the flow. But the basics are tax pro has had a breach, they report it, they send the information to the IRS - the client list and what not. Immediately, they have already realized through the rejected returns, which clients need to now do a paper filing and those are the clients that needed to attach that 14039. If a client's return actually goes through without any problem, those clients do not need to do a 14039. Now, what happens is those returns start going through the filter process.

And because they are paper returns, they are - it's going to take a little bit of time. But, let's talk normal scenario. Last year, paper processing would take several weeks because the process is going to be to undo what the fraudulent return did first - take that off of their account. Then, they are going to put on the real return onto their account. And, then, after that, once there is more or less a closure for that particular taxpayer, we input a code that identifies that that particular Social Security number should have an IP PIN. But, they do not receive that IP PIN until right before filing season the next year. They will actually get the letter typically in December indicating you are going to be receiving an IP PIN. Then they receive that IP PIN. And just remember, once you start receiving one, you are going to receive an IP PIN from that year forward. And I hope that answers the question. BLADE: OK. Thanks, Anna. I'm going to give you another one that has come in. Since the service - the IRS - and state departments of revenue usually have people assigned but they are not available to answer phones right now - excuse me - where do people call to report an ID theft? FALKENSTEIN: Well, believe it or not, actually, the customer service lines are available for identify theft. So, I do believe that if - what we call the IPSU unit - the Identify Protection Specialized Unit - their number, I believe, is open and there are assistors available. And I can give you that number if you'd like that. That's 800-908-4490. And that should take care of the people who need to report an identity theft. BLADE: Let's just give that one more time. FALKENSTEIN: Sure. It's 800-908-4490. And that is the - that's the special customer service line that are just for identity theft victims, to report if they believe they are a victim of identity theft - tax identify theft, I should actually clarify. And sometimes, they will be asked to send a 14039. Sometimes, they will just be asked to provide some authentication information on the phone and describe why they believe they are a victim of identity theft. Now, for those people who are clients of a tax pro, typically they do not have to make that phone call because we have received the client list from the tax pro. And the campus unit that helps put that information in - that's going to more or less put a marker on their account that is going to allow for additional filter. So, we will be watching and paying more attention to those returns as they come in. BLADE: So, I think what you are saying is - so, when a tax pro has a data breach and they reach out to a stakeholder liaison like your or myself or Veronica, we are going to ask them to give us a list of their clients and, then, we are going to forward that on within the IRS so that we can actually FALKENSTEIN: Actually, there has been a change. That's one of our little fine tunings that we did this year. We are now going to give them a specific email address. And I can't give that to you over the - over the webinar right now because, obviously, we don't want the crooks to have it. But, basically, when a tax pro does identify themselves to us and we pull up information to confirm who they are, we will then give them specific instructions on where to send that information, and they will send it directly to our campus team that is working to protect our client. BLADE: Great.

Thanks, for clearing that up. I appreciate it. All right. I have got a question now that has come in for Veronica. It's kind of a two-parter. One, is - could you just restate the publication for creating a data security plan? And, then, there is kind of a question that dovetails with that one. Is there or do we have plans for a CPE class to help create a data security plan? TUBMAN: OK. Sure, Doug. For creating a data security plan, just remember Publication 4557, Safeguarding Taxpayer Data. The notes have been recently revised for Publication 5293, Data Security Resource Guide for Tax Professionals, for more information to set up your plan and, also, the Small Business Information Security. And that's The Fundamentals by the National Institute of Standards and Technology. And that email address is One more time. Get ready. Create a data security plan - the Publications are 4557, Safeguarding Taxpayer Data, and Publication 5293, Data Security Resource Guide for Tax Professionals. OK, Doug. And what was your other question so that I can restate that when I answer it? BLADE: It was will there be a class where CPE is offered on how to - on creating the plan itself? TUBMAN: Sure. Well, the question for that - if you are interested in holding a class to assist in securing a data security plan, that's a great suggestion for us to take forward for our virtual technology team. I recommend that you keep an eye online on

And if we do have an upcoming event, it will be published online. And moreover, our stakeholder liaisons will make sure that you receive that information as well. So, make sure you reach out to your stakeholder liaison to make sure that you are added to their distribution list for upcoming events. And that's a great suggestion. We will take that under advisement.

So,. FALKENSTEIN: And, also, it's included in the survey. TUBMAN: I was about to get to that. Thanks, Anna. I appreciate it so much. FALKENSTEIN: No problem. TUBMAN: And, so, that's the other thing. Any other classes or topics that you are interested in coming up or something that you would like for us to explore, make sure you add it on the survey, like Anna said. We are excited and we are so glad to get the information out. And knowledge is power.

So, those are your resources. And make sure you stick it on the survey, and we will make sure to take a look at it. So, thanks for those really good questions and suggestions. Doug?

BLADE: OK, Veronica. Thanks. Anna, this one came in for you. And it says, "Which security system IRS recommends?" FALKENSTEIN: Well, unfortunately, we can't actually recommend a specific system. And that's why we ask you to read that guidance under the publications because the publications are going to give you examples of what would be a strong system. And as Veronica stated in her part of the presentations, the best thing would be to go onto the Internet, do the research, read up some of the best 10 list and things like that. But, you may want to stick to one of the more publicly known names or one of the companies that's been around just long enough that you feel secure with their software products. But, you can also ask around. Ask what your other peers are using as well. You may want to ask your software - your tax software company what they recommend or your insurance company. There are - there are quite a few that can make recommendations. But, unfortunately, the IRS is - IRS employees are prohibited in actually recommending specific software providers other than when you are doing e-filing we say you have to use an approved software provider. Back to you, Doug. BLADE: OK. Great. All right. Hey, Chris, let me ask you this one. How about if you just kind of give the audience - if there is one thing you could - you would want them to take away from what's happened to you, what's one thing you hope that they hear from today? COOKE: Doug, I think the most important thing to always be on your guard. These phishing emails are getting more sophisticated. The crooks are more clever than we are. We are too busy working and trying to take care of our clients. And, unfortunately, I think they are way out ahead of most of us in their sneakiness and their ability to get into our systems. The sooner we can all get something that's in the cloud, that's protected even more so than the protections that we put in place, I think it's the best thing that's going to happen to the IRS and to all of us professionals who are trying to earn a living honestly. It's devastating. I just can't say enough about all of the protections that you need to put in place and to be as careful as you possibly can opening an email because all it takes is one little click. You don't even have to spend two second in there. But, if you click on the wrong thing, you are toast. Back to you, Doug. BLADE: Thanks, Chris. And Poonam, I would kind of ask you the same thing. What's one takeaway that you would hope our audience today would take away from your experience with this? You might still be on mute.

There you go. WALIA: I was. I was. I would suggest taking a good look at how you are protecting your data, making sure you have multiple-factor authentication. That I think in today's day and age seems to be the one thing the hacker will not have because the authentication comes on your phone. And what are the chances of them having your phone and your computer and your password? So, I personally feel that is the surer way of protecting yourself.

Back to you, Doug. BLADE: OK. All right. Thanks, Poonam. And, all right, Chris, again, for you. Can you kind of go into more in dept on the assistance once you got hold of a stakeholder with the IRS - the stakeholder liaison? Was that helpful? What about help flagging returns?

And how long was the process? COOKE: Well, unfortunately, Doug, in the year that it actually occurred, I was unable to contact a stakeholder. I didn't realize I needed to contact the ones here close by in Jupiter. And I kept - finally, I wrote letters to the IRS because I couldn't get around the 829-1040 phone line to get around the "Push this number to talk to this person" or "Push this number for that person." And, so, finally, I'm not sure if Anna responded because of some of the letter I had written trying to notify the IRS or if it was actually because she had discovered that somebody was using my PTIN and from out of Northern Florida.

They realized that I was down here in Southern Florida and this was coming from up there and they were fraudulent returns. So, I really think it was - it was a result of that original breach and it was - quite some time later, I actually was not successful in contacting the IRS at the time that it all happened, unfortunately, because I think some of the problems that I am having now might have been resolved I think. Anyway, I did my best at that time in my panic, in my hysteria because I really was. The whole office was a wreck. Back to you, Doug. BLADE: And, then, are your clients still having issues with the economic impact or stimulus payments?

COOKE: Yes, sir, they are. The ones that have had fraudulent returns this year - they are all sitting in limbo. They haven't received the EIP. They haven't received their refunds. They haven't received anything. And some of them desperately need the money. Of course, there are others that it's not impacting them as much. But, the fact is they haven't gotten their money.

And I'm sure that once the IRS realizes these people have been the victim of a fraud - of the fraud - because we filed the forms to inform the IRS - once they start processing all these paper returns, they will realize that the wrong person got their money and they will eventually get it or it will be resolved in the 2020 tax return somehow when we - I'm sure that the IRS will be changing those to include something about the EIP payment. So, that's what I've been assuring my clients. It's that you will get yours. It's just a matter of when. It's, unfortunately, not coming at the time that they need it the most. Back to you. BLADE: That is - that is unfortunate. . So, I will move on to another question to try to get to some more of these. And this one has come in for Veronica. So, was it backup software versus a recovery plan? That confused me. Can you kind of go on the difference between a backup software and a recovery plan? TUBMAN: OK. What is the difference between backup software and a recovery plan? The backup software updates your information as you go along. So, the information that was inputted from the day before or earlier today is backed up. The recovery plan comes into play after your information has been compromised. And the purpose of the recovery plan is to retrieve as much information as possible that, unfortunately, may have been lost as a result of the data breach. So, that's the difference between backup and recovery. BLADE: OK. TUBMAN: That was a really good question, Doug. BLADE: Thanks. Thank you. And Poonam, for you, I would ask do you think that you were hacked with software in the cloud? Or do you know how you were hacked?

WALIA: Yes. So, our cloud provider who was hosting the software did not do exactly what they were supposed to do. I'm learning all these things as I am going because I had no idea about how computers need to be secure. It seems like there has to be a gateway before - there has to be a gateway from in between the outside world and our server world. And in this particular case, there was no gateway. Because there was no gateway, there were brute force attacks on the server, the cloud server. I mean - and all this we found out later on. There were brute force attacks for more than 115,000 in one month. The threat actor went in. Once they were able to get in, they created a username which was very similar to ours. My brother had the admin control and he had the admin control of the cloud servers also. They found the right person with everything and managed to get into his computer via that route. And once they were in there, they did whatever they could. Does that answer your question? BLADE: Yes. Just one kind of a follow up is did this occur when you were home at night or - and did you shut your computers down or were they on all the time? I guess it's kind of the second part of that.

WALIA: So, I have the habit of shutting my computers - turning them completely off before I leave the office. However, everybody in our office does not do that or did not do that. And - but, I feel that that wasn't the reason why we - why our data was compromised. It was because of the host, the cloud provider who was hosting the software. They had the weak link over there, which is how the threat actor managed to get in and kind of get their tentacles over every place. BLADE: OK. WALIA: The current - the current cloud provider says to us that because I'm in a habit of shutting it down every night - he says, "No, no, no, no. Don't shut it down. You just do" - that's something I learned now also - "do a Windows and an L." That locks up the computer and they can still do updates and things on the computer. BLADE: And it sounds - it sounds like you went to a two-factor login, so like the next morning you would need the two-factor login to access any data? WALIA: Yes. Everything. Into our email - so, to get into our computer first, we have the multi-factor. Then, to get into our email, we have multi-factor. And to get into the software, we have multi-factor also. It's driving us crazy to get all those authentications. But, hey, all good. BLADE: Right. You shouldn't have to go through this again, hopefully. All right. I've got a question that has come in for Anna. And it's, "I use a MacOS - Mac. Do I need antivirus? I was told I don't need that. Is that true?" FALKENSTEIN: Before, I would just leave it just as is. I think it would be a smart decision to go talk to an IT specialist that maybe specializes in Mac. I am not familiar with Macs enough to give you advice on that. I know that they do - they do reportedly have a great deal of security on there. But, especially if you are running your business through that and all the client information, I certainly would want to ask another - somebody who is a specialist in the field to get their opinion on that. BLADE: OK. That sounds like really some good advice. So - all right. Unfortunately, we have reached the point where we ran out of time for any more questions. But, I would like to go ahead and let Anna remind us of some of the key points from today before we close out the Q&A. So, before we - before we close out this session, Anna, what key points do you and Veronica want the attendees to remember from today's webinar? FALKENSTEIN: There are so many very, very important key points that we can enlist.

But, we will - we will just give you some of the high points here. One - probably one of the most important things is to review and use the Security Six. Look in each one of those. Check the box. Make sure you are using them for measures that you can protect your firm, no matter how small or big that firm is. There may be an instance or two where you absolutely say, "Hey, I am never going to work remotely and so I don't need a VPN and I'm a one-person shop." Again, you might want to talk to an IT specialist just to make sure. But, in most cases, you are going to find that there are very basic steps for security. Have that security plan. You need to have a security plan that's for, prior to a breach as well as a recovery plan. And make sure that you have talked to your staff about those security measures often. Once a year may not be enough. You may need to have that discussion right before filing season and maybe that debrief after filing season. And, then, midway through the year, talk about - talk about phishing again. If you are going to work remotely, you really, really, really need to have a secure VPN. This is a way that they are getting in.) And then, last but not least, contact your stakeholder liaison if you do become a victim of data loss or ransomware - do it as quickly as you can; you can easily find us on In the search box, you're going to put "stakeholder liaison" - you'll actually get a map and you can click on your state and get the contact information of the person that you need to be talking to. And we try to get back to you as quickly as possible and try to get the ball rolling to start protecting your firm and your clients. And with that, it's back to you, Doug. BLADE: OK thank you. And I want to thank Veronica, Anna, Chris and Poonam for sharing their knowledge and expertise and their personal experiences and for answering your questions. So, audience, we are planning additional webinars throughout the year. To register for an upcoming webinar, please visit and keyword search "webinars" and select the webinars for tax practitioners or webinars for small businesses. When appropriate, we will be offering certificates and CE credits for upcoming webinars. We invite you to visit our video portal at There, you can view archived versions of our webinars. Continuing education credits and certificates of completion are not offered if you view an archived version of any of our webinar at the IRS video portal.

Again, a big thank you to Veronica and Anna for a great webinar and to Chris and Poonam for sharing their experiences with us and for staying on to answer your questions. I want to thank you, our attendees, for attending today's webinar, "Tax Security 2.0 - A Tax Pro's Security Checklist." If you attended today's webinar for at least 100 minutes after the official start time, you will receive a certificate of completion that you can use with your credentialing organization for two possible CPEs. If you stayed on for at least 50 minutes from the official start time of the webinar, you will qualify for one possible CPE credit. Again, the time we spent chatting before the webinar started does not count towards the 50 or the 100 minutes. If you are eligible for continuing education from the IRS and you are registered with your valid PTIN, your credit will be posted to your PTIN account. If you are eligible for continuing education from the California Tax Education Council, your credit will be posted to your PTEC account as well. Also, if you registered through the Florida Institute of CPAs, your participation information will be posted directly to them. If you qualify and have not received your certificate and/or credit by June 11th, please email us at CL.SL.Web.Conference.Team@irs.

gov The email address is shown on the slide. If you are interested in finding out who your local stakeholder liaison is, you may send an email using the address shown on this slide, and we will send that information to you. We would appreciate it if you would take a few minutes to complete a short evaluation before you exit. If you'd like to have more sessions like this one, let us know. If you have thoughts on how we can make them better, please let us know that as well. If you have any requests for a future webinar topic or pertinent information you would like to see in an IRS fact sheet, tax tip or an FAQ on, then please include your suggestions in the comments section of the survey. Click on the survey button on the right side of your screen to begin. If it does not come up, check to make sure you have disabled the popup blocker. It has been my pleasure to be with you here on behalf of the Internal Revenue Service, our presenters, our guest speakers. We would like to thank you for attending today's webinar. It is important for the IRS to stay connected with the tax professional community, individual taxpayers, industry associations, along with federal, state, and local government organizations. You make our job a lot easier by sharing information that allows for proper tax reporting. Thanks, again, for your time and attendance. We wish you much success in your business or practice. You may exit the webinar at this time.