Tax professionals handling their clients’ personal information can’t rely on vigilance alone to thwart hackers trying to gain access to their mobile devices.
Phishing scams, ransomware attacks, and other “social engineering” strategies that trick or persuade users to give thieves access to their data get much of the press attention nowadays. Yet old-fashioned “brute force” attacks — usually targeting computer hardware or software vulnerabilities, and not reliant on user interaction — still constitute a serious threat, especially to mobile tax professionals, IT and government analysts told Tax Notes.
“CPA firms and anybody who’s doing any kind of tax work with personal, identifiable information needed to file a tax return, they’re big targets,” said Jacob Lehmann, managing director of the CyZen cyberconsulting subsidiary of the Friedman LLP accounting firm. Lehmann said he’s helped tax professionals victimized by credential theft and data breaches at public Wi-Fi networks.
Jessica Lucas-Judy, director of strategic issues at the Government Accountability Office, recalled attending a recent tax-related conference where a cybersecurity presenter introduced himself by reading off the names of attendees whose phones he could hack. “This is an area where there is always more that can be done to help keep people vigilant,” Lucas-Judy said.
Avani Desai, president of the security compliance assessment firm Schellman & Co. Inc., said public events are “a perfect environment for data thieves” because there’s a steady stream of fresh targets who are often too busy to notice the theft or to trace its origin.
Malicious characters may use “sniffers” — computer software or hardware that intercepts digital network traffic — to eavesdrop on your computer’s internet activity, Desai explained.
“I would recommend” that the IRS study the risk of brute-force attacks, John Sapp, chair of the IRS’s Electronic Tax Administration Advisory Committee (ETAAC), said after a July 26 Senate subcommittee hearing on IRS operations. The IRS suffers as many as 2.5 million cyberattacks a day, acting IRS Commissioner David Kautter testified to a House Appropriations subcommittee April 11, although the agency later refused to detail how many were brute-force, as opposed to scam and deception, attacks.
The IRS and its security summit public-private partnership announced a 10-week security awareness campaign, “Tax Security 101,” on July 11 to warn tax professionals of cyber-risks and recommend security precautions. But the agency was chided for lax high-risk hardware security in a July 18 audit report from the Treasury Inspector General for Tax Administration. The IRS declined to discuss its own security protocols and internal monitoring efforts with Tax Notes.
Read full article at Tax Notes
About the Author
Avani Desai is the President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine, she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more.