The holidays are the prime season for criminals shopping for credit card numbers, financial account information, Social Security numbers and other sensitive data that could help them file a fraudulent tax return.
The Internal Revenue Service recommended this week that anyone who has an online presence should take seven simple steps that could go a long way to protect their identity and personal information.
Cybercriminals seek to turn stolen data into quick cash, either by draining financial accounts, charging credit cards, creating new credit accounts or using stolen identities to file a fraudulent tax return for a refund.
During the current online holiday shopping season, the IRS, state tax agencies and the tax community, partners in the Security Summit, are marking “National Tax Security Awareness Week,” Nov. 27 to Dec. 1, with reminders to taxpayers and tax professionals.
In addition to its specific recommendations for online security, the IRS says people can take a couple of additional steps several times a year to make sure they have not become an identity theft victim.
One is to receive a yearly free credit report from each of the three major credit bureaus, and check it for any unfamiliar credit changes.
Another is to create a “My Social Security” account online with the Social Security Administration on which users can see how much income is attributed to their SSN. This can help determine whether someone else is using the SSN for employment purposes.
The IRS suggests that people visit the “Taxes. Security. Together.” awareness campaign or review IRS Publication 4524, Security Awareness for Taxpayers, to see what can be done to protect themselves online.
Following are the IRS’s seven steps to help with online safety and protect tax returns and refunds in 2018.
1. Shop at Familiar Online Retailers
The IRS notes that sites using the “s” designation in “https” at the start of the URL are generally secure. Users should look for the “lock” icon in the browser’s URL bar. But the agency also cautions users to be wary: bad actors can obtain a security certificate, so the “s” may not vouch for the site’s legitimacy.
2. Avoid Unprotected Wi-Fi
Unprotected public Wi-Fi hotspots may allow thieves to view transactions. The IRS advises users not to engage in online financial transactions if they are using unprotected public Wi-Fi. They should also beware of purchases at unfamiliar sites and of clicking on links from pop-up ads.
3. Learn to Recognize and Avoid Phishing Emails
These emails pose as a trusted source, such as financial institutions or the IRS, and may suggest that a password is expiring or an account update is needed. The criminal’s goal is to entice users to open a link or attachment.
- The link may take users to a fake website that will steal usernames and passwords
- An attachment may download malware that tracks keystrokes
4. Keep Computers, Phones and Tablets Clean
The IRS recommends the use of security software to protect against malware that may steal data and viruses that could damage files. The software should be set to update automatically so that it always has the latest security defenses. As well, firewalls and browser defenses should always be active. “Free” security scans or pop-up advertisements for security software are to be avoided.
5. Use Strong, Long and Unique Passwords
According to the IRS, experts suggest passwords of at least 10 characters, but the agency says “longer is better.” It says longer phrases are better than a specific word, and recommends the use of a combination of letters, numbers and special characters. Each account should have its own password. A password manager can help keep track of multiple ones.
It should be noted that the National Institute of Standards and Technology released guidance in June that updated its recommendation for passwords.
Rather than recommend that users create long, complicated passwords with upper- and lowercase letters, numbers and special characters, NIST recommended simple — but still long — passwords that are easy to remember. “Many attacks associated with the use of passwords are not affected by password complexity and length,” NIST said. “Keystroke logging, phishing and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.”
The point is that it doesn’t matter how complex a password is if a user unwittingly hands it over to hackers. See, in particular, nos. 2 and 3 above.
6. Use Multi-Factor Authentication
Some financial institutions, email providers and social media sites allow users to set accounts for multi-factor authentication. This means users may need a security code, which is usually sent as a text to a mobile phone, in addition to usernames and passwords. Some financial institutions will also bolster protection by sending email or text alerts when a withdrawal or change to the account takes place.
According to the IRS, users generally can check account profiles at these locations to see what added protections may be available.
7. Encrypt and Password-Protect Sensitive Data
The IRS says anyone keeping financial records, tax returns or any personally identifiable information on a computer should encrypt and protect these data with a strong password. They should also back up important data to an external source, such as an external hard drive. And when it is time to dispose of a computer, a mobile phone or a tablet, it’s important to wipe the hard drive of all information before trashing.