At our annual Cloud Conference this year, we had a member of the IRS Cyber Crimes unit present on security trends within the accounting profession. His talk started with an announcement that hackers were running help-wanted ads on the “Dark Web” for UltraTax, ProSystems fx, Lacerte experience. The “Dark Web” is a subsection of the internet where all kinds of illicit activity runs rampant. Do yourself a favor and don’t search for the “Dark Web” unless you want to show up on all of the lists the government uses to track the bad guys. Once you click, you’re on the list. 

He continued to explain how there is a rapidly increasing trend of firms being targeted by hackers for the purpose of falsifying tax returns. The hackers leverage the fact that many CPA firms struggle with keeping up the security patches and antivirus systems on their laptops and desktops. The scheme goes like this: once they infect a computer that an accountant uses, be it the firm’s PC or a home computer, they’re in. They have the credentials they need to do whatever that infected user can do. In this case, they’re looking for users who have access to the tax system.

Once they gain access to the tax system, they simply roll forward the prior year tax’s returns, change the deposit account to their own, and e-file away. The first indication of compromise that the firm sees is the rejection notice they receive from the IRS stating that they can’t submit the return a second time. That notice could come days or weeks later, and at that point, it’s too late. Now the firm has to let their clients know that they’ve been hacked, and it begins an overwhelmingly expensive firestorm of activity and communication. Much of this is detailed in the IRS’ article on “Identity Theft Information for Tax Professionals.”

Security is overwhelming, but like eating an elephant, you can do it if you eat one bite at a time. Start with these practical steps.

Start using dual-factor authentication today

Xcentric uses DUO to protect our cloud environment. Review our free guide to Securing Remote Access. Dual-factor authentication is the closest thing we have to the holy grail for security. Long and complicated passwords aren’t enough. If the laptop or desktop is compromised with a key-logger, or if your network is being monitored by hackers, then the bad guys have your credentials. And whatever you can do, they can do…i.e. access client data, tax returns, banking, email, online shopping, credit, etc. That’s scary.

Protect your local network

…from viruses and malware that are intended to steal the credentials for your bank, your email, your apps and client data. Most of our clients use Managed Security Services to protect their laptops, desktops, and devices used to access their clients’ data. We accomplish this by centrally managing operating system updates, antivirus, and policies that reduce the risk of data breach.

Use a password manager

…like LastPass. There are several others (Dashlane, OnePassword, etc.), but Xcentric standardized on LastPass because of its features for corporate customers. The key for us was the ability to centrally manage credentials for shared systems and sites that staff need to support client sites (like Quickbooks Online,, etc.). With LastPass, we control who and when team members can use shared credentials and whether they can see the password. It also gives us the ability to audit all of those passwords to ensure proper use, complexity, and conformance to our security policies.

Assess your security

Reduce your firm’s risk of becoming a cyber-breach victim by conducting a security policy and awareness review and assessment of your firm’s security.

I know this isn’t a light or jovial subject given the current holiday season, but it’s super necessary if you want to enjoy the benefits of serving clients, growing, and running your firm.

We want to wish you a very Merry Christmas and Happy Holidays (and a very safe tax season).

Good luck and best wishes!

The Xcentric Team

Ready to transform your business?

Join over 100,000 users that are cloud connected the Right Way.