Cybersecurity continues to be on the mind of the nation after the Equifax breach, the latest in a string of high-profile data breaches that put Americans’ personal information at risk. The U.S. Internal Revenue Service (IRS) is no different in that regard.
Mark Henderson, a security specialist with the IRS’s Online Fraud Detection and Prevention department, gave an update on some tax-themed online scams at the VSCPA’s IRS & Tax Solutions Conference, formerly known as IRS Liaison Day, on Nov. 3. The one-day conference drew 30 attendees to the CPA Center in Glen Allen, with another 12 joining the simulcast.
Whether the attack is on a huge corporation or a single person, fraudsters are after one of two things — information (in the IRS’s case, personally identifiable information or federal taxpayer information) and access (IRS and non-IRS portals, usernames and passwords). And they won’t stop at much in attempting to get what they want.
“Criminals monetize the information they have access to,” Henderson said. “They will do anything they can, once they have a system that is compromised with malicious code, to pull all the meat off the bone, sell it and make money.”
The majority of online scams come in the form of email, notably phishing, a form of social engineering conducted over email. Scammers entice potential victims with email content embedded with a “hook,” an email-based exploit that could be embedded content, a malicious attachment or a “clickable” URL. Scammers take advantage of victims by making charges or using the information gained to access more lucrative accounts.
According to the 2017 Verizon Data Breach Investigations Report, social engineering is utilized in 43 percent of breaches. Phishing was the most common social tactic in the dataset, and almost all phishing attacks were followed by some form of malware. One in four recipients opened the malicious email, and in past reports, one in 10 opened attachments, even from unknown senders.
If the attachment doesn’t introduce malware, the victim will often be directed to a website to log in. The website will appear to be legitimate, but the scammers will be waiting to collect the login information. Scammers set up these sites by compromising legitimate sites, registering fraudulent domains using free or freemium website providers, setting up fake accounts with legitimate providers or using URL shorteners to hide the destination from the victim.
Attachment-based scams will often use PDF files because of their ubiquity and ease of opening.
“The benefit of a PDF is that it will open on multiple platforms,” Henderson said. “When that person opens up a PDF, it will say to download the document, please click here, with an embedded URL that takes them to a phishing site.”
Henderson highlighted several email scams that his office has been monitoring recently:
- Last-minute scam: Scammer poses as a taxpayer and requests that a preparer make a last-minute change to a refund destination, often to a prepaid debit card
- BEC/BES W-2 scam: Scammer poses as a C-suite executive and emails payroll or human resources employees requesting W-2 forms and other employee information
- New client scam: Scammer poses as a potential client looking for a tax preparer; when preparers respond, scammer sends email with embedded web address or PDF attachment with embedded web address
- Fake insurance scam: Scammer poses as a legitimate cloud-based storage provider to gain access to a victim’s email, then emails clients a fake IRS insurance form to be returned and completed
No matter the specific scam, it’s clear that the ease of email has sent phishing operations into overdrive. In the past, the IRS was notified of just about 300 telephone or fax scams each year. Taxpayers now report 300 to 500 email complaints each day.
Almost all of those complaints come in through email to [email protected], and that’s one step you should take if (let’s be honest, when) you get a suspicious email. But what can you do to identify a scam? Essentially, it boils down to due diligence.
Henderson recommends the “skeptic hover” with any clickable URLs in a suspicious email. Hover over links with your mouse without clicking and take a careful look at the destination URL. If it’s not clearly hosted on the website of the organization purported to have sent the email, chances are it’s a scam.
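The same check can be applied mechanically to the HTML body of a message. The following is an added example, not part of the original article or any IRS tooling: it lists each link's real destination host and flags links that leave the purported sender's domain, hide behind a URL shortener, or display one address while pointing at another. The function names, the shortener list and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumption: illustrative, not exhaustive

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def on_domain(host, domain):
    """True for the domain itself or a subdomain; a name that merely starts with it fails."""
    return host == domain or host.endswith("." + domain)

def skeptic_hover(html, claimed_domain):
    """Return [(href, [reasons])] for links that do not go where the email claims."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").rstrip(".")
        reasons = []
        if host in SHORTENERS:
            reasons.append("shortener hides the destination")
        elif not on_domain(host, claimed_domain):
            reasons.append("destination is not on " + claimed_domain)
        # Link text that is itself a URL but names a different host than the href.
        if "." in text and not any(c.isspace() for c in text):
            shown = urlsplit(text if "://" in text else "//" + text).hostname
            if shown and shown != host:
                reasons.append("link text shows " + shown)
        findings.append((href, reasons))
    return [f for f in findings if f[1]]

# Constructed sample body; the lookalike host and the short link are made up.
SAMPLE = (
    '<p><a href="https://www.irs.gov/refunds">Refund status</a></p>'
    '<p><a href="https://irs.gov.account-verify.example/login">https://www.irs.gov/login</a></p>'
    '<p><a href="https://bit.ly/EXAMPLE">Click here to download the document</a></p>'
)
```

Calling `skeptic_hover(SAMPLE, "irs.gov")` passes the first link and flags the other two; the second shows why the comparison has to be made on the end of the host name, since a fraudulent domain can begin with the real organization's name.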
Misspellings and egregious grammatical errors are big tip-offs, since many of these scams originate from attackers who are, let’s say, not intimately familiar with English. A gigantic recipients list is another red flag. What legitimate client would send their financial documents to a huge list of CPAs without engaging any of them?
Those kinds of emails tend to be from scammers who are casting a wide net. The biggest takeaway, though, is just plain, old-fashioned skepticism – a tactic that’s beneficial to CPAs in many ways other than identifying dodgy emails.
“Be aware,” Henderson said. “There are a lot of different techniques out there that can fool you, because they’re designed to fool you. That’s why you have to verify any email you receive, even if it comes from a friend or a colleague.”
Small Business/Self-Employed Update
Email scams aren’t the only abuses the IRS is watching. The agency’s Small Business/Self-Employed Examination unit (SBSE) aims to help apply tax law with integrity and fairness by preventing abuse and promoting useful credits. As presenter Edwin Smith Jr. of that department said, “The code is complicated enough that you can flip it and twist it and make it say just about anything you want it to say,” which also speaks to the ease with which items can be missed.
One area of focus for Smith and his team is abusive tax schemes – schemes that violate the U.S. Internal Revenue Code (IRC) and related statutes and are used to evade taxes. Unscrupulous providers take advantage of unaware, cash-strapped taxpayers in implementing these abuses.
“They’ll find an audience that’s willing to do anything to save a dollar,” Smith said. “They usually save that dollar at the time and pay eight or nine more later.”
Partnerships are another market-driven area of emphasis for the SBSE. Partnership filings grew 16 percent across industries between 2007 and 2013. Smith still needs more staff to fill his team’s partnership audit needs efficiently.
“Our dilemma is that while partnership filings are increasing by 16 percent, my staff is probably decreasing by 18 percent,” he said. “I don’t have the senior staff to go out and do effective audits on those returns. I don’t need people to be subject matter experts, but I need people to go in and do the partnership audit in a decent time, and I don’t have those people. So that increase hits me twice.”
Smith and his department work continually on striking the proper balance of getting their message to all the businesses they serve while using resources properly.
“The materiality factor is big for me. We really need to touch people who are out of compliance,” he said. “I’ve seen some $500 transactions be fraudulent. It happens. But in the grand scheme of things, we shouldn’t be out there auditing cases like that.”
The Fast Track Settlement program is one tool the IRS uses to bring people into compliance efficiently. That program is aimed at getting tax disputes through enforcement in an expedited fashion.
“I think it’s an underused tool that could bear results for taxpayers and the government,” Smith said. “It has to be the right case, but the government and the taxpayers have to come to the table understanding that neither party is going to get 100 percent of what they want.”
Independent Contractors vs. Employees and Health Care
VSCPA member Art Auerbach, CPA, gave two updates at the conference, one on recent updates on classifying workers as employees or independent contractors and another on health care updates. The subjects play a great deal into each other with employers looking to save on any number of employee benefits, including health-care costs.
That’s not the only factor in the employee/contractor debate, though. Standard-setters are still working out the details of dealing with the gig economy while also trying to sniff out bad actors like one Auerbach saw near his home in Atlanta. He followed signs to a combination hair salon/tax preparer where taxpayers could get their tax returns and hair done at the same time.
The cost? Five hundred dollars for the haircut and nothing for the tax return, the idea being that since the tax preparers weren’t being paid to prepare the returns, they wouldn’t be subject to IRS oversight.
Those issues – bad actors, Uber drivers and other members of the gig economy and an increasing number of employment tax corrections, as documented in U.S. Treasury Inspector General for Tax Administration (TIGTA) Report 2017-IE-R004 – have the IRS and the U.S. Department of Labor (DOL) taking a closer look at how employees are classified. The two agencies have joined forces on a memorandum of understanding allowing for increased information sharing, with 37 states having signed on.
Whether a worker is an employee or an independent contractor depends on several factors:
- Behavioral control: Whether the business has the right to direct and control what work is accomplished and how it is done
- Financial control: Direction and control of the financial and business aspects of the job and the worker
- Relationship of the parties to the transaction: Written contracts and the relationship the parties wanted to create, benefits provided or not provided, permanence or impermanence of the relationship
Behavioral control can be as granular as whether or not a firm changes the passwords to its software after workers leave. Financial control can boil down to any number of factors, including reimbursement of expenses, the worker’s investment in tools and facilities necessary to perform functions, the ability of the worker to make a profit or loss and even the worker’s availability to others in the marketplace.
“Are they holding themselves out to the public so that anyone who wants to hire them can hire them?” Auerbach asked.
Numerous factors can hint at an eventual ruling. If the employer does not reimburse expenses for travel or licensure, provide benefits or restrict the worker’s freedom to offer services to the marketplace, the worker is likely an independent contractor. If the employer provides training, mandates days and times in which services can be provided or has the authority to direct how tasks are carried out, the worker is likely an employee. Automatic renewal of contracts is another indicator of permanence.
The treatment of workers has cropped up and bitten companies as big as Microsoft, which got into trouble through an IRS payroll tax audit in 1989. The IRS determined that Microsoft was treating its workers as employees, rather than independent contractors, and that the workers were therefore required to be treated as employees for tax purposes. Microsoft agreed with the IRS and paid back payroll taxes and overtime for the workers, moving some of them to employee status.
That wasn’t the end of the issue, though. Eight of the formerly misclassified employees demanded full employee benefits from their time working as independent contractors, including 401(k) coverage and a discount stock purchase plan, and filed a lawsuit when Microsoft refused. That case, Vizcaino v. Microsoft Corp., was decided in favor of the employees.
The upshot of that ruling (other than Microsoft owing a small fortune in stock options to the misclassified workers) was that even a signed contract stating that a worker is an independent contractor doesn’t necessarily hold up legally. The worker must be treated as a contractor on the job. And the ultimate decision goes to the courts.
“If you say you relied on IRS Publication Whatever said, I say that’s not substantial authority,” Auerbach said. “We’ve got to find the court case the IRS got it from. That’s substantial authority.”
One of the benefits under discussion in the employee-contractor debate is health insurance, the subject of Auerbach’s other session. He led off the session with his wish to keep the discussion out of the realm of the political — a tall order, to be sure.
“I am apolitical on this. When people ask who I want to see elected, frankly, I don’t care,” he said. “And that’s because whenever someone is elected, the first thing they do is play with the Internal Revenue Code. To me, that’s billable hours, so enjoy yourself.”
Health-care reform is, of course, a moving target. The Affordable Care Act (ACA), or Obamacare, has been the law of the land for nearly eight years, with Premium Tax Credit regulations final as of July 2017, but President Donald Trump has made health care change a priority during his first year in office. Items that have been included in Republican health-care proposals include:
- Premium tax credits and cost-sharing subsidies
- Repeal and replacement of the individual mandates
- Repeal of the employer mandates
- Repeal of Medicaid expansion
- Repeal of additional taxes on medical devices and tanning
- Deferral of repeal of the 0.9 percent Medicare tax
- Deferral of repeal of the 3.8 percent net investment income tax
Coverage of pre-existing conditions was a major part of the ACA, and rising costs from such conditions are a factor with which any replacement bill will have to reckon.
“The biggest problem with pre-existing conditions and what stuck it in the Senate are the kids on the autism spectrum or have Down Syndrome or something like that,” Auerbach said. “What happens when they turn 27 and have to get insurance?”
The Republican proposals increase the effectiveness of Health Savings Accounts (HSA), in which contributions by individuals are deductible and employer contributions are excluded from gross income. These accounts require a high-deductible health insurance policy — defined as a minimum deductible of $1,300 for an individual or $2,600 for a family, increasing to $1,350 and $2,700, respectively, in 2018 — with no coverage allowed from anywhere else, including Medicare, Tricare and Veterans Administration benefits. The participant may not be a dependent on another’s tax return.
Another major practitioner issue is how health-care benefits can be provided to retirees. Long-term care policies will have to interface with Medicare, in addition to any issues brought about by the retirement of federal employees who are reaching Medicare age. Veterans benefits must also be a consideration.