Cyber Monday was November 28, 2022. On that date, the Internal Revenue Service and the Security Summit partners launched the National Tax Security Awareness Week.
During this busy holiday season, creative identity thieves will develop new strategies to steal personal financial information. Your risks increase when you are shopping online and using public Wi-Fi. Identity thieves also are successful with text scams that are called "smishing."
IRS Acting Commissioner Doug O'Donnell stated, "With holiday shopping starting and the 2023 tax season quickly approaching, many people will be using laptops and personal devices to share sensitive financial information. In the months ahead, these same devices will be used to complete millions of tax returns by both taxpayers and tax professionals, making the holiday season the perfect time to take steps to protect your valuable information and watch out for scams."
The Security Summit offers multiple tips to protect yourself while shopping online or viewing emails.
- Secure Web Sites — Always ensure that the site has "https" on the top left address along with the padlock icon in your browser window. These indicate that you are on a website with a secure certificate.
- Public Wi-Fi — Do not shop on unsecured public Wi-Fi. Many restaurants, stores and other public places offer public Wi-Fi. These sites often do not use appropriate security and identity thieves can easily monitor the public Wi-Fi to steal your information.
- Security Software — Use appropriate security software on laptop computers, tablets and mobile phones. The software should be updated daily.
- Family Members — The computers and phones of young children and older adults should receive special attention. These family members may be more vulnerable to email and text scams.
- Anti-Virus Software — Good anti-virus software will stop software specifically designed to steal personal data, known as malware, and has a firewall to protect from intrusions by identity thieves.
- Passwords — Use strong passwords for online accounts. It is good to have a password with a capital letter, lower case letters, a number and a unique character.
- Two-Factor Authentication — If possible, use two-factor authentication. A common two-factor method is a password and a multi-digit code sent to your cellphone. This reduces the risk of a thief attacking your account.
Other tips include a recommendation from the Federal Trade Commission to not buy things from sellers who request payment through a gift card, a money transfer through a vendor or through cryptocurrency. These types of payments are difficult to trace and reverse. Scammers use these payment methods because they can quickly depart with your money.
The latest mobile phone scam involve messages that claim to come from the IRS. Other scams offer COVID relief or provide help in setting up an IRS account. You should be careful with these texts because if the identity thief steals your data during the holiday season, they plan to promptly file a fraudulent tax return in January.
If you are working from home, you will benefit from additional protections. You should have a personal computer separate from your business computer. Do not send your business information to your personal email devices. If you use online business banking, only use your business computer for that purpose. Additionally, do not use your business computer for higher-risk activities including web surfing, gaming or video downloads. Lastly, consider changing your passwords regularly and use an encrypted password program to track your passwords.
Clinic Qualifies as Educational Organization
Mayo Clinic obtained an $11.5 million refund of unrelated business income tax (UBIT) in
Mayo Clinic et al. v. United States; No. 0:16-cv-03113. The determination of the District Court was that Mayo was "an educational organization which normally maintains a regular faculty and curriculum and normally has a regularly enrolled body of pupils or students in attendance at the place where its educational activities are regularly carried on."
Mayo paid approximately $11.5 million in UBIT on certain investment income it manages for its subsidiaries for the tax years: 2003, 2005 to 2007 and 2010 to 2012. Under Section 170(b)(1)(A)(ii), an exempt organization must be "organized and operated exclusively for educational, rather than other purposes." However, the term "exclusively" has a non-literal meaning for the nonprofit world.
The Mayo founders determined that Mayo Clinic would have a primary focus on education and research. The clinic operates five different educational institutions. The Mayo Articles of Incorporation stated that it is operated exclusively for "charitable, educational and scientific purposes." The bylaws state the commitment to "medical education, research, investigation" and similar purposes. The mission statement prior to 2010 was "Mayo will provide the best care to every patient every day through integrated clinical practice, education and research."
The five schools are the Mayo Clinic School of Graduate Medical Education, the Mayo Clinic School of Medicine, the Mayo Clinic School of Health Sciences, the Mayo Clinic School of Continuing Professional Development and the Mayo Clinic Graduate School of Biomedical Sciences. The faculty for these five schools is drawn primarily from Mayo physicians and scientists. The Mayo student population has steadily grown from 2,584 in 2003 to 3,589 in 2012.
A primary focus of Mayo Graduate School of Biomedical Sciences is preparing students for careers in research. Medical residents are trained through patient care. Mayo has a vision statement that it "will be the premier patient-centered academic medical organization."
The term "exclusively" is defined to mean the primary purpose must be educational and the noneducational activities must be incidental to the primary purpose. The question is whether Mayo has substantial, noneducational programs.
Mayo functions with a high level of integration between education, research, laboratory services and patient care. Because the word primary can mean substantial or of first importance, the integration of the services is important.
Mayo has a system-wide commitment to education. In addition to its schools, the educational purpose is reflected in day-to-day operations. The five schools meet the "faculty, curriculum, students, and place requirements of Section 170(b)(1)(A)(ii)." Therefore, the educational functions are "inextricably intertwined" with the other purposes. As a result, the educational focus of Mayo does meet the "exclusively" educational standard required under the Internal Revenue Code.
Finally, even the laboratory activities are educational. Mayo students are regularly involved in the laboratory testing. For all of these reasons, Mayo is deemed an exclusively educational organization and qualifies for a refund of the UBIT payments totaling $11.5 million.
Data Protection Tips for Tax Professionals
The Internal Revenue Service Security Summit partners used the National Tax Security Awareness week to highlight many data protection tips that are particularly important for tax professionals.
IRS Acting Commissioner Doug O'Donnell stated, "Taxpayer information can be a gold mine for identity thieves. As the Security Summit partners strengthened our internal defenses in recent years, we have seen identity thieves shift their focus onto the tax professional community and their client information. Specific taxpayer information can help a scammer prepare a more authentic looking tax return, so tax professionals maintaining strong security is a critical line of defense for themselves, their clients and the nation's tax system."
Each tax professional is required by law to have a Written Information Security Plan (WISP). This may be fairly brief for a sole practitioner or quite extensive for a 20-partner accounting firm. The Security Summit provides a sample WISP.
Jared Ballew, the chair of the Electronic Tax Administration Advisory Committee (ETAAC), noted, "There is no way around it for anyone running a tax business. Having a written security plan is a sound business practice — and it is required by law. The sample provides a starting point for developing your plan, addresses risk considerations for inclusion in an effective plan and provides a blueprint of applicable actions in the event of a security incident, data losses and theft."
The WISP should be saved in a PDF or Microsoft Word document that is easily accessible. It should be available to all staff as part of their security training. There also should be an off-site or cloud copy to protect the plan.
The Security Summit created a Taxes-Security-Together Checklist to help tax professionals. There are six primary steps for your cyber security measures.
- Anti-Virus Software — Make certain that your anti-virus software is on all computer and network systems and is up-to-date. There should be automatic software updates each day.
- Firewalls — Firewall is important to protect the computer from outside attacks. However, the firewall cannot protect from phishing emails that download malware. Implement an ongoing training program for staff to recognize phishing emails.
- Two-Factor Authentication — All of the important online accounts, particularly for tax software, should use two-factor authentication. Most two-factor authentication involves a password on an online account and a multi-digit code sent to a smartphone.
- Sensitive Files — Client data and other sensitive information should be backed up to an external source. This could be a hard drive stored in another location or the cloud if appropriately secured.
- Encrypted Data — There are drive encryption products that will enable protection on hard drives. The encrypted data will generally foil an identity thief.
- Virtual Private Network (VPN) — Because many tax professionals work remotely, VPN is a best practice to keep data is secure.
Tax professionals should be on the lookout for specific higher risk items. All offices should have periodic training on phishing emails. Staff must be careful not to click on any links unless they are confident about the identity of the sender.
Many tax professionals have been taken advantage of by identity thieves who pose as potential clients. The identity thief will engage in several email exchanges. After the guard of the tax professional is down, the identity thief includes a link that downloads malware on computer or network of the tax professional.
The malware may permit the identity thief to gather client data and file tax returns in late January or early February. An even more serious threat is that some identity thieves have engaged in ransomware.
Part of the WISP should be an emergency response plan. The IRS offers Publication 5293, Data Security Resource Guide for Tax Professionals and Publication 4557, Safeguarding Taxpayer Data.
Applicable Federal Rate of 5.2% for December -- Rev. Rul. 2022-22; 2022-49 IRB 1 (15 November 2022)
The IRS has announced the Applicable Federal Rate (AFR) for December of 2022. The AFR under Section 7520 for the month of December is 5.2%. The rates for November of 4.8% or October of 4.0% also may be used. The highest AFR is beneficial for charitable deductions of remainder interests. The lowest AFR is best for lead trusts and life estate reserved agreements. With a gift annuity, if the annuitant desires greater tax-free payments the lowest AFR is preferable. During 2022, pooled income funds in existence less than three tax years must use a 1.6% deemed rate of return.