Your Client Data Is Under Attack: An IRS Agent's Warning

There may be errors in spelling, grammar, and accuracy in this machine-generated transcript

Roger Harris: Hello again everyone. This is Roger Harris. Today is another federal tax update podcast. And as always I am joined by my co-host Annie Schwab. Annie, how are things in Dallas besides hot?

Annie Schwab: Well, hot. But we've had that terrible flooding.

Roger Harris: Oh yeah.

Annie Schwab: Everybody's probably seen on the news, but, um, but other than that, we're just kicking through July. [00:00:30] That's what we're doing.

Roger Harris: Yeah. Did you get any of the flooding? And no.

Annie Schwab: We didn't. I mean, we got some rain. Um, but nothing like what I've watched on the news.

Roger Harris: No, that's that's really shocking. And you can only hope for the best for some of them. I'm surprised how many are still missing.

Annie Schwab: Yeah, I know.

Roger Harris: Um, well, as we sit here today, the big, beautiful bill has passed, and I'm assuming everybody thinks that's what we're going to talk about. [00:01:00] But that's not what we're going to talk about today.

Annie Schwab: Not this time.

Roger Harris: Not this time. That's, uh, that's the podcast we'll be recording right after this. And for those of you that have, uh, heard him before. Thad Inge from Van Scoyoc associates, who represents Padgett, our employer and sponsor of this podcast, as well as the National Association of Enrolled Agents in Washington. Uh, he's going to join us. Uh, and we're going to dive deeply into the bill. Based on what we know, there's still guidance that will have [00:01:30] to come out and other things, but that'll be for the next podcast. Uh, but today we are very fortunate, and we're going to talk about a topic that doesn't really have political parties or care about political parties. Uh, but is something that all of us in our industry need to think about and, and take seriously. Uh, and that is scams, data breaches, malwares, whatever you want to call it. And and as it impacts us you [00:02:00] if you think back we had a practitioner on a few months ago talking about it from their perspective. But um, now we're going to talk about it from the perspective of the US Internal Revenue Service. And I'm going to start off with some interesting stats before I introduce our guest today, because I think it makes the point. A lot of people hear about this and they think about it and they go, well, I'm too small. It won't happen to me. It's not a big deal. It's always going to happen to somebody else. I want to read you some stats that, [00:02:30] uh, the service has and this is just for 2025. So this is.

Annie Schwab: To date.

Roger Harris: To date. So this is about half a year. Um, and this is reported incidents. I'm sure there are incidents that didn't get reported. And, uh, Glenn can talk about that. And there's probably incidents out there that people haven't recognized. They're a victim yet. Uh, so I don't think this is the total number. It's probably a little bit under. But so far in 2025, the IRS has had 327 incidents reported [00:03:00] to them. That has impacted 830 tax professionals. And this is kind of a shocking number, 342,317 taxpayers that are impacted by these types of activities. And and we are, as we've said, prime targets. And we are so fortunate today to have Glenn Gizzi with us, who is one of the you know, we've [00:03:30] all been concerned about the brain drain at the IRS. And we are fortunate to have one of the I don't know if they're the last man standing, but Glenn, I believe this is your 36th year with the IRS. You have done all kinds of things with the IRS. You're now focusing, I believe, through stakeholder liaison in terms of presenting this type of topic. You're instructing, you've done training, you've been a revenue agent, you've done it all. But today [00:04:00] you're here to share your knowledge about scams, breaches and things like that. So thank you, first of all, for agreeing to to join us today on our podcast.

Glenn Gizzi: Thank you very much, Roger. And thank you, Annie, for having me here on this podcast. I'm very happy to do this. And as you said, I'm here almost 36 years. So I started off doing customer service, then examination and then education. And I've been doing education now for almost the last 20 years and now recently [00:04:30] being involved with data breach and tax scams. I have found so much information out there, so many different things that I want to share with the practitioners that I have been talking to, but only locally in New Jersey. So I'm very happy to be able to do this, uh, you know, nationwide.

Roger Harris: Yeah. And we're and I think it's a message that we need to get out to everyone because as I said earlier, a lot of people just don't think it could happen to them. You know, they're too small or why would anybody want to [00:05:00] hack me? But sadly, we're all valuable to those people out there.

Glenn Gizzi: And that that is correct, unfortunately.

Roger Harris: Yeah.

Annie Schwab: And it's just so it's so easy to it seems so ridiculous, but it's so easy to get hacked. I feel like the hackers get smarter, and I don't get any smarter on figuring out ways to prevent it. Um, but, you know, sometimes I think technology just, you know, it's the downside of having advancements and technology. You know, I was just in the airport traveling, and [00:05:30] I was sitting in the airport making my grocery list, made some Amazon purchases, you know, like surfing all these different. I'm thinking I'm on an unsecured network sitting in the sitting in the airport. But you know that people shop from nearly wherever they are at any time of day and probably don't think twice about hackers, you know, tapping into their passwords or, you know, their credit cards or their client list. I mean, I have all my work email on my phone. It could easily [00:06:00] happen. Um, it's just crazy.

Glenn Gizzi: And, you know, and in reality, Annie, what a lot of people don't realize is that tax scams and data breach is really an industry. It's almost like if you want to use the NAICS code for Schedule C to make one for scamming, but this is a multibillion dollar a year industry. I mean, identity theft happens every two [00:06:30] seconds.

Annie Schwab: Oh my goodness.

Glenn Gizzi: Every minute 30 people are, uh, you know, have their identity stolen. Tax fraud scheme scams, everything. This is an industry and they they don't care. They just do it. And you know, one thing to say about this, just so I think so the audience can have an idea for this podcast today is that this isn't somebody just sitting in their basement, you know, in a hoodie, sitting in front of a laptop. This is organized. People go into office buildings. [00:07:00] They have they rent out space and they spend all day scamming. So if you happen to watch movies and see the movie The Beekeeper, and you see that that beginning scene on how that woman with all that educational money gets ripped off. That's exactly how a lot of these are. And and people have to realize it's organized. That's why it's such a big industry.

Roger Harris: Yeah. Well, and think about the information that we have is extremely valuable. And [00:07:30] that's how it's such a big business because there's there's so much that we have that is unique to us in terms of Social Security numbers, income, sources of income, bank records, date.

Glenn Gizzi: Of birth, everything you can use to create a someone's identity or get another credit card for them. And you know, and scam them out of money. You have all of that driver's licenses now for verification purposes for filing the tax return. [00:08:00]

Roger Harris: Right.

Annie Schwab: That's true.

Roger Harris: So being large or being small isn't a good measurement, because even small firms have enough information to be worth a lot of money in the wrong hands.

Glenn Gizzi: Correct. And unfortunately, a lot of the smaller firms are the ones that don't use a lot of technology to protect themselves. Just in the last two days since we spoke, Roger on Monday, the number, you know, we've had four more data breaches from the numbers [00:08:30] I gave you of individual preparers, adding another 2000 taxpayers being put at risk.

Roger Harris: And again, these are just the ones we know about.

Glenn Gizzi: That's right. That's a lot of people don't report them because you're embarrassed.

Roger Harris: Yeah. And sadly, that's not the right. And we'll get to that. Talk about some of the common I mean we're going to talk about scams and all the what what are the ones like some of them we probably know about, but where are we in terms of the [00:09:00] common things that we need to be particularly aware of?

Glenn Gizzi: Sure. Roger, as practitioners, a lot of times, especially during the filing season, you're you're inundated with phone calls and emails from your regular clients. And then now and then you get these emails that say, hey, I've been referred to you. I've been told that, you know, Annie is the best accountant in the area, and you even have a mug on your desk, probably to prove that that you're the world's best accountant. But you have to be very careful because those are the phishing [00:09:30] emails, the phishing with the "ph", and they're looking for you to click on that link in the email. And when you do, it's downloading a virus into your computer, which could either be immediate. They could suddenly lock down your computer, and then you're into ransomware where you know they're going to ask you for Bitcoin currency to, you know, to pay before they'll release your information, or they're slowly just going to use a keylogging program. And every time you put in a username [00:10:00] and password, they now have that. And of course, if you think about it, as you said before, Annie, when you're on your phone or on your device, like in the airport or wherever you're accessing multiple platforms, your banking information, your personal and your professional information. And now they have all of that.

Annie Schwab: And they're so fast. It's like they they get it and they, they they're already hacking your, your bank account or your information or whatever. And then it's, you know, even if you found out in a day or [00:10:30] two which some people it goes weeks before they even know, but a day or two, there's so much damage that can be done that quickly. Yes.

Roger Harris: And the other thing that we have to make sure of, I mean, we can be conscious of this issue, but if we have employees, you know, we have to make sure they're because they can be the vehicle into our system as easily as we can. And sometimes we don't spend enough time working with our employees to to recognize these types of problems.

Glenn Gizzi: Right. And you know, Roger, what [00:11:00] we've what I've even seen this year is several large, larger firms that have had 16 or 20 tax practitioners involved in a data breach. And when it comes down to is that one employee who used the company computer to access personal, uh, things, you know, email or went to a site they shouldn't have. And that's where that virus infection came from. And that's how the scammer got in. And when they find out later, [00:11:30] you know, it's it's unfortunate, but it does happen. Um, you know, when you're a sole practitioner it's on you. But when you have more than one person in the office with you. You have to talk safety. Do not co-mingle. We tell our you know, the taxpayers don't co-mingle business and personal. It's the same thing for tax practitioners.

Roger Harris: Right? Because you don't know where the the crooks looking are coming from. And and again employees and then they're trying to do the right thing. I mean, gosh you get an email that says, hey, I want to be your client. [00:12:00] That sounds like something you should jump right on.

Annie Schwab: But yeah.

Glenn Gizzi: And you got you got to read that email, because a lot of times there's a lot of misspelling or you're realizing that the the grammar doesn't sound right. You know, that's that's usually a good key indicator. It's badly written.

Annie Schwab: Sometimes the website or like the email address looks off. Like it, I don't know, like it's spelling is weird or you, you think you recognize the website and you're like, but something's not right there. Um.

Glenn Gizzi: That's [00:12:30] called typosquatting.

Annie Schwab: Typosquatting. Okay.

Glenn Gizzi: That's a, that's a term for it.

Annie Schwab: And I did not know that.

Glenn Gizzi: Yes. I went to a presentation on that, and you can change the letter L to a one in somebody's, you know, website or email address, and then you're sending a completely just, you know, somewhere else. We had that here in Jersey with, uh, a scammer who got in touch with a payroll person and said, hey, we're having an audit. We need all these payroll records sent to us. You know, the W-2s. And [00:13:00] it was missing one double letter in the company's name, and the person didn't realize it and sent 9500 W-2s to a scammer. Of course, that, you know, there was a lot of issues with that afterwards. So it does happen. And, you know, if you think about it, it's wrong, but you don't necessarily do anything about it because you're usually there's some sense of urgency to get it done.

Annie Schwab: Mhm. Yeah.

Roger Harris: Yeah yeah yeah. They're just they're just getting too good I mean you know. Yeah [00:13:30] I mean thinking that what little they change I mean sometimes it's obvious because, I mean, I would sit there and go, there is no way we need to send W-2s to anybody. So this has got to be a scam. But if it came down to me having to go examine every address in an email or something and you change one small letter, uh, I'd just be doomed. I just got got no shot if I got if I if I get into that kind of thing. Um, what other things? [00:14:00] I mean, when we looked at you, you got something about fake charities. What's that about?

Glenn Gizzi: Yeah. So, you know, anytime there's a disaster, fake charities pop up immediately, and these people will come door to door. They'll be dressed in nice white shirt, pants, you know, with a clipboard saying that, you know, would you like to donate and everything and people, you know, gladly give money to any kind of donation. And the problem with these fake charities is they're not registered with Internal Revenue Service. They haven't filled out the paperwork to become [00:14:30] a tax exempt organization. And, you know, people don't realize that they can go to irs.gov put in tax exempt organization. It's I remember the old pub 78 used to be the size of a telephone book. And there were several of them. And we would have to look it up. Now you can just go online, put the name of the organization, and we'll immediately tell you if they are qualified to receive donations. But you know, when they're only asking for 5 or $10, people don't realize that that's [00:15:00] a problem. And we just tell people anytime there's a disaster you should give to the known or, you know, charity organizations or through your own religious organization, you know, because you know, that is something you're familiar with. But the fake ones, they pop up with phishing emails, they send them on now as phone calls, social media. They send them text messages, they send you Instagram notifications, you know, anything, you know. And again, if they're only asking for a couple of dollars, [00:15:30] you don't think anything of it. But when you put your banking information in there, you might be exposing your information to be, you know, taken and sold or hacked into.

Annie Schwab: You know, I wondered one time, you know, when you go to the grocery store, you go somewhere and they say, do you want to round up for feed our Hungry children? Or, you know, like something like that? And I always say, yes, and now you're making me nervous.

Glenn Gizzi: Oh, no. So if you're dealing with a with a supermarket organization like that, or even at the casinos now, they don't give you the the coins anymore. [00:16:00] When you get your ticket, they ask you if you want to round up to a charity, and you can look and you realize that, you know, if they're doing it, it's fine. But if there's somebody just, you know, asking for money, you have to make your own conscious decision.

Annie Schwab: Yeah, yeah well.

Annie Schwab: One of the other.

Annie Schwab: I'll think twice. Yeah.

Roger Harris: Yeah. Well, if it's just a few cents and I don't have to give them my bank account, it makes it easier.

Annie Schwab: If I pay with a credit card. And then I round up, I'm like, oh, no, they could have taken my credit card information.

Roger Harris: Yeah. There's something about me that I want everything to be even. So, [00:16:30] you know, I try to get the gas to stop at a certain thing. And so I just round up for to make the math simple. Right? I still have a hard time figuring what's nine from seven, you know, so I'll have to do that. I just it's always zero. Um, refund thefts, you know, I've heard, you know, and some of your compadres at. And when I go to Washington talk about some amazing things that we just don't think about in terms of refund theft. So what are you seeing in that? And what do we need to be careful of? [00:17:00]

Glenn Gizzi: So a lot of times in the refund theft that we see in the data breach department is hackers have already gotten into your system. And then they changed the bank account information that is, uh, on there already. So it's not going to go to the client's bank account. And they also and or I should say go in and they change the refund amount, they add additional schedules. They'll throw in a negative Schedule C to, uh, you know, lower the, you know, [00:17:30] AGI and therefore increase the refund. Um, and a lot of times they're extremely bold. They I saw one recently where they basically just moved the decimal point by one and went from a $9,400 refund to try to get $94,000, which, you know, didn't go through. Um, because the software companies are getting better at reviewing the tax returns that are coming in from the tax professionals to see if they're in line. And so is the IRS, because if your [00:18:00] refund is remarkably different than it has been, excuse me, has been for the last couple of years, we are we are going to stop, take a take a second and say is this right? You know, and maybe it is. Maybe, maybe you had something big happen during the year. But it's possible. Possible. But unusually on the lower side, Roger, where it's, it's it's more likely something is wrong with the return. We're not saying necessarily it's data thievery, but something is wrong with the return. So we may take a, you know, send a letter out, [00:18:30] but refund fraud. It's just basically trying to steal money from the taxpayer's refund check, either by splitting it off or taking the whole thing.

Roger Harris: I heard an interesting. So I'm just this is an example of how creative these guys and girls have become. Where we all do this. We finish the return, we create the file, we send the documents out, we wait for the signature. As soon as we get them back, we just go hit send. And what we don't know is somebody sitting in [00:19:00] our system and they know as soon as we create the file, we're never going to look at it again. So they log in. That's when they change the bank account. That's when they do all that. And so we think we've done everything perfectly. And the next thing we hear is, hey, I never got my refund. And that.

Glenn Gizzi: Is so that's.

Roger Harris: Smart.

Glenn Gizzi: It is. And it is so true because they understand the human nature and especially during the filing season and your rush.

Annie Schwab: To get it out.

Glenn Gizzi: Exactly. And, you know, [00:19:30] one practitioner said to me, you know, he's changed the way he does things. So he creates the file, but he doesn't put in pertinent information like the banking information. And of course, he doesn't put in an IP PIN, which we'll get to later until he's ready to file. But once he gets that 8879 form back signed, then he puts that information in and then he immediately sends the return. Because then this way he knows they're not going to be able to change it.

Roger Harris: And that's that's the kind of advice that's important because [00:20:00] that's just changing a habit that we've created all these years, and it's made us susceptible to this when what you just described, you know, at least going and looking before you hit send to make sure what was there when you created the file is still there. It's just us being willing to change our processes and how we do things because of the world we live in now. And we don't like to change things. But sometimes, you know, it's [00:20:30] it's a good idea to think about that because once they, as you said, they figure out behavior out and then they take advantage of it.

Glenn Gizzi: Correct.

Annie Schwab: Yep. Um, wow. Well, yeah. So so I do have this question. I mean, I know the IRS is not going to call you or text you, um, but there it does sound like there's. So I know that as a tax practitioner, but some of these are really sometimes the, the imposter, you know, [00:21:00] pretending to be an IRS agent, you know, saying that they need additional information to process your return via email, via text, via all these things. How how is it that I feel like there's got to be a better way to inform taxpayers to not fall for that? Like the IRS is not going to come to your door. The IRS is not going to call you on your cell. Um, everything is done by mail, and it's been that way for years. But yet taxpayers continually fall for these scams. And [00:21:30] I wonder if there's just a better way to, um, reach the taxpayers so that they they're better aware. I mean, I we hold these types of things like podcasts, but, you know, I, I don't know what have you, have you seen that this has been an increase with people falling for thinking the IRS is calling them or. Well, emailing.

Glenn Gizzi: It happens all the time, Annie. And what we have been doing in stakeholder liaison as the education department of the Internal Revenue Service, we have been going out [00:22:00] to community groups. We have been hosting live and virtual presentations with large community groups. We we look at our underserved and vulnerable groups such as senior citizens like through AARP. And we tell them these things. We we encourage it. And I what I find is sometimes there's little notification here and there. Just recently at a large chain store there, there was a sign by the gift card saying, if you're if [00:22:30] you're picking up a gift card to pay a government bill call, ask for a manager because it's, you know, it's not true because we don't interesting. Take money via, you know, on Apple's iTunes card or Green Dot Visa. We don't do that. But you know, we we try to get the word out. We try to tell the practitioners, to tell their clients. We ask that their clients tell their family, uh, you know, anytime that, you know, you are right. We we we only call you if you've called us [00:23:00] and you've asked us to call you back. You know, if you filed an offer in compromise or something. Um, but we're not going to, you know, we're going to send you a letter and then tell you to call the general 1040 number so you can find out if it's real. But we're not going to say you have to pay us in 45 minutes or we're going to come and arrest you. You know, we don't do that, you know?

Annie Schwab: Yeah. The scare tactic is real. I mean, I under I mean, my even my grandmother, let's just say my grandmother [00:23:30] would have totally fallen for that. You know, somebody called and was like, you know, you you filed your tax return wrong. And we're going to, you know, put a hold on your bank account or the police will be coming to your home or, you know, something like that. And yeah, the scare tactic works.

Glenn Gizzi: It does. And, you know, and we you know, we have our own police department. We have the criminal Investigation Division. We're not going to send the sheriff's department now. Oddly enough, Annie, if you're smart enough to say, you know, I don't think this is right, and I'm going to call my accountant and you hang up the phone. About two minutes [00:24:00] later, your phone rings again. And on the caller ID, it now says Sheriff's department. No, because you can easily manipulate the caller IDs. And then you get somebody else who says, oh, you know, the IRS contacted us, and if you don't pay them now, all of a sudden you're thinking it's, you know, this must be legitimate. And, you know, and there's that just that general fear that that taxpayers have of the Internal Revenue Service. It's been a long standing thing for years. And, you know, we're trying to change it. We've been trying to change it for years. All [00:24:30] we can do is just we keep putting things out there on social media. You know, we have a social media department that sends things out about scams. You know, we have the dirty dozen scams every year that are not just for the tax professionals, but we market those towards the individuals to say, basically, if it's too good to be true, it's a scam. You know, and you would know if you owed money to us because you would have gotten, as you said, Annie, all those letters.

Annie Schwab: In the mail.

Glenn Gizzi: Over time and people, just as soon as they hear Internal Revenue Service, [00:25:00] they freeze. You know, just like if you get, you know, once those lights come on behind you from a police cruiser, all of a sudden you freeze up, you're you're immediately nervous. It's the same thing here. And they also target a lot of the immigrants that are coming, you know, into the country. They don't understand our tax system because their tax system, where they come from is man shows up and says, give us this X amount of money and we'll leave you alone.

Annie Schwab: What could be a language barrier too. I can see.

Glenn Gizzi: That too as well. Yes.

Roger Harris: Well sadly this this [00:25:30] has to work or they wouldn't be doing it. Correct. So we know it's effective. It's crazy as it may sound to us who you know are somewhat knowledgeable of what's going on. Imagine the poor taxpayer that or immigrant as you said, or someone just gets a phone call. I mean, I would laugh if somebody told me I had to go to Walmart and get a gift card to pay my taxes, but that would seem perfectly logical to someone.

Glenn Gizzi: To somebody else. Yeah, sure. Especially if you're an unbanked person [00:26:00] who doesn't use anything like that. You're using gift cards all the time, right? And and you throw the net out there enough. You'll. All you got to do is catch one person.

Annie Schwab: Yeah, well, it's really great to hear that you're going out in public and to these areas and, you know, reaching out to the community groups to get the word out. So thank you for doing that. I wish we had more of those, you know, all around in Jersey. I know you're very busy there, but, you know.

Roger Harris: Are you going to be able to continue to do [00:26:30] that with with the cutbacks? And maybe I'm not trying to be political, but I mean, this takes resources to do that.

Glenn Gizzi: Is this it is on our, you know, tax professionals, our our stakeholder liaisons. Number one client. Right. Uh, you know, we are working as best as we can with the, you know, to get the word out there. Obviously, virtual presentations are always a lot easier to do. Sure. And, you know, as we see whatever money we get going forward in the budget [00:27:00] and we see how many people we have left, then, you know, we can determine from there how best to try to get the word out to everybody. You know, just like anything else, it's always buyer beware. So just, you know, we're glad that I that I've seen the retail pharmacy chains and the superstore chains putting up these signs telling people to ask questions.

Roger Harris: Yeah. Yeah. Because, I mean, you can only do so much. And, you know, if the if the bad guys realize you can do less, they'll do more.

Glenn Gizzi: Exactly. [00:27:30]

Roger Harris: And that's that's the thing. Let's go back to the practitioner group again. We talked about some people who don't know they've been breached. What kind of signals or signs should a practitioner look for that might tip them off? That something's going on that they're not aware of?

Glenn Gizzi: Okay. So Roger, if you have a regular client you've had for years and you go to file the return and it gets rejected because the Social Security number [00:28:00] has already been used. This isn't a new client who may be thinking they can get two refunds or something from us. Right. This. This tells you. Wait. How is your Social Security number used? Now, way in the past, when we used to just have paper returns, that could just be a typographical error. Somebody transposed two numbers. But now it's. It's that the Social Security number has been used. Now, whether the practitioner has a breach, they're not going to be sure of. So what they're going to need to do is go into their e-services account and see [00:28:30] how many tax returns that they have filed under their EFIN number, versus how many the IRS has recorded. And if they see more with the IRS than they filed, they have a data breach. A lot of times the software company will come to them and say, hey, you filed six returns, you know, Saturday into Sunday overnight, you know, are these correct? And of course, you say, yeah, the filing season's busy, but you're not working at 2 a.m. Sunday morning. So you realize I've been breached. [00:29:00] And that's where you got to ask yourself, are you using your multifactor authentication when you log in? Or did I go to a website and clicked on a link? You know, because you know, your information is somehow out there. So there has to be something like that. Additionally, sometimes the clients will call you and saying, hey, I got this transcript I didn't request, or I got a letter from IRS saying they wanted me to verify my identity. The Letter 5071C is the most popular one saying, [00:29:30] you know, they want to make sure this is my tax return. You didn't tell me you filed yet. And then you're like, no, I didn't. And that's another great indication you have been breached.

Roger Harris: Yeah. And again, the event that caused it could have been weeks or months ago. And you've completely forgotten about it. And so it's these other warning signals that come up and again. And the other thing is we see some of them naturally a lot with dependents that they've already filed. And so we don't we [00:30:00] just think it's something normal when it might be a warning sign of something bigger, more big that. Yeah, this is different. Yeah. The Social Security number has already been used. But this is a different don't don't just assume. It's like when the kids, you know, jumped out and got their when I got their $5 refund and messed up your tax return. True.

Annie Schwab: So what so what are like if there was like a five steps immediate steps that you should do if you think that you've [00:30:30] been breached or know that you've been breached, like what is the fastest way to make you know the pain, stop. Um, so to say.

Glenn Gizzi: So, Annie, in that case, the first thing you really should do is contact your local stakeholder liaison. And the easiest thing that practitioners can do is go to IRS.gov, type in stakeholder liaison. There'll be a link to your local and local for us means we have five areas throughout the country. So you know each state falls under a particular [00:31:00] area. New Jersey is area two. Too. So they would look at area two and there'll be a phone number and an email for them to contact to report the data breach. And then a stakeholder liaison person will call them back, tell them, hey, you reported a breach. We need to get some information from you. You know, we're also going to direct the tax pro to go to our e-Help phone number and cancel their EFIN number and get a new one. Okay.

Annie Schwab: How long does that take? Because [00:31:30] if you're in the middle of filing season same day.

Glenn Gizzi: Same day, that's a same day service. Okay. They just they'll verify you because you went through the whole big procedure to get your PIN number. So pull out your EFIN application. They're going to ask you some questions. They're going to ensure that it's you. And then they are going to give you a new six-digit number to use. Now your software company, depending on which company it is, some of them say, well, we want you want you to wait for that week or two till you get the actual letter with your number. [00:32:00] Others will say, well, you know what? Well, we don't want you to put the number in your computer yet. And we also recommend that until you make sure that you've had an IT person look in your system to make sure the hacker is still not in there. This is.

Annie Schwab: A.

Glenn Gizzi: Multi-step, overlapping process where you're contacting us and depending on your breach, you may have to contact the IC3, which is the internet complaint which will go out to multiple [00:32:30] federal agencies. You'll have to contact state agencies. You know, we had one firm that their data breach covered 34 states, because that's where they had clients. And one of the things that you have to do through your insurance company, who's another person you should be contacting?

Annie Schwab: Yeah.

Glenn Gizzi: Of course. Okay. Is that you have to give them credit monitoring service. And depending on the state that's anywhere from 1 to 2 years for every taxpayer identification number, meaning Social Security number [00:33:00] or EIN that you have that may or may not be breached. You just have to, you know, provide it to everyone. And that's where your cyber insurance really comes in.

Annie Schwab: I'm about to say how that can get very expensive.

Glenn Gizzi: Oh, Annie. The poster child for for this. And we could say his name because David Lyons has worked with the IRS for 12 years now. He was basically not necessarily the first, but he was the one that really got our attention. He was out of Connecticut, and [00:33:30] it cost him 155,000 out of pocket, but he had 100,000 in cyber insurance, which he didn't even realize he had because they didn't call it cyber insurance at the time. Right. So that that was a $255,000 breach 12 years ago. I'm going to tell you now, if you're if you're holding less than 750 or 1 million, you're, you're, you're skirting with danger because, you know, depending on how many [00:34:00] clients and how long this was going on. Because again, like you said earlier, it could be a couple of days to a couple of weeks. Well, we've seen it where it's been eight months and they didn't realize and their entire client list was, you know, sold on on the dark web. So it cost that that company over $1 million, you know, because you have to hire extra help. There's so many things you have to do. You have all these additional costs. You. That's why you've got to have a good cyber insurance, you know, plan. And hey, cyber [00:34:30] insurance is what tax deductible for the for the tax pros. So yeah you know whatever it costs it's better than having the alternative.

Roger Harris: Yeah. And sometimes you know we all want to get the cheapest thing. This is a place. Don't be don't be cheap. Get good good cyber coverage I mean look I don't guess there's any insurance I want to use. You know, it's there if I need it. Not because I want it to be needed, but gosh, when you need it, you really [00:35:00] need it.

Glenn Gizzi: And yes.

Roger Harris: And this is a place that we need to maybe get out of our nature or if that's the right word and comfort zone. Comfort zone. And and this is a place to spend a little bit more and get. Don't just somebody says, well, I can do it for cheaper. Well that doesn't mean you can do it right?

Glenn Gizzi: Correct.

Roger Harris: And this is an area that you really need to do. Talk a little bit because I know I've heard this before that you guys I'm talking about stakeholder liaison will work where you can [00:35:30] make sure that returns can be filed and be validated. And practitioners are sometimes hesitant because they're you got to tell them you're filing this return for this. I'm not getting it exactly right. I think, you know, you know exactly what I'm talking about. But why is that so important and why? Why do people resist it and not stop it? Whatever. You describe it better than I do, but stop it. It's a it's something you need to work with the stakeholder liaison group to do.

Glenn Gizzi: Yeah, it's human nature that, you know, they they don't necessarily [00:36:00] want to give us that information. So over the last few years we have refined our process. So when you when a tax pro reports a data breach to us, we're only taking certain regular information from them. No client information. But then we're going to have a department called the Refund Integrity Compliance Service or RICS as they're referred to, contact the tax pro and depending on where they are in their filing and where we are in the filing season, they have two [00:36:30] different programs that they prefer to talk about, but in general, you got it pretty much correct, Roger. We'll ask for certain information in through that program when you're ready to file. So let's say you're ready to file 25 returns that day. You're going to tell us these are the 25 returns coming in. And then we'll expect to see them that day. So this helps us determine if this is, of course, after you've reported the data breach, to make sure that we'll process those returns in a timely [00:37:00] fashion. As you know, we have 21 days to process a return before we consider it having any issues.

Glenn Gizzi: And we have 45 days to issue a refund by congressional statute before we have to pay interest. We don't want to take months to process, you know, returns. But some of those identity theft returns that have already been breached and have already been electronically filed, even if we stopped the refund, it takes many, many moons for that taxpayer to get their refund. So for all [00:37:30] the ones in your client list that haven't been touched yet, these two different programs that the department offer are extremely helpful. But again, it comes down to I don't want to give that information or, you know, I think I can do this myself. Why do you need it? Well, we're basically want to make sure that no more of your clients are affected. You know, I've seen it where it's been as low as 5 or 10% of your clients are affected. And I've seen others where [00:38:00] over half of their clients, you know, are affected, directly affected with a data breach. And that's a lot of people to be waiting around for a very long time to get their refund. That, even though we stopped it, you know, is a problem.

Roger Harris: Yeah. No, it's again, thank you for doing a much better job explaining it than I did. But, um, but yeah, I'm shocked when you're in this, you know, I guess you're just in the middle of all this, and you just don't know what to believe and what not to believe. But this is, I think, a great way to to [00:38:30] mitigate the damage. It's not going to eliminate it, but, you know, or fix everything. Talk about the value and importance of the IP pin. You've referenced it, but I think it's time that we remind people because I think I'm correct. Now it's available. I know for a while it was certain states. I mean, Georgia was one of them, but I think now it's across the board, right?

Glenn Gizzi: That is correct. Since, uh, 2021, it has been available for anybody to apply for an identity protection pin or IP pin, as we call it. [00:39:00] Um, in the beginning, it was several states like Georgia and a few others that had high incidence of data breaches. And basically what the IP pin does, it's a six digit number that the taxpayer gives to their tax professional, who puts it on the return in addition to their Social Security number. When a tax return is electronically filed before it actually gets into the system, it goes through a, you know, the porch of the IRS, basically the front door. And before it can get through that front door, it's in [00:39:30] the porch. And we want to make sure if we can, that it is the correct return from that taxpayer. So we'll look for an IP pin. If one has been issued, it has to match what's on that return.

Annie Schwab: And an IP a new one every year.

Glenn Gizzi: Every year. That is correct. So that that helps. Right there. We look at we have over probably now 300, but at least over 200 different filters to look for changes in your return or little things that are different. And then we might stop the return there. [00:40:00] And this is important because once the return goes through that front door electronically, if it's the wrong return, it's a fraudulent return. The regular taxpayer cannot file by electronically. They have to file by paper. And paper processing takes a long time. So the identity protection pin, which has absolutely no cost to the taxpayer, is a is a quick and easy way to go online. If you're an adult, you go through ID.me, that's what we have set up through the Internal Revenue Service and many other [00:40:30] agencies. You do a verification and once you're approved, who you are, you will get this. You will be able to go into your IRS secure account, which you also do at the same time. And you download this six-digit PIN, which as you said, Annie, changes every year in January and it is the PIN you use for the whole calendar year. So let's say you have somebody who hasn't filed their 22 return, and they have a pin that they got an IP pin for 2025. [00:41:00] They would put it on their 2022 return that they're filing. So we know that that's the taxpayer. So we will process the return. You know basically Roger, Annie, if every taxpayer had an IP pin, they would it would be nearly impossible for anybody to file a fraudulent return, because if that IP pin is not on the return being filed to us, whether electronic or on paper, we will not put it into the system. So if they accidentally forget [00:41:30] to give it to you, it will get rejected and you'll get a code that says taxpayer has an IP pin. Where is it? And then you go back.

Annie Schwab: That's what our software does. So if you if you try to e-file it and it doesn't match or it's not there. You'll. It won't even make it that far.

Glenn Gizzi: It'll just say that it rejects within the first 24 hours, which also means it didn't get through the front door. So you're still good to get the pin from them and put it on there. And with the I do it.

Annie Schwab: Can you get it for your kids?

Glenn Gizzi: So we had this recently [00:42:00] and there was a presentation where, yes, children, anybody who can verify themselves can get an IP pin. The problem is that ID.me will only work with 18 years and up. Got it. But we highly, highly encourage all tax professionals to have all of their clients get an IP pin, especially their senior clients. And you know, and if they need help getting an [00:42:30] IP pin, tell them to turn to their kids or their grandkids to help them through. Um, I know there are there are accountants out there that are hiring summer help. You know, college students to come to their office, and then they're contacting all their clients and having the, let's say, the elderly clients come in and they're helping them get an IP pin, get their whole thing set up so it protects them. I mean, you yourself should show a good example by having an IP pin so [00:43:00] you know what it goes through. Now, I know a lot of people have said, oh, ID.me is horrible and whatever.

Annie Schwab: It's not that bad.

Glenn Gizzi: It's not. It takes anywhere from 10 to 15 minutes. Listen, if you're a person who moves around a lot or you know there's a lot of problems, let's say, you know, IP, you know, the ID.me might be difficult, but or as in the case of one IRS retiree, he had a flip phone. A very old flip phone.

Annie Schwab: Yeah. You got to take.

Glenn Gizzi: A picture of your driver's [00:43:30] license. Is it really going to work?

Annie Schwab: So, you know. Yeah, yeah, yeah.

Glenn Gizzi: We had to upgrade them to, you know, a smartphone. Uh, but almost everybody can almost everybody can get an IP pin. You know, we obviously are never going to see 100%, but the more that we see, the less fraudulent returns we will receive.

Roger Harris: We need to get the insurance companies to offer discounts to tax preparers who have a higher percentage of their clients with IP pins.

Glenn Gizzi: That would be great.

Roger Harris: Yeah, that way that [00:44:00] would motivate people who are money conscious to have some way to attest that you have 75% of your clients with ID pins or something like that, because that's got to remove the risk for them to the insurance companies.

Glenn Gizzi: Absolutely. And Roger, the last thing I want to say on the IP pin, which is it sort of goes back to that human nature thing. Many practitioners have told me they don't have the time to help certain groups of their clients to get an IP pin, because they don't want to charge them the time it [00:44:30] takes to to pull that information out of that and walk them through it. So they don't want to, you know, do that. And that's where, hey, that's where your college interns come in, too. You pay them a minimum wage, and they're doing all that work, and they can zip right through it, and it's not costing you as much. And that has been like the number one thing that stops practitioners from really pushing an IP pin because they know their clients are going to call them, but we push it all the time everywhere we go. IP [00:45:00] pins, you know, for, you know, everybody should get one.

Annie Schwab: Well, and I'm sure you have clients that are like IP pin. Oh I wonder what that is this year. I'll get it to you. You know. And so the the tax practitioners having to wait on the client I need that I need the IP pin, you know, um, so it does maybe slow down the process. But in the long run that small amount of or no headache if, if, if that prevents somebody from being hacked, I think it's.

Glenn Gizzi: Absolutely.

Roger Harris: That's why everybody should have an online account because I don't get the [00:45:30] letter. You can go in there and get it because that was the excuse. Well, they lose the letter. They don't have the letter. Well okay.

Annie Schwab: I haven't gotten my letter yet and I want to file and get my refund right away. You know.

Roger Harris: Go look in your online account. All right. I'm going to read something. Okay. And I want to see who recognizes this. I'm not not the people. This is for the audience. I am aware that paid tax return preparers are required by law to create and maintain a written information security plan and provide [00:46:00] that provides data and system security protections for all taxpayer information. Now, I wonder how many people know what that is, because you've probably all agreed to it.

Glenn Gizzi: They did. They did when they renewed their PTIN in the last part of each of the years. So very interestingly enough, the WISP, as we call it, information security plan, actually [00:46:30] has been around since 2007, but became a legal requirement on June 9th of 2023. But before that, we used to talk about data security plans using Publication 4557. Even before the pandemic, we were hot and heavy out there in stakeholder liaison, talking to practitioner groups and telling them there's this requirement through the Federal Trade Commission that you have to protect your client's information. This is specific to tax [00:47:00] practitioners. And, you know, I would very honestly, you know, even up to my last presentations and stakeholder liaison before getting this job, and I would say to the audience, okay, hold on, I'm going to hold on to the table or podium. I want everybody to raise their hand as quickly as possible. On how many people have a WISP that they can give me right now if I were to ask for it, I'm waiting to be knocked over by that, you know, rush of air, which never happens. Right? Okay. It just never.

Annie Schwab: Does go WISP.

Glenn Gizzi: What exactly. [00:47:30] And we have to explain it to them, you know. And that's why we have a sample WISP in Publication 5708. And we have 5709 to help them through this. I mean, if you're a single person tax preparer, everything falls on you. That's why we have a sample plan to help you. But if you're in a multi-person group, then this is something that you all should work on together. And everybody has their part, you know. And a lot of it is [00:48:00] just making sure you're following the rules that you should follow multifactor authentication. Number one thing, you should be using that all the time with your tax software. I actually have a data breach this year where the person said it was too much trouble to set up. And I really wanted to call them back and say, well, now what do you think about that? Because you, you just, you know, had 55 of your clients or 57 of your clients, you know, tax returns were hacked and got, you know, false refunds went out. And [00:48:30] of course it was after the fact. So, you know, now we're you know, we're playing catch up. Yeah. They're going to be waiting for months to get their.

Annie Schwab: I bet you he lost some of those clients.

Glenn Gizzi: Oh, I'm sure. So I mean, the WISP tries to look at the vulnerabilities of your company. You know, where where are the leaks potentially it tries to draw out the problem, you correct it, and then the WISP also tells you what you need to do in the case of a data breach, which is contact Internal Revenue [00:49:00] Service stakeholder liaison, contact your insurance company, make a police report. You know all these different things you have to do. And it helps keep everything in one place so you don't have to go to all these different places. It's all right there for you. And again, the Federal Trade Commission is the one they can come in and shut your business down.

Annie Schwab: Right.

Glenn Gizzi: You know.

Roger Harris: Yeah. And and I think and I know we've said this to our folks, you know, don't look at the WISP as is just getting it to [00:49:30] the minimum so you can check that box. You know, it is a serious plan. It's there for a reason. We're not just asking you to have something so you can check a box. We're asking you to have a real plan so that, God forbid, something happens. You know what to do. And hopefully you can. You have a plan that will help you prevent it. But, you know, I think it's just going to take a while, maybe more. You going out and telling stories and more podcasts or whatever, you know, to get people to understand this is a serious problem that, [00:50:00] you know, is in our industry right now. And the WISP is a big part of trying to mitigate that, that problem.

Glenn Gizzi: Exactly. And this is an evergreen document. This isn't something you just put on the shelf after you do it. Because what happens if in a multi person firm Annie leaves? Well, what was her job in the WISP? Well somebody else needs to do that. Which means you need to update it. You know, it.

Annie Schwab: Needs to be a living document and it And.

Glenn Gizzi: Exactly.

Annie Schwab: Over time.

Glenn Gizzi: Absolutely.

Roger Harris: Yeah. [00:50:30] I mean, it's again, this has just gotten to be something. I mean, it used to be it was an irritant. And we heard occasionally that somebody got hacked. And now it's it's it's happening way too often. Um, before we run out of time, talk a little bit about stolen EFINs, PTINs, CAFs. What's what's that looking like? What what do we need to think about there?

Glenn Gizzi: So. So, you know, Roger, we always talk about, you know, people stealing Social Security numbers, but [00:51:00] these data thieves are stealing your EFIN number so they can file tax returns. And sometimes they're not even filing for clients at the information they've stolen from you. They're filing somebody else's stolen client information, but under your EFIN. That's why you should always make sure that you're taking a couple of minutes every week to match your EFIN to how many you filed versus how many the IRS received through your e-services account. Uh, same with your PTIN. Your PTIN is [00:51:30] like a Social Security number, and, you know, you need to to keep that secure, because, again, if somebody has your PTIN number and their password, they can go into your PTIN account, CAF numbers. Uh, you know, if you're doing any kind of power of attorney, it's the same exact thing. You want to keep that secure. Plus, don't forget, every now and then you got to look back at, you know, say during the off season, during the summer and say, you know, I've got a lot of, you know, clients on their CAFs and these clients are deceased or they've moved on somewhere else. And, you [00:52:00] know, you can you can contact the CAF unit to get a list and, you know, cross out the ones or highlight the ones and send it back saying, please replicate. You know, all of these because these people have your CAF number out there, you know, and while they the CAF number is a lesser one like the PTIN, but the EFIN is extremely important. All identifying numbers should be kept secure. That's what you have to tell the people in your office. And again, that goes right back to [00:52:30] do not do anything with your work computer except work. You want to check your email, pull out your smartphone and and go to your email. Don't check in on your work computer. We can't do that here. You know we can't access any email other than the government. Email will not allow us, you know, to go into Yahoo or Verizon or Gmail doesn't allow us to do that. You know, so.

Roger Harris: Separate separate.

Glenn Gizzi: Separate.

Roger Harris: Yeah. You got to do it. So [00:53:00] short of giving everybody your phone number, uh. Where, uh, what? I hope that people who listen to this will, will take this seriously and go back and evaluate your current situation. Look at your WISP. If you don't don't know what that is, figure that out quickly and move to get one. Um, but is there any. You know, I guess the first thing is, if they have a problem, call stakeholder liaison. Is that kind of the correct primary? Any any [00:53:30] first stakeholder liaison? Second insurance company third to police. Is that kind of the. Yeah.

Glenn Gizzi: Guidance basically. Yes.

Roger Harris: Okay.

Annie Schwab: And the IRS website has a lot of resources as well. If you just go to the IRS website and say, you know how to report a data theft or security breach or something, they have a manual and I don't know the name of it. It's like safeguarding taxpayer data kind of thing.

Glenn Gizzi: That's exactly what it's called.

Annie Schwab: Safeguarding.

Glenn Gizzi: Taxpayer data. Yeah. And in fact, Annie, right. On the IRS home page, [00:54:00] upper right hand corner, it says tax pros. You click on that and you look down halfway down the screen. And there it says, you know basically reporting identity theft or data breach. You click on that and it brings you through all of those, you know, different things. Uh, because, you know, a lot of, a lot of, uh, tax, uh, pros that are going to be listening to this have to understand is, you know, you, as you said before, Roger. Or they'll think that it's not going to happen to me. You know, uh oh. It's only, [00:54:30] you know, 342,000 or 344,000. Now, taxpayers, what's the big deal? Well, that's the entire city of Tampa, Florida or Anaheim, California. So when you start thinking that and we're only halfway through the year, right?

Roger Harris: Right.

Glenn Gizzi: You know, what's the next? You know, there's going to be LA, New York, Chicago. We're you know, we're going to hit a million. I don't think we'll hit a million this year. But it's going up every year. It's going up because thieves are becoming [00:55:00] more sophisticated and people are realizing they need to report this to us. You know, but there's still a large number of people who do not report, uh, data breaches to us because they're embarrassed. Um, some, you know, sometimes they're advised by whatever, by whoever to not report it to us because they'll be liable. Well, you are liable already. So the quicker, the quicker you get to us, the quicker we can help stop the rest of your clients from going through a problem. But the big thing is, as my boss, Maggie [00:55:30] always says, is you have to plug the leak. So you have to get an IT person, not your grandkid who knows computers, okay, an IT person to come in and find out is the hacker in your laptop. Are they in your server? You know, how did they get through your firewall? Yeah, right. I mean, firewall. And you look, some of the people just look at you with a blank face going, what's that? Yeah. So you know, then then, you know, you already have a bigger, bigger problem. So you know, yes, [00:56:00] it's becoming more and more difficult to do your job in your industry. So for those that might be thinking about retiring every year, I always hear people say, you know what, I'm done with this because of data breaches, okay, sell your client list off and often enjoy retirement. But for those that stay, you have to take care. Because as you said before, Annie, you got bank records. Okay. Driver's license information. You know, Social Security numbers, date of birth. You have all of that information. [00:56:30] So that's why there's a WISP. That's why we ask you, do you have a WISP? Imagine how many people, if we said to them, you renewed your PTIN and you said you had a WISP, please send it to us within 24 hours.

Annie Schwab: Maybe you should have to attach it to the application.

Roger Harris: Yeah. That would, that would.

Glenn Gizzi: Wouldn't go over very well. Like a lead.

Roger Harris: Balloon. No, no it would not. Yes. Well, Glenn, this has been terrific. Uh, thank you so much. We got to get you back your wealth of knowledge. [00:57:00] Um, yes. This is something. And the one thing I'll remind people. If you only got 50 clients, if you get hacked, it's still going to be hell. Yeah. It might be less hell than the person with 5000. But you're still going to go through hell. You're going to wish you'd have listened to this and taken. Absolutely and.

Glenn Gizzi: Absolutely.

Roger Harris: There's no easy data breach. So again, thank you so much, Glenn. I'm glad, uh, glad to know you're still around and people like you and your expertise and sharing them with them. And you've [00:57:30] got an open invitation to come back anytime. And I appreciate that, Rob. To have you.

Glenn Gizzi: Absolutely, I enjoyed it. Thank you. Thank you. Annie.

Roger Harris: Just let us know. And, uh, thanks everyone for listening. Thanks, Annie. As always. Um, hope you enjoyed this. I don't know how you couldn't, uh, may not have liked some of the things you heard, but there were things you need to hear. Now. Sound like your parents, but that's. But. But thank you, everyone, for listening. Come back again for another federal updates podcast. Bye, everybody.

Creators and Guests

Annie Schwab, CPA (Host), Franchisee Operations Manager at Padgett Business Services
Roger Harris, EA (Host), President at Padgett Business Services
Glenn Gizzi (Guest), Tax Specialist at Internal Revenue Service