There may be errors in spelling, grammar, and accuracy in this machine-generated transcript.

Roger Harris: Hello again everyone. It's time for another federal tax update podcast. And Annie and I are here and we're recording this, uh, I guess a week before I want to say the tax deadline, but I think I should say the first tax deadline because everybody talks about tax season not ending on April the 15th. But anyhow, are you doing today?

Annie Schwab: I'm doing [00:00:30] pretty good. I am looking forward to that. April 15th. Even though it just it feels like it's just the first hurdle. And once we get past it, everything else seems to just go a little bit smoother. So, um, but I'm doing pretty good.

Roger Harris: Yeah, the other ones don't seem as bad. Uh, unfortunately, whether it's April 15th, October 15th, September 15th, June 15th, whatever date you want to pick, there's still issues. And with regarding to scams and schemes that are attacking practitioners like our listeners. [00:01:00] And, you know, it's kind of like certain topics. We just, we seem like we beat them to death. We did it with IRC and now we're back to doing it with, with this, but it's important. And, and, um, we're fortunate to have a guest here today and she's a repeat guest. He's not a first timer. Uh, Glenn Gizzy from the stakeholder liaison department. The IRS is here to join us today and update us on what's going on in terms of practitioners and the issues they're facing. And particularly as we depending on when you listen to this, hopefully, maybe [00:01:30] it's after the 15th and you. But we get maybe a little more careless because we're tired. And this time of year, we're a little more we make ourselves more susceptible. But Glenn, welcome back.

Glenn Gizzi: Thank you very much, Roger. It's a pleasure to be back.

Roger Harris: Yeah. I wish we could talk about more pleasant things, but, uh, you know, it's that's not where we are. So, uh, again, thank you for for doing this. And, um. Annie, let's get started.

Annie Schwab: Yeah, sure. I it's really just a, a nice reminder of simple things that we [00:02:00] can do to make. To prevent ourselves from being subject to scams or target for for identity theft. But you're right. You know, this time of year, let's be honest, we have a lot of personal information, confidential information pushing through our office, through our tax return software, through portals, through all kinds of different ways. And we're tired and we're stressed and we're trying to get things done fast. And so sometimes little, little mistakes, things that you, you know, you click here on an email, [00:02:30] something you normally wouldn't do, but you know, you're expecting something or you're, you know, you're just going through the motions. So this is sort of a reminder that we are unfortunately easy targets. Um, we do contain and move a lot of confidential information. And so we're going to get some stats. We're going to get some just healthy reminders about ways to keep yourself safe. Um, and I'll turn it over to Glenn. Thank you so much for joining us. It's always nice to have you, but I don't know that it's nice to hear these [00:03:00] stats that we're about to get.

Glenn Gizzi: Thank you very much, Annie. And I perfectly understand that. Nobody wants to hear, you know, what's going on. So excuse me just to jump right into it. So this year alone, as of last, uh, as of April 3rd, we've had 240 incidents reported to the IRS by tax firms, whether they're sole proprietors or multi-person firms, that [00:03:30] they've had a data breach. That means it's affected 476 tax practitioners in that 240. I'm going to tell you right now we're up to nearly 498. Because I just before we started this podcast, I was just, uh, clearing out some of the ones that were entered today by my team. And we're up to 498, but the really big number is. How many taxpayers could this potentially affect? [00:04:00] Meaning how many clients of these practitioners could see a problem? And right now we have about 206,000 taxpayers potentially affected. Now, you know, Roger, some people might say, oh, that's not really that big of a number. Last year it was just shy of 410,000. But when you look at a graph, you see that for 2024 [00:04:30] it was 202,000. We're already 4000 ahead of 2024. And we're only one quarter in.

Roger Harris: Right. Well, and I think that's what's so frustrating is that, you know, there's so much more emphasis put on it. You know, there's podcasts like this. I know you guys put a lot of information out and yet the numbers keep growing. You know they're not shrinking. And I think that's a sign that the bad guys are getting better at what they do.

Annie Schwab: Mhm.

Glenn Gizzi: That [00:05:00] is partially correct. It's also, I think, as well as tax pros are getting better at reporting this because, you know, it's human nature. You don't want to report that you've had an incident or possibly have made a mistake. The FBI tells us that when they look at statistics of tax scams or any kind of scams that are out there. Only about one quarter is what's showing on the screen. There's three quarters that are never reported because [00:05:30] people are embarrassed to say they've been taken by a scam, whether they've lost a couple of thousand or a couple of hundred thousand. They don't like to report it. It's the same with tax pros. Sometimes they don't want to report it because they're embarrassed. Other times they feel that if they do report it, that they become somehow legally liable, which you are liable already. So it doesn't really matter, but you should report it. But there are.

Annie Schwab: Clients. I've heard that before. I didn't, I didn't I didn't think it was really going to be that bad. I didn't [00:06:00] think this person was really affected. And that's what, like you're saying, you don't really know who's affected. And then you're afraid that you might, you know, lose your your clientele.

Glenn Gizzi: Correct. And generally.

Annie Schwab: Or.

Glenn Gizzi: Right. And generally you are going to lose some clientele. This is going to happen. People are just upset, especially when they find out that because there was a fraudulently filed return and now they're going to, you're going to have to file a paper return for them, which means it's going to take over [00:06:30] 500 days to process.

Annie Schwab: Wow.

Glenn Gizzi: Yes. So basically, anybody filing on paper right now with an identity theft problem due to a data breach is looking at a paper return refund coming out at the end of next year, 27 in late 2027. And that's unfortunate, but that's how many fraudulent returns are out there. And part of it is we cannot process an electronic filed return [00:07:00] once we've already started one, even if we pull it out of the system. It our computer software does not allow us to put another one in electronically. We would need an entirely new computer system built from the ground up to be able to overcome things like that, and that's hopefully down the line. But it's these things that make tax pros afraid to report it. They're embarrassed. They don't want to tell their clients. Like you said, Annie, they're afraid they're going to lose those [00:07:30] clients. But it basically it is what it is. And you really do need to report it because IRS has some great programs to help the tax practitioners with the rest of the year filing. Because you're right, filing season one ends April 15th. Then we've got June, then you have September, October. And then, you know, the platform shuts down sometime between Thanksgiving and Christmas. So, you know, this is an this is an ongoing [00:08:00] all year round process as well as data breach. In fact, data breach is a multi-billion dollar a year industry. It should have its own NAICs code on schedule C.

Roger Harris: You know you think they're filing their tax return.

Glenn Gizzi: Well, you know, it's interesting. I, I know from my past experiences in examination, uh, problem resolution, which is now taxpayer, um, advocacy that [00:08:30] some criminals will report on the schedule C um, can't take any expenses for it, but they'll report the income. So. Well, the IRS doesn't come after them like we did for Al Capone.

Roger Harris: So yeah, I guess that makes sense. A quick question on something you said it takes 500 days. I'm assuming if you knew you were going to have to file on paper, applying the refund to next year wouldn't help, would it? I mean.

Glenn Gizzi: Well, it's my understanding and I and the way things work is that the 2026 [00:09:00] tax return, the one filed next year because the 2025 return is in suspense. I think they're going to suspend the 26 return automatically when it's received. Because you might have a carry forward. You could have a credit elect. You have the you know, all of that. So we may.

Annie Schwab: Have to really two year impact if you have to do it on paper.

Glenn Gizzi: Yes. And this is on paper because of a data breach.

Annie Schwab: Right?

Glenn Gizzi: Right. Yeah. [00:09:30]

Annie Schwab: Wow. And then they have to get the IP pin. So like once you've been compromised, the taxpayer now needs to get the IP pin, which is a great idea to do. Anyway, I'm just saying.

Glenn Gizzi: I was going to say 100% they should all of your clients. So all of the practitioners out there listening, There is no reason that all of your clients shouldn't have an identity protection pin. 90% of them or better. I'm going to guess that will qualify for an IP pin. The [00:10:00] thing that stops most people is they hear from other people that ID dot me, which is our approved vendor. That all it takes too long. It's a problem. You only hear about the handful of people that have a problem. All the people who do it every day and get an IP pin. You never hear from them because the process went very smoothly. It should take about 15 to 20 minutes for the average taxpayer to verify themselves. It takes [00:10:30] longer depending on whether or not the person is using new technology, or are they using older flip phones. It's the camera. That is a lot of the problem, because you have to take a picture of the driver's license. And the problem with that driver's license is most states have holograms on them. So you have to catch it the right way. So this way ID can process it.

Annie Schwab: Yeah, yeah yeah. I didn't think about that. Yeah. I walked through the process and I [00:11:00] didn't have a, I didn't have a problem with it. Um, but I, you know, I've heard people say, well, that's a pain in the butt to do. And I'm thinking, okay, 20 minutes, 30 minutes of your time now to do something that is free and relatively, you know, not a big time commitment could save you a lot of headache.

Glenn Gizzi: You know, the, the best way I can tell you to put this, you know, Annie is that so? We have a tax practitioner from about 12 [00:11:30] years ago that was sort of the poster child for data breach. And David Lyons, because he's worked with us, he's gone on webinars with us. He because of his data breach, we started developing all these different procedures for it. He still has a couple of clients who still have credit problems to this year because of that. And that's and that's an issue. So you as the practitioner may be recovered by now within a year. [00:12:00] But your clients, they're looking at multiple years problems with their credit because their information is being sold over and over again on the dark web. So yeah, it doesn't stop with this one data breach and this one tax years return while federally they have an IP pin, it won't happen again. But that doesn't stop the data thieves from selling their information, selling their children, their dependents [00:12:30] information. Yeah.

Annie Schwab: Imagine that's a big thing.

Glenn Gizzi: Sure. You have a lot of dependents who are young teens who, after a few years are applying for financial aid in college and they're being told, well, you have this 10,000, $20,000 credit bill that's outstanding that you've never paid. And they're like, I don't even have a credit card. But it's from an identity theft, you know, from a data breach. And the data thieves took their name and social security number and date of birth and opened up a credit card and had it sent somewhere [00:13:00] else. And they opened low amounts, you know, thousand, 2000 limit, quickly spend it all, get more, get more. And and next thing you know, they owe all this money and they're not aware of it.

Roger Harris: Yeah. Well, and going through the ID, I mean, I've heard some particularly I can say this because I, I'm one of them older people who say the challenge of ID me. But you know, then you have an online account. So the issue of, you know, the big complaint used to be on the IP pins as well. If you [00:13:30] lose the letter, it's a pain to, you know, if you don't now you can go in your online account.

Annie Schwab: You get a new one every year.

Roger Harris: Yeah. You know, go in your online account and there's so many things you can do in the online accounts, and they're going to continue to get better and better and better. I know we're telling everybody, just get one. I mean, yeah, you got one for your bank. You got one for all these other places. Your airline. Just go get an account.

Glenn Gizzi: Oh, absolutely. Roger. And what a lot of people don't realize until they actually go into id.me. Social Security Administration uses it. So [00:14:00] when you when you go to set up an account, they want you to set it up through Id.me. Other state agencies use Id.me. Large corporations use them. So once you're in, all you're doing is just verifying, you know, you're already verified, you're just going in and multifactor.

Annie Schwab: It's like exactly. Again, it's me again.

Glenn Gizzi: It's me. Prove it. And now you can open IRS. Oh, and now you can open Social Security. So yeah, yeah.

Roger Harris: Yeah. So all of you folks that are my age, if you don't know how to do it, I'm sure you got a grandchild or [00:14:30] son or daughter who can help you and they'll get it done and go, this wasn't hard, dad. Just do it.

Annie Schwab: Yeah. I mean, we've kind of done little tips and tricks, and we've recorded a video and kind of done some screenshots to help some of our office owners to help their clients. Um, you know, kind of like a cheat sheet to how to do it or, you know, what's the best chrome or internet or, you know, those types of things. So, um, I would encourage, I don't, it seems like so easy to just do.

Roger Harris: You [00:15:00] just, you just made a point that they need to understand is that that IP pen is going to protect that taxpayer for the rest of their life, no matter who their prepare is or where they go or what they do. And it's not just getting your tax information so they can take that information and do a lot of other things with it and basically have their life almost ruined. When you find out how many things the thieves can do with the information that we have [00:15:30] on our clients, and getting an IP pin seems like a simple thing to do.

Annie Schwab: And for tax practitioners, another really simple thing to more protect them is you can log into your account and see. Approximately how many returns are filed under your effin. It's not going to be perfect, like if you actually filed 504. You know it's going to be close to 504. But if it's like 2000 or something, then clearly there's been some sort of breach. And that's just, [00:16:00] you know, we encourage our office owners to put a little reminder on your calendar once a week. Just log in there, take a look, see if it seems reasonable, and then and then move on. Because sometimes the breach happens long before you find out. Um, and that's just another way to, to kind of keep tabs on what's being filed under. Ethan.

Glenn Gizzi: You are correct. Annie. And I'll tell you, it's, it's very interesting because you have what we call an Ethan compromise versus a data breach. So the data [00:16:30] breach is where they actually take your client's information and file tax returns. And, Ethan, compromise. You may look at your. Ethan, your e-services account, and you say, okay, I file 500 returns, but it says 2000. Those 1500 other returns are other tax payers that are not your clients, but they stole that information from other practitioners. But instead of filing it under that practitioner's Ethan, they file it under yours. So [00:17:00] this way, the tax, the first tax pro doesn't even know they've had a data breach. It's a way they try to trick because again, you have to remember it's not just you having a data breach. It feels like that when you talk to us. You know, I had a person just today who was was very adamant that, you know, that, you know, we should be taking all steps possible. And he's telling me what we're going to do. And I'm like, we're we're doing that already for you. I've started the process, but I have other people to get to. So let me just finish [00:17:30] the process with you. But this is where, you know, we try to work with them and explain to, you know, we have to explain to each person. This is what we're going to do. Because remember, we're almost at 500 practitioners affected this year. And last year we had 1525 total reported. So we're we're a third of the way, but only a quarter of the way into the year. So we're looking at maybe, you know, 1600 to 2000 [00:18:00] techs, uh, practitioners this year. So we tell them, if you just have anything compromise, you basically say to yourself, you know, like, thank God, because it's not as bad as having the data breach because all we're going to do is going to get you a new number, right? You know.

Annie Schwab: We had a we had an office owner, John Barucci, in fact, he was on one of our podcasts, um, aired mid-November, last mid-November. Um, and he, he did follow protocol and he had [00:18:30] the wisp and we'll talk about that in a second. And he did all the stuff, but he got his even within 24 hours a new effort. Um, and so, you know, a lot of, you know, I've heard before, but then I won't be able to continue with tax season. They're going to take over my computer. I'm not going to be able to e-file returns, but at least in his in his particular scenario, you know he made the phone call. He contacted the right people and he was back up, um, you know, within 24 hours. So, um, that, that was, I thought that was great news to hear. Um, isn't.

Roger Harris: That kind of [00:19:00] standard protocol for people who suffer some sort of problem? Is it you guys will get them back up and running from the standpoint within 24 hours.

Glenn Gizzi: Absolutely. And, and that's why I'm surprised that, you know, we don't take anybody's computer over remotely. Yeah. In fact, we we often encourage the practitioner to call the help desk, get their new phone number because when they finish talking to Ihelp, Ihelp always tells them you have to call your local stakeholder liaison to report the data breach. And [00:19:30] they say, okay, then they call us. And I say, oh, great, you already got your new phone number. What is it? I put it in because they're usually told on the spot what their new number is. Sometimes like on a Monday, they do get backed up pretty fast with a lot of phone calls. So they may say, okay, by tomorrow it'll be in your e-services account, your tax pro account, just pull it up and there it is.

Roger Harris: That's great.

Annie Schwab: Yeah.

Roger Harris: One, one question just because I can, I'm trying to think like some of the listeners are with all the [00:20:00] cutbacks and everything that's happened at the IRS, stakeholder liaison has been impacted like everybody else. But you guys, to my knowledge, you know, you're not going to call you guys and wait three hours on the phone or be told to call back. I mean, you're you're pretty good at getting immediate help to these folks. Am I right with that?

Glenn Gizzi: Absolutely. And I, and I can tell you with certainty that is true because part of my job as a data breach coordinator for the country is [00:20:30] we have a new phone number that is on our stakeholder liaison page. It's a 202 area code in Washington, DC. There are four options on the phone. When you call and you leave a voicemail. Let's say you call and you choose option one. Data breach to my turn over here. I have a phone that has all four lines so it lights up like it is right now and it says data breach. So the data breach line is lit up. So when I'm done with this I'll listen to the voicemail, [00:21:00] which won't be more than 90 minutes old. And I will either take care of it myself or I'll assign it to somebody in the country, depending on where the tax Pro is located based on their area code. And we call people back usually the same day and we get the process going, if not within two hours. I keep statistics and we're pretty much averaging within three hours. Um, out of all those data breaches so far, you know, [00:21:30] uh, over 270 of them, we're right on it. Same day usually. Right on it. We get it into the system and usually by the next day. Um, our department, our return integrity compliance service is sending an email out saying, okay, you have a data breach. Provide us with the following information so we can start working on it because we do the intake. So this way Ric's can do the job.

Roger Harris: Yeah. So. So go ahead and call. Don't act like you're going to be put on hold. You know, you got like the red batphone or something over [00:22:00] there that rings and yeah, you know, that gets you to the hotline and you're you're ready to go. What are the current scams that people are getting? What's happening out there that we need to think about or that, you know, could be something that we need to know about that's happening?

Glenn Gizzi: Sure. So, Roger, right now, the still biggest scam is an email scam. There's always the email phishing and it's one of two scams. It's either [00:22:30] a scam or the new client scam. Now the scam is looks like an IRS email. It even has Practitioner Priority Services phone number at the bottom. But when you put your cursor on the link from where the email originated from. If anything is coming from IRS, it's going to be irs.gov, not uni dash b o n n dot d e, which is the University of Bonn in Germany. [00:23:00] That should be the trick right there to tell you something's wrong. Plus it has a link saying there's a problem with your ethanw. Click on this link which is a transcript viewer. Well, when you put your cursor on the link, more gobbledygook shows up. And one of the things is it says dot m e, which is Montenegro, which is Montenegro. So again, we're not outsourcing our work, you know. We even though we've lost people, we don't outsource [00:23:30] our work. So these are, you know, ways to tell that it's an effin scam because when you put your cursor on it, it's a completely different address than the one that shows up. It should be the same address that shows up. It should be at IRS.gov. So that's the first one. The second one is always the new client scam. And you're busy during the filing season. And all of a sudden you see this email. Hey, your, uh, client Joe or Mary or Karen told me that you did [00:24:00] a really good job with their return. And I would like you to, uh, do my return. Now, most of these people, you know, tax pros are going to have a client named Mary or Joe, whatever. So they just click on the link because it says, here's my basic information, you know? Do you think we could set up a meeting? Know who's going to send you their documents.

Roger Harris: Without even having an appointment?

Glenn Gizzi: Just exactly.

Roger Harris: Right.

Glenn Gizzi: And, and there's no phone number on the email, just the link. [00:24:30] And when they click on the link, that's when the malware gets immediately downloaded. Because one of the things I found out this year in dealing with our online fraud prevention and detection department is that a lot of these scammers are now using trusted sites like Amazon, Adobe Connect. Oh, the the company data there, they're putting the information there. They're hacking, um, or malicious software on those sites. So when you [00:25:00] go and click on the link and your computer reads data or Adobe Connect, etc., it thinks it's a real, it's a real site, which it is. So it assumes it doesn't have a virus and it's kind of getting around some of these antivirus protection. So they're working on, you know, the virus antivirus companies are working on updating their software to catch these small type, uh, malicious, uh, viruses that are coming through. And again, they're they're using these trusted sites. [00:25:30] So it looks legitimate and the person thinks it's legitimate. So they have no problem clicking on the link. And that's when they get caught.

Roger Harris: Andi I think we've had a I know I've seen some of those. I, I think we've heard about a lot of those kinds of emails.

Annie Schwab: Yeah. A lot of our offices will get something or their client will get something and nobody wants to click on anything. So they just sort of like forward it to us at the home office. And they're like, is this real or is this a scam or whatever? So we have seen versions of, of ones before. [00:26:00] I mean, I generally do reach out and they're like, the IRS is not going to call you. They're not going to email you. They're not going to text you. You know, the they correspond by mail. Um, but you know, most of the, the, the new client click this portal link here kind of thing. Um, does, does get people, but I mean, and then we have multi-factor authentication, but even, I mean, they're getting around that too. So, you know, you think you've got all these securities and you know, [00:26:30] you've got spamware and malware and all the stuff, right? And so.

Glenn Gizzi: But the problem, there's two problems with, um, the things that you've mentioned, nanny is one, practitioners and regular taxpayers don't always update the anti-malware spamware, etc. and they should be updating it every time an update comes out, they should allow it. Second is with multi-factor authentication, which really is helpful. There's two small problems with it. One, the [00:27:00] tax practitioners don't always install it from the software companies. Software companies are allowing them to choose whether they want to use MFA. There should be no choice. It should be required. And the second thing with multi-factor authentication is when a hacker breaks into your computer system, the first thing they're going to do is they're going to compromise your email because where do most practitioners have their one time passcodes for MFA sent [00:27:30] to to their email. Have it sent as a text message to your phone. Because I would rather be that practitioner at 2:00 in the morning, hear my phone buzz, look over at it and see Glen's software company is here's your OTP, you know, OTP. And it'd be like, wait a minute, I'm not doing tax returns right now, but because I'm getting it on my phone as a text, that means these hacker is not getting it. So I can just roll over and go back to sleep and I'll take care of it [00:28:00] in the morning, because they're not going to be able to file a return.

Roger Harris: Right?

Annie Schwab: That's exactly what happened to our our franchisee, John Barrucci. He it was the middle of the night and he saw his phone and he was like, you know, after like the third ping or something. He's like, I'm getting up. I'm going to the office. And he saw somebody moving around on his computer when he walked in.

Roger Harris: Yeah, right.

Annie Schwab: Crazy.

Roger Harris: Let me ask you, let me I want to go back to the client. You know, whether it's because, you know, some of those might be legitimate. It's the clicking on the link that gets you in trouble. If [00:28:30] you reply to the email and say, call this number if you're interested in being a new client or something. You got to click on the link. So if you, if you really can't determine, and I think if you do what you did, you'll know. But if you're really trying to figure out, is this a legit client or is this a scammer? Just reply to the email and say, call this number. We don't take information or something. Can you do that? Or is that just as bad?

Glenn Gizzi: No. You can, you can reply to the email that way as long as you don't click on any links.

Roger Harris: Click on the link.

Glenn Gizzi: That is correct [00:29:00] and just say, you know, call me or just say, listen, you know right now if you know you're getting a refund, contact me. Call me after April 15th. Because as you know, there's no penalty for filing after April 15th with a refund and say, we will sit down and we'll do a new client intake then. And I have to say, Roger, 99.99% of the time you will not hear back.

Glenn Gizzi: We'll never hear back. No, of course not.

Annie Schwab: You didn't give them the answer they wanted?

Glenn Gizzi: Yeah, exactly.

Roger Harris: Click on the link. Or in many cases, [00:29:30] you're not taking new clients. So it's fine to reply to the email and say not taking on new clients. Just don't click on the link.

Annie Schwab: Right.

Glenn Gizzi: That is correct. Yeah. Don't click on any especially a video link because you think it says Zoom. You think you're going to Zoom and then it goes to Zoom. So you're back in Germany. And again, we're we're you know, we're not doing that. And most people are not using, uh, foreign based, you know, uh, app to contact you. [00:30:00] So you have to immediately say, you know, to yourself, it's a scam. And listen, if you've got a full, you know, client load, are you really losing anything? If that one out of a thousand is actually a real client, right?

Glenn Gizzi: Just, yeah,

Roger Harris: If you're not taking them on you, who cares if you make them mad? I mean, you're not exactly your client. So what difference does it make? Um, the other thing. And Annie and I have talked about this and I want you to speak up to it. We think of all this as being us, but if we have [00:30:30] people working for us, we need to make sure they hear this stuff. They're aware of this because it doesn't take the owner to click on the link. An employee clicking on the link is going to create the same problem. So don't just put this internal to yourself. Talk to your staff. Show the staff the kinds of emails we're talking about and the kind of scams that you're talking about. Glenn. I mean, make your make your staff listen to this podcast and understand because they can get [00:31:00] you in just as much trouble as in fact, a lot of times I've heard about it. It was a staff person. It wasn't the owner who knew this but didn't think it was important to tell the staff.

Glenn Gizzi: Correct. And you're right, because we we hear it all the time from the tax professionals when they call us. You know, one of the questions we'll ask, well, you know, have you called an IT vendor? Have they determined it. Oh, yes. Our administrative aid, our data entry person. They clicked on a link or they opened their personal email on their business computer [00:31:30] and they clicked on something or they went somewhere they shouldn't have, and it downloaded the malware into our system. And of course, it's a bonus when they realize they're in an accounting system and all that information they're able to steal. So yes, now once in a while, it does turn out to be the owner. And I had one where I was giving, you know, all the information and I was talking and, and I said, listen, whoever you know, in your, on your staff accidentally did this. Listen, they're going to feel bad, you [00:32:00] know, because you got a couple dozen clients, they're going to have to file by paper and they're not going to get a refund till late next year. And I was going on and explaining everything because I also sent an email, which I was referring to, and it was on speakerphone. And finally, this one person, this guy just said, okay, okay, it was me, it was me, it was me. He was the owner. And I was like, oh, okay. So don't you know you're banned from email ever again? So but it's mostly the staff, you [00:32:30] know, so they should listen.

Annie Schwab: I got a question of, of all these people that that call, do they know what the written information security like the wisp is? Do they have these things? I mean, I know when you get your PTEN, you check the box and you say, you know what it is, but do they really know what it is and really have one? Or are they like, I don't know what to do.

Glenn Gizzi: I think most practitioners know, understand and understand and have a wisp. Now, obviously, if you're a sole practitioner, [00:33:00] we made it so easy. Publication 5708 is a sample plan. Put your name on it and you've got a plan because you you have to be in charge of everything. A lot of firms do have a wisp. They do keep it, uh, as we call evergreen because staff comes and goes and they do talk about it, but you do run into a few people and you say to them, well, what is your wish? Say to do next? And they're like, what? Because they really don't pay attention [00:33:30] to it. And they are checking that box. And it would be very interesting if IRS were to say, okay, before we finish processing your renewal for your PTEN. Uh, you just checked. Yes. Please supply us with your whisk within 24 hours and we will then finish your processing. If we could do that, it would be, it would definitely would probably be missing about a, I don't know, maybe a third quarter to a third, uh, would be a little bit late in getting us a whisk because they'd have to put one together. Yeah. [00:34:00] You know, so.

Roger Harris: You get a lot of people hanging up on you too.

Glenn Gizzi: Yes, exactly. You know, but it's there. It's there to help them whether they choose to use it or not. Again, we give all of these tools, all of this information. Your office gives it, our office gives it. It's up to the individual to decide whether they want to take advantage of it.

Roger Harris: Yeah, I'll tell you a funny story. I do a panel at these IRS forums and one of the panelists would [00:34:30] read whatever it is, the box, you know, word for word, you know, to start the presentation, they would read it and say, how many? Raise your hand if you know what this is. And in the room, half the people didn't even know what that was. But, you know, it's like, well, you all check the box to it. You might know what it is, but you know, so yeah, it's I mean, I think some people just think I got a whisk enough to check this box. I don't know what it is. I don't even know what it stands for, but I'm sure I got one. So I'm [00:35:00] checking the box.

Annie Schwab: I've always had a PTEN. I'm sure I have a I.

Roger Harris: Have one of these too. Yeah, yeah, I got a PTEN, I gotta have a whistle.

Glenn Gizzi: And it's so funny because this started in 2007. It's gone through several iterations of the name. We used to call it the data recovery plan. Uh, we always refer to our publication. I believe it's 4557 safeguarding taxpayer data. And we even had on pages 14 through 18 [00:35:30] the checklist which became later the wisp, which was named by the Federal Trade Commission and became law in 2023. And what a lot of practitioners don't realize is by not having a wisp, if the FTC were to come into your office and say, please produce the wisp and you can't, they can say, okay, you're shut down and there are daily fines. It's not IRS, it's the Federal Trade Commission, because this comes from and I always say this, uh, not I can never say the word [00:36:00] right. The Gramm bliley Gramm-Leach-Bliley act. Yes. Thank you. Thank you. Roger. Yeah. You know, and that's where it comes from. And again, this is now 23 years in the making. Yeah. And there are practitioners who still don't have it. In fact, what you should do next time, Roger, is ask the people who don't have a whisk to quickly raise their hand. You'll be knocked over by the wind from the you know, the whoosh because they they don't have one.

Roger Harris: No. [00:36:30] And and and it's we're just living in a world right now. Even if you don't have to have one, you ought to have one. I mean, right, it shouldn't be something that somebody should tell you you have to do. I mean, it's something that we all need to do. Um, so we got the f-n scam. Any other. I heard something at one of the meetings that where they're jumping into the bank account information and changing the bank account because they, what they here's the process. And I think a lot of practitioners [00:37:00] go to, we finish a return, we close the E file, might even set up the file to be sent while we wait on the signatures on the authorization forms to come back. When they come back, we just go and click and send. What we don't realize is in between the time we created the file, we got those forms back. Somebody has gone into that file and changed the bank account.

Glenn Gizzi: Absolutely. And that is why we recommend that you do not put the banking information in [00:37:30] until the day you are ready to file the return. The same way, Roger, you should not put in an IP pin that your client gives you until the day you are ready to file. Because what happens is if that is in there already, they'll use that IP pin to file a fake return. But we'll consider it a real return because it has the IP pin on it. So.

Annie Schwab: Mhm.

Roger Harris: Yeah, yeah, yeah. At least if you're going to put it in before you file it, go back [00:38:00] in and look at it.

Glenn Gizzi: And double check it.

Roger Harris: Yeah. Make sure it hasn't changed. Don't just assume when you because somebody said, well, once I create the file and do this and do that. No, if it's not protected. Yeah. So and you never know. And the client just doesn't get the refund. And by the time they call you, you go in there and go, well, that's the wrong bank account.

Glenn Gizzi: Correct.

Annie Schwab: And you didn't get it because it didn't go to your.

Glenn Gizzi: Exactly. And it's weeks later. So it's not like we can grab it back. Uh, the money's already gone. [00:38:30] If we could catch it early enough in the in the processing, we can stop the refund from going out. Very interestingly enough, just this week, I had a practitioner tell me that he had a third level of security, that it was optional through his, um, company that he uses the software for and said that he could have an individual password per client. And he didn't choose to do that because it was a little bit cumbersome. You know, a few hundred clients. [00:39:00]

Roger Harris: Thing to remember, right.

Glenn Gizzi: But that would also be another MFA layer that would prevent somebody from going into that account, the hacker and changing any information like the bank account information because it has a separate password. But again, as long as that OTP, the one time passcode is going to the phone as a text message, not showing up as an email on the phone, because that's not going to help. Again, they need to do it as a text message [00:39:30] because most data thieves are not in your backyard. They're not cloning your phone. They're somewhere in the, you know, in the world, uh, you know, doing, you know, their data thievery from, you know, an office building. Don't kid yourselves because it's not just somebody in a basement, you know, hiding. This is people who report to an office, punch a clock, do 10 to 12 hours of work, punch out and go home.

Roger Harris: Yeah. You mentioned if you caught a refund [00:40:00] soon enough. Talk a little bit about that. You know, what is the timeline? What is what kind of things can a practitioner, if they realize there's a problem, who do they call? What do they do if there's some? Because I don't know. Everybody knows that. That's I think they assume once they hit that button and the returns gone, it's out of their hands and nobody can help them.

Glenn Gizzi: No, no, it's not true. They we we can help them. Now, we know we always say that it takes 21 days for a tax return to be processed to get your refund. And we tell the taxpayers they can't call us until [00:40:30] 21 days have passed. But I'm sure you've seen that it can be as early as 12 days to get a direct deposit in somebody's bank account. So we have a small window of time to stop that return. The problem is, there's a lot of good practitioners who realize when they have a problem, they contact stakeholder liaison, either by going to our page and sending us an email or calling the 202 number and leaving a message and that I'll get and we'll call them back and we'll start the process. [00:41:00] But there's also a large group of practitioners who want to find out first what happened. So I got to call my IT person. I gotta call my lawyer. And by the time they get around to this. And you'd be surprised, we were taking data breaches where they knew it three weeks ago. And then. And they're even asking us, can you get the money back?

Roger Harris: Yeah.

Glenn Gizzi: How? I mean, well, honestly, yes, we have a department that is going to handle going back to the bank, trying to track the money, trying to, you know, try [00:41:30] to get it back. But it's not that money that we need to get back to give to your client. Your client will still get their refund. It's just going to have to wait 500 days.

Roger Harris: But yeah.

Glenn Gizzi: If you had contacted us immediately and that's what I stressed to practitioners in presentations, contact Stakeholder liaison immediately. If you even think you have a data breach, contact us. Let us put it in and then let us start the process. Rics would love to have you in their program, give you some extra layers [00:42:00] of protection, and then later, if it turns out you didn't really have a data breach, maybe it was just an even compromise. Okay. No harm, no foul. But if it was a data breach, you've saved a lot more of your clients.

Annie Schwab: Exactly.

Glenn Gizzi: You know.

Roger Harris: You know, it's funny, and I haven't even told you this yet. Um, the quickness of refunds is great, but it's also bad because it makes it very hard for you guys to have time to do anything and, and any. What's happening in Georgia this year. I [00:42:30] don't know if it's happening anywhere else. We've got people getting their refunds within two days of filing.

Glenn Gizzi: Wow.

Roger Harris: So there's no time to do anything. Uh, I saw a case the other day. They already got a notice on a return that was filed last Wednesday.

Annie Schwab: That's great. I mean, that's wonderful, I guess. Good.

Roger Harris: Everything's good.

Glenn Gizzi: Yeah. If everything's legitimate and above board, it's it's a great thing. But when it's not, it's it's definitely a problem. I mean, that's [00:43:00] why at the beginning of the filing season, we never process EitC and child tax credit returns right away. You have to wait until middle of February before they'll be processed. Just because we want to make sure of certain things before we give away that kind of money. But it's the same thing. You know, everybody wants things faster and faster these days. You can order and you know, you can get an Amazon delivery and, you know, within hours. So people are getting used to this quickness, but it's that very quickness [00:43:30] that is also a detriment. At the same time, as you said, Roger, because we don't have the opportunity or the time to make sure and you know, you got to face it. When do most of these data breaches occur? Late Friday into Saturday, Saturday into Sunday. And they're hoping that people won't notice because, you know, they're not working on the weekend, you know, or even throwing a holiday. And, you know, and then we're not open. So I came in on the day [00:44:00] after, um, not Martin Luther King, uh, president's day and the. The phone was lit up.

Roger Harris: Blowing.

Glenn Gizzi: Up and I had like six messages and most of them were from that Monday saying, I have a data breach. Where are you people? You know, I need help.

Roger Harris: I'm like.

Glenn Gizzi: I understand, but we were closed and the data thieves know when we're closed. So they, they, they use that to their advantage. You know.

Roger Harris: I think Georgia does I don't know if you could do this on a national level. They will not issue an electronic refund [00:44:30] if it's the first time you filed a return.

Annie Schwab: Oh, interesting.

Roger Harris: So you have to wait and get a paper check for the year one.

Glenn Gizzi: So it would be it would be nice except the executive order bans paper checks.

Roger Harris: I know you just decided there's none of that happening. Yes, but it's kind of interesting that they're able to speed up getting your money if it's the first time. Nope. We're going to take our little time on the first one to make sure that this is legit. So I mean, there's things like that. We're [00:45:00] going to see more and more stuff again. You got an executive order. So, you know. Yeah, I could see. Let's let's just hold refunds for 90 days so we can figure it out if it's all right. I mean.

Glenn Gizzi: I mean, I wish I, I, I, I can't advocate for that on, on the IRS side.

Roger Harris: Of course not.

Glenn Gizzi: But personally, if I think if we built in a delay, if there was a built in delay of at least 30 days, it could possibly cut back a lot of refund fraud. But the one thing that Annie, you mentioned at the beginning of this IP [00:45:30] pins.

Annie Schwab: Mhm.

Roger Harris: Yeah.

Glenn Gizzi: That's right. They're an IP pin that it's not in the tax software until the day of filing will prevent a fraudulent electronic return from coming in. And that is the number one thing that taxpayers can do to protect themselves. And it's something that tax professionals should be encouraging of each and every client. Now, if you have a lot of clients and if you do have a lot of older clients, [00:46:00] uh, you know, because Roger opened the door on that earlier. So I can say that. Then then hire some accounting students out of college.

Roger Harris: Right.

Glenn Gizzi: You know, to do the work because it'd be cheaper to pay them per hour and let them contact. You know, you send the email out first. Hey, I have a new employee, you know, Glenn. He's going to contact you and help you get your ID me account and, and have them do that and save you the time of because that's another thing is that time [00:46:30] and I don't want to charge those clients is a complaint that I've received from the tax pros. And they feel bad saying, well, you know, if I make, you know, $200 an hour, I got to charge $200 because it's going to take me that long, you know, to bring them through, you know, opening up a secure account. Fully understandable. That's why it's great if they, as Roger said before, you have children, grandchildren that, you know, zip through that technology. My, my father's 90 years old. Two years ago, [00:47:00] I, you know, we got him an IP pin and my mother, who back then was 83. They, you know, they weren't going to be able to do it. He had a flip phone. You know it's not it wasn't really going to happen unless I or one of my two brothers did it. And neither one of them were going to do it because why? I work for IRS. So I'm going to help them with any tax matters. So of course. Yeah, absolutely. So, you know, it's it is that population that can have the problem and fully understandable. And that's [00:47:30] why they are a targeted, um population. And that's why over the years IRS has realized they are an underserved community. And we have done a lot of presentations in the past with AARP and other organizations to encourage the seniors to ask questions and go to their tax professional, go to their children and grandchildren, talk about, I need to get an IP pin. So Glenn said. So I got to get one. And absolutely. And most everybody can qualify for it.

Roger Harris: I [00:48:00] think one of the things that I'm sitting here thinking. So let's put this on our to do list. Yeah, I think if you called every taxpayer that you've got and said, I have to charge you $100, but if I do this process, if I get you an ID, me, I get you a pen and I have the proper procedures in my office so that I don't put that pen in. I don't verify the bank account until right before I transmit. You are protected if I get hacked. Is [00:48:30] that worth paying somebody $100 to do this now? But you got to have the process in your office at the same time.

Glenn Gizzi: That that.

Roger Harris: Is the rule. Otherwise, you're just ripping everybody off by charging $100 and then you don't follow your own process. But I think most people, consumers, if you, if you actually had that process and explained it that way, would be happy to pay you. I just used 100. I don't know what your number is, but it can. It can be something that could help affirm [00:49:00] cover the cost. Maybe make a little bit and make it almost impossible for those clients to be, uh, compromised.

Glenn Gizzi: Correct. And as long as you don't put the IP pin into the software, that's one of the processes, then it would be it would be a very good way to do business. And again, I understand it takes time and effort to do those processes. But think about what happens if you don't. Exactly. [00:49:30] Because your clients are going to be calling you. They're going to be taking up your time on the phone, especially if you're a sole practitioner. And then you, then you have to hire more people. So that's more expense out of your pocket. Just answer the phone. But they don't want to talk to that person. They want to talk to you because you are their accountant. So it becomes a major time. Um, you know, waste of time for you to be constantly be on the phone instead of doing the returns and getting things done.

Roger Harris: Yeah, that's [00:50:00] a good project.

Annie Schwab: You know, maybe in the summer when you're not so busy. Another, you know, touch point with the client. You know, something that kind of use it sort of as a checking in to see how your year is going. We're at mid-year point. I think you got to tell me. Oh, and by the way, you know, we have so and so accounting intern who can help you out or you know.

Roger Harris: Yeah, right. If you can do it yourself, do it. But, you know, if you need our help, we can do that. And then like you said, it's most important that when you get those IP pins and [00:50:30] your bank accounts, when you put them in the system and when you file the return, because you can blow all that good work. But I can promise you, there's one thing I do know for sure. Somebody might pay me to do that in June before they get hacked. Me trying to explain to them, you got hacked, and it's going to take me a long time to get you out of this, and I'm going to have to charge you for it. It's not going to go over well.

Glenn Gizzi: Yeah, correct. You're right.

Roger Harris: Yeah. So I got one shot there. They're, um, kind of going for people who aren't as familiar. We've talked about stakeholder [00:51:00] liaison a lot of things. I know you've got fewer regions or fewer people working regions. Talk tell people who aren't familiar with stakeholder liaison, all the kinds of things that you guys can do and when to reach out and how to figure out who they should be calling. Does it matter where they are, who they are, what they do? Give a little plug for what you guys do, because I know a lot about it and he knows a lot about it. And I think more people in our profession need to understand what you guys do.

Glenn Gizzi: Okay. Yeah. No, absolutely. Roger. So, you [00:51:30] know, stakeholder liaison is the educational arm of the Internal Revenue Service. So our primary goal is to educate and work with tax professionals throughout the United States. So we have personnel in various states. Not every state unfortunately, but we do have every state covered. So if a tax professional is not sure you know who their local stakeholder liaison is. They just go to IRS.gov, put in stakeholder liaison in the search box, [00:52:00] and it will come up with a landing page. And on there they find their state. And right now we have five areas in the country and they just see which area. And they can send an email right to that area mailbox saying, hey, I'm in new Jersey. You know, I have a question. Who's my local stakeholder liaison? And someone who covers that state will get back to them. Besides educating persons, you know, that way we also go out and do presentations. We work with national [00:52:30] and local organizations, statewide organizations. We give presentations both live and we give them virtually like we're doing right now and doing this podcast. So we have events throughout the year. Now, granted, some of them are more metropolitan areas. We'll have a lot more events. Some of the more outlying areas may only have 1 or 2 events a year, but they usually are pretty big draw because it's it's that important. We assist in giving these presentations for C CPE [00:53:00] purposes and CE purposes. We also have our own webinars that we run that we advertise. Um, not myself anymore. Being in data breach, but all the other stakeholder liaison folks always send out, you know, plenty of email to the main organization saying, hey, we're having this webinar. And of course, all of our webinars are free and they usually qualify for two CE credits. So we try to give as much information that we can [00:53:30] and try to educate practitioners. And again, we tell them about all of the availability we have. It's up to the organizations to actually utilize us. Sure. You know.

Roger Harris: Well, more people need to know if you don't know about stakeholder liaison or you don't know who your local representative is, you should, should go and find that out and, uh, make a connection because, I mean, it's one of these things, you may not need them today, but when you need them, you need them.

Glenn Gizzi: Correct. And when and when you want to report a data breach. [00:54:00] Like I said, if you go to our website, you'll see the phone number, which is (202) 317-4015, and that's it. Yes, while it's in Washington, I'm in new Jersey. Uh, I cover that. My backup is in Oklahoma. So she covers it from there. And, uh, but we, we, we get those phone calls and surprisingly, we do get calls from tax payers. Now it's really not designed for them. But again, if a taxpayer calls us up and leaves a message, we're [00:54:30] going to get back to them. Yeah. You know, we can't look up individual accounts we don't have access to, you know, see what the status of a refund is or, you know, what's the status of my collection, you know, issue, but we can get you to the right department. So we can also lead you to where you need to go to. That's another thing that we do. And I, you know, keep stats of the phone calls we've been getting. And, you know, we're averaging at the moment about 55 calls a week to the phone numbers. [00:55:00] And oddly enough, I had one person who left a message very early in the morning around 12:30 a.m.. At first I thought maybe it was Hawaii calling. And as I listened to the message, he just went on and on and I could tell he was a little bit inebriated and he's. And at the end he's like, well, you're never going to find me. So, you know, he told me what he thought of the IRS. So I.

Annie Schwab: Just wow.

Glenn Gizzi: I just hit the button to get his pull up his phone number from, you know, the, the system, you know, it popped up and I [00:55:30] called him back and I just said, listen, are you sober now? Can we talk? What? What is the problem? He was shocked, but then he told me he was mad because he gets a very small refund and everybody else talks about these big refunds. Well, I found out he's claiming, like five or, you know, under the old system on his W-4 form. So I explained to him how it works and he said, wow, nobody's ever told me that. Not even my payroll department told me what the problem was. Well, now you know, and now you don't have to call it government number at night, you know, and [00:56:00] complain. So I did, but I did shock him. I did shock him and I, and I was he was surprised to hear back from us. So, uh, but I said we are the government. So we were able to, you know, get your phone number.

Annie Schwab: And get your phone number.

Roger Harris: Was he sober?

Glenn Gizzi: He was in the morning. Yes. So I think this is a regular thing for him, you know, that he he wasn't hungover. He he this was like about 830 in the morning. I called him because it was, uh, in my time zone. So I, I thought it was, you know, hey, I helped them. [00:56:30] The way I looked at it is I helped them, you know?

Roger Harris: Well, that's a, that's a story I'll have to retell. I've never heard of a drunk calling the IRS and getting a call back the first thing the next morning. That's interesting.

Annie Schwab: Yeah.

Roger Harris: Any what else? Let's wrap it up.

Annie Schwab: You know, I, I know everybody's busy. We're getting to that time of year and, this was great. Thank you. It's always a nice refresher to hear about what's going on. Kind of keeps you on your toes. So I appreciate it and hopefully the listeners enjoyed it. And if you're looking to go back for that, John. Um, [00:57:00] we had him on about his, his particular breach. Um, it was last mid-November, so you can easily find that. Um, but that's all I've got today. Roger.

Roger Harris: Well, Glenn, thank you for coming back again. And you have an open invitation anytime you got more stories and I can tell my friends, if you get drunk, call Glenn. He'll call you back. If you don't like something about the IRS, give Glenn a call. He'll. He's got the batphone at his desk, and he'll.

Glenn Gizzi: Exactly.

Roger Harris: So I know exactly how to get you back. [00:57:30]

Glenn Gizzi: But I do. I do appreciate you having me back on here. And, you know, just to all the practitioners who have listened to this, you know, take security seriously. Get your own IP pin, get your client's IP pins, use your multifactor authentication. Don't opt out of it. Put extra layers of security and make sure to update all of your anti everything. So this way you're protected as well as you can be.

Roger Harris: Yeah yeah. All right. Well for all of you that are listening and it's not April [00:58:00] 15th yet. Hang in there for all of you that are listening after April 15th. Congratulations. You made it through that. And, uh, I hope you'll come back to another federal tax update podcast. Annie, we've got some good stuff coming up. Looking forward, we got a special thing happening in, in May. We'll tell you about, uh, someone that Glenn knows pretty well. Uh, we're going to do a podcast with. Thanks for listening. Um, good luck or congratulations depending on when you listen. And, um, we'll [00:58:30] be back in a couple of weeks with another federal tax update podcast. Thanks for listening and see you again soon.