With millions of people logging in to websites and online accounts this holiday season, the IRS and the Security Summit partners remind taxpayers that common mistakes can increase their risk of having sensitive financial and tax data stolen by identity thieves.
The Internal Revenue Service, state tax agencies and the nation’s tax industry remind taxpayers that using strong passwords and keeping them secure are critical steps to preventing thieves from stealing identities or money, or using the information to file a fraudulent tax return.
“Taking a few simple steps to protect your passwords can help protect your money and your sensitive financial information from identity thieves, which is critically important as tax season approaches,” said IRS Commissioner Chuck Rettig. “Protecting your information makes it harder for an identity thief to file a fraudulent tax return in your name.”
Password protection is the focus of Day 3 of National Tax Security Awareness Week. For the fourth year in a row, the IRS, state tax agencies and the nation’s tax industry – working together as the Security Summit – are highlighting the holiday period as a time to remember important safety tips everyone should follow to protect their sensitive tax and financial data.
The week continues through Dec. 6 with a series of special educational efforts taking place at more than 25 partner events across the country to raise awareness about protecting taxpayers and tax professionals from identity theft. The week also features special social media efforts on platforms such as Twitter and Instagram, including a special Twitter chat on @IRSnews and #TaxSecurity on Thursday.
Strong passwords protect online accounts and digital devices from data theft. But there have been some important changes that many people can overlook.
In recent years, cybersecurity experts’ recommendations on what constitutes a strong password have changed. They now suggest that people use word phrases that are easy to remember rather than random letters, characters and numbers that cannot be easily recalled.
For example, experts previously suggested something like “PXro#)30,” but now suggest a longer phrase like “SomethingYouCanRemember@30.” By using a phrase, users don’t have to write down their password and expose it to additional risk. Also, people may be more willing to use strong, longer passwords if they are phrases rather than random characters that are harder to remember.
Protecting access to digital devices is so critical that some now feature fingerprint or facial recognition technology, but passwords remain common for many people.
Given the sensitivity of many of these online accounts, people should consider these password tips to protect devices or online accounts:
- Use a minimum of eight characters; longer is better.
- Use a combination of letters, numbers and symbols in password phrases, for example, UsePasswordPhrase@30.
- Avoid personal information or common passwords; use phrases instead.
- Change default or temporary passwords that come with accounts or devices.
- Do not reuse or update passwords. For example, changing Bgood!17 to Bgood!18 is not good enough; use unique usernames and passwords for accounts and devices.
- Do not use email addresses as usernames if that is an option.
- Store any password list in a secure location, such as a safe or locked file cabinet.
- Do not disclose passwords to anyone for any reason.
- When available, a password manager program can help track passwords for numerous accounts.
Whenever it is an option for a password-protected account, users also should opt for a multi-factor authentication process. Many email providers, financial institutions and social media sites now offer customers two-factor authentication protections.
Two-factor authentication helps by adding an extra layer of protection. Often two-factor authentication means the returning user must enter their credentials (username and password) plus another step, such as entering a security code sent via text to a mobile phone. Another example is confirming “yes” to a text to the phone that users are accessing the account on.
The idea behind multi-factor authentication is that a thief may be able to steal usernames and passwords, but it’s highly unlikely they also would have access to the mobile phone to receive a security code or confirmation to actually complete the log-in process.
Remember: the IRS will never ask for passwords. And watch out for phishing emails posing as trusted companies seeking passwords.
The IRS, state tax agencies and the private sector tax industry, including tax professionals, work in partnership as the Security Summit to help protect taxpayers from identity theft and refund fraud. This is the third in a week-long series of tips to raise awareness about identity theft. See IRS.gov/SecuritySummit for details.