What to Do When You've Been Hacked
Written by Jon Baron
Imagine this. Your firm starts receiving calls and emails from clients saying they've been the victim of tax refund identity theft. Sure, you've seen a few of these cases and have a process in place to assist clients, but this appears to be different. The volume of victims is far more than what you'd ever expect.
When you explore the activity on your network, you discover that access has occurred at odd times. Or, some of your partners or staff recall "kicking someone off" the network before they could log in. The client calls and emails begin to accelerate. You ask your staff and partners if they've responded to an odd email or opened an unusual file that seemed to be from a trusted source. You find that they have.
Your firm has been the victim of a spear phishing attack and someone—or a group of people—have all of your firm's data. Don't think it can happen to you? Think again. This doomsday scenario is happening to firms of all shapes and sizes, and the number of occurrences is rising.
How it happens
In many instances, malware that can track keystrokes is residing on an office PC or on your firm's network. The result? The hacker(s) now have legitimate credentials from one or more of your staff. They go freely in and out of your system like legitimate users.
And they know what to look for—full tax returns or W-2s from your payroll services, as well as business financial data. To tax refund thieves, this is a gold mine because it's real data—employers, addresses, dependent names, ages, Social Security numbers, etc. With this data, producing W-2s that look legitimate and then filing fraudulent tax returns is fast and easy for a hacker. And all this happened on your internal network!
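The tell-tale signs in this scenario are logins that are technically valid (the credentials were captured by the keylogger) but happen at odd hours, from unfamiliar addresses, or for one account from two places at once. The following is an added example, not code from the original column, showing how a firm's IT staff or forensics consultant could sweep an authentication log for those three patterns. The log lines, the 07:00 to 19:00 business-hours window and the 10.x.x.x office network range are all constructed assumptions for the example.

```python
"""Flag successful logins that do not fit a user's normal working pattern.

Added example; not code from the original column. Stolen credentials make
the sign-in itself look legitimate, so the detection keys on *when* the
login happened, *where* it came from, and whether the same account was
used from two different addresses within a short window.
"""
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <source IP> <result>"
SAMPLE_LOG = """\
2016-06-13T08:52:10 alice 10.0.0.21 success
2016-06-13T09:01:44 bob 10.0.0.22 success
2016-06-13T17:40:03 alice 10.0.0.21 success
2016-06-14T02:17:55 alice 203.0.113.9 success
2016-06-14T08:58:31 bob 10.0.0.22 success
2016-06-14T09:05:12 bob 203.0.113.9 success
2016-06-14T23:48:00 carol 10.0.0.23 success
"""

BUSINESS_HOURS = (7, 19)      # assumption: staff normally sign in 07:00-19:00
INTERNAL_PREFIXES = ("10.",)  # assumption: the office LAN is 10.0.0.0/8


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"time": datetime.fromisoformat(ts),
                       "user": user, "ip": ip, "result": result})
    return events


def is_off_hours(t):
    start, end = BUSINESS_HOURS
    return not (start <= t.hour < end)


def is_external(ip):
    return not ip.startswith(INTERNAL_PREFIXES)


def find_suspicious_logins(events, max_gap_minutes=60):
    """Return (reason, event) pairs for three patterns:
    off-hours logins, logins from outside the office network, and one
    account logging in from two different addresses within max_gap_minutes."""
    findings = []
    last_seen = {}  # user -> (time, ip) of that user's previous success
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "success":
            continue
        if is_off_hours(ev["time"]):
            findings.append(("off-hours", ev))
        if is_external(ev["ip"]):
            findings.append(("external-source", ev))
        prev = last_seen.get(ev["user"])
        if prev and prev[1] != ev["ip"]:
            gap = (ev["time"] - prev[0]).total_seconds() / 60
            if gap <= max_gap_minutes:
                findings.append(("two-locations", ev))
        last_seen[ev["user"]] = (ev["time"], ev["ip"])
    return findings


def users_by_reason(findings):
    """Group flagged users under each reason, for the incident report."""
    grouped = {}
    for reason, ev in findings:
        grouped.setdefault(reason, set()).add(ev["user"])
    return grouped


if __name__ == "__main__":
    for reason, ev in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"{reason:16} {ev['time']}  {ev['user']:6} {ev['ip']}")
```

On the constructed log this flags alice's 02:17 login from an outside address, bob's account being used from the office and from an outside address seven minutes apart, and carol's 23:48 login. The thresholds are deliberately simple; a real review would use each user's own history rather than one firm-wide window, and would feed the flagged accounts straight into the list of affected users that the incident response steps below call for.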
The entire existence of your firm depends on what you do, or don't do, directly following the discovery of a cyber-attack. Yes, you have to move fast—the future of your firm is at stake.
What to do immediately
If your systems have been compromised, there are a number of steps to take immediately. These actions should be outlined in your firm's incident response plan. If you don't have one, you should work with your legal counsel and other specialists to develop one immediately. At a minimum, your Incident Response Plan should require that you immediately take or at least consider the following actions.
Note that I'm not a lawyer, so this is not intended as legal or tax advice if you find your firm in this situation. Instead, view these as general guidelines.
1. Your information security team and forensics specialists should quickly determine if you must quarantine any or all of your PCs or other devices, and your network. Because the malware is residing somewhere in your system(s) and will still track keystrokes, simply changing passwords is pointless. If you don't eliminate the root cause, the process can start all over again. The malware essentially "owns" your technology until you hire a professional to remove it. It is also important to note that once you know there's been a security breach, you should assume that the thieves accessed all of your clients' data (and employee data, if you do payroll).
2. Contact your attorney and request a reference for someone familiar with data breach regulations. Your insurance carrier may be able to assist with this as well. Legal counsel is a very valuable resource in assisting with the overall management of the incident and engaging with third-parties like law enforcement, forensics, insurance, etc.
3. Have the computer forensics expert assess what was accessed and when.
4. Notify all staff that, until a communication plan is established and you truly understand what occurred, the situation is to remain confidential.
5. From the known access point, start compiling the list of clients and/or employees whose personal or confidential information may have been accessed. Also determine the states in which these clients and/or employees reside, as that will help your legal advisors determine who must be notified of the incident and by when. It is critical to get the notification process and timing right, and the requirements and timing differ from state to state.
6. Contact your insurance company and inform them of the security breach.
7. Begin to draft an "incident report" that tells the story of what occurred and when, including which parties were engaged to assist (e.g., counsel, forensics, law enforcement) and what remediation efforts you took.
8. Contact the FBI, local law enforcement, and state criminal investigation units of all states where impacted individuals reside.
9. Contact the I They will have a number of questions about how this occurred.
10. Contact the state regulatory authorities if required.
11. Develop your plan for personal contact of key clients, including an escalation process if you receive a negative reaction.
12. Ensure that all partners and staff have the same script for all related client interactions.
13. Assign one person to be the external spokesperson for the firm—your press relations person—and ensure that person has a solid script for any comments. You may also need to draft a press release.
Once again, this list is not intended as legal advice—it is merely a list of suggestions that illustrate some of the action items involved in responding to a data breach. This list is not all inclusive, but rather a general guideline. You should contact an attorney for advice on legal matters.
While this list of action items may seem intimidating, the situation calls for immediate action and total focus. The keys are quarantining your technology, bringing in the forensic experts to assess the damage, contacting your attorney who should be able to assist with engaging with third parties, including managing any notification process and its timing, and building the internal and external communication plans. Remember to remain calm.
If you can show that you took immediate, direct action, documented the incident and remediation steps, and engaged the appropriate third parties for assistance, your outcome will likely be the best possible. If you hesitate, or resist what needs to be done, the outcome may not be as good.
Obviously, the firm needs to continue operating while all this activity is going on. In parallel with the forensics analysis, have new stand-alone PCs up and running with the applications you need to serve your clients and to run the practice. The forensics results will determine what occurs next with your environment and network.
How to protect your firm against hacking
While this scenario is quite disconcerting, the best thing you can do to protect your firm against hacking is to educate your staff about the risk and provide them with tips to avoid being hooked by a phishing scheme. Remind them to be vigilant. If something doesn't seem quite right, they should question it.
Further, ensure you have the best protection available to avoid malware taking hold of your data. Tools that employ "targeted threat protection"—and there are several good ones—should be in place in your firm. This type of protection defends against malicious links in email, attachments and social-engineering attacks. So, if you haven't asked your internal IT staff or your outside consultant about targeted threat protection, you should do so ASAP.
Unfortunately, cybersecurity is now a priority for all of us, particularly those of us in the accounting profession who hold so much personal and financial data for our clients. You owe it not only to your clients, but to your employees and yourself, to take this threat seriously and protect your firm in every way possible.
This column originally appeared on the Thomson Reuters Tax and Accounting Blog
JUNE 23, 2016
Behind every sale is a conversation. Without communication, a lead can't become a handshake, and the dotted line is doomed to remain unsigned.
So if conversations are key to better results, why do so many salespeople still shoot from the hip? Why are most sales presentations such unstructured messes?
No matter what you're selling, if you want to help convert more leads into happy customers, it's time to take your sales pitch to the next level.
The Six-Shooter's Sales Strategy
Of course, no sharpshooter hits the bull's-eye every time. But everyone can become a better marksman, and just six steps stand between you and a potential pocketful of new sales:
1. Get excited! If you're like me, it's nearly impossible to not get amped up for a sales call. And for the prospect, it could be one of the most fun and interesting parts of his or her day. So don't kill the mood: Break out a smile, and let your energy show.
2. Create a foolproof game plan. After consulting with dozens of companies that struggle to train salespeople, I realized they had something in common: an unscripted sales process. So as soon as I started building LinkedSelling's sales team, I began writing a script. That script, with a few tweaks, has delivered big results.
Craft a living, breathing sales document that team members can read from, word-for-word. They'll find their own style—and that's great—but give them a starting point, complete with room for questions, banter and interjections.
3. Find common ground. People generally like people who they can relate to. In fact, my company signed a high-dollar client because he'd befriended my office manager. They didn't talk business, but instead discussed life outside the office, and it was this connection that sealed the deal.
So craft your sales script to create points of rapport. Try adding some non-business questions like "Where are you from?" and "What are your weekend plans?" that can help cultivate connections.
4. Be a student. Sales is about education, but it can't be one-directional. So build questions into your script to learn a client's business: Ask about their team, values, business model and customers. It's a simple truth: To understand somebody's situation, you need to ask.
My team learned this the hard way. Sales slumped in 2015, and I realized nearly everyone was pitching too early. But after consulting our sales script, I knew the mistake was my own: I'd included icebreaker questions, but hadn't given my team business-oriented questions to ask. After revising the script, we saw sales jump 15 percent nearly overnight.
5. Sell your "why." In a recent TED Talk, leadership expert Simon Sinek said, "People don't buy what you do; they buy why you do it." Now, I'm sure people buy because of the product, too, but Sinek is right that people tend to buy logically and emotionally.
So in every sales call, try tying your business to something bigger. What's your big goal, beyond selling products? Sales is an endeavor of the mind, but it's also tied to the heart.
6. Do the math for them. ROI is—or should be—a part of any sales discussion, so quantify your product's benefits in dollars and cents. A few years ago, we began conducting ROI calculations during sales webinars and consultations, which really helped our product "click" with the logical side of prospects' brains. The focus on tangible ROI, in my opinion, is a big reason my company's business has tripled each of the last three years.
In the end, sales isn't rocket science; it's just people having a conversation about a product's costs and benefits. So if your goal is more conversions, stop "winging it" on sales calls. With a script in hand and data at your fingertips, your team should soon be shooting down its toughest sales targets.
Yes, we’re talking about the British exit from the European Union. We are not sure why the media coined the term “Brexit,” when it’s not only Britain (England and Wales) that voted, but the United Kingdom, which includes Great Britain, Scotland and Northern Ireland, with the latter two not referring to themselves as “British.” But we digress. While the UK didn’t buy into the monetary union and continued to use the Pound Sterling as its currency, it played an active and necessary role in the EU.
With the June 23rd vote to exit the EU, there seem to be more questions than answers.
But first, some facts:
Per the BBC, England voted strongly for Brexit by a 53.4 percent to 46.6 percent margin. Wales had a similar outcome, 52.5 percent to 47.5 percent. However, Scotland and Northern Ireland both voted to stay, with Scottish supporters garnering 62 percent and Northern Ireland supporters reaching 55.8 percent.
What Scotland and Northern Ireland have in mind is unclear. If they prefer to remain part of the EU, as some suggest, will they also want to remain a part of the UK? Or will Scotland and Northern Ireland continue to push for autonomy? The UK has two years to negotiate its withdrawal. While a lot can happen in that timeframe, let’s assume the UK truly exits. What’s next?
What’s the Future of the UK?
Suppose Scotland and Northern Ireland secede from the UK. As far as the tax world, they currently operate under the UK system. Note the tax treaty that people often refer to as the “UK-US tax treaty” is called Convention between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland for the Avoidance of Double Taxation and the Prevention of Fiscal Evasion with Respect to Taxes on Income and on Capital Gains. So, the treaty is with all of the UK: Great Britain (England, Scotland, Wales) and Northern Ireland. If Scotland and Northern Ireland leave the UK, presumably the treaty wouldn’t apply to their residents. Instead, they would have to negotiate their own tax treaties. (When Hong Kong became part of China, it did not become part of the China-US tax treaty.) In another example though, the treaties with the USSR and Czechoslovakia were extended for a period of time to the states included in each prior to their break-ups into separate sovereign states.
If you’re a US company with a parent, subsidiary or affiliate in Scotland or Northern Ireland, it may be wise to examine your structure and costs in any potential reorganization. One must bear in mind that the “clock does not begin to tick” until the UK invokes Article 50 of the EU treaty, giving official notice of its exit. Once invoked, it will take at least two years to fully complete the exit. Depending on the impact and cost, we envision that companies may choose to relocate to ensure treaty benefits.
How Will Customs Duties Change?
Once the UK exits, the EU customs duties rules will no longer apply. So, absent trade agreements between the UK and the EU or its members, there are likely to be duties charged on UK-EU trade. The UK may also enter agreements with other countries and/or trade blocs. In theory, UK-EU negotiations would lead to small, if any, duties, but the administrative headaches could be substantial. Furthermore, any trade agreements between the EU and other non-EU countries may be affected and/or subject to renegotiation.
EU vs. UK Tax
Base Erosion and Profit Shifting (BEPS)
The Organization for Economic Cooperation and Development has been pushing its BEPS initiative. Presumably the UK’s exit won’t have a direct impact at the OECD level. However, the UK would arguably be unable to influence EU tax (or any other) policy. This could be important as the EU is the bloc pushing hardest for BEPS implementation. As an aside, the US Treasury has expressed strong reservations about certain BEPS aspects and perhaps can use the UK as an ally; however, the UK was one of the first countries out of the gate to implement a BEPS provision called the Diverted Profits Tax (termed by some as the “Google” tax). The Treasury not only took exception to its passage but is still considering whether it is a creditable tax for US tax purposes.
Value Added Tax (VAT)
VAT or similar indirect taxes are almost omnipresent outside the US. Each EU member has its own VAT law which includes certain provisions that take into consideration the free movement of goods and services between the member states. Such provisions will exclude the UK. In any case, there are more likely to be administrative costs far above and beyond those that exist today. Companies importing into and/or exporting from the UK should begin to consider alternative flows of goods and services depending on the final outcome of the exit and any potential amendments to the UK’s VAT law. Again, it’s far too early to tell or make material decisions. Based on our experience, reviewing product/services flow is a value-added service in its own right as companies often find they’re not always operating as planned and/or don’t have a strong grasp of precisely how and where they’re operating.
Intra-EU Cash Flows
The EU Parent-Subsidiary-Directive is a participation exemption regime allowing dividends to pass tax-free from one EU company to another. The UK won’t benefit from this directive post-exit and would then need to rely on its tax treaty network to keep dividend withholding low. This is critically important to UK companies investing in the rest of the EU since any withholding results in a net cost because the UK exempts certain dividends from foreign subsidiaries received by UK parent companies. Although the EU directives also include an exemption from source withholding for interest and royalty flows, the impact is minimal since such income is taxable in the hands of the UK beneficial owner who should be able to obtain a foreign tax credit for the taxes withheld. Bear in mind that the UK has separate tax treaties with most, if not all, of the members of the EU.
Corporate Income Tax Rate
The UK has been cutting its corporate tax rates. Will it further do so and compete with, say, Ireland and its 12.5 percent rate? Will the exit prompt the EU to more quickly harmonize its tax rates, or will it lead to more squabbling and disagreement? Or will the status quo of “two-steps-forward, one-step-back” hold?
Mergers & Acquisitions
M&A thrives on opportunity, and uncertainty generally acts as a brake on such activity. With the Pound Sterling and US Treasury Bonds showing material drops the day after voting, we’ve got unrest in global markets. There’s currency volatility and market uncertainty, arguably leading to reduced M&A activity for the faint of heart. The tax uncertainty doesn’t help and may wreak havoc with financial calculations and valuations for M&A candidates. On the other hand, those with higher risk tolerance may have great opportunity.
Free movement of people
With the exit, companies on both sides of the divide may find it more difficult and costly to move personnel between the UK and other EU member states.
Future of EU
Will other countries also try to leave the EU? Some commentators have posited that the negotiations will be very difficult and the major (France and Germany) EU members will want to send a strong message that it will be costly to any other countries that are contemplating an exit.
Marc Schwartz is a founding partner, Paul Tadros is a partner and Richard Hartnig is a senior advisor at Schwartz International, an international tax and business consulting firm that serves companies and individuals. For more information, visit www.schwartzintl.com.
IR-2016-89, June 17, 2016
WASHINGTON ― The Internal Revenue Service today issued a consumer alert about possible fake charity scams emerging due to last weekend’s mass shooting in Orlando, Fla., and encouraged taxpayers to seek out recognized charitable groups.
When making donations to assist victims of last weekend’s terrible tragedy, there are simple steps taxpayers can take to ensure their hard-earned money goes to legitimate charities. IRS.gov has the tools taxpayers need to quickly and easily check out the status of charitable organizations.
While there has been an enormous wave of support across the country for the victims and families of Orlando, it is common for scam artists to take advantage of this generosity by impersonating charities to get money or private information from well-meaning taxpayers. Such fraudulent schemes may involve contact by telephone, social media, e-mail or in-person solicitations.
The IRS cautions donors to follow these tips:
- Be sure to donate to recognized charities.
- Be wary of charities with names that are similar to familiar or nationally known organizations. Some phony charities use names or websites that sound or look like those of respected, legitimate organizations. The IRS website at IRS.gov has a search feature, Exempt Organizations Select Check, through which people may find qualified charities; donations to these charities may be tax-deductible.
- Don’t give out personal financial information — such as Social Security numbers or credit card and bank account numbers and passwords — to anyone who solicits a contribution. Scam artists may use this information to steal a donor’s identity and money.
- Don’t give or send cash. For security and tax record purposes, contribute by check or credit card or another way that provides documentation of the gift.
- Consult IRS Publication 526, Charitable Contributions, available on IRS.gov. This free booklet describes the tax rules that apply to making tax-deductible donations. Among other things, it also provides complete details on what records to keep.
Bogus websites may solicit funds for victims of this tragedy. These sites frequently mimic the sites of, or use names similar to, legitimate charities, or claim to be affiliated with legitimate charities in order to persuade people to send money or provide personal financial information that can be used to steal identities or financial resources.
Additionally, scammers often send emails that steer recipients to bogus websites that appear to be affiliated with legitimate charitable causes.
Taxpayers suspecting fraud by email should visit IRS.gov and search for the keywords “Report Phishing.”
More information about tax scams and schemes may be found at IRS.gov using the keywords “scams and schemes.”
April 20, 2016
Written by Mark Castro, CPA - CrossLink Professional Tax Software
It’s important to know how many full-time employees you have because two provisions of the Affordable Care Act – employer shared responsibility and employer information reporting for offers of minimum essential coverage – apply only to applicable large employers. Employers average the number of their full-time employees, including full-time equivalents, for the months from the previous year to see whether they are considered an applicable large employer.
Whether your organization is an ALE for a particular calendar year depends on the size of your workforce in the preceding calendar year. To be an ALE, you must have had an average of at least 50 full-time employees – including full-time-equivalent employees – during the preceding calendar year. So, for example, you will use information about the size of your workforce during 2016 to determine if your organization is an ALE for 2017.
- A full-time employee is an employee who is employed on average, per month, at least 30 hours of service per week, or at least 130 hours of service in a calendar month.
- A full-time equivalent employee is a combination of employees, each of whom individually is not a full-time employee, but who, in combination, are equivalent to a full-time employee.
- An aggregated group is commonly owned or otherwise related or affiliated employers, which must combine their employees to determine their workforce size.
There are many additional rules on determining who is a full-time employee, including what counts as hours of service.
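The three definitions above (full-time employee, full-time equivalent, aggregated group) and the 50-employee average combine into one calculation. The following is an added worked example, not code from the article or from CrossLink, that carries it through on constructed monthly hours. Two details are assumptions not stated on the page: the full-time-equivalent count divides the non-full-time employees' hours (capped at 120 each) by 120, which is the method in the IRS instructions, and the annual average is rounded down to a whole number before the 50-employee test. The example applies only the 130-hours-per-month test for full-time status, not the 30-hours-per-week average, and the employer data is constructed.

```python
"""Determine applicable large employer (ALE) status from monthly hours.

Added worked example; not code from the article or from CrossLink.
Page rules used: full-time = at least 130 hours of service in a month;
full-time equivalents combine the non-full-time employees; affiliated
employers (an aggregated group) are combined; ALE if the average over the
preceding year's months is at least 50.
Assumptions beyond the page: FTE divisor and per-employee cap of 120 hours
(IRS method), and the annual average rounded down to a whole number.
"""
FULL_TIME_HOURS = 130   # page: at least 130 hours of service in a calendar month
FTE_DIVISOR = 120       # assumption: IRS method for full-time equivalents
FTE_HOURS_CAP = 120     # assumption: per-employee cap in the FTE computation
ALE_THRESHOLD = 50      # page: average of at least 50 full-time (incl. FTE)


def month_counts(hours_by_employee):
    """hours_by_employee: {employee_id: hours of service in one month}.
    Returns (full_time_count, full_time_equivalents) for that month."""
    full_time = 0
    part_time_hours = 0
    for hours in hours_by_employee.values():
        if hours >= FULL_TIME_HOURS:
            full_time += 1
        else:
            part_time_hours += min(hours, FTE_HOURS_CAP)
    return full_time, part_time_hours / FTE_DIVISOR


def is_ale(months):
    """months: list of 12 dicts, one per month of the preceding calendar year.
    Returns (is_ale, rounded_average)."""
    if len(months) != 12:
        raise ValueError("expected one entry per month of the preceding year")
    total = 0.0
    for m in months:
        ft, fte = month_counts(m)
        total += ft + fte
    average = int(total / 12)  # assumption: round down to a whole number
    return average >= ALE_THRESHOLD, average


def merge_group(*employers):
    """Combine the monthly hours of affiliated employers (aggregated group).
    Each argument is a 12-month list; employee ids must be unique across them."""
    merged = []
    for month_sets in zip(*employers):
        combined = {}
        for employer_month in month_sets:
            combined.update(employer_month)
        merged.append(combined)
    return merged


def constructed_year(prefix, n_full, n_part, part_hours, full_hours=160):
    """Build 12 identical constructed months for illustration only."""
    month = {f"{prefix}-ft{i}": full_hours for i in range(n_full)}
    month.update({f"{prefix}-pt{i}": part_hours for i in range(n_part)})
    return [dict(month) for _ in range(12)]


if __name__ == "__main__":
    # 40 full-time staff plus 20 part-timers at 60 hours: 40 + 1200/120 = 50
    print(is_ale(constructed_year("a", 40, 20, 60)))
    # 49 full-time plus one part-timer at 100 hours: 49.83 rounds down to 49
    print(is_ale(constructed_year("c", 49, 1, 100)))
    # two affiliated employers of 30 and 25 full-time staff count as one of 55
    print(is_ale(merge_group(constructed_year("d", 30, 0, 0),
                             constructed_year("e", 25, 0, 0))))
```

The rounding case is the one worth noticing: 49 full-time employees plus a part-timer come out at 49.83, which rounds down and falls short of the threshold, while a part-timer at 125 hours is not full-time but still contributes a whole equivalent once capped at 120. The aggregated-group case shows why two affiliates of 30 and 25 employees, neither an ALE on its own, are treated as a single employer of 55.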
For more information, see the Information Reporting by Applicable Large Employers and the Employer Shared Responsibility Provisions pages on IRS.gov/aca.