Protecting kids online and safeguarding tax data

Many countries are considering banning kids’ social media accounts. Australia has already taken the leap. But for all other wary parents, here’s help to protect their children from ubiquitous scams on their devices. And with U.S. tax season approaching, here are ways to safeguard tax professional firms and their clients from identity theft.

Bobby, a 15-year-old, is an avid TikTok user who posts videos about Fortnite, his favorite video game. One day he received a direct message from TikTok, with information about how he can see who shares his videos on the social media app if he creates an account with a website outside of TikTok. Curious, Bobby clicked on the link in the message, which took him to a site where he was asked to provide his account information, including his password. Bobby provided his personal information, but he never got to see who was sharing his content. Instead, when he tried logging into his TikTok account the next day, he was locked out. When he contacted TikTok, he learned that he was a victim of a common scheme on the video-sharing app where scammers pose as representatives of TikTok to phish for account information and access users’ TikTok Shop accounts and the money in it.

This fictitious example shows just one of many scams that ensnare adolescents (and adults) who use their devices online. Parents, understandably, want to warn their children about ubiquitous online attempts to steal their personally identifiable information (PII) and money.

The Australian government has found a way to inadvertently prevent scamming of children: Under-16s in the country are now banned from using social media services, including TikTok, X, Facebook, Instagram, YouTube, Snapchat and Threads. The government imposed the December 2025 ban to protect young people from harmful content, but the law may deter online fraudsters. Other countries, including Denmark, France, Spain, Italy, Greece and Germany, are considering bans on children’s social media. In January 2026, Prime Minister Keir Starmer announced that the U.K. government is also considering a social media ban for children under 16.

For all those other parents who still warily allow their kids to live online, the U.S. Federal Trade Commission (FTC) offers help:

• Set automatic updates on phones, tablets and laptops to protect apps, web browsers and operating systems.
• Use strong passwords. Make sure your kids’ accounts and devices are protected by unique passwords. Consider helping teenagers set up and use password managers or password generators — and remind them not to leave their devices unattended in public places.
• Secure your home Wi-Fi network. Frequently change your router’s default name and password. Turn off remote management and log out as the administrator once the router is set up.
• Use parental controls to help reinforce good online habits and create safer spaces for children to learn and play online. To have a better handle on what kids might be spending online, consider using parental controls to disable in-app purchases or require a password for all purchases on phones or tablets. You can also set up an approval process for all apps downloaded and installed on your children’s devices.

Protecting foster youth from identity theft

Minors don’t typically have credit reports, so they might not discover they are identity theft victims until later in life, such as when they apply for credit or jobs. This problem is compounded for children in foster care because they move often and more people have access to their PII.

The FTC provides advice for adults who care for foster children:

• Check if the minor has a credit report. Ask the three nationwide credit bureaus, Equifax, Experian and TransUnion (IdentityTheft.gov), for manual searches for the minor’s Social Security number. You may have to provide credit bureaus with copies of documents that prove you’re the child’s parent, legal guardian or an authorized child welfare representative.
• Freeze their credit. The process for obtaining a freeze for minors differs from adults. Find instructions at Equifax, Experian and TransUnion. A U.S. federal law requires child welfare agencies to obtain and review credit reports every year for foster youth ages 14 and older, which can help them spot identity theft with time to address it.
• Secure their personal data. Secure kids’ paper documents, such as medical bills or government identification cards, in safe places and under passwords online. Shred documents before throwing them away. Talk with all kids in your life about why keeping PII safe is important.

Tax professionals protecting client data

As U.S. tax season approaches, remember that cyber criminals target tax professionals’ client information to file fraudulent tax returns and claim fake refunds. For years, these fraudsters have stolen identities of tax professionals using their preparer tax identification numbers (PTIN), electronic filing identification numbers (EFIN) and centralized authorization numbers (CAF) to file fraudulent returns or steal even more PII. (See the Fraud Magazine articles, “Identity theft tax refund fraud,” parts 1 and 2, by the author, Tiffany McLeod and Adrian Harrington.)

The U.S. IRS provides steps that tax professionals can follow to help prevent identity theft and tax refund fraud. To help protect client data, U.S. federal law requires tax professionals of any firm size to create, implement and maintain information security plans. A firm may accomplish this by using its own cybersecurity expert or hiring one. If this isn’t feasible, these publications will be useful:

1. Publication 4557, “Safeguarding Taxpayer Data.” This publication provides an overview of tax professionals’ legal obligations to protect taxpayer information and provides a step-by-step checklist on how to create and maintain security plans for tax professionals’ digital networks and offices.
2. The National Institute of Standards and Technology’s (NIST), “Small Business Information Security: The Fundamentals.” NIST, a branch of the U.S. Commerce Department, sets the information security framework for federal agencies. It produced this document to provide small businesses with an overview of those steps to security data. Its focus is on five principles: identify, protect, detect, respond and recover.
3. “Tax Security 2.0: The Taxes-Security-Together Checklist.” This is a quick overview of security steps that tax professionals should take.
4. “Protect your clients; protect yourself — Summer 2024.” The IRS and Security Summit partners remind tax professionals to stay alert against new and ongoing threats.

The IRS warns tax professionals about the following red flags:

• The IRS returns a client’s e-filed return because it received another return with a client’s government identification number.
• The tax professional firm receives more e-file acknowledgments than tax returns that it knows it filed.
• The firm’s clients respond to emails it didn’t send.
• The firm experiences slow or unexpected responsiveness from its computer or network, such as:

• Software or actions take longer to process than usual.
• The cursor moves or changes numbers without touching the mouse or keyboard.
• The firm is locked out of its network or computer.

A firm’s clients may also receive:

• Authentication letters (5071C, 4883C, 5747C) from the IRS even though they haven’t filed a return.
• Refunds even though they haven’t filed returns.
• Tax transcripts they didn’t request.
• Emails or calls from the firm it didn’t initiate.
• Notices that someone created IRS online accounts for them without their consent.
• Notices they weren’t expecting that someone accessed their IRS online accounts or the IRS disabled their IRS online accounts.

The IRS provides the following advice to tax professionals to help protect against stolen data:

• Use separate personal and business email accounts.
• Protect email accounts with strong passwords and two-factor authentication if available.
• Install an anti-phishing tool bar to help identify known phishing sites. (Anti-phishing tools may be included in security software products.)
• Use security software to help protect systems from malware and scan emails for viruses.
• Never open or download attachments from unknown senders, including potential clients; verify emails from clients by calling them.
• Send password-protected and encrypted documents only.
• Do not respond to suspicious or unknown emails; if a questionable email is IRS-related, forward it to phishing@irs.gov.

  Here are some other IRS suggestions for protecting data:

• Track returns that a firm files through its daily e-file acknowledgments. Dig deeper if the firm receives more acknowledgments than tax returns that it knows it filed.
• Track weekly EFIN usage. The IRS weekly posts the number of returns filed with a firm’s EFIN.

1. Log into the firm’s e-Services account.
2. Access the firm’s e-file application and check “EFIN Status.”
3. If the numbers are off, the firm should contact the e-Help desk.
4. A firm should keep its EFIN application current with all phone, address and personnel changes.
5. A firm should check its PTIN account for a weekly report of returns filed with its PTIN if the firm is a “Circular 230 practitioner” or an “annual filing season program participant” and it files 50 or more returns a year.

If a tax professional firm is a data-theft victim, it should immediately:

• Report it to the firm’s local stakeholder liaison. A liaison will notify IRS Criminal Investigation and others within the agency on the firm’s behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in the firm’s clients’ names and will assist it through the process.
• Get information on how to report victim information to state tax agencies. It should visit the Federation of Tax Administrators’ Report a Data Breach to find state contact information.

I’m here to help

Please use this information in your outreach programs and among your family members, friends, and co-workers. As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues you need help with or if you’d like me to research a scam and possibly include details in future columns or as feature articles. I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is a distinguished emeritus professor of accounting and research at Central Washington University. He serves on the ACFE Advisory Council, the ACFE Editorial Advisory Committee and the ACFE’s inaugural CFE Exam Content Development Committee. In 2005 he received the ACFE’s Outstanding Achievement in Accounting award and the ACFE’s Educator of the Year award in 2006. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.