Building Trust 17 June 2016

Online Trust Alliance Finds 46% of IRS Free E-File Tax Services Fail to Adequately Protect Consumers

Wed, Feb 24, 2016

Updated June 17, 2016

Editor’s Note – Since the original audit, all eFile sites were re-audited as part of the 2016 Audit and updated methodology. As of June 14, 2016, all of the free eFile sites now qualify for the Honor Roll. OTA appreciates the eFile firms’ quick response in remediating their consumer protection, security and privacy deficiencies.

The Online Trust Alliance (OTA) today announced the results of its 2016 IRS Free E-File Audit & Honor Roll. The audit evaluates the privacy, security and consumer protection practices of the thirteen IRS-approved free e-filing tax services. After an assessment based on nearly 50 criteria, standards and internationally accepted privacy practices, six of the 13 websites, or 46 percent, failed because of poor site security and a failure to take steps to help protect consumers from fraudulent and malicious email. Conversely, the sites that performed especially well received “Honor Roll” status.

“Given that tax data is extremely sensitive with a high risk for victimization, the failure rate of over one-third should concern customers and the IRS,” said Craig Spiezle, Executive Director and President at the Online Trust Alliance. “Consumer use and IRS approval of such services should be carefully reconsidered.”

OTA evaluated the IRS-approved e-filing sites using both its own industry developed methodology, and the IRS’ security and privacy mandated standards. Seven sites scored highly in all areas of the audit, five failed due to poor consumer protection and three received failing grades for their site security.

Most failing sites did not properly authenticate email addresses, which leaves consumers open to spear phishing and malicious email scams, the exploit of choice for tax fraud. Based on the IRS security mandates for these tax providers announced in 2010 and updated in 2015, one provider was out of compliance for failing to adopt Extended Validation SSL Certificates. EV SSL Certificates are safeguards for assuring a website owner’s identity to help prevent spoofing and fraud. Other providers were out of compliance for failing to provide adequate third-party audits of their privacy policy and web activities, implement anti-botnet protection for fraudulent account signups, and regularly scan their sites for SSL vulnerabilities.

The OTA has been in contact with the IRS regarding these findings, offering assistance and briefings. It encourages the IRS to re-evaluate the list of free e-file websites and continued inclusion of firms that do not comply with industry standards and their own security and privacy mandates. 

Honor Roll Recipients

  • eSmart Tax
  • TaxAct
  • TaxSlayer
  • FreeTaxUSA
  • TurboTax Free File
  • H&R Block Free File

Since 2009, OTA has regularly conducted audits examining online security and privacy practices of high profile consumer-facing websites, including those of U.S. presidential candidates, popular websites and online retailers.

Arming Consumers and Businesses to Fight Tax Scams

As part of the audit and honor roll, the OTA has released checklists of best practices to help consumers and organizations protect themselves from common tax scams like IRS impersonation phone calls or emails, bogus e-file ads that appear on reputable websites and business email compromise. Some key pieces of advice include:

  • The IRS never contacts consumers to ask for personal information by phone or email. Any message or call that claims to be from them asking for this information is a scam.
  • File tax returns as early as possible to decrease the risk of someone filing a bogus tax return in your name.
  • Keep security software on your devices up to date and check the privacy settings on websites and social media sites that you use.    

The complete report, methodology and checklists can be found here.

About OTA: 

The Online Trust Alliance (OTA) is a non-profit with the mission to enhance online trust and user empowerment while promoting innovation and the vitality of the Internet. Its goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users’ security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, and meaningful self-regulation and data stewardship. Its members and supporters include leaders spanning the public policy, technology, ecommerce, social networking, mobile, email and interactive marketing, financial, service provider, government agency and industry organization sectors.
