Online Trust Alliance Finds 46% of IRS E-File Tax Services Fail to Adequately Protect Consumer Data

Website security and privacy audit identifies risky sites, and provides guidelines to help protect against tax fraud and identity theft

The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust and promote innovation and commerce, today announced the results of its 2016 IRS Free E-File Audit & Honor Roll. The audit evaluates the privacy, security and consumer protection practices of the thirteen IRS-approved free e-filing tax services. After an assessment based on nearly 50 criteria, standards and internationally accepted privacy practices, six of the 13 websites, or 46 percent, failed due to poor site security and not taking steps to help protect consumers from fraudulent and malicious email. Conversely, the sites that performed particularly well received “Honor Roll” status.

“Given that tax data is extremely sensitive with a high risk for victimization, the failure rate of over one-third should concern customers and the IRS,” said Craig Spiezle, Executive Director and President at the Online Trust Alliance. “Consumer use and IRS approval of such services should be carefully reconsidered.”

OTA evaluated the IRS-approved e-filing sites using both its own industry-developed methodology and the IRS’ mandated security and privacy standards. Seven sites scored highly in all areas of the audit, five failed due to poor consumer protection and three received failing grades for their site security.

Most failing sites did not properly authenticate email addresses, which leaves consumers open to spear phishing and malicious email scams, the exploit of choice for tax fraud. Based on the IRS security mandates for these tax providers announced in 2010 and updated in 2015, one provider was out of compliance for failing to adopt Extended Validation SSL Certificates. EV SSL Certificates are safeguards for assuring a website owner’s identity to help prevent spoofing and fraud. Other providers were out of compliance for failing to provide adequate third party audits of their privacy policy and web activities, implement anti-botnet protection for fraudulent account signups, and regularly scan their sites for SSL vulnerabilities.

The OTA has been in contact with the IRS regarding these findings offering assistance and briefings. It encourages the IRS to re-evaluate the list of free e-file sites and continued inclusion of firms that do not comply with industry standards and the IRS’ security and privacy mandates.

Honor Roll Recipients:
The following e-file websites have been awarded Honor Roll status:

  •     eSmart Tax
  •     TaxAct
  •     TaxSlayer
  •     FreeTaxUSA    
  •     TurboTax Free File
  •     H&R Block Free File    

Since 2009, OTA has regularly conducted audits examining online security and privacy practices of high profile consumer-facing websites, including those of U.S. presidential candidates, popular websites and online retailers.

Arming Consumers and Businesses to Fight Tax Scams
As part of the audit and honor roll, the OTA has released a checklist of best practices to help consumers and organizations protect themselves from common tax scams like IRS impersonation phone calls or emails, bogus e-file ads that appear on reputable websites and business email compromise. Some key pieces of advice include:

  •     The IRS never contacts consumers to ask for personal information by phone or email. Any message or call that claims to be from them asking for this information is a scam.
  •     File tax returns as early as possible to decrease the risk of someone filing a bogus tax return in your name.
  •     Keep security software on your devices up to date and check the privacy settings on websites and social media sites that you use.    

“Tax season is another reminder of how vulnerable our personal information can be online, even when dealing with a trusted entity like the IRS,” said Roxane Divol, General Manager of Website Security for Symantec. “We are happy to partner with the OTA to offer consumers both technologies and guidelines that help safeguard their data online during tax season and year round.”

“In an increasingly web-connected economy, organizations need to value strong identity assurance and data encryption as critical steps to ensuring consumer privacy and security,” said Jason Sabin, Chief Security Officer at DigiCert. “The findings of this report can help advance consumer safety by recognizing e-filers following best practices and providing guidance to consumers in choosing companies they can trust.”

"Every tax season spoofed email is used to defraud consumers of millions of dollars. This is not acceptable and should not be allowed to continue,” said Patrick Peterson, Founder and CEO, Agari. “The email authentication technologies highlighted here by OTA are used by thousands of enterprises to protect consumers. It is essential for every organization conducting transactions online to take these measures to reduce fraud and protect consumers.”

OTA’s 2016 IRS Free E-File Audit & Honor Roll was powered in part by leading organizations including Symantec, DigiCert and Agari. The complete report and its methodology, as well as the consumer checklist, can be found at

OTA and representatives from DigiCert and Symantec will discuss key findings from the report in a webinar on March 8 at 8 am and 3 PM PST. Register at

About OTA:
The Online Trust Alliance (OTA) is a non-profit with the mission to enhance online trust and user empowerment while promoting innovation and the vitality of the Internet. Its goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, and meaningful self-regulation and data stewardship. Its members and supporters include leaders spanning the public policy, technology, ecommerce, social networking, mobile, email and interactive marketing, financial, service provider, government agency and industry organization sectors.

Andrew Goss
Voxus PR (for OTA)

Contact Author

Austin Williams

Andrew Goss