Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Tax43 min readDeep Dive

EFIN Security Requirements: Protect Your Filing ID

EFIN security requirements for tax preparers: MFA, encrypted storage, weekly monitoring. Protect your filing ID from theft and IRS revocation in 2026.

EFIN Security Requirements: Protect Your Filing ID - efin security requirements

What Are EFIN Security Requirements?

EFIN security requirements are the mandatory federal safeguards that tax professionals must implement to protect their Electronic Filing Identification Numbers from unauthorized access, credential theft, and fraudulent filing schemes. The IRS mandates these controls through two primary publications: Publication 4557 (Safeguarding Taxpayer Data) and Publication 1345 (IRS e-file Security and Privacy Standards). Core requirements include multi-factor authentication (MFA) on all IRS e-Services accounts, encrypted credential storage with access logging, weekly monitoring of EFIN usage reports, and immediate breach reporting to the IRS e-help desk at 866-255-0654.

A compromised EFIN enables criminals to file hundreds of fraudulent returns within hours, exfiltrate taxpayer Personally Identifiable Information (PII) at scale, and permanently eliminate a tax firm's e-filing privileges through EFIN revocation. According to IBM's 2025 Cost of a Data Breach Report, financial services breaches now average $6.08 million in total costs. For the 2026 filing season, the IRS and its Security Summit partners continue to warn of escalating phishing campaigns and credential-stealing malware specifically targeting tax professionals.

This guide covers the complete EFIN security framework — from IRS application requirements and mandated technical controls to threat detection, incident response, and compliance integration with the FTC Safeguards Rule and Gramm-Leach-Bliley Act (GLBA). For broader context on how EFIN security fits into your firm's overall obligations, see our overview of IRS cybersecurity requirements for tax preparers.

EFIN Security: By the Numbers

$6.08M
Avg. Financial Services Breach Cost

IBM Cost of Data Breach Report 2025

45 Days
EFIN Application Processing Time

IRS standard review timeline for new applications

28 Days
e-Services Confirmation Deadline

Window to return your IRS e-Services confirmation code

Understanding the Electronic Filing Identification Number

An Electronic Filing Identification Number (EFIN) is a unique six-digit identifier assigned by the Internal Revenue Service to firms and individuals authorized to electronically file federal tax returns on behalf of clients. E-filing has become the industry standard for tax submission, and the EFIN system was created to enhance the security and integrity of the electronic filing process — giving the IRS the ability to monitor filing volumes by provider and identify anomalous patterns that may signal fraud.

EFIN vs. PTIN: What Is the Difference?

These two identifiers serve distinct purposes. A Preparer Tax Identification Number (PTIN) identifies the individual tax preparer and is required for anyone who prepares or assists in preparing federal tax returns for compensation. An EFIN, by contrast, belongs to the business entity — associated either with the firm's Employer Identification Number (EIN) or, for sole proprietors, with the owner's Social Security Number. A sole practitioner typically needs both: a PTIN for their individual preparer identity and an EFIN for the firm's e-filing authorization. Employees at a firm who prepare returns need their own PTINs but operate under the firm's EFIN when transmitting returns electronically. Our guide on PTIN and WISP requirements for tax preparers explains both identifiers and their associated compliance obligations in detail.

Designated Roles Required by the IRS

Firms obtaining an EFIN must designate three key roles in the IRS e-file provider application:

  • Principal: The business owner or officer holding 5% or greater ownership stake, responsible for overall compliance
  • Responsible Official: The individual who oversees e-file operations and day-to-day security compliance
  • Primary Contact: The person managing IRS communications and account maintenance

Each designated individual undergoes an IRS suitability check that includes credit verification, tax compliance review, criminal background checks, and prior e-file compliance history. Per IRS Publication 3112, fingerprinting is required for all principals and responsible officials who are not currently certified as CPAs, attorneys, or enrolled agents — establishing individual accountability from the outset of the application process. While the EFIN itself does not expire, EFIN holders must keep their IRS e-Services accounts current and meet ongoing security and compliance obligations to maintain their Authorized e-file Provider status.

How to Apply for an EFIN: Three Steps

1

Create an IRS e-Services Account

Register at the IRS e-Services portal. Account confirmation codes must be returned within 28 days of receipt. Account creation takes several days, so begin well before your intended filing start date. CPAs, attorneys, and enrolled agents submit professional credentials; all other applicants arrange fingerprinting through a trained fingerprint professional.

2

Submit the Authorized e-File Provider Application

Select the Electronic Return Originator (ERO) option in the e-file application. Provide complete business information, designate your Principal and Responsible Official, and submit all required documentation. Ensure your business address, EIN, and contact information are accurate — discrepancies can delay the suitability review.

3

Complete the Suitability Check and Await Approval

The IRS conducts credit checks, tax compliance reviews, criminal background checks, and prior non-compliance verification for all designated principals and responsible officials. Approval typically takes 45 days from a complete submission. Processing times extend during the active filing season (January–April), so plan accordingly if you need an EFIN before a specific date.

2026 Tax Season Security Alert

The IRS Security Summit warns that cybercriminals are deploying increasingly sophisticated phishing campaigns and credential-stealing malware timed to coincide with the 2026 filing season. Tax professionals who have not implemented the full range of IRS-mandated security controls — including MFA, encrypted credential storage, and weekly EFIN monitoring — face elevated risk of compromise. If you suspect your EFIN has been accessed without authorization, contact the IRS e-help desk immediately at 866-255-0654.

Why Cybercriminals Target EFIN Credentials

A stolen EFIN is among the highest-value targets in tax-related cybercrime — more useful to criminals than most individual taxpayer records — because it functions as a master key to the federal e-filing system. With a single compromised EFIN, a criminal organization can file fabricated returns claiming illegitimate refunds before detection occurs, with some incidents involving hundreds of fraudulent submissions in a single filing day. Beyond the immediate financial fraud, EFIN theft enables large-scale exfiltration of taxpayer PII — including Social Security Numbers, addresses, income data, and banking information — for every client whose return passes through the compromised firm.

The downstream consequences for the victimized firm are severe. The IRS can permanently revoke e-filing privileges, effectively ending the firm's ability to serve clients electronically. Firms face potential criminal prosecution if investigators determine that inadequate security controls contributed to the breach. Clients whose data was exposed face years of identity theft remediation, and the reputational damage to the firm typically outlasts any technical recovery effort.

The IRS Security Summit identifies three primary threat windows: the pre-season period (October through December) when criminals establish footholds in tax systems before filing begins; the active filing season (January through April) when fraudulent submissions peak; and the post-season period when tax professionals reduce their vigilance. Understanding common phishing attack patterns is the first line of defense across all three windows, since phishing remains the most common entry point for EFIN credential theft.

Mandatory IRS Security Controls for EFIN Protection

Multi-Factor Authentication Requirements

Multi-factor authentication (MFA) is the foundational EFIN security control mandated by the IRS for all e-Services accounts. MFA requires users to provide two or more verification factors — something they know (password), something they have (authenticator app or hardware security key), or something they are (biometric verification) — before granting system access.

The IRS requires MFA on the e-Services portal, but best practice extends this requirement to all tax preparation software with EFIN access privileges, email accounts associated with IRS communications, enterprise password vaults storing encrypted EFIN credentials, and remote access systems including VPN connections to tax preparation environments. SMS-based authentication codes are the weakest acceptable MFA method and remain vulnerable to SIM-swapping attacks, where criminals redirect your phone number to a device they control. Tax professionals should instead deploy hardware security keys compliant with the FIDO2 standard or authenticator applications — such as Google Authenticator, Microsoft Authenticator, or Authy — that generate time-based one-time passwords (TOTP).

For firms operating multiple office locations, MFA implementation must cover every site and every remote access point where staff connect to tax systems. Our guide on centralized security management for multi-location tax offices covers the practical deployment considerations for practices with multiple sites.

Encrypted Credential Storage Standards

The IRS explicitly prohibits storing EFIN credentials in plain text, whether in spreadsheets, unencrypted documents, email drafts, or handwritten notes left unsecured. EFIN security requirements mandate encrypted storage using enterprise-grade password management solutions with detailed access controls and audit logging. Enterprise password vaults — such as 1Password Business, Keeper Enterprise, or Bitwarden Secrets Manager — using AES-256 encryption provide the necessary combination of security and auditability. Our guide to the best password managers for tax professionals provides specific recommendations for firms of different sizes and budgets.

Implementation should include role-based access control limiting EFIN credential visibility to designated principals and essential personnel, access audit trails recording every instance of credential viewing with timestamps and IP addresses, and automatic session timeouts configured to lock vaults after 10 minutes of inactivity. Browser-based password saving features built into web browsers are not an acceptable substitute — they lack enterprise-grade encryption, role-based access controls, and the audit capabilities required by IRS Publication 4557. For context on why encryption standards matter for credential protection, our explainer on hashing vs. encryption explains the difference between storing credentials securely and simply obscuring them.

EFIN Security Implementation Checklist

  • Enable MFA on all IRS e-Services accounts used for EFIN management
  • Configure MFA on all tax preparation software with EFIN access privileges
  • Enable MFA on email accounts associated with IRS EFIN applications and communications
  • Deploy an enterprise password vault with AES-256 encryption for EFIN credential storage
  • Restrict EFIN credential access to designated principals using role-based access control
  • Enable audit logging on all systems that store or access EFIN credentials
  • Review EFIN usage reports weekly (daily during January through April filing season)
  • Designate a Responsible Official accountable for ongoing EFIN security compliance
  • Conduct quarterly access reviews and immediately revoke credentials for departed employees
  • Document your incident response procedures for EFIN compromise scenarios
  • Train all staff annually on phishing recognition and social engineering defense
  • Maintain a current Written Information Security Plan (WISP) per IRS Publication 4557

Weekly EFIN Usage Monitoring and Anomaly Detection

The IRS provides weekly EFIN usage reports through the e-Services EFIN Status page, and reviewing these reports is a key detection control for unauthorized EFIN use. The IRS recommends at minimum weekly reviews, but during the active filing season from January through April, daily monitoring is the security best practice. Detecting compromise quickly limits the volume of fraudulent returns that can be submitted before the IRS suspends the EFIN and before the firm becomes aware of the intrusion.

EFIN usage reports display total returns filed for the current season, chronological filing activity that reveals unusual volume spikes, rejection rate percentages (high rejection rates on submissions can indicate fabricated returns failing IRS validation), IP address origins for filing transmissions that may reveal access from unexpected geographic locations, and taxpayer identification patterns such as duplicate SSN usage or sequential number sequences characteristic of manufactured returns.

Monitoring thresholds should be calibrated to your firm's normal filing patterns. A sole practitioner filing 300 returns per season should flag any day with an anomalous number of submissions. A large firm with many preparers needs different baselines. Automated monitoring tools integrated with your tax software can alert you to anomalies in real time rather than requiring manual daily reviews. For firms that do experience a suspected incident, our guide on incident response planning for tax practices provides a structured approach to containment and IRS notification.

Common EFIN Compromise Attack Vectors

Phishing Campaigns Targeting Tax Professionals

Phishing attacks represent the most common entry point for EFIN credential theft. The IRS Security Summit identifies several recurring attack patterns each filing season. Fake IRS correspondence emails claim EFIN suspension or pending legal action, creating artificial urgency to override normal verification instincts. Messages impersonating tax software vendors — including Intuit, Thomson Reuters, and Drake Software — request EFIN re-entry for fabricated system updates or security verification prompts. Business email compromise (BEC) attacks use spoofed accounts from firm partners or administrators to request EFIN credentials for staged emergency filing situations. State tax agency spoofing creates fake communications appearing to come from state revenue departments requiring EFIN verification.

The common thread is urgency. Criminals engineer artificial time pressure that bypasses normal caution. A key procedural defense is establishing an out-of-band verification protocol: any request for EFIN credentials, regardless of its apparent source, requires a phone call to a number already on file — never a number provided in the suspicious message itself. Staff training to recognize these patterns is the most cost-effective control available. Our in-depth guide on recognizing and avoiding phishing attacks covers the full range of techniques used against tax professionals.

Credential-Stealing Malware and Keyloggers

Specialized malware families target tax preparation environments through multiple infection vectors. Tax software trojans disguise themselves as legitimate software updates or plugins and capture EFIN credentials during the login process. Keylogging malware records all keyboard input, capturing EFINs, passwords, and taxpayer Social Security Numbers as they are typed. Screen capture trojans take periodic screenshots when tax applications are active, harvesting visible credentials and client data. Remote access trojans (RATs) provide attackers real-time control of infected systems for on-demand credential theft and data exfiltration.

Defending against credential-stealing malware requires deploying Endpoint Detection and Response (EDR) solutions on all systems that access EFIN credentials. Understanding the differences between EDR, MDR, and XDR security solutions helps tax practices select the level of endpoint protection appropriate for their risk exposure and staff capacity. At minimum, all tax workstations should run current endpoint security software with real-time protection enabled, automatic definition updates configured, and regular full-system scans scheduled outside business hours.

Staff training is the last line of defense against social engineering. Employees who recognize the warning signs of a phishing email or a suspicious software prompt prevent many attacks before they reach technical controls. The IRS recommends annual security awareness training for all firm personnel with EFIN access — make it a documented requirement in your Written Information Security Plan, not just an informal reminder at the start of each filing season.

Bottom Line

EFIN compromise can end a tax preparation business. A stolen six-digit identifier gives criminals the ability to file hundreds of fraudulent returns within hours, trigger permanent revocation of e-filing privileges, and expose thousands of clients to identity theft. The IRS mandates specific technical controls through Publication 4557 and Publication 1345 — and the FTC Safeguards Rule independently requires a formal information security program. Meeting these requirements is not an option for any firm that electronically files tax returns on behalf of clients.

Long-Term EFIN Security: Organizational Culture and Best Practices

Sustainable EFIN security compliance requires organization-wide commitment extending beyond technology to encompass people, processes, and leadership. Technical controls are necessary but not sufficient — a firm can deploy the best password vault and MFA solution available and still suffer a breach if staff circumvent controls under time pressure or if leadership treats security as someone else's responsibility.

Effective security culture in a tax firm starts with executive sponsorship: a designated partner or senior administrator must own security outcomes with real authority and budget. Access controls must apply equally to senior staff — exceptions for partners who lack time for MFA are among the most common sources of high-privilege credential compromise. Leadership accountability for security metrics, documented in performance expectations, changes behavior more reliably than policy documents alone.

Network architecture also plays a direct role in EFIN protection. Tax systems that process EFIN credentials should be isolated from general office networks through segmentation controls. Dedicated workstations for tax preparation — separate from machines used for general browsing and email — reduce the attack surface for credential-stealing malware significantly. Remote access to tax systems must use encrypted VPN tunnels and require MFA at the connection point. Our guide on online tax filing security risks for 2026 covers network-level controls for firms of different sizes and budget constraints.

Compliance Framework Integration

EFIN security requirements exist within a broader federal compliance framework. Tax professionals must simultaneously meet obligations under multiple authorities:

  • IRS Publication 4557: Safeguarding Taxpayer Data requirements for all tax return preparers handling taxpayer information
  • IRS Publication 1345: IRS e-file Security and Privacy Standards specifically for Authorized e-file Providers with EFIN credentials
  • FTC Safeguards Rule: Requires financial institutions — including tax preparers — to implement a formal information security program; the FTC Safeguards Rule for tax preparers has specific documentation and technical control requirements that overlap significantly with IRS Publication 4557
  • Gramm-Leach-Bliley Act (GLBA): Mandates security and privacy protections for customer financial information collected by financial institutions, a category that includes most tax preparation firms
  • State data breach notification laws: Require notification of affected individuals when personal information is compromised, with state-specific timelines and thresholds that vary significantly across jurisdictions

The NIST Cybersecurity Framework provides a structured approach that maps well to IRS requirements, organizing security activities across five functions: Identify, Protect, Detect, Respond, and Recover. Firms that adopt the NIST framework as their baseline can typically demonstrate compliance with IRS, FTC, and GLBA requirements more efficiently than those implementing each regulation separately. The starting point for most tax firms is a Written Information Security Plan (WISP) — a document required by IRS Publication 4557 that formalizes your security policies, procedures, and controls in writing. Our guide on how to create a WISP for your tax firm walks through every required section.

Does Your Firm Have a Compliant WISP?

IRS Publication 4557 requires every tax firm to maintain a Written Information Security Plan covering EFIN security controls, access management, and incident response. Our WISP template is purpose-built for tax preparers.

Professional Resources for EFIN Security

Tax professionals seeking to strengthen their EFIN security posture have access to several authoritative resources. The IRS Security Summit — a partnership between the IRS, state tax agencies, and the tax industry — publishes annual security guidance and threat intelligence specifically for tax professionals. IRS Identity Theft Central provides step-by-step resources for responding to taxpayer identity theft and fraudulent filing incidents. The Cybersecurity and Infrastructure Security Agency (CISA) publishes cybersecurity guidance and threat intelligence applicable to small businesses and financial services firms at no cost.

For firms that need ongoing security support rather than one-time resources, managed security services designed for tax preparation practices provide 24/7 monitoring, endpoint protection, incident response, and compliance management. This is particularly valuable for firms without dedicated IT staff — the seasonal nature of tax work makes it difficult to maintain internal security expertise year-round, while the threats are present every month.

Firms handling sensitive taxpayer data should also review our resources on tax data protection strategies and the tax preparer cybersecurity framework we have developed specifically for accounting and tax preparation environments. For those recovering from a security incident, our guide on what to do after a data breach provides a structured response framework that addresses both technical containment and client notification obligations.

Protect Your EFIN with Expert Cybersecurity

Bellator Cyber Guard provides managed security services for tax professionals, including endpoint protection, threat monitoring, incident response, and IRS compliance support tailored to the seasonal demands of tax preparation practices.

Frequently Asked Questions About EFIN Security Requirements

Contact the IRS e-help desk immediately at 866-255-0654 to report the suspected compromise and request EFIN suspension. Do not wait to confirm the breach before calling — early reporting limits the number of fraudulent returns that can be filed using your identifier. Simultaneously, change all passwords associated with your tax preparation software, IRS e-Services account, and email accounts used for IRS communications. Enable or verify MFA is active on all these accounts. Document the date, time, and nature of the suspected compromise in writing. After stabilizing the immediate situation, follow your firm's written incident response plan, which should address client notification and, depending on your state, a formal data breach notification filing. Our guide on what to do after a data breach provides a step-by-step recovery framework.

The IRS recommends reviewing your EFIN usage reports at minimum once per week through the e-Services EFIN Status page. During the active filing season from January through April, daily monitoring is the security best practice. Usage reports show total returns filed, filing date distributions, rejection rates, and other indicators that can reveal unauthorized activity. Establishing a regular monitoring routine and documenting your review dates demonstrates compliance with IRS Publication 4557's monitoring requirements and creates an audit trail showing good-faith security practices — which can be relevant in any subsequent IRS review of your firm's compliance posture.

No. EFINs are not transferable and cannot be sold, assigned, or passed to a new owner as part of a business sale. The EFIN is tied to the specific individual or entity that applied for it, including the associated Employer Identification Number or Social Security Number. When a tax preparation business changes ownership, the new owner must apply for a new EFIN through the standard IRS application process, which typically takes 45 days. The prior owner's EFIN should be formally deactivated at the time of the sale. Continued use of a prior owner's EFIN by new personnel constitutes unauthorized EFIN use and can result in revocation and potential enforcement action.

Fingerprinting is required for all principals and responsible officials in an EFIN application who are not currently certified as CPAs, attorneys, or enrolled agents. Fingerprints must be submitted through a trained fingerprint professional — the IRS does not accept self-administered fingerprinting. The fingerprints are used for criminal background checks as part of the suitability review process. Certified professionals provide their professional credentials and license information instead of fingerprints. Per IRS Publication 3112, the fingerprinting requirement applies to any individual in a principal or responsible official role who lacks one of these recognized professional certifications at the time of application.

Yes, the IRS generally requires a separate EFIN for each physical office location from which returns are electronically filed. If your firm operates from multiple sites, each location must have its own EFIN registered to that specific address. This requirement supports the IRS's monitoring function — filing activity is tracked by location, making it easier to identify anomalous volume patterns at a specific office. Sole practitioners who work from a single location need only one EFIN. If you are expanding to a new office, begin the EFIN application process at least 45 to 60 days before the new location is scheduled to begin e-filing to account for standard processing time and potential delays during peak season.

A Preparer Tax Identification Number (PTIN) identifies an individual tax preparer and is required for anyone who prepares or assists in preparing federal tax returns for compensation. A PTIN is personal to the individual and must be renewed annually. An Electronic Filing Identification Number (EFIN), by contrast, identifies the business entity authorized to electronically transmit returns and belongs to the firm rather than to any individual. A sole practitioner who both prepares and e-files returns needs both: a PTIN for their identity as a preparer and an EFIN for their firm's electronic filing authorization. From a security standpoint, the EFIN carries greater risk because compromise affects all clients filed under it, not just one preparer's work.

EFIN holder information must be kept current through the IRS e-Services portal. Any changes to your business address, phone number, ownership structure, or responsible official must be updated promptly — the IRS requires notification within 30 days of most material changes. To update your information, log into your e-Services account, access the e-File Application section, and submit the revised information. Changes that involve adding or replacing a responsible official may trigger an additional suitability review, which can take several weeks. Keeping this information current is a condition of maintaining your EFIN in good standing, and outdated contact information can delay IRS notifications in the event of a security incident.

The IRS e-Services portal accepts several forms of multi-factor authentication, including time-based one-time passwords (TOTP) generated by authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy, as well as SMS text message codes sent to a registered phone number. SMS-based MFA, while accepted, is the weakest option because it is vulnerable to SIM-swapping attacks where criminals redirect your phone number to a device they control. Security best practice for EFIN holders is to use an authenticator application or a FIDO2-compliant hardware security key rather than SMS codes. Whichever method you choose, document it in your WISP as part of your formal access control policy so that the control is auditable and consistently applied across all staff with EFIN access.

If you stop preparing tax returns temporarily — for example, due to a medical leave or career change — your EFIN does not automatically expire, but it may become inactive if no returns are filed over multiple seasons. The IRS monitors filing volume by EFIN holder and may flag dormant identifiers for review. If you plan to resume tax preparation after a gap, contact the IRS e-help desk to confirm your EFIN remains in active status before the filing season begins. If you permanently stop preparing returns, formally deactivate your EFIN to prevent any future unauthorized use of the identifier. Deactivation requests can be submitted through the IRS e-Services portal. Leaving a dormant EFIN active without monitoring creates an unnecessary security exposure.

Yes. Tax professionals who fail to implement required EFIN security controls face consequences from multiple directions. The IRS can suspend or permanently revoke an EFIN if the holder is found to have inadequate security practices, particularly following a breach. The FTC Safeguards Rule — which applies to most tax preparers under the Gramm-Leach-Bliley Act — authorizes civil penalties for failure to implement required information security controls. State attorneys general can bring enforcement actions under state data breach and consumer protection laws with their own penalty structures. Beyond regulatory penalties, firms that experience a breach resulting from inadequate controls face potential civil liability from affected clients. The combination of IRS, FTC, and state enforcement authorities means that security lapses can draw penalties from multiple regulators simultaneously. Our resource on FTC Safeguards Rule compliance for tax preparers details the specific documentation and technical control requirements that reduce enforcement exposure.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Need help with IRS compliance?

Our tax cybersecurity specialists can review your security posture and help you get compliant.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.