
Tax professionals are under constant assault from cybercriminals who understand the extraordinary value of the data these practitioners handle. From Social Security numbers and financial records to employer identification numbers and banking information, a tax preparer's systems contain everything needed to commit identity theft, tax fraud, and financial crimes on a massive scale. Understanding the specific threats targeting your practice is essential to building an effective defense.
Key Takeaway
This article covers the biggest security threats facing tax preparers today, from IRS impersonation scams to data exfiltration: what to watch for and how to respond.
Tax Preparer Threat Landscape [statistics panel: major attack vectors targeting tax practices; increased attacks during tax season; leading ransomware entry point]
1. Ransomware Attacks
Ransomware encrypts your files and demands payment for the decryption key. For tax professionals, this means losing access to every client record, tax return, and business document simultaneously. Attackers know that tax practices are under tight deadlines and may be more willing to pay quickly to restore operations. Ransomware attacks against tax professionals spike during tax season when the pressure to meet filing deadlines is greatest.
Prevention includes maintaining tested offline backups, deploying EDR solutions that detect ransomware behavior, keeping all software updated, and training staff to recognize the phishing emails that typically deliver ransomware.
2. Phishing and Spear Phishing
Phishing remains the most common initial attack vector. Generic phishing campaigns cast a wide net, while spear phishing targets specific individuals with personalized messages. Tax professionals receive phishing emails impersonating the IRS, tax software vendors, clients, and financial institutions. During filing season, the volume of these attacks increases dramatically.
Prevention requires email filtering technology, regular security awareness training, phishing simulation exercises, and technical controls like DNS filtering that block access to malicious sites.
Email-Based Attack Vectors
Business Email Compromise
Compromising trusted email accounts to manipulate victims into transferring money or sensitive data
Malicious Tax Documents
Malware-laden files disguised as W-2s, 1099s, and other tax documents sent via email
Spear Phishing
Personalized attacks targeting specific individuals with convincing impersonation tactics
3. Business Email Compromise (BEC)
BEC attacks involve compromising or spoofing a trusted email account to manipulate the victim into transferring money or sensitive data. In a tax context, an attacker might compromise a client's email and send a request to change refund direct deposit information, or they might impersonate a firm partner and instruct staff to send client data to an external email address.
Prevention includes implementing email authentication protocols (DMARC, DKIM, SPF), establishing verbal verification procedures for any changes to financial information, and training staff to recognize BEC tactics.
4. Credential Theft and Account Takeover
Attackers steal login credentials through phishing, keylogger malware, or by purchasing credentials exposed in data breaches. Once they have your tax software credentials, they can access your entire client database. If they obtain your IRS e-Services credentials, they can compromise your EFIN and file fraudulent returns under your identity.
Prevention includes using unique, strong passwords for every account, enabling multi-factor authentication everywhere, monitoring for compromised credentials on the dark web, and deploying endpoint protection that detects keylogger malware.
Credential Protection Steps
Implement Strong Passwords
Use unique, complex passwords for every account and system
Enable Multi-Factor Authentication
Add an extra layer of security to all critical accounts
Monitor Dark Web
Watch for compromised credentials being sold online
Deploy Endpoint Protection
Detect and block keylogger malware before it steals credentials
5. Insider Threats
Not all threats come from outside your organization. Current or former employees, contractors, or business partners with access to your systems can intentionally or accidentally compromise client data. A disgruntled seasonal preparer who copies client files before leaving, or an employee who falls for a phishing email, can cause just as much damage as an external attacker.
Prevention includes implementing least-privilege access controls, promptly revoking access when employees depart, monitoring user activity for unusual behavior, and conducting background checks on staff with access to sensitive data.
RDP Security Alert
Remote Desktop Protocol is one of the top three initial access vectors in ransomware attacks. Many tax practices expose RDP directly to the internet, making them easy targets for brute force attacks and credential stuffing.
6. Remote Desktop Protocol (RDP) Exploitation
Many tax practices use Remote Desktop Protocol to allow remote access to office computers. Exposed RDP services are a favorite target for attackers, who use brute force attacks or stolen credentials to gain access. Once inside via RDP, attackers have the same access as if they were sitting at your computer. RDP is one of the top three initial access vectors in ransomware attacks.
Prevention includes disabling RDP if not needed, using a VPN to access RDP rather than exposing it to the internet, enabling Network Level Authentication (NLA) so the client must authenticate before a session is created, implementing account lockout policies, and monitoring RDP login attempts.
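Monitoring RDP login attempts means more than collecting events: the signal of a brute force attack is many failed logons from one source address, spread across accounts, followed by a success. The following added example (not code from the original article) implements that detection over a constructed sample of Windows Security log events, reduced to the fields that matter (Event ID 4625 for failed and 4624 for successful logons, Logon Type 10 for RemoteInteractive, i.e. RDP). The sample addresses and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, EventID, LogonType, account, source address).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
SAMPLE_EVENTS = [
    ("2024-03-12T02:14:05", 4625, 10, "administrator", "198.51.100.23"),
    ("2024-03-12T02:14:09", 4625, 10, "admin", "198.51.100.23"),
    ("2024-03-12T02:14:12", 4625, 10, "office", "198.51.100.23"),
    ("2024-03-12T02:14:20", 4625, 10, "jsmith", "198.51.100.23"),
    ("2024-03-12T02:14:31", 4625, 10, "preparer1", "198.51.100.23"),
    ("2024-03-12T02:15:02", 4624, 10, "preparer1", "198.51.100.23"),  # guessing succeeded
    ("2024-03-12T08:01:10", 4625, 10, "jsmith", "203.0.113.7"),        # one typo by a real user
    ("2024-03-12T08:01:30", 4624, 10, "jsmith", "203.0.113.7"),
    ("2024-03-12T08:05:00", 4625, 2, "jsmith", "-"),                   # console logon, not RDP
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source: summary} for sources whose RDP failures reach the threshold
    inside a sliding window. 'succeeded_after' is True when that source later logs
    on successfully, the strongest sign that the guessing worked."""
    failures = defaultdict(list)   # source -> timestamps of failed RDP logons
    accounts = defaultdict(set)    # source -> account names tried
    alerts = {}
    for ts, event_id, logon_type, account, source in sorted(events):
        if logon_type != 10:       # only RemoteInteractive (RDP) logons matter here
            continue
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[source].append(when)
            accounts[source].add(account)
            recent = [t for t in failures[source] if when - t <= window]
            if len(recent) >= threshold:
                entry = alerts.setdefault(source, {"succeeded_after": False})
                entry["failures"] = len(recent)
                entry["accounts"] = set(accounts[source])
        elif event_id == 4624 and source in alerts:
            alerts[source]["succeeded_after"] = True
            alerts[source]["account"] = account
    return alerts
```

The count is kept per source address rather than per account because a guessing campaign that rotates through many usernames never trips a per-account lockout policy; an alert from this check is the cue to block the source and review the account that succeeded.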
Physical and Network Security Risks
Wi-Fi Eavesdropping
Unsecured wireless networks allow attackers to intercept client data transmitted over your network
Physical Theft
Stolen laptops and lost USB drives result in data breaches affecting hundreds of taxpayers
Supply Chain Attacks
Compromised vendors and service providers provide attackers with trusted access to your systems
8. Wi-Fi Eavesdropping
Unsecured or poorly secured wireless networks allow attackers to intercept data transmitted over the network. If your office Wi-Fi uses weak encryption or a shared password that has not been changed in years, an attacker in a nearby car or building could intercept client data as it moves across your network.
Prevention includes using WPA3 encryption (or WPA2 at minimum), using a strong, unique Wi-Fi password, separating guest and business networks, and using a VPN for all sensitive transactions.
9. Physical Theft and Loss
Stolen laptops, lost USB drives, and break-ins at tax offices result in data breaches that must be reported under state notification laws. A single stolen laptop containing unencrypted client data can affect hundreds or thousands of taxpayers.
Prevention includes encrypting all devices and removable media with full-disk encryption, enabling remote wipe capability on laptops and mobile devices, implementing physical security controls at your office, and avoiding storing client data on portable devices whenever possible.
10. Supply Chain Attacks
Attackers compromise a software vendor or service provider that your practice relies on, using that access as a pathway into your systems. If your tax software vendor, cloud storage provider, or IT service company is breached, the attackers may gain access to your data through the trusted connection between your systems and theirs.
Prevention includes vetting the security practices of all vendors and service providers, limiting the access granted to third-party software and services, monitoring for unusual activity from vendor connections, and maintaining your own backups independent of vendor systems.