Top Security Threats for Tax Preparers Right Now

Protect your practice from ransomware, phishing, BEC, and credential theft. Learn the top tax preparer security threats and IRS-compliant defenses.

Tax professionals are under constant assault from cybercriminals who understand the extraordinary value of the data these practitioners handle. From Social Security numbers and financial records to employer identification numbers and banking information, a tax preparer's systems contain everything needed to commit identity theft, tax fraud, and financial crimes on a massive scale.

The IRS reported over 6,400 data thefts targeting tax professionals in 2025, with attackers stealing an average of 400 taxpayer records per incident. These breaches don't just compromise client data—they can result in EFIN suspension, state penalties up to $250,000, and permanent reputational damage that destroys practices built over decades.

Understanding the specific threats targeting your practice right now is essential to building an effective defense that meets IRS Publication 4557 security requirements and protects your clients, your business, and your professional credentials.

Tax Preparer Threat Landscape By The Numbers

  • 6,400+: tax professional data thefts in 2025 (IRS Security Summit reporting)
  • 94%: breaches that start with email (Verizon 2025 DBIR)
  • $4.88M: average breach cost (IBM Cost of Data Breach 2025)
  • 277 days: average detection time (IBM Security Research)

1. Ransomware Attacks Targeting Tax Season Deadlines

Ransomware encrypts your files and demands payment for the decryption key. For tax professionals, this means losing access to every client record, tax return, and business document simultaneously—typically during the critical weeks before filing deadlines when you're most vulnerable to pressure.

Attackers know that tax practices operate under tight IRS deadlines and may be more willing to pay quickly to restore operations. Ransomware attacks against tax professionals spike 340% during tax season (January through April), with attackers specifically timing their campaigns to maximize leverage.

The average ransom demand against small tax practices in 2025 was $47,000, but even if you pay, there's no guarantee of data recovery. The FBI reports that only 65% of ransomware victims who pay the ransom successfully recover their files, and 37% of those who do recover still find data corruption.

Ransomware Attack Vectors Targeting Tax Pros

  • Phishing emails with malicious attachments disguised as client documents, IRS notices, or tax software updates
  • Compromised Remote Desktop Protocol (RDP) connections that allow direct system access
  • Malicious macros embedded in Excel or Word documents claiming to be tax worksheets
  • Software vulnerabilities in unpatched tax software, operating systems, or office applications
  • Drive-by downloads from compromised websites, including fake IRS tax form repositories

Prevention and Detection

Prevention requires a layered approach: maintain tested offline backups stored separately from your network, deploy EDR solutions that detect ransomware behavior patterns before encryption begins, keep all software updated with security patches within 72 hours of release, and train staff to recognize the phishing emails that deliver 78% of ransomware infections.

According to NIST SP 800-184, the 3-2-1 backup rule remains the gold standard: maintain three copies of data, on two different media types, with one copy stored offline. For tax professionals, this means daily backups during tax season with weekly offline rotation.

Critical Ransomware Defense

Ransomware attacks spike 340% during tax season. Your offline backup is the only guaranteed recovery method—test restoration quarterly, not when you're under attack. IRS Publication 4557 Section 3.4 requires documented backup procedures for all tax preparers.

2. Phishing and Spear Phishing: The Primary Attack Vector

Phishing remains the most common initial attack vector, responsible for 94% of successful breaches according to the Verizon 2025 Data Breach Investigations Report. Generic phishing campaigns cast a wide net with mass emails, while spear phishing targets specific individuals with personalized messages based on reconnaissance.

Tax professionals receive phishing emails impersonating the IRS (including fake CP2000 notices and PTIN suspension warnings), tax software vendors (Intuit, Drake, Thomson Reuters), clients requesting status updates, and financial institutions. During filing season, the volume of these attacks increases dramatically, with some tax offices reporting 50-100 phishing attempts per day in March and April.

2025-2026 Tax Phishing Tactics

The IRS Security Summit has identified these emerging phishing threats targeting tax preparers:

  • AI-generated voice phishing (vishing) using deepfake audio of partners or clients requesting urgent file access
  • QR code phishing in physical mail claiming to be IRS security updates requiring mobile scanning
  • Multi-channel attacks combining email, text messages, and phone calls to establish false legitimacy
  • Tax software update scams delivering credential-stealing malware disguised as mandatory security patches
  • Client portal spoofing replicating your secure client portal login page to harvest credentials

Prevention requires technical controls combined with human awareness. Deploy email filtering technology that blocks known malicious domains and analyzes message headers for spoofing indicators. Implement security awareness training with monthly phishing simulation exercises that test your team's ability to recognize increasingly sophisticated attacks.

Technical controls include DNS filtering that blocks access to malicious sites even if someone clicks a phishing link, DMARC email authentication to prevent domain spoofing, and browser isolation technology that renders suspicious content in a sandboxed environment.

IRS Impersonation Warning

The IRS will never initiate contact via email, text message, or social media to request personal or financial information. All legitimate IRS communications about security issues arrive via official postal mail or through your IRS e-Services account. Any email claiming to be from the IRS is a phishing attempt.

3. Business Email Compromise (BEC) and Refund Fraud

Business Email Compromise attacks involve compromising or spoofing a trusted email account to manipulate the victim into transferring money or sensitive data. The FBI's Internet Crime Complaint Center (IC3) reports that BEC attacks resulted in $2.9 billion in losses in 2025, with tax professionals representing a disproportionately targeted sector.

In a tax context, an attacker might compromise a client's email account and send a request to change refund direct deposit information to an attacker-controlled account. By the time the legitimate client realizes their refund never arrived, the funds have been dispersed through a network of money mules and are unrecoverable.

Alternatively, attackers impersonate firm partners or senior preparers and instruct junior staff to send client data to an external email address "for an urgent meeting with a prospective client" or "for the accountant working on the year-end financials." Without proper verification procedures, well-meaning employees comply with what appears to be a legitimate request from management.

BEC Attack Chain

Sophisticated BEC attacks follow a methodical approach:

  1. Reconnaissance: Attackers research your firm's organizational structure, email naming conventions, and client relationships through LinkedIn, your website, and public records
  2. Infrastructure setup: They register lookalike domains (bellatorguard.com vs bellatorguard.net) or compromise a legitimate email account through credential theft
  3. Relationship building: They may monitor email communications for weeks to understand business processes and timing
  4. Attack execution: They send carefully crafted requests that match normal business communication patterns but include fraudulent instructions

Prevention requires implementing email authentication protocols: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC, defined in RFC 7489, builds on the SPF and DKIM results to verify that emails claiming to come from your domain were actually sent from your authorized mail servers, and tells receiving servers what to do with messages that fail.

Equally important: establish verbal verification procedures for any changes to financial information, including refund routing, payment instructions, or wire transfer details. A 30-second phone call to a known number (not one provided in the suspicious email) prevents catastrophic losses.

BEC Prevention Protocol

  1. Implement email authentication: Deploy DMARC, DKIM, and SPF records on your domain. Set DMARC policy to "quarantine" or "reject" to block spoofed emails claiming to come from your domain.
  2. Establish verbal verification: Require phone verification using a known number for any changes to banking information, refund routing, or wire transfers. Never use contact information from the email itself.
  3. Flag external emails: Configure email systems to add "[EXTERNAL]" warnings to messages originating outside your organization. This helps staff identify potential spoofing attempts.
  4. Monitor for lookalike domains: Use dark web monitoring services to detect registration of domains similar to yours that could be used in BEC attacks.
  5. Train staff on BEC tactics: Conduct quarterly training on BEC red flags: urgency, unusual requests, changes to established procedures, requests to bypass normal approval processes.
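The email authentication paragraph and step 1 of the protocol above say to publish SPF and DMARC and to move the DMARC policy off monitoring mode. The following added example (not code from the original article or from any vendor) is a small audit script that parses the two DNS TXT records and reports the weak settings a practitioner most often finds: an SPF record ending in "~all" instead of "-all", and a DMARC record at "p=none" or with a partial "pct=" rollout. The domain name, the records and the mail host are constructed; in practice the records would be fetched with a DNS lookup rather than read from a dictionary.

```python
import re

# Constructed TXT records for a hypothetical domain; not real DNS data.
# The first set is the "monitor only" configuration, the second the hardened one.
WEAK_RECORDS = {
    "example-taxfirm.com": "v=spf1 include:_spf.example-mailhost.test ~all",
    "_dmarc.example-taxfirm.com": "v=DMARC1; p=none; rua=mailto:dmarc@example-taxfirm.com",
}
HARDENED_RECORDS = {
    "example-taxfirm.com": "v=spf1 include:_spf.example-mailhost.test -all",
    "_dmarc.example-taxfirm.com": (
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-taxfirm.com; adkim=s; aspf=s"
    ),
}


def parse_dmarc(record):
    """Split a DMARC record of the form 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_domain(records, domain):
    """Return a list of findings for the domain; an empty list means it passes."""
    findings = []

    # SPF lives in a TXT record on the bare domain.
    spf = records.get(domain)
    if spf is None or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record found")
    elif not re.search(r"\s-all\s*$", spf):
        findings.append(
            "SPF: record does not end in -all; ~all or +all lets spoofed mail "
            "through with only a soft fail"
        )

    # DMARC lives in a TXT record on the _dmarc subdomain.
    dmarc_raw = records.get("_dmarc." + domain)
    if dmarc_raw is None:
        findings.append("DMARC: no _dmarc record; receivers have no policy to apply")
        return findings
    dmarc = parse_dmarc(dmarc_raw)
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: record must begin with v=DMARC1")
    policy = dmarc.get("p", "none")
    if policy not in ("quarantine", "reject"):
        findings.append(
            "DMARC: policy is p=%s; spoofed mail is reported but not blocked" % policy
        )
    pct = dmarc.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("DMARC: pct=%s applies the policy to only part of the mail" % pct)
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, audit_domain(recs, "example-taxfirm.com") or ["OK"])
```

The weak set produces two findings (soft-fail SPF and a monitoring-only DMARC policy); the hardened set produces none. Moving from "p=none" to "p=reject" should be done after reviewing aggregate reports, so that legitimate senders such as a newsletter or portal service are covered by SPF or DKIM before enforcement starts.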

4. Credential Theft and Account Takeover

Attackers steal login credentials through phishing, keylogger malware, credential stuffing attacks using passwords exposed in data breaches, or by purchasing credentials on dark web marketplaces. Once they have your tax software credentials, they can access your entire client database. If they obtain your IRS e-Services credentials, they can compromise your EFIN and file fraudulent returns under your professional identity.

The 2025 Verizon DBIR found that stolen credentials were involved in 49% of breaches, making credential compromise the second most common attack pattern after phishing (which itself is often used to steal credentials).

Credential stuffing attacks are particularly effective against tax professionals who reuse passwords across multiple services. Attackers use automated tools to test billions of username/password combinations obtained from breaches at unrelated companies. If you use the same password for your tax software that you used for a compromised retail website, attackers can access your professional systems without sophisticated hacking techniques.

Credential Protection Requirements

IRS Publication 4557 Section 2.3 specifically requires tax preparers to implement strong authentication controls:

  • Unique passwords for every account and system—no password reuse across services
  • Complex passwords meeting NIST SP 800-63B guidelines: minimum 12 characters (recommend 16+), mix of character types
  • Multi-factor authentication (MFA) on all systems containing taxpayer data, especially tax software and email
  • Periodic password changes when compromise is suspected or staff depart
  • Password manager usage to generate and store unique passwords securely

Prevention includes using unique, strong passwords for every account (generated and stored in an enterprise password manager like 1Password or Bitwarden), enabling multi-factor authentication on all systems (prioritizing authenticator apps or hardware keys over SMS), monitoring for compromised credentials through dark web monitoring services, and deploying endpoint protection that detects keylogger malware behavior.

For tax software specifically, the IRS requires MFA for all tax professionals accessing the EFIN system. Many tax software vendors now enforce MFA by default—attempting to disable it violates your software license agreement and creates liability in the event of a breach.

Multi-Factor Authentication Methods Compared

Comparison columns (Security Level, Pros, Cons) were not recovered; the methods compared are:

  • Hardware Security Key (FIDO2)
  • Authenticator App (TOTP)
  • Push Notification
  • SMS Text Code

5. Insider Threats: The Risk Within Your Organization

Not all threats come from outside your organization. Current or former employees, contractors, or business partners with access to your systems can intentionally or accidentally compromise client data. The 2025 Ponemon Cost of Insider Threats Study found that insider incidents cost organizations an average of $16.2 million annually, with malicious insiders accounting for 26% of incidents and negligent insiders responsible for 56%.

A disgruntled seasonal preparer who copies client files to a USB drive before leaving, an employee who falls for a phishing email and enters credentials into a fake portal, or a contractor who misconfigures cloud storage permissions can cause just as much damage as an external attacker—often more, because insiders have legitimate access that bypasses perimeter security controls.

Insider Threat Scenarios in Tax Practices

  • Data exfiltration: Employees copying client databases to personal devices before departing to start a competing practice
  • Credential sharing: Staff sharing login credentials with colleagues or family members, creating untracked access
  • Negligent data handling: Emailing tax returns to personal Gmail accounts to "work from home," exposing data outside your security controls
  • Unauthorized access: Employees accessing client files they have no business reason to view (celebrity clients, ex-spouses, neighbors)
  • Shadow IT: Using unauthorized cloud storage, file sharing, or communication tools that bypass your security policies

Prevention includes implementing least-privilege access controls (users only access systems and data necessary for their specific job function), promptly revoking access when employees depart (within 1 hour of termination, same day for resignations), monitoring user activity for unusual behavior (access at unusual hours, bulk downloads, accessing unrelated client files), and conducting background checks on all staff with access to sensitive data.

The FTC Safeguards Rule (16 CFR § 314.4) requires tax preparers to implement access controls and monitor for insider threats as part of their information security program. This includes maintaining audit logs of who accessed what data and when, with logs retained for at least 3 years.

Key Takeaway: Insider Access Control

56% of insider incidents involve negligence, not malice. Implement least-privilege access, monitor unusual activity, and revoke access immediately when staff depart. The FTC Safeguards Rule requires documented access controls and audit logging.

6. Remote Desktop Protocol (RDP) Exploitation

Many tax practices use Remote Desktop Protocol to allow remote access to office computers, enabling work from home or access to desktop tax software from outside the office. Exposed RDP services are a favorite target for attackers, who use brute force attacks (automated attempts to guess passwords) or stolen credentials to gain access.

Once inside via RDP, attackers have the same access as if they were physically sitting at your computer. They can access tax software, client files, email, and use your system as a launching point for attacks against other systems on your network. RDP is one of the top three initial access vectors in ransomware attacks, according to the Cybersecurity and Infrastructure Security Agency (CISA).

The problem is exacerbated by tax professionals using weak passwords on RDP accounts (the same password used for years, or simple passwords like "TaxPro2026"), exposing RDP directly to the internet without additional security layers, and failing to monitor login attempts for brute force patterns.

RDP Security Requirements

If your practice uses RDP, NIST SP 800-46 and IRS Publication 4557 require these security controls:

  • Never expose RDP directly to the internet—use a VPN as a gateway, requiring VPN authentication before RDP access is possible
  • Enable Network Level Authentication (NLA)—requires authentication before a full RDP session is established, preventing some exploit techniques
  • Implement account lockout policies—lock accounts after 5 failed login attempts to prevent brute force attacks
  • Require strong passwords and MFA—minimum 16 characters for RDP accounts, with MFA enforced through the VPN layer
  • Use non-standard ports—while security through obscurity isn't a primary defense, using a port other than default 3389 reduces automated scanning
  • Monitor and alert on RDP login attempts—log all RDP connections and alert on failed attempts or connections from unusual locations
  • Restrict RDP access by IP address—if users always connect from known locations, whitelist only those IP ranges
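The checklist asks for account lockout after 5 failed attempts, alerting on failed RDP logons, and restricting access to known IP ranges. As an added example (not code from the original article), the script below applies those three rules to an export of Windows Security log events: Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 (RemoteInteractive) identifies RDP sessions. The event lines, the attacker and office addresses, and the allowlisted network are all constructed; the line format is a simplified five-field export, not the native event XML.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of exported Security log events, simplified to
# "timestamp event_id account source_ip logon_type". 203.0.113.42 is a made-up
# outside host hammering the service; 192.0.2.10 is a made-up office workstation.
SAMPLE_EVENTS = """\
2026-03-14T02:11:05 4625 administrator 203.0.113.42 10
2026-03-14T02:11:09 4625 administrator 203.0.113.42 10
2026-03-14T02:11:14 4625 admin 203.0.113.42 10
2026-03-14T02:11:20 4625 taxadmin 203.0.113.42 10
2026-03-14T02:11:27 4625 jsmith 203.0.113.42 10
2026-03-14T02:11:33 4625 jsmith 203.0.113.42 10
2026-03-14T02:12:01 4624 jsmith 203.0.113.42 10
2026-03-14T08:59:40 4624 mlee 192.0.2.10 10
2026-03-14T09:03:12 4625 mlee 192.0.2.10 10
2026-03-14T09:03:30 4624 mlee 192.0.2.10 10
2026-03-14T13:20:00 4624 mlee 198.51.100.7 10
"""

# Constructed allowlist: the networks staff are expected to connect from.
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

FAIL_THRESHOLD = 5              # same threshold as the lockout policy above
WINDOW = timedelta(minutes=10)  # failures older than this no longer count


def parse_events(text):
    """Turn the export into (timestamp, event_id, account, ip, logon_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, ip, logon_type = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, ip, int(logon_type)))
    return events


def detect_rdp_threats(events, known_networks):
    """Return alerts as (source_ip, kind, iso_timestamp) in time order."""
    alerts = []
    recent_fails = defaultdict(deque)   # source ip -> timestamps inside WINDOW
    flagged = set()                     # ips already reported for brute force
    for ts, event_id, account, ip, logon_type in sorted(events):
        if logon_type != 10:            # only RDP sessions are of interest here
            continue
        if event_id == 4625:
            window = recent_fails[ip]
            window.append(ts)
            while ts - window[0] > WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "brute_force", ts.isoformat()))
        elif event_id == 4624:
            if ip in flagged:
                # A success right after a burst of failures is the case to escalate.
                alerts.append((ip, "success_after_brute_force", ts.isoformat()))
            elif not any(ipaddress.ip_address(ip) in net for net in known_networks):
                alerts.append((ip, "login_from_unknown_network", ts.isoformat()))
    return alerts


def analyze_sample():
    return detect_rdp_threats(parse_events(SAMPLE_EVENTS), KNOWN_NETWORKS)


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

On the sample the fifth failure from 203.0.113.42 at 02:11:27 raises the brute-force alert, the successful logon from the same address 34 seconds later is escalated, and the afternoon logon from a network outside the allowlist is flagged on its own; the single failed attempt from the office workstation stays below threshold and is ignored.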

Better alternatives to exposed RDP include using a VPN for remote access, implementing remote desktop gateway services with additional authentication layers, or migrating to cloud-based tax software that eliminates the need for direct system access entirely.

RDP Exposure Alert

Is your RDP exposed to the internet? Check by searching your public IP address on Shodan.io or have your IT provider run a scan. If RDP port 3389 is publicly accessible, you are actively being scanned by attackers. Implement VPN access or disable external RDP access immediately.

7. SQL Injection and Web Application Attacks

Tax practices using web-based client portals, intake forms, or custom applications face SQL injection and other web application attacks. SQL injection occurs when an application builds a database query by pasting user-supplied text into the SQL statement; input containing quotes or SQL syntax then changes the structure of the query, letting an attacker read or manipulate the database directly.

A successful SQL injection attack against your client portal could expose your entire client database, including names, Social Security numbers, tax returns, and financial records. According to the OWASP Top 10 2021, injection attacks remain one of the most critical web application security risks.

Prevention requires secure coding practices including parameterized queries (prepared statements that separate code from data), input validation and sanitization on all user-submitted data, least-privilege database accounts (web applications should not connect to databases with administrative credentials), and regular web application security testing including automated scanning and manual penetration testing.
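As an added example (not code from the original article or from any portal vendor), the following Python sqlite3 script shows the defect and the fix side by side: a client lookup that formats the email address into the SQL text, and the same lookup using a parameterized query, with an allowlist validator as the second layer the paragraph describes. The table, the two rows, and the function names are constructed. Least-privilege database accounts cannot be shown with an in-memory SQLite file; that control is a server-side grant on the DBMS the portal actually uses.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a client-portal database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO clients (email, ssn_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The 'before' pattern: the value is spliced into the SQL text, so a value
    containing a quote character alters the WHERE clause instead of being data."""
    sql = "SELECT email, ssn_last4 FROM clients WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: the query text is fixed and the value travels separately as a
    bound parameter, so it can never be parsed as SQL."""
    sql = "SELECT email, ssn_last4 FROM clients WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_email(value):
    """Allowlist validation as a second layer: reject anything that is not shaped
    like an address before it reaches the query. Not a substitute for parameters."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def lookup_hardened(conn, email):
    if not is_valid_email(email):
        raise ValueError("invalid email address")
    return lookup_parameterized(conn, email)


def demo_results(tampered="x' OR '1'='1"):
    """Run both lookups against the same tampered input and report what each returns."""
    conn = build_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, tampered)),
        "parameterized_rows": len(lookup_parameterized(conn, tampered)),
        "validator_accepts": is_valid_email(tampered),
    }


if __name__ == "__main__":
    print(demo_results())
```

With the tampered input the vulnerable lookup returns every row in the table, the parameterized lookup returns none (no client has that literal string as an address), and the validator rejects the input before the query is even built. The same pattern applies to any driver: the query carries placeholders, the values are passed as a separate argument.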

If you use a third-party client portal or tax software vendor's web interface, verify they undergo annual penetration testing and maintain SOC 2 Type II certification. Ask for their latest security audit report and confirm they follow OWASP secure development guidelines.

8. Wi-Fi Eavesdropping and Network Attacks

Unsecured or poorly secured wireless networks allow attackers to intercept data transmitted over the network. If your office Wi-Fi uses weak encryption (WEP, or WPA with a weak password), or if you're using a shared password that hasn't been changed in years, an attacker in a nearby car or building could intercept client data as it moves across your network.

This is particularly dangerous in shared office buildings where your wireless network may overlap with neighboring businesses, or in retail tax preparation locations in shopping centers where public foot traffic provides cover for attackers conducting wireless reconnaissance.

Wireless Network Security Requirements

NIST SP 800-153 provides wireless security guidelines for organizations handling sensitive data:

  • Use WPA3 encryption (or WPA2 at minimum)—WEP and WPA with TKIP are trivially broken by modern attack tools
  • Implement a strong, unique Wi-Fi password—minimum 20 characters, changed annually and whenever staff depart
  • Separate guest and business networks—client waiting room Wi-Fi should be completely isolated from your business network
  • Disable WPS (Wi-Fi Protected Setup)—this convenience feature has known vulnerabilities that allow password bypass
  • Hide SSID broadcast for business networks—while not a primary security control, it reduces casual visibility
  • Use certificate-based authentication (802.1X) for enterprise deployments—eliminates shared password vulnerabilities
  • Monitor for rogue access points—detect unauthorized wireless devices connected to your network

For handling truly sensitive transactions (bulk client data transfers, tax software logins when traveling, accessing client portals from uncertain networks), use a VPN that encrypts all traffic regardless of the underlying network security.

9. Physical Theft and Loss of Devices

Stolen laptops, lost USB drives, and break-ins at tax offices result in data breaches that must be reported under state notification laws. A single stolen laptop containing unencrypted client data can affect hundreds or thousands of taxpayers, triggering notification requirements in all 50 states plus potential IRS reporting obligations.

The average cost of a data breach involving lost or stolen devices is $3.86 million according to IBM's Cost of Data Breach Report, but for tax professionals, the real cost is in client notification expenses, regulatory penalties, reputational damage, and potential PTIN suspension.

State data breach notification laws vary, but generally require notification to affected individuals within 30-90 days of discovery. If the stolen device contained 500+ Massachusetts residents' data, you must also notify the Massachusetts Attorney General and local media. If it contained 500+ records nationally, you must notify major credit bureaus. These notification requirements alone can cost $50,000-$100,000 for a mid-sized tax practice.

Physical Security Controls

Prevention includes encrypting all devices and removable media with full-disk encryption (BitLocker for Windows, FileVault for macOS), enabling remote wipe capability on laptops and mobile devices through Microsoft Intune or similar MDM platforms, implementing physical security controls at your office (alarmed entry, locked file cabinets for backup media, security cameras), and avoiding storing client data on portable devices whenever possible.

IRS Publication 4557 Section 3.2 specifically requires encryption of all portable devices and removable media containing taxpayer data. This isn't optional—if your laptop is stolen and wasn't encrypted, you've violated IRS security requirements and face potential PTIN consequences.

For mobile tax preparers who work at client locations, use encrypted cloud storage rather than storing files locally on devices that could be stolen from vehicles. If local storage is necessary, use FIPS 140-2 validated encryption solutions and maintain a current inventory of all devices containing client data.

Physical Security Checklist for Tax Practices

  • Enable full-disk encryption (BitLocker/FileVault) on all laptops and desktops
  • Encrypt all USB drives and external hard drives containing client data
  • Implement mobile device management (MDM) with remote wipe capability
  • Install and monitor security cameras covering entry points and work areas
  • Use lockable file cabinets for physical documents and backup media
  • Implement badge access or keypad entry for office entry after hours
  • Maintain current device inventory with serial numbers and encryption status
  • Establish clean desk policy—no client documents left visible overnight
  • Use privacy screens on monitors in public-facing areas
  • Shred all documents containing taxpayer data before disposal

10. Supply Chain Attacks and Third-Party Risk

Attackers compromise a software vendor or service provider that your practice relies on, using that access as a pathway into your systems. If your tax software vendor, cloud storage provider, or IT service company is breached, the attackers may gain access to your data through the trusted connection between your systems and theirs.

The 2020 SolarWinds attack demonstrated the devastating scale of supply chain compromises—attackers infiltrated SolarWinds' software development process and distributed malware through trusted software updates to 18,000+ organizations. While SolarWinds targeted enterprise and government networks, the same attack pattern applies to tax software vendors whose updates are automatically installed by tens of thousands of tax professionals.

More recently, the 2023 MOVEit Transfer vulnerability affected thousands of organizations through a single secure file transfer vendor. When attackers discovered a zero-day vulnerability in MOVEit, they systematically exploited it across the vendor's entire customer base, stealing data from hundreds of companies simultaneously.

Third-Party Risk Management

The FTC Safeguards Rule requires tax preparers to assess and address third-party service provider risks. This includes:

  • Vetting security practices of all vendors and service providers before engagement—request SOC 2 Type II reports, penetration test results, and security policies
  • Limiting access granted to third-party software and services—principle of least privilege applies to vendor access just as it does to employees
  • Reviewing vendor contracts for security requirements, incident notification obligations, and liability provisions
  • Monitoring for unusual activity from vendor connections—log all third-party access and investigate anomalies
  • Maintaining independent backups not controlled by vendors—if your cloud storage provider is compromised, your offline backup remains safe
  • Requiring vendor notification of security incidents within 24-72 hours
  • Annual vendor security reassessment—review SOC 2 reports and security questionnaires yearly

For cloud services, verify the provider maintains compliance certifications relevant to your industry (SOC 2 Type II, ISO 27001, potentially FedRAMP if handling government data). Ask specifically about their incident response procedures, data backup and recovery capabilities, and whether they maintain cyber insurance covering customer data breaches.

Your Written Information Security Plan (WISP) must document your third-party risk management process per IRS Publication 4557 Section 4.2. This includes maintaining an inventory of all vendors with access to taxpayer data and evidence of security due diligence.

Emerging Threats: What's Coming in 2026

As we move deeper into 2026, several emerging threats are becoming increasingly prevalent in attacks against tax professionals:

AI-Powered Social Engineering

Attackers are using generative AI to create highly convincing phishing emails that adapt to the recipient's communication style, write in perfect English with no obvious grammar errors, and reference specific details scraped from social media and public records. These AI-generated phishing campaigns are harder to detect because they lack the traditional red flags (poor grammar, generic greetings) that training programs teach employees to recognize.

Deepfake voice and video technology allows attackers to impersonate executives, partners, or clients with frightening accuracy. In 2025, the FBI reported a 300% increase in vishing (voice phishing) attacks using AI-generated voices, with tax professionals specifically targeted during filing season.

Cryptocurrency Ransomware Evolution

Ransomware gangs are demanding payments in privacy-focused cryptocurrencies (Monero, Zcash) that are harder to trace than Bitcoin. They're also implementing "double extortion" tactics—encrypting your data AND threatening to publish it publicly if you don't pay. For tax professionals, this means attackers can threaten to release thousands of taxpayer records publicly, creating regulatory notification requirements even if you successfully restore from backups.

Cloud Account Takeover

As tax practices migrate to cloud-based tax software and storage, attackers are shifting focus to cloud account compromise. By stealing credentials to cloud platforms (Microsoft 365, Google Workspace, Drake Tax cloud), attackers gain access to email, client files, and tax software simultaneously. Cloud account takeover is particularly dangerous because it bypasses traditional perimeter security and can persist even after you change passwords if attackers establish alternative access methods (OAuth tokens, application passwords, forwarding rules).
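Of the persistence methods listed above, mailbox forwarding rules are the one a practice can audit from an export without vendor tooling. The following added example (not code from the original article or from Microsoft or Google) reads a list of inbox rules as JSON and flags rules that forward or redirect mail outside the firm's domains, that delete the message after forwarding, or that carry a blank or punctuation-only name. The rules and the domains are constructed, and the field names (displayName, isEnabled, actions.forwardTo, actions.redirectTo, actions.delete) are an assumed export shape loosely modelled on a mailbox-rule object; map them to whatever your platform's export actually produces.

```python
import json

# Constructed: the domains the firm legitimately sends mail to internally.
ORG_DOMAINS = {"example-taxfirm.com"}

# Constructed export of four inbox rules; the second one is the takeover pattern.
SAMPLE_RULES_JSON = json.dumps([
    {"displayName": "File client receipts", "isEnabled": True,
     "actions": {"moveToFolder": "Receipts"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyContains": ["refund", "invoice", "wire"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive-backup@example-webmail.test"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Partner copy", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "partner@example-taxfirm.com"}}]}},
    {"displayName": "Old forward", "isEnabled": False,
     "actions": {"forwardTo": [{"emailAddress": {"address": "me@example-webmail.test"}}]}},
])

FORWARDING_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")


def _addresses(recipients):
    """Pull lowercase addresses out of a recipient list (empty if absent)."""
    return [r["emailAddress"]["address"].lower() for r in recipients or []]


def audit_rules(rules_json, org_domains):
    """Return (rule_name, [reasons]) for every enabled rule that looks suspicious."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("isEnabled", True):
            continue                       # disabled rules cannot leak mail
        actions = rule.get("actions", {})
        targets = []
        for action in FORWARDING_ACTIONS:
            targets.extend(_addresses(actions.get(action)))
        external = [a for a in targets if a.split("@")[-1] not in org_domains]

        reasons = []
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        if external and actions.get("delete"):
            reasons.append("deletes the message after forwarding, hiding it from the owner")
        if not rule.get("displayName", "").strip(" .-_"):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append((rule.get("displayName", ""), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES_JSON, ORG_DOMAINS):
        print(repr(name), "->", reasons)
```

On the sample only the second rule is reported, with all three reasons; the internal redirect to a partner is left alone and the disabled rule is skipped. Run this against every mailbox after a credential reset, since a rule created before the password change keeps working afterwards, and pair it with a review of OAuth consents and application passwords, which this script does not cover.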

Mobile Tax Software Threats

Mobile tax preparation apps introduce new attack surfaces. Attackers target mobile devices with malware that captures tax software logins, intercepts SMS-based MFA codes, and screenshots sensitive data. Mobile devices also face greater physical theft risk than desktop systems, and many tax preparers fail to implement adequate mobile security controls (encryption, MDM, remote wipe).

Building a Layered Defense Strategy

No single security control can prevent all attacks. Effective tax preparer security requires a layered approach that combines technical controls, processes, and people:

  • Technical controls: EDR/MDR endpoint protection, email filtering, DNS filtering, MFA, encryption, patch management, network segmentation
  • Process controls: Written Information Security Plan (WISP), incident response plan, backup and recovery procedures, access control policies, vendor risk management
  • People controls: Security awareness training, phishing simulations, role-based access, background checks, security culture

The IRS Security Summit provides a "Security Six" framework specifically for tax professionals: antivirus software, firewall, two-factor authentication, backup, encryption (for sensitive data), and security awareness training. These six controls address the majority of attacks targeting tax practices.

For comprehensive protection aligned with IRS Publication 4557 requirements, consider implementing the NIST Cybersecurity Framework (CSF) 2.0. The framework provides a structured approach to identifying assets, protecting systems, detecting threats, responding to incidents, and recovering from attacks.

Implementing the Security Six for Tax Pros

  1. Deploy endpoint protection (EDR/antivirus): Install business-grade endpoint detection and response (EDR) on all devices. Consumer antivirus is insufficient for practices handling taxpayer data. Update signatures daily and enable real-time protection.
  2. Configure firewall protection: Enable firewalls on all devices and at the network perimeter. Configure rules to block unnecessary inbound connections and segment tax software systems from the general office network.
  3. Enable multi-factor authentication (MFA): Implement MFA on all systems containing taxpayer data: tax software, email, cloud storage, remote access. Use authenticator apps or hardware keys rather than SMS.
  4. Establish backup procedures: Implement 3-2-1 backup: 3 copies of data, 2 different media types, 1 offline/offsite. Test restoration quarterly. Maintain daily backups during tax season.
  5. Encrypt sensitive data: Enable full-disk encryption on all devices. Encrypt portable media and backup drives. Use TLS/SSL for data in transit. Encrypt cloud storage with client-side keys when possible.
  6. Conduct security awareness training: Train all staff on cybersecurity threats quarterly. Run monthly phishing simulations. Require annual IRS Security Summit security awareness courses for all preparers.

Regulatory Compliance and Incident Response

Understanding these threats is only half the battle—you must also understand your legal obligations when incidents occur. Tax professionals face regulatory requirements from multiple sources:

IRS Requirements (Publication 4557)

IRS Publication 4557 ("Safeguarding Taxpayer Data") establishes minimum security requirements for all tax preparers. Key requirements include:

  • Written Information Security Plan (WISP) documenting your security program
  • Security awareness training for all employees with access to taxpayer data
  • Physical, administrative, and technical safeguards for taxpayer information
  • Incident response procedures and reporting obligations
  • Annual security review and WISP updates

Failure to comply can result in PTIN suspension, preventing you from preparing returns and effectively shutting down your practice. The IRS can also refer serious violations to the Office of Professional Responsibility for disciplinary action.

FTC Safeguards Rule (16 CFR § 314)

The FTC Safeguards Rule applies to tax preparers as "financial institutions" under the Gramm-Leach-Bliley Act. Requirements include:

  • Designating a qualified individual to oversee your information security program
  • Risk assessment identifying reasonably foreseeable internal and external threats
  • Safeguards to control identified risks
  • Regular monitoring and testing of safeguards
  • Vendor oversight and third-party risk management
  • Incident response planning
  • Annual reporting to senior management/ownership

The updated rule (effective June 2023) added specific requirements for multi-factor authentication, encryption of data in transit and at rest, and penetration testing for larger firms.

State Data Breach Notification Laws

All 50 states plus DC, Puerto Rico, and the Virgin Islands have data breach notification laws with varying requirements. Generally, you must notify affected individuals within 30-90 days of discovering a breach. Some states (California, Massachusetts, New York) have additional requirements:

  • Attorney General notification
  • Media notification for large breaches (500+ residents)
  • Credit bureau notification
  • Specific content requirements for notification letters
  • Offering credit monitoring services to affected individuals

Your incident response plan must address these notification requirements to ensure timely compliance when breaches occur.

Protect Your Tax Practice From Cyber Threats

Bellator Cyber Guard specializes in cybersecurity for tax professionals. We'll evaluate your current security posture, identify vulnerabilities, and implement the technical controls and processes required by IRS Publication 4557 and the FTC Safeguards Rule. Our managed endpoint security solutions include 24/7 monitoring, incident response, and WISP development tailored to tax practices.

Frequently Asked Questions

Phishing emails remain the most common attack vector, responsible for 94% of successful breaches according to the Verizon 2025 Data Breach Investigations Report. Tax professionals receive phishing emails impersonating the IRS, tax software vendors, clients, and financial institutions, with attack volume spiking 340% during tax season (January through April).

You can check if your RDP is publicly accessible by searching your public IP address on Shodan.io, a search engine for internet-connected devices. If port 3389 appears in the results, your RDP is exposed and actively being scanned by attackers. Alternatively, ask your IT provider to run an external port scan. If RDP is exposed, implement VPN access immediately or disable external RDP access entirely.

Immediately disconnect affected devices from the network (unplug ethernet, disable Wi-Fi) to prevent ransomware from spreading to other systems and servers. Do NOT power off the device as this may destroy forensic evidence. Contact your IT provider or cybersecurity firm immediately for incident response assistance. Do not attempt to remove the ransomware yourself or pay the ransom without professional guidance. Report the incident to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov.

The IRS does not have a specific breach notification requirement, but you must report to your local IRS Stakeholder Liaison if taxpayer data was compromised. Additionally, if the breach involved theft of client data that could be used for tax fraud, you should report to the IRS Identity Theft victim assistance at 800-908-4490. You are also required to notify affected taxpayers under state data breach notification laws and may need to file reports with state attorneys general depending on your location and the number of affected residents.

IRS Publication 4557 requires you to review and update your WISP at least annually. However, you should also update it whenever significant changes occur: adding new technology systems, hiring employees, changing business processes, experiencing a security incident, or when new regulations take effect. Many tax professionals conduct WISP reviews in November or December before tax season begins to ensure all security controls are current.

Tax preparers should obtain cyber liability insurance covering first-party costs (incident response, forensics, notification, credit monitoring, business interruption) and third-party liability (lawsuits from affected taxpayers, regulatory fines and penalties, settlements). Look for policies with minimum $1M coverage that specifically cover tax and accounting firms. Many carriers require specific security controls (MFA, EDR, employee training, WISP) to qualify for coverage, and some exclude ransomware if you don't maintain offline backups.

Cloud-based tax software can be more secure IF the vendor maintains proper security controls including SOC 2 Type II compliance, data encryption, MFA enforcement, and redundant backups. Cloud software eliminates some risks (no local data storage if device is stolen, automatic updates, professional security management) but introduces others (cloud account takeover, vendor breaches, internet dependency). The security depends more on the vendor's practices and your account security (strong passwords, MFA) than the deployment model itself. Review the vendor's security documentation and compliance certifications before selecting cloud software.

Yes, in certain circumstances. If you operate as a sole proprietorship or partnership without adequate professional liability insurance, you may face personal liability for breach-related damages. The FTC can pursue personal liability against officers and directors who fail to implement reasonable security practices. Additionally, state attorneys general can seek penalties against individual preparers in some jurisdictions. The IRS can suspend your PTIN, effectively preventing you from earning income as a tax preparer. Proper business structuring (LLC, S-Corp), professional liability insurance, and cyber insurance help protect against personal liability.

Business Email Compromise (BEC) involves attackers compromising or spoofing a trusted email account to manipulate victims into transferring money or sensitive data. In tax practices, attackers often impersonate clients requesting refund routing changes or firm partners instructing staff to send client files externally. Prevention requires implementing email authentication (DMARC, DKIM, SPF), establishing verbal verification procedures for any financial changes, flagging external emails with warnings, and training staff to recognize BEC tactics including urgency, unusual requests, and requests to bypass normal procedures.
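The email authentication mentioned above is only a control if the published records are strict. The block below is an added example, not code from the article or from Bellator Cyber Guard: it evaluates a domain's SPF and DMARC records for the settings that leave spoofing unenforced (a softfail or missing "all" mechanism, a DMARC policy of p=none, a partial pct=, or no reporting address). It works on record strings, so the constructed sample records at the bottom run without network access; the Get-EmailAuthPosture wrapper (an assumed name) uses Resolve-DnsName for a live lookup of your own domain. DKIM cannot be enumerated without knowing the selector names your mail provider uses, so it is not checked here.

```powershell
# Added example (not from the article): evaluate SPF and DMARC records for weak settings
# that leave BEC spoofing unenforced. Works on record strings; the live lookup needs the
# Windows DnsClient module (Resolve-DnsName). Sample records below are constructed.

function Test-SpfRecord {
    param([string]$Record)
    if (-not $Record) { return 'SPF: no record; any server can send mail as this domain' }
    if ($Record -notmatch '^v=spf1') { return 'SPF: record does not start with v=spf1 (invalid)' }
    $terms = $Record.Trim() -split '\s+'
    # The last "all" mechanism decides what happens to senders not listed before it
    $all = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    if (-not $all) { return "SPF: weak; no 'all' mechanism, so unlisted senders are neutral" }
    switch -Regex ($all) {
        '^-all$'   { return 'SPF: ok; -all hard-fails unauthorized senders' }
        '^~all$'   { return 'SPF: weak; ~all softfail, receivers may still deliver spoofed mail' }
        '^\?all$'  { return 'SPF: weak; ?all expresses no policy' }
        '^\+?all$' { return 'SPF: broken; +all authorizes every sender on the internet' }
    }
}

function Test-DmarcRecord {
    param([string]$Record)
    if (-not $Record) { return @('DMARC: no record; receivers will not enforce SPF/DKIM alignment') }
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    $out = @()
    $policy = "$($tags['p'])".ToLower()
    switch ($policy) {
        'reject'     { $out += 'DMARC: ok; p=reject' }
        'quarantine' { $out += 'DMARC: acceptable; p=quarantine sends spoofed mail to spam rather than rejecting it' }
        'none'       { $out += 'DMARC: weak; p=none only monitors, spoofed mail is still delivered' }
        default      { $out += 'DMARC: invalid; missing or unknown p= tag' }
    }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) {
        $out += "DMARC: weak; pct=$($tags['pct']) applies the policy to only part of the mail"
    }
    if (-not $tags['rua']) { $out += 'DMARC: no rua= address; you will get no aggregate reports of spoofing attempts' }
    return $out
}

# Live lookup for your own domain (assumed function name; Windows only)
function Get-EmailAuthPosture {
    param([Parameter(Mandatory)][string]$Domain)
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    Test-SpfRecord $spf
    Test-DmarcRecord $dmarc
}

# Constructed sample records (example.com/example.net are reserved names, not real practices):
$weak = @{ spf = 'v=spf1 include:_spf.example.net ~all'; dmarc = 'v=DMARC1; p=none; pct=50' }
$hard = @{ spf = 'v=spf1 include:_spf.example.net -all'; dmarc = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com' }
foreach ($cfg in @($weak, $hard)) {
    Test-SpfRecord $cfg.spf
    Test-DmarcRecord $cfg.dmarc
    ''
}
# Get-EmailAuthPosture -Domain 'example.com'
```

The weak sample produces three findings (softfail, p=none, pct=50) plus the missing rua= warning; the hardened sample reports SPF and DMARC as ok. Moving from p=none to p=reject should be staged: publish rua= first, review the aggregate reports to find legitimate senders (payroll, e-signature, tax software notifications) that are not yet in the SPF record, then raise the policy.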

IRS regulations require retaining tax returns and supporting documentation for at least 3 years from the filing date (or due date if later). Many states require 6-7 year retention. For liability protection, most tax professionals retain client data for 7 years. Your backup retention should align with this requirement—maintain backups covering at least the retention period. However, longer retention increases your data breach risk and notification obligations. Consider secure disposal procedures for data beyond the retention period, and document your retention schedule in your WISP per FTC Safeguards Rule requirements.
