
Top Security Threats for Tax Preparers Right Now

Protect your practice from the top tax preparer security threats in 2026—ransomware, phishing, BEC, and more. IRS-compliant defenses explained.


Why Tax Professionals Are Prime Targets for Cybercriminals

Tax professionals are under constant assault from cybercriminals who understand the extraordinary value of the data these practitioners handle. From Social Security numbers and financial records to employer identification numbers and banking information, a tax preparer's systems contain everything needed to commit identity theft, tax fraud, and financial crimes on a massive scale.

The IRS reported over 6,400 data thefts targeting tax professionals in a recent year, with attackers stealing an average of 400 taxpayer records per incident. These breaches don't just compromise client data—they can result in EFIN suspension, state penalties up to $250,000, and permanent reputational damage that destroys practices built over decades.

Understanding the specific tax preparer security threats targeting your practice right now is essential to building an effective defense that meets IRS Publication 4557 security requirements and protects your clients, your business, and your professional credentials. Below are the ten most active threats—and the specific controls that stop them.

Tax Preparer Cybersecurity By The Numbers

  • 6,400+ IRS-reported tax professional data thefts per year, targeting preparers nationwide (IRS Security Summit)
  • 400 taxpayer records stolen on average per tax preparer breach (IRS Security Summit)
  • 340% ransomware spike during tax season: January through April attack increase targeting filing deadlines
  • $2.9B in Business Email Compromise losses in 2025 (FBI Internet Crime Complaint Center)

1. Ransomware Attacks Targeting Tax Season Deadlines

Ransomware encrypts your files and demands payment for the decryption key. For tax professionals, this means losing access to every client record, tax return, and business document simultaneously—typically during the most pressured weeks before filing deadlines when you're most vulnerable. Attackers know that tax practices operate under tight IRS deadlines and may be more willing to pay quickly to restore operations.

Ransomware attacks against tax professionals spike 340% during tax season (January through April), with attackers specifically timing their campaigns to maximize pressure. The average ransom demand against small tax practices runs into tens of thousands of dollars, and even paying is no guarantee of recovery: ransomware incident surveys consistently find that only around 65% of victims who pay recover their files, and a substantial share of those who do still find corrupted or incomplete data. The FBI advises against paying at all, since payment funds further attacks and does not remove the attacker's copy of your data.

The most common delivery mechanisms include phishing emails with malicious attachments disguised as client documents or IRS notices, compromised Remote Desktop Protocol (RDP) connections, malicious macros embedded in Excel or Word files, and software vulnerabilities in unpatched tax software or operating systems. Drive-by downloads from fake IRS form repositories round out the top attack vectors.

Prevention requires a layered approach. The 3-2-1 backup rule remains the baseline, and NIST SP 800-184 (Guide for Cybersecurity Event Recovery) is the reference for planning the recovery those backups support: maintain three copies of data, on two different media types, with one copy stored offline or otherwise immutable so that ransomware running with your credentials cannot encrypt or delete it. For tax professionals, this means daily backups during tax season with weekly offline rotation, plus a periodic test restore, because a backup that has never been restored is an assumption, not a control. Pair tested offline backups with an Endpoint Detection and Response (EDR) solution that detects ransomware behavior patterns (mass file renames, shadow copy deletion) before encryption completes, and patch all software within 72 hours of each security release. Our complete ransomware protection guide for tax practices covers layered defense implementation in detail.

Tax Season Ransomware Warning

Ransomware gangs actively monitor IRS filing deadlines and time their attacks for maximum pressure—typically the two weeks before April 15 and the October 15 extension deadline. Verify your offline backups are current and tested before each deadline period, and confirm your EDR is active on every workstation and server handling taxpayer data.

2. Phishing and Spear Phishing: The Primary Attack Vector

Phishing remains the most common initial attack vector: the Verizon Data Breach Investigations Report (DBIR) consistently ranks it, together with stolen credentials, among the leading ways attackers get in, and most of those credentials are stolen by phishing in the first place. Generic phishing campaigns cast a wide net with mass emails, while spear phishing targets specific individuals with personalized messages built from reconnaissance on your firm, your staff, and your clients.

Tax professionals receive phishing emails impersonating the IRS (including fake CP2000 notices and PTIN suspension warnings), tax software vendors such as Intuit, Drake, and Thomson Reuters, clients requesting status updates, and financial institutions. During filing season, some tax offices report 50–100 phishing attempts per day in March and April.

The IRS Security Summit has identified several emerging phishing tactics targeting preparers in 2026. AI-generated voice phishing (vishing) uses deepfake audio of partners or clients requesting urgent file access. QR code phishing arrives in physical mail claiming to be IRS security updates requiring mobile scanning. Multi-channel attacks combine email, text messages, and phone calls to establish false legitimacy. Tax software update scams deliver credential-stealing malware disguised as mandatory security patches. Client portal spoofing replicates your secure client portal login page to harvest credentials at scale. Our guide to how phishing attacks work covers each of these tactics with detection guidance.

Defense requires technical controls combined with human awareness. Deploy email filtering that blocks known malicious domains and analyzes message headers for spoofing indicators. Use DNS filtering to block access to malicious sites even when someone clicks a link. Implement DMARC (Domain-based Message Authentication, Reporting, and Conformance) email authentication in enforcement mode—not just monitoring—to prevent domain spoofing. For the human layer, pair security awareness training with monthly phishing simulation exercises that test your team's ability to recognize increasingly sophisticated attacks.

Phishing Defense Checklist for Tax Practices

  • Configure SPF, DKIM, and DMARC records on your email domain, with the DMARC policy set to p=quarantine or p=reject rather than the monitoring-only p=none
  • Enable email filtering that scans attachments and blocks known malicious domains
  • Implement DNS filtering to block malicious site access even after a link is clicked
  • Conduct monthly phishing simulation exercises for all staff with access to client data
  • Train staff to verify unexpected requests from partners or clients by phone—not reply email
  • Never install tax software updates delivered by email without verifying through the vendor's official website
  • Report all suspected phishing attempts to the IRS at phishing@irs.gov

3. Business Email Compromise (BEC) and Refund Fraud

Business Email Compromise (BEC) attacks involve compromising or spoofing a trusted email account to manipulate the victim into transferring money or sensitive data. The FBI's Internet Crime Complaint Center (IC3) reports $2.9 billion in BEC losses in 2025, with tax professionals representing a disproportionately targeted sector.

In a tax context, an attacker might compromise a client's email account and send a request to change refund direct deposit information to an attacker-controlled account. By the time the legitimate client realizes their refund never arrived, the funds have been moved through a network of money mules and are unrecoverable. Alternatively, attackers impersonate firm partners or senior preparers and instruct junior staff to send client data to an external email address for an "urgent meeting with a prospective client." Without proper verification procedures, well-meaning employees comply with what appears to be a legitimate management request.

Prevention starts with email authentication: SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) together let receiving mail servers verify that a message claiming to come from your domain was sent by your authorized mail servers and signed with your key. Note what these do not cover: mail from a genuinely compromised client or partner mailbox passes every check, and a lookalike domain the attacker registered authenticates perfectly as itself. That is why the second control matters more: establish verbal verification procedures for any changes to financial information, including refund routing, payment instructions, or wire transfer details. A 30-second phone call to a known number, not a number provided in the suspicious email, prevents catastrophic, unrecoverable losses. For a deeper look at the social engineering tactics behind BEC attacks, including pre-attack reconnaissance methods, see our social engineering defense guide.
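The checklist item in the phishing section and the paragraph above both ask for DMARC "in enforcement mode", which is easy to claim and easy to get wrong. The following Python checker is an added example, not code from the original page: it evaluates SPF and DMARC TXT record strings for the specific weaknesses that leave a domain spoofable (softfail, p=none, a partial pct, an unprotected subdomain policy, too many SPF lookups). The domain name and record strings are constructed samples; fetching live records with a DNS library is left to the reader.

```python
"""Assess SPF and DMARC TXT records for enforcement, not just presence.

Added example with constructed sample records. 'yourtaxfirm.example' is a
hypothetical domain; nothing here performs DNS lookups.
"""
from dataclasses import dataclass, field

# SPF mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class AuthFinding:
    domain: str
    spf_ok: bool
    dmarc_ok: bool
    problems: list = field(default_factory=list)


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Return a list of weaknesses in an SPF record (empty list means enforcing)."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record"]
    last = terms[-1].lower()
    if last in ("all", "+all", "?all"):
        problems.append(f"SPF ends with '{last}': any server may send as this domain")
    elif last == "~all":
        problems.append("SPF softfail (~all): spoofed mail is marked, not rejected; DMARC must carry the policy")
    elif last != "-all":
        problems.append("SPF has no terminal 'all' mechanism")
    lookups = 0
    for term in terms[1:]:
        # strip the qualifier (+ - ~ ?) and the argument to get the bare mechanism name
        name = term.lower().lstrip("+-~?").split(":", 1)[0].split("=", 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        problems.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers return permerror and SPF stops working")
    return problems


def check_dmarc(record: str) -> list:
    """Return a list of weaknesses in a DMARC record (empty list means enforcing)."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC p={policy or 'missing'}: monitoring only, spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        problems.append(f"DMARC pct={pct}: only {pct}% of failing mail is subject to the policy")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p when absent
    if subdomain_policy not in ("quarantine", "reject"):
        problems.append(f"DMARC sp={subdomain_policy or 'missing'}: subdomains remain spoofable")
    if "rua" not in tags:
        problems.append("no rua= address: you will never see who is spoofing your domain")
    return problems


def assess(domain: str, spf_record: str, dmarc_record: str) -> AuthFinding:
    spf_problems = check_spf(spf_record)
    dmarc_problems = check_dmarc(dmarc_record)
    return AuthFinding(domain, not spf_problems, not dmarc_problems, spf_problems + dmarc_problems)


# Constructed records for a hypothetical domain: the common "set it up once and
# forgot" posture versus the enforced posture the checklist asks for.
MONITOR_ONLY = assess(
    "yourtaxfirm.example",
    "v=spf1 include:_spf.example.net ~all",
    "v=DMARC1; p=none; rua=mailto:dmarc@yourtaxfirm.example",
)
ENFORCED = assess(
    "yourtaxfirm.example",
    "v=spf1 include:_spf.example.net -all",
    "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@yourtaxfirm.example",
)

if __name__ == "__main__":
    for finding in (MONITOR_ONLY, ENFORCED):
        state = "ENFORCING" if finding.spf_ok and finding.dmarc_ok else "WEAK"
        print(f"{finding.domain}: {state}")
        for problem in finding.problems:
            print("  -", problem)
```

Run it and the first record set reports three problems while the second reports none. Passing this check only means your own domain cannot be spoofed at receivers that honor DMARC; it says nothing about a compromised mailbox or a lookalike domain, which is why the callback procedure above stays in place.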

How BEC Attacks Target Tax Practices

  1. Reconnaissance. Attackers research your firm's organizational structure, email naming conventions, and client relationships through LinkedIn, your website, and public records.
  2. Infrastructure setup. They register lookalike domains (e.g., yourtaxfirm.net vs. yourtaxfirm.com) or compromise a legitimate email account through credential theft from a prior phishing attack.
  3. Relationship building. They may monitor compromised email communications for weeks to understand business processes, payment workflows, and the timing of large transactions or data requests, often adding mailbox rules that hide their own messages from the account owner.
  4. Attack execution. They send carefully crafted requests that match normal communication patterns but include fraudulent instructions to change bank details, redirect refunds, or send client files externally.
  5. Fund extraction. Stolen funds are immediately moved through multiple accounts and converted to cryptocurrency or wire-transferred internationally. Recovery odds fall with every hour: report to your bank and to the FBI's IC3 immediately, since the FBI's Financial Fraud Kill Chain process works best when a fraudulent wire is reported within 72 hours.

4. Credential Theft and Account Takeover

Attackers steal login credentials through phishing, keylogger malware, credential stuffing attacks using passwords exposed in prior data breaches, or by purchasing credentials on dark web marketplaces. Once they have your tax software credentials, they can access your entire client database. If they obtain your IRS e-Services credentials, they can compromise your EFIN and file fraudulent returns under your professional identity.

Recent editions of the Verizon DBIR have found stolen credentials involved in close to half of breaches, making credential compromise the second most prevalent attack pattern after phishing, which is itself often used to steal credentials in the first place. Credential stuffing attacks are particularly effective against tax professionals who reuse passwords across multiple services. Attackers use automated tools to test billions of username/password combinations obtained from unrelated company breaches. If you use the same password for your tax software that you used for a compromised retail website, attackers can access your professional systems without any sophisticated techniques at all.

IRS Publication 4557 directs tax preparers to implement strong authentication controls: unique passwords for every account with no reuse across services; passwords that follow NIST SP 800-63B guidance (favor length over forced complexity and scheduled rotation, and screen new passwords against breached-password lists; a 12-character minimum, 16 or more for administrative and tax software accounts, is a reasonable practice target); and multi-factor authentication (MFA) on all systems containing taxpayer data. MFA is not optional: the FTC Safeguards Rule requires it for anyone accessing a system that holds customer information, the IRS Security Summit has made that point explicitly to tax professionals, and tax software vendors now enforce it in their products. Disabling or sharing MFA weakens a control the rule requires and creates direct liability in the event of a breach.

Prevention includes using unique, strong passwords generated and stored in an enterprise password manager (1Password or Bitwarden are widely used), enabling MFA on all systems with a preference for authenticator apps or hardware security keys over SMS codes, monitoring for compromised credentials through dark web monitoring services, and deploying endpoint protection that detects keylogger malware behavior before credentials are captured. The FAQ section at the end of this article compares each MFA method's strengths and vulnerabilities.

5. Insider Threats: The Risk Within Your Organization

Not all threats come from outside your organization. Current or former employees, contractors, or business partners with legitimate access to your systems can intentionally or accidentally compromise client data. The Ponemon Institute's 2023 Cost of Insider Risks study found that insider incidents cost organizations an average of $16.2 million annually, with negligent employees responsible for about 55% of incidents and malicious insiders for about 25% (the remainder involve outsiders using stolen insider credentials).

A disgruntled seasonal preparer who copies client files to a USB drive before leaving, an employee who falls for a phishing email and enters credentials into a fake portal, or a contractor who misconfigures cloud storage permissions can cause just as much damage as an external attacker—often more, because insiders have legitimate access that bypasses perimeter security controls entirely.

The most common insider threat scenarios in tax practices include data exfiltration (employees copying client databases to personal devices before departing to start a competing practice), credential sharing (staff sharing login credentials with colleagues, creating untracked access to sensitive records), negligent data handling (emailing tax returns to personal Gmail accounts to work from home, placing data outside your security perimeter), unauthorized access to client files with no business reason, and shadow IT (using unauthorized cloud storage or file sharing tools that bypass your security policies).

Prevention requires implementing least-privilege access controls so users only access systems and data necessary for their specific job function. Revoke access promptly when employees depart—within one hour of termination, or the same day for resignations. Monitor user activity for unusual behavior: access at unusual hours, bulk downloads, or accessing client files with no clear business justification. Conduct background checks on all staff with access to sensitive data.

The FTC Safeguards Rule (16 CFR § 314.4) requires tax preparers to implement access controls and to monitor and log the activity of authorized users as part of their formal information security program. In practice that means maintaining audit logs of who accessed what data and when, with a defined retention period long enough to investigate an incident discovered months after the fact. Your Written Information Security Plan (WISP) must document your access control and monitoring procedures.

Bottom Line

Negligent and malicious insiders together account for roughly 80% of insider incidents in the Ponemon data. Least-privilege access controls, same-day access revocation for departing staff, and retained audit logs are your primary defenses, and all three map directly to controls called for in IRS Publication 4557 and the FTC Safeguards Rule.

6. Remote Desktop Protocol (RDP) Exploitation

Many tax practices use Remote Desktop Protocol (RDP) to allow remote access to office computers—enabling work from home or access to desktop tax software from outside the office. Exposed RDP services are a favored target for attackers, who use brute force attacks (automated attempts to guess passwords) or stolen credentials to gain access. According to the Cybersecurity and Infrastructure Security Agency (CISA), RDP is one of the top three initial access vectors in ransomware attacks.

Once inside via RDP, attackers have the same access as if they were physically sitting at your computer—tax software, client files, email, and a launching point for attacks against other systems on your network. The problem is compounded when tax professionals use weak or long-unchanged passwords on RDP accounts, expose RDP directly to the internet without additional security layers, or fail to monitor login attempts for brute force patterns.

NIST SP 800-46 (Guide to Enterprise Telework, Remote Access, and BYOD Security) and IRS Publication 4557 point to the same set of controls for any practice using RDP: never expose RDP directly to the internet; put it behind a VPN or other gateway that requires separate authentication with MFA before RDP is reachable; enable Network Level Authentication (NLA) so credentials are validated before a full session is established; implement account lockout after five failed login attempts; require long passwords (16 characters or more) on any account permitted to log on remotely, and keep local administrator accounts off that list; and monitor RDP logons (Windows Security Event ID 4625 for failures and 4624 with logon type 10 for successes) with alerts on bursts of failed attempts or connections from unusual locations. A quick sanity check: if a port scan from outside your network shows TCP 3389 open, you are exposed regardless of what the firewall is believed to be doing. Our guide to choosing a VPN for remote tax practice access covers implementation for common scenarios. For a deeper look at how attackers evade endpoint controls once inside, see our analysis of advanced endpoint evasion techniques used in 2026.
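The monitoring control above is the one most practices skip because "monitor RDP connections" sounds like a product rather than a procedure. As an added example that is not part of the original article, here is the core of that detection in Python, run over hand-constructed records shaped like Windows Security log fields (Event ID 4625 for a failed logon, 4624 for a successful one, plus the logon type and source address). The IP addresses, account names and timestamps are made up for illustration.

```python
"""Flag RDP password guessing in Windows Security log events (4625/4624).

Added example. The event tuples below are hand-constructed to look like the
fields of Security log records (timestamp, Event ID, Logon Type, account,
source address); they are not a real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon Type 10 = RemoteInteractive (an RDP session); Logon Type 3 = Network,
# which is what failed RDP attempts look like when NLA is enabled.
RDP_LOGON_TYPES = {"3", "10"}

SAMPLE_EVENTS = [
    # (timestamp, event_id, logon_type, account, source_ip)
    ("2026-03-30T02:14:01", 4625, "3", "administrator", "203.0.113.7"),
    ("2026-03-30T02:14:06", 4625, "3", "admin", "203.0.113.7"),
    ("2026-03-30T02:14:11", 4625, "3", "jsmith", "203.0.113.7"),
    ("2026-03-30T02:14:17", 4625, "3", "tax", "203.0.113.7"),
    ("2026-03-30T02:14:22", 4625, "3", "jsmith", "203.0.113.7"),
    ("2026-03-30T02:14:28", 4625, "3", "jsmith", "203.0.113.7"),
    ("2026-03-30T02:15:03", 4624, "10", "jsmith", "203.0.113.7"),  # password guessed
    ("2026-03-30T09:00:12", 4625, "3", "mlee", "192.168.1.40"),     # staff typo
    ("2026-03-30T09:00:25", 4625, "3", "mlee", "192.168.1.40"),
    ("2026-03-30T09:00:40", 4624, "10", "mlee", "192.168.1.40"),
    ("2026-03-30T12:00:00", 4625, "2", "mlee", "-"),               # local console, ignored
    ("2026-03-30T13:00:00", 4625, "3", "scan", "198.51.100.9"),    # slow probing, below threshold
    ("2026-03-30T13:30:00", 4625, "3", "scan", "198.51.100.9"),
    ("2026-03-30T14:00:00", 4625, "3", "scan", "198.51.100.9"),
    ("2026-03-30T14:30:00", 4625, "3", "scan", "198.51.100.9"),
    ("2026-03-30T15:00:00", 4625, "3", "scan", "198.51.100.9"),
]


def detect_rdp_abuse(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (source_ip, kind, detail) tuples.

    kind is 'brute_force' when one source produces `threshold` or more failed
    logons inside `window`, and 'success_after_failures' when a source that
    was already flagged then logs on successfully while failures are still
    inside the window. Events are processed in timestamp order.
    """
    failures = defaultdict(deque)   # source_ip -> timestamps of recent 4625 events
    flagged = set()
    alerts = []
    for ts, event_id, logon_type, account, source_ip in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        recent = failures[source_ip]
        while recent and when - recent[0] > window:
            recent.popleft()        # drop failures that have aged out of the window
        if event_id == 4625:
            recent.append(when)
            if len(recent) >= threshold and source_ip not in flagged:
                flagged.add(source_ip)
                alerts.append((source_ip, "brute_force",
                               f"{len(recent)} failed RDP logons within {window}"))
        elif event_id == 4624 and source_ip in flagged and recent:
            alerts.append((source_ip, "success_after_failures",
                           f"logon as {account} after {len(recent)} failures from this source"))
    return alerts


if __name__ == "__main__":
    for source_ip, kind, detail in detect_rdp_abuse(SAMPLE_EVENTS):
        print(f"{kind:24s} {source_ip:15s} {detail}")
```

The two alerts it raises on the sample data are the ones that matter: a burst of failures from one address, and a successful logon from that same address shortly afterward, which is the signature of a guessed password and should page someone rather than wait for the morning. The slow probe at thirty-minute intervals stays below the threshold on purpose; lowering the threshold or widening the window catches it at the cost of more noise from legitimate typos. In production this logic sits in your SIEM or EDR console and reads real 4625/4624 events rather than a hard-coded list.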

7. SQL Injection and Web Application Attacks

Tax practices using web-based client portals, intake forms, or custom-built applications face SQL injection and other web application attacks. SQL injection occurs when attackers insert malicious code into web form fields, exploiting inadequate input validation to access or manipulate your database directly. A successful attack against your client portal could expose your entire client database—names, Social Security numbers, tax returns, and financial records—without triggering the failed login alerts that other attack types generate.

According to the OWASP Top 10, injection attacks remain among the most prevalent web application security risks. Prevention requires parameterized queries (prepared statements that separate code from data), input validation on all user-submitted data as a second layer rather than a substitute, and least-privilege database accounts so the web application connects with an account that can only read and write the tables it needs, never with administrative credentials. If you use a third-party secure client portal, verify the vendor undergoes annual penetration testing and holds a current SOC 2 Type II report, and request the latest report before onboarding.
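To make the "code versus data" distinction concrete, the following Python example, added here and not taken from the original page, puts a vulnerable client lookup next to its parameterized fix against an in-memory SQLite database, and shows the least-privilege point with a read-only connection standing in for a SELECT-only database role. The client names and the SSN-shaped strings are constructed (area number 000 is never issued), not real data.

```python
"""SQL injection against a client-lookup query, and the parameterized fix.

Added example using an in-memory SQLite database. Names and SSN-shaped values
are constructed (area number 000 is never issued), not real client data.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, last_name TEXT NOT NULL, ssn TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO clients (last_name, ssn) VALUES (?, ?)",
        [("Rivera", "000-00-0001"), ("Nguyen", "000-00-0002"),
         ("Okafor", "000-00-0003"), ("O'Brien", "000-00-0004")],
    )
    return conn


def lookup_vulnerable(conn, last_name):
    """The anti-pattern: user text is spliced into the SQL statement itself,
    so a quote in the input ends the string literal and the rest becomes SQL."""
    sql = f"SELECT last_name, ssn FROM clients WHERE last_name = '{last_name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, last_name):
    """Parameterized query: the value travels separately from the statement,
    so quotes and keywords inside it are data, never syntax."""
    return conn.execute(
        "SELECT last_name, ssn FROM clients WHERE last_name = ?", (last_name,)
    ).fetchall()


def portal_connection(conn):
    """Least privilege for the web tier. A real deployment uses a separate
    database role limited to SELECT on the portal's tables; SQLite has no
    roles, so query_only stands in for that here."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def can_write(conn) -> bool:
    """True if this connection is allowed to modify the clients table."""
    try:
        conn.execute("DELETE FROM clients WHERE id = -1")
        return True
    except sqlite3.OperationalError:
        return False


# What an attacker types into the "last name" box of the portal's search form.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, injected:", lookup_vulnerable(db, INJECTION))   # every client's SSN
    print("safe, injected:      ", lookup_safe(db, INJECTION))         # []
    print("safe, real name:     ", lookup_safe(db, "O'Brien"))         # the apostrophe is fine
    try:
        lookup_vulnerable(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable, real name: error:", exc)                     # same bug breaks real input
    print("portal can write:    ", can_write(portal_connection(db)))   # False
```

Two things worth noticing. The vulnerable query does not just leak on attacker input; it also crashes on a legitimate client named O'Brien, which is usually how this bug is first found in practice. And a read-only database account does not stop the data leak by itself; it limits what an attacker can do once injection succeeds, which is exactly what least privilege is for.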

8. Wi-Fi Eavesdropping and Network Attacks

Unsecured or poorly secured wireless networks allow attackers to intercept data transmitted across the network. If your office Wi-Fi uses weak encryption (WEP, or WPA with a weak password), or if you're using a shared password that hasn't changed in years, an attacker in a nearby car or building could intercept client data moving across your network without triggering any alarms.

This is particularly dangerous in shared office buildings where your wireless network overlaps with neighboring businesses, or in retail tax preparation locations where public foot traffic provides cover for wireless reconnaissance. NIST SP 800-153 provides wireless security guidelines for organizations handling sensitive data: use WPA3 encryption (WPA2 at minimum—WEP and WPA with TKIP are trivially broken by modern tools); implement a strong, unique Wi-Fi password of at least 20 characters changed annually and whenever staff depart; completely isolate guest and business networks so waiting room Wi-Fi cannot reach your practice systems; and disable WPS (Wi-Fi Protected Setup), which has known vulnerabilities that allow password bypass. See our guide to firewall and network security for tax offices for complete network hardening steps.

For any sensitive transactions—bulk client data transfers, tax software logins when traveling, or accessing client portals from uncertain networks—use a VPN that encrypts all traffic regardless of the underlying network's security posture.

9. Physical Theft and Loss of Devices

Stolen laptops, lost USB drives, and break-ins at tax offices trigger data breach notification requirements under laws in all 50 states. A single stolen laptop containing unencrypted client data can affect hundreds or thousands of taxpayers, triggering state notification timelines (generally 30–90 days from discovery) plus potential IRS reporting obligations and PTIN consequences.

IRS Publication 4557 calls for encryption of all portable devices and removable media containing taxpayer data. Use BitLocker for Windows and FileVault for macOS on all laptops and desktops, and escrow the recovery keys somewhere other than the device itself (an MDM key escrow or a sealed record in the office safe), since a lost recovery key turns your own data into an outage. Enable remote wipe capability through Microsoft Intune or a comparable Mobile Device Management (MDM) platform. For mobile tax preparers who work at client locations, use encrypted cloud storage rather than storing files locally on devices that could be stolen from vehicles. If local storage is necessary, use FIPS 140-2 or FIPS 140-3 validated encryption solutions and maintain a current inventory of all devices containing client data. The full tax document encryption requirements guide covers portable device compliance in detail.

Physical Security Checklist for Tax Offices

  • Enable full-disk encryption (BitLocker/FileVault) on all laptops and desktops
  • Encrypt all USB drives and external hard drives containing client data
  • Implement mobile device management (MDM) with remote wipe capability
  • Install and monitor security cameras covering entry points and work areas
  • Use lockable file cabinets for physical documents and backup media
  • Implement badge access or keypad entry for office entry after hours
  • Maintain current device inventory with serial numbers and encryption status
  • Establish a clean desk policy—no client documents left visible overnight
  • Use privacy screens on monitors in public-facing or open-plan areas
  • Shred all documents containing taxpayer data before disposal

10. Supply Chain Attacks and Third-Party Risk

Supply chain attacks compromise a software vendor or service provider your practice relies on, then use that trusted relationship as a pathway into your systems. If your tax software vendor, cloud storage provider, or IT service company is breached, attackers may gain access to your data through the connection between your systems and theirs—bypassing all the controls you've put in place to secure your own perimeter.

The 2020 SolarWinds attack demonstrated the scale of this threat: attackers infiltrated SolarWinds' software build process and distributed malware through trusted software updates to roughly 18,000 organizations. The 2023 MOVEit Transfer vulnerability showed the other pattern: a zero-day SQL injection flaw (the same class of bug discussed in section 7) in a single file transfer product, exploited systematically across the vendor's customer base, with data stolen from thousands of organizations in a matter of weeks. Tax software vendors face the same attack surface: their automatic updates are installed by tens of thousands of tax professionals, making them high-value targets for this attack pattern.

The FTC Safeguards Rule requires tax preparers to assess and address third-party service provider risks. This includes vetting security practices of all vendors before engagement by requesting SOC 2 Type II reports, penetration test results, and security policies; limiting access granted to third-party software and services using the principle of least privilege; reviewing vendor contracts for security requirements and incident notification obligations; and monitoring for unusual activity from vendor connections. Require vendors to notify you of security incidents within 24–72 hours contractually, and conduct annual vendor security reassessments.

For cloud services, verify the provider holds compliance certifications relevant to your industry: SOC 2 Type II, ISO 27001:2022, and potentially FedRAMP if handling government-related data. Maintain independent backups not controlled by any vendor, so that if your cloud storage provider is compromised, your offline backup remains intact. Your WISP must document your third-party risk management process as called for in IRS Publication 4557, including a vendor inventory and evidence of security due diligence for each vendor with access to taxpayer data.

Emerging Tax Preparer Security Threats Accelerating in 2026

Several attack categories are gaining momentum specifically against tax professionals as we move through 2026.

AI-Powered Social Engineering — Attackers are using generative AI to create highly convincing phishing emails that adapt to the recipient's communication style, use perfect grammar and formatting, and reference specific details scraped from social media and public records. These campaigns are harder to detect because they lack the traditional red flags (poor grammar, generic greetings) that awareness training programs teach staff to recognize. Deepfake voice and video technology now allows attackers to impersonate executives, partners, or clients with enough accuracy to deceive staff under time pressure, and the FBI has warned publicly that criminals are using AI voice cloning in vishing calls. The practical defense is procedural rather than perceptual: any request to move money or send client files is verified by calling back on a known number, no matter how convincing the voice on the line was. Our analysis of how AI is reshaping the cyber threat kill chain covers this evolution and what it means for human-focused defenses.

Double-Extortion Ransomware — Ransomware gangs now routinely exfiltrate your data before encrypting it and threaten to publish it if you don't pay; some groups additionally demand payment in Monero, which is harder to trace than Bitcoin. For tax professionals, a public dump of client Social Security numbers, financial records, and tax returns represents an existential threat to client relationships and professional standing, far beyond the cost of the ransom payment itself. This is why tested offline backups, while they solve the encryption problem, do not eliminate the extortion risk: the controls that address it are the ones that keep attackers out or catch them before the exfiltration stage, such as MFA, EDR, and alerting on unusual outbound transfer volumes.

Identity-Based Attacks Targeting IRS Systems — Attackers who compromise a tax professional's IRS e-Services credentials can file fraudulent returns under your EFIN, request transcripts of clients' prior-year returns for use in future fraud campaigns, and access the Income Verification Express Service (IVES) to harvest wage and income data at scale. The IRS Security Summit's identity theft prevention resources for tax professionals document these attack patterns and the specific controls required to stop them.

Dark Web Sale of Tax Data — Stolen tax professional credentials and client databases are actively traded on dark web marketplaces because a tax preparer's data gives attackers complete financial profiles of hundreds or thousands of individuals at once. Dark web monitoring services alert you when your credentials or client data appear in these markets, sometimes before the attacker has used the data, giving you time to rotate credentials and contain the damage. Treat monitoring as a standing control rather than an option: the IRS also urges preparers to check their EFIN and PTIN account activity regularly for returns they did not file, which is often the first visible sign that stolen credentials are in use.

For a full picture of how these threats interact with one another in real attacks, see our overview of documented cyberattacks on tax firms and the MITRE ATT&CK framework techniques most frequently used against financial services targets.

What This Means for Your Practice

Tax preparer security threats in 2026 are faster, more targeted, and more automated than at any prior point. The ten threat categories above—ransomware, phishing, BEC, credential theft, insider threats, RDP exploitation, web application attacks, wireless interception, physical theft, and supply chain compromise—are all addressed in IRS Publication 4557 and the FTC Safeguards Rule as areas requiring active, documented controls. A compliant Written Information Security Plan (WISP) must address each one specifically for your practice.

Get a Free WISP Template Built for Tax Professionals

Our IRS-compliant WISP template addresses all ten threat categories above and includes pre-filled security controls, vendor management checklists, and incident response procedures updated for 2026.

Book a Free Tax Cybersecurity Assessment

Our security team will evaluate your current defenses against each of the ten threat categories above and provide a prioritized remediation plan aligned with IRS Publication 4557 and the FTC Safeguards Rule.

Frequently Asked Questions

The most active tax preparer security threats in 2026 are ransomware timed to filing season deadlines, phishing and spear phishing attacks impersonating the IRS or tax software vendors, Business Email Compromise (BEC) targeting refund routing changes, and credential theft through password reuse and dark web credential markets. These four categories account for the majority of incidents reported to the IRS Security Summit and the FBI's Internet Crime Complaint Center.

Yes. The IRS requires all tax preparers handling federal tax returns to have a Written Information Security Plan (WISP) that addresses their specific threat environment. IRS Publication 4557 provides the framework, and the FTC Safeguards Rule (16 CFR § 314) extends this requirement to any tax professional operating as a financial institution under the Gramm-Leach-Bliley Act. The WISP must be reviewed and updated at least annually. You can access a free IRS-compliant WISP template to get started.

A data breach affecting taxpayer data triggers multiple obligations simultaneously. You must notify the IRS immediately through your local stakeholder liaison. You must notify affected clients in writing. All 50 states have data breach notification laws requiring notification to affected individuals, typically within 30–90 days of discovery. Depending on the number of affected individuals and the state, you may also need to notify state attorneys general, credit bureaus, and local media. Failure to notify can result in EFIN suspension, state penalties up to $250,000, and civil liability from affected clients.

Multi-factor authentication (MFA) significantly reduces credential theft risk but does not eliminate all attack vectors. SMS-based MFA is vulnerable to SIM-swapping and real-time phishing attacks that intercept codes in transit. Authenticator app MFA (Google Authenticator, Microsoft Authenticator) is more resistant but can be bypassed by sophisticated phishing pages that relay credentials in real time. Hardware security keys (YubiKey, Google Titan) provide the strongest protection because authentication is cryptographically bound to the legitimate domain—a spoofed site cannot intercept it. The IRS recommends MFA on all systems handling taxpayer data, with authenticator apps or hardware keys preferred over SMS.

Remote work introduces two primary risks: exposed RDP services and unsecured home or public Wi-Fi networks. Tax professionals working remotely should always authenticate through a VPN before accessing office systems or tax software—never connect via RDP exposed directly to the internet. Enable full-disk encryption on all laptops used for remote work. Ensure home Wi-Fi uses WPA2 or WPA3 encryption with a strong, unique password. Never process client data over public Wi-Fi without VPN protection active. IRS Publication 4557 requires these controls regardless of where work is performed.

The FTC Safeguards Rule (16 CFR Part 314) requires tax preparers considered financial institutions under the Gramm-Leach-Bliley Act to implement a formal information security program. This covers the vast majority of independent tax preparers and CPA firms. The rule requires a written security plan (WISP), a designated security coordinator, risk assessments, access controls, encryption, employee training, vendor oversight, and incident response procedures. Learn more about FTC Safeguards Rule requirements for tax preparers and how they interact with IRS Publication 4557.

Supply chain attacks are difficult to prevent because the vulnerability exists in software you legitimately trust. Your most effective defenses are: vet all vendors by requesting SOC 2 Type II audit reports and penetration test results before engagement; limit the access you grant to third-party software using the principle of least privilege; maintain offline backups independent of any vendor's systems; monitor network activity for unusual behavior from vendor connections; and require contractual obligations for vendors to notify you of security incidents within 24–72 hours. Your WISP must document your vendor risk management process as called for in IRS Publication 4557.

IRS Publication 4557 requires tax preparers to provide security awareness training to all employees with access to taxpayer data. At minimum, training should cover phishing recognition and reporting procedures, password hygiene and multi-factor authentication, proper data handling and clean desk policies, social engineering recognition including AI-generated vishing attacks, and incident reporting procedures. Training should be conducted at least annually, with phishing simulation exercises recommended monthly. See our overview of security awareness training programs designed specifically for tax and accounting firms.

Yes. Inadequate data security exposes tax preparers to penalties across multiple regulatory fronts. The IRS can suspend or revoke your EFIN and PTIN if a breach results from inadequate security controls. The FTC can impose civil penalties for violations of the Safeguards Rule. State regulators can impose penalties up to $250,000 depending on the state and breach severity. Affected clients can pursue civil litigation for negligence. Professional licensing boards can take disciplinary action against CPAs and enrolled agents. The combination of regulatory, civil, and reputational consequences makes proactive security investment substantially less costly than breach response and recovery.
