Why Hackers Target Tax Preparers and How to Fight Back

Tax preparers hold SSNs, financial records, and filing credentials. This article explains why hackers specifically target tax firms and the defenses that protect you.

Critical Reality Check

Tax preparers are not randomly targeted - they are specifically hunted by cybercriminals who understand the immense value of tax data and the vulnerabilities in many tax practices.

Why Tax Data Is So Valuable to Criminals

Tax preparer systems contain the most complete personal and financial profiles available anywhere. A single client record in your tax software likely contains their full legal name, Social Security number, date of birth, current and prior addresses, employer information and EIN, bank account and routing numbers for direct deposit, income from all sources, spouse and dependent information, and prior-year tax data. This is not just one piece of personal information. It is the entire identity package.

Tax data is also uniquely actionable. Unlike credit card numbers that can be quickly cancelled, stolen tax identities can be exploited for years. Criminals can file fraudulent tax returns, open new credit accounts, apply for loans, commit employment fraud, claim government benefits, and commit medical identity theft, all using the information from a single tax client's file.

What Makes Tax Data So Attractive to Criminals

Complete Identity Package

Full legal names, SSNs, addresses, employer info, bank details, and family information all in one place

Long-Term Exploitation

Unlike credit cards that can be cancelled, stolen tax identities can be exploited for years

Multiple Attack Vectors

Fraudulent returns, credit accounts, loans, employment fraud, benefits claims, and medical identity theft

High-Value Targets

Each compromised client file represents thousands of dollars in potential criminal profit

How Hackers Target Tax Preparers

Cybercriminals employ both broad and targeted strategies to compromise tax preparers. Understanding their methods reveals just how deliberate and organized these attacks are.

The Criminal Attack Process

1. Reconnaissance

Criminals research tax preparers' websites, social media profiles, state licensing databases, and IRS directories. They identify which software you use, how many employees you have, and what your security posture likely looks like. Small and solo practices are particularly attractive because they typically have fewer security resources and less technical expertise than larger firms.

2. Seasonal Timing

Attacks peak during tax season, from January through April. Criminals know that during this period, tax preparers are working long hours, processing high volumes of sensitive documents, and more likely to rush through email without careful examination. The pressure to meet deadlines creates conditions where security mistakes are most likely to happen.

3. Credential Harvesting

Many attacks begin with stealing your login credentials. Criminals search databases of credentials exposed in prior data breaches, knowing that many people reuse passwords across multiple sites. If your personal email password from a 2019 data breach matches your tax software password, an attacker already has access to your client data.

Key Insight

Small and solo tax practices are specifically targeted because criminals know they typically have fewer security resources and less technical expertise than larger firms.

The Scale of the Problem

The IRS Criminal Investigation division has reported thousands of cases involving stolen preparer credentials and fraudulent filings. The agency has issued numerous alerts specifically warning tax professionals about the threats they face. In recent years, the IRS has seen an alarming increase in the number of data theft reports from tax professionals, with some individual breaches affecting thousands of taxpayers.

The Growing Threat Landscape

  • Reported cases (1000s): IRS Criminal Investigation cases involving stolen preparer credentials
  • Peak season (Jan-Apr): When attacks against tax professionals are most frequent
  • Affected taxpayers (1000s): Individual taxpayers impacted by single tax preparer breaches

Attack Methods Specifically Targeting Tax Professionals

IRS-themed phishing campaigns intensify every tax season, with attackers impersonating the IRS, e-filing providers, tax software vendors, and even clients. These emails often reference real IRS notices, upcoming deadlines, or e-filing requirements to create urgency. A common tactic is sending fake "e-Services" login pages that capture EFIN credentials — giving attackers direct access to e-filing systems where they can submit fraudulent returns.

Remote Access Trojans (RATs) are increasingly deployed against tax professionals. Once installed through a phishing email or malicious download, RATs give attackers silent, persistent access to the preparer's computer — including the ability to view screens, capture keystrokes, access files, and steal tax software credentials. Attackers have been known to monitor preparers' workflows for months, learning their systems before exfiltrating client data.

Client impersonation attacks exploit the high volume of client communications during tax season. Attackers send emails appearing to be from existing clients, attaching malicious files labeled as W-2s, 1099s, or tax documents. During busy season, overworked preparers are more likely to open these attachments without verifying. Business Email Compromise (BEC) variants target preparers with fake requests to change direct deposit information on returns.

IRS Requirements for Tax Preparer Cybersecurity

The IRS requires all tax preparers to implement and maintain a Written Information Security Plan (WISP) as outlined in Publication 4557 — Safeguarding Taxpayer Data. This is not a recommendation — failure to maintain adequate security safeguards can result in EFIN revocation, IRS sanctions, and penalties. The WISP must document your security policies, risk assessment, employee training, incident response plan, and specific safeguards for protecting client data.

Publication 4557 mandates specific security controls including: using anti-malware and anti-virus software, encrypting all client data at rest and in transit, implementing strong password policies and multi-factor authentication, maintaining firewalls, using secure WiFi, backing up data regularly, and verifying the security practices of all third-party service providers who access client data.

EFIN holders have additional responsibilities. The IRS can suspend or revoke your EFIN if you fail to maintain required security measures or if client data is compromised due to inadequate protections. Annual security awareness training for all employees who handle taxpayer data is required, and the IRS increasingly audits tax preparers' security practices as part of its ongoing taxpayer protection initiatives.

Frequently Asked Questions

Phishing emails are by far the most common attack vector, accounting for over 90% of successful breaches of tax practices. During tax season, preparers receive phishing emails impersonating the IRS, e-filing services, tax software providers, and clients. The high volume of legitimate communications during busy season makes it difficult to distinguish real messages from attacks.

A Written Information Security Plan (WISP) is a documented set of security policies and procedures required by the IRS for all tax preparers. It outlines how you protect client data, train employees, respond to incidents, and manage security risks. Yes, you absolutely need one — the IRS can revoke your EFIN for failing to maintain a WISP, and it's required under IRS Publication 4557.

Yes. The IRS can suspend or revoke your Electronic Filing Identification Number if you fail to implement required security safeguards, experience a data breach due to inadequate security, or fail to report a breach to the IRS within the required timeframe. Maintaining documented security controls and a current WISP are your best protections against EFIN revocation.

Report data breaches to the IRS immediately by emailing phishing@irs.gov with "Data Breach" in the subject line, contacting your local IRS Stakeholder Liaison, and filing a complaint with the FBI Internet Crime Complaint Center (IC3). You must also notify affected clients and relevant state attorneys general according to applicable breach notification laws.

Tax preparers should carry cyber liability insurance that covers data breach response costs, client notification expenses, credit monitoring for affected clients, regulatory fines, legal defense, business interruption, and ransomware recovery. Policies typically cost $500-$2,000 annually for small practices. Many insurers now require MFA, encryption, and documented security policies as conditions for coverage.

Tax Preparer Security Checklist

  • Create and maintain a Written Information Security Plan (WISP)
  • Enable multi-factor authentication on tax software and email
  • Encrypt all client data at rest and in transit
  • Install and update anti-malware software on all devices
  • Conduct annual security awareness training for all staff
  • Use secure client portals instead of email for document exchange
  • Back up client data daily to encrypted, offsite storage
  • Verify client identity before processing sensitive requests

The consequences extend far beyond the immediate breach. Affected clients spend years dealing with identity theft, filing identity theft affidavits, and monitoring their credit. Tax professionals face IRS investigations, potential loss of their EFIN and PTIN, malpractice lawsuits, regulatory penalties, and devastating reputational damage. Some practices never recover from a significant data breach.

How Tax Preparers Can Defend Against These Attacks

Understanding why hackers target tax professionals is only half the battle. The other half is building defenses that actually work against the specific attack methods used in this industry. Here's what effective protection looks like:

Implement a Written Information Security Plan (WISP)

The IRS requires all tax professionals to have a WISP under IRS Publication 4557. But beyond compliance, a well-crafted WISP forces you to think systematically about your security posture. Your WISP should document:

  • Who is responsible for security in your firm (even if it's you)
  • How you protect client data at rest and in transit
  • Your incident response procedures — what you do when something goes wrong
  • Employee training requirements and schedules
  • How you vet and monitor technology vendors
  • Physical security controls for your office and equipment

Lock Down Your Tax Software

Your tax preparation software is the crown jewel attackers are after. Protecting it requires multiple layers:

  • Multi-factor authentication (MFA) on every account — not just the admin account. SMS-based MFA is better than nothing, but authenticator apps (like Microsoft Authenticator or Google Authenticator) are significantly more secure.
  • Unique, complex passwords for each tax software account. A password manager makes this practical without sacrificing convenience.
  • IP restrictions where available — limit login access to known office IP addresses or VPN connections.
  • Audit logging — review login activity regularly for suspicious access patterns, especially during off-hours or from unusual locations.
  • Separate user accounts for each staff member. Shared accounts make it impossible to track who did what and when.
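
One way to carry out the login review described above, as an added example that is not part of the original article or any tax software vendor's tooling. The CSV layout, the office and VPN ranges, the business hours, and the failure threshold are all assumptions; adapt them to whatever your software actually exports.

```python
import csv
import io
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumptions, not from the article: office/VPN ranges, business hours,
# and a CSV export with timestamp,user,source_ip,result columns.
ALLOWED_NETS = [ip_network("203.0.113.0/28"), ip_network("10.8.0.0/24")]
OPEN, CLOSE = time(7, 0), time(20, 0)
FAILED_THRESHOLD = 3

# Constructed sample export (documentation IP ranges, made-up users).
SAMPLE_LOG = """timestamp,user,source_ip,result
2025-03-03T09:14:02,jlee,203.0.113.5,success
2025-03-03T09:20:41,mpatel,10.8.0.17,success
2025-03-04T02:47:19,jlee,198.51.100.77,failure
2025-03-04T02:47:31,jlee,198.51.100.77,failure
2025-03-04T02:47:52,jlee,198.51.100.77,failure
2025-03-04T02:48:10,jlee,198.51.100.77,success
2025-03-04T21:30:00,mpatel,10.8.0.17,success
2025-03-05T10:02:00,admin,203.0.113.5,success
2025-03-05T10:03:00,admin,203.0.113.9,success
"""

def review_logins(log_text):
    """Return (timestamp, user, reason) tuples for logins worth a second look."""
    findings = []
    failures = {}         # (user, ip) -> failed attempts since last success
    ips_by_user_day = {}  # (user, date) -> source IPs with a successful login
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, ip = row["user"], ip_address(row["source_ip"])
        key = (user, ip)
        if row["result"] != "success":
            failures[key] = failures.get(key, 0) + 1
            continue
        def flag(reason):
            findings.append((row["timestamp"], user, reason))
        if not any(ip in net for net in ALLOWED_NETS):
            flag("login from unlisted IP")
        if ts.weekday() >= 5 or not (OPEN <= ts.time() <= CLOSE):
            flag("off-hours login")
        if failures.pop(key, 0) >= FAILED_THRESHOLD:
            flag("success after repeated failures")
        seen = ips_by_user_day.setdefault((user, ts.date()), set())
        seen.add(ip)
        if len(seen) == 2:  # heuristic for a shared account; flagged once per day
            flag("multiple source IPs in one day")
    return findings

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A finding is a prompt to ask the staff member, not proof of compromise; a preparer working late over the VPN shows up as an off-hours login.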

Secure Your Email

Email remains the primary attack vector for tax firms. Phishing emails impersonating the IRS, state tax agencies, tax software companies, and even your own clients are increasingly sophisticated. Protect yourself with:

  • Advanced email filtering that scans attachments in sandboxed environments and checks URLs against known malicious sites
  • Email authentication records (SPF, DKIM, DMARC) to prevent attackers from spoofing your firm's email domain
  • Encrypted email for all client communications containing sensitive data — standard email is not secure
  • Client verification procedures — never process tax document requests received solely via email without verbal confirmation
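
The email authentication item above, as an added example that is not part of the original article: a check of a domain's SPF and DMARC TXT records for settings that leave the domain spoofable. The domains and records are constructed, and DKIM is not checked because that requires knowing the selector your mail provider uses.

```python
# Constructed TXT records for hypothetical domains; in practice these come
# from DNS lookups of <domain> (SPF) and _dmarc.<domain> (DMARC).
SAMPLE_DNS = {
    "weak-firm.example": {
        "spf": ["v=spf1 include:_spf.mailhost.example ~all"],
        "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-firm.example"],
    },
    "strict-firm.example": {
        "spf": ["v=spf1 include:_spf.mailhost.example -all"],
        "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict-firm.example"],
    },
    "no-records.example": {"spf": [], "dmarc": []},
}

def audit_spf(txt_records):
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["SPF: expected exactly one v=spf1 record, found %d" % len(spf)]
    terms = spf[0].lower().split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is defined by the redirect target; audit that record
        return ["SPF: no 'all' term, unlisted senders get a neutral result"]
    if all_term in ("all", "+all"):
        return ["SPF: '+all' authorizes every server on the internet"]
    if all_term[0] in "~?":
        return ["SPF: '%s' does not hard-fail unlisted senders" % all_term]
    return []

def audit_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["DMARC: expected exactly one v=DMARC1 record, found %d" % len(dmarc)]
    pairs = (part.partition("=") for part in dmarc[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs}
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append("DMARC: p=%s asks receivers to take no action" % (policy or "missing"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append("DMARC: pct=%s applies the policy to only part of the mail" % pct)
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, so no aggregate reports arrive")
    return issues

def audit_domain(domain, dns=SAMPLE_DNS):  # all findings for one domain
    rec = dns[domain]
    return audit_spf(rec["spf"]) + audit_dmarc(rec["dmarc"])

if __name__ == "__main__":
    for domain in SAMPLE_DNS:
        print(domain, audit_domain(domain))
```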

Encrypt Everything

Encryption converts readable data into unreadable code that can only be accessed with the proper key. For tax professionals, encryption should be applied at three levels:

  • Data at rest: Full-disk encryption on all computers and external drives (BitLocker for Windows, FileVault for Mac). If a laptop is stolen, the data is useless without the encryption key.
  • Data in transit: TLS/SSL encryption for all web-based applications, VPN connections for remote work, and encrypted email for client communications.
  • Data in backups: Encrypted backups stored in a separate location with different access credentials than your primary systems.

IRS Publication 4557: What It Actually Requires

IRS Publication 4557, "Safeguarding Taxpayer Data," outlines the minimum security requirements for tax professionals. While the document provides a framework, many firms underestimate what compliance actually entails:

  • Risk assessment: You must identify potential threats and vulnerabilities specific to your firm's operations, technology, and data handling practices.
  • Access controls: Limit access to taxpayer data to only those employees who need it for their job functions.
  • Data protection: Implement encryption, secure disposal, and physical security measures for all client data.
  • Monitoring: Regularly review system logs, access records, and security alerts for signs of unauthorized activity.
  • Incident response: Have a documented plan for responding to security incidents, including notification procedures for affected clients and the IRS.
  • Employee training: Train all staff on security awareness, phishing identification, and proper data handling procedures.

The IRS can revoke your PTIN, EFIN, or CAF number for failure to comply with data protection requirements. Beyond IRS enforcement, the FTC Safeguards Rule (which applies to tax preparers as financial service providers) carries its own penalties including fines up to $100,000 per violation.

Real-World Breach Examples in the Tax Industry

These aren't hypothetical scenarios — they're documented incidents that illustrate the real impact of inadequate security:

  • IRS Get Transcript Breach (2015): Criminals used stolen personal data to access the IRS "Get Transcript" service, filing fraudulent returns for over 700,000 taxpayers. The breach highlighted how stolen tax data cascades through the entire system.
  • Tax preparer phishing campaigns (ongoing): The IRS Security Summit reports that every tax season brings waves of phishing emails targeting tax professionals. In 2024, the IRS identified over 200 distinct phishing campaigns specifically targeting EFIN holders.
  • Ransomware attacks on accounting firms: Multiple regional accounting firms have been forced to pay ransoms ranging from $50,000 to $500,000 to recover client data during peak filing season. Attackers deliberately time these attacks for maximum leverage — a firm can't file extensions for all clients and expect to survive.

What to Do If Your Firm Is Compromised

Despite best efforts, breaches happen. Having a response plan means the difference between a manageable incident and a firm-ending catastrophe:

  1. Contain immediately: Disconnect affected systems from the network. Don't turn them off — forensic evidence may be needed.
  2. Report to the IRS: Contact the IRS Stakeholder Liaison for your state and report to the Identity Protection Specialized Unit (IPSU). The IRS has specific procedures for tax preparer data theft.
  3. Notify law enforcement: File a report with local police and the FBI's Internet Crime Complaint Center (IC3).
  4. Engage forensics: Hire a cybersecurity firm to investigate the breach, identify the scope, and preserve evidence.
  5. Notify affected clients: State data breach notification laws set timelines — typically 30 to 90 days. Provide clear instructions on how clients can protect themselves, including IRS Identity Protection PINs.
  6. Document everything: Keep detailed records of the incident, your response actions, and all communications. This documentation is critical for regulatory compliance and potential litigation defense.
