Income Tax Pros Beware: Tax Scammers Are Targeting Your Network and Your Customers' Data
Scammers keep refining their tricks to steal your credentials and, through them, your clients' data.
Tax season remains prime time for identity thieves and cybercriminals to attack both taxpayers and tax professionals. In 2025 these attackers use AI-driven phishing, deepfake voice calls, supply-chain malware and sophisticated business-email compromise to breach your network, harvest client data and file fraudulent returns. A single compromised credential can expose hundreds of returns and lead to redirected refunds, regulatory penalties and lasting reputational harm. Protecting your firm and your clients demands constant vigilance, up-to-date security controls and clear response plans.
Fake IRS Emails and Spoofed Websites
Scammers build near-perfect replicas of IRS emails and login pages to harvest credentials. They update phishing kits as IRS branding changes and launch targeted campaigns just before filing deadlines. Check the actual sender address, not the display name: genuine IRS mail comes from an irs.gov domain, and the IRS does not initiate contact by email to ask for passwords, PINs or account details. Hover over links before clicking and confirm the hostname really ends in irs.gov rather than a look-alike, such as a domain that merely begins with "irs.gov." or contains "irs-gov". Publishing SPF, DKIM and DMARC records for your own domain lets other mail servers reject messages that spoof it; to protect your own staff, configure your inbound mail gateway to enforce DMARC and to record the verdict in the Authentication-Results header, so both filters and people can see whether a message claiming to be the IRS actually passed.
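The checks above can be scripted so that a suspicious message is triaged before anyone clicks. The following is an added example written for this article, not IRS code or any vendor's tool: it reads the real sender domain (ignoring the display name), the DMARC verdict your gateway stamped into Authentication-Results, and every link target, and flags hostnames that only pretend to be the IRS. The two messages, the gateway name mx.example-cpa.com and the TRUSTED_DOMAINS allowlist are constructed assumptions for the demo.

```python
"""Triage an unsolicited 'IRS' email before anyone clicks.

Added example for this article, not IRS or vendor code. The messages below
are constructed; TRUSTED_DOMAINS and the gateway hostname are assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: only this registrable domain (and its subdomains) is accepted
# as the IRS. Anything else that merely contains "irs" is a look-alike.
TRUSTED_DOMAINS = {"irs.gov"}

# Constructed phishing message: attacker-owned domain, SPF passes for that
# domain (attackers set up SPF too), no DMARC policy, and a link whose
# hostname only *starts with* irs.gov.
PHISH = """\
From: "IRS e-Services" <notices@irs-gov-portal.com>
To: preparer@example-cpa.com
Subject: Action required: your EFIN has been suspended
Authentication-Results: mx.example-cpa.com; spf=pass smtp.mailfrom=irs-gov-portal.com; dkim=none; dmarc=none header.from=irs-gov-portal.com
Content-Type: text/html; charset="utf-8"

<p>Your EFIN is suspended. <a href="https://irs.gov.efin-verify.com/login">Restore access</a>
or read <a href="https://www.irs.gov/e-file-providers">our guidance</a>.</p>
"""

# Constructed message that passes every check, for comparison.
LEGIT = """\
From: IRS <no-reply@irs.gov>
To: preparer@example-cpa.com
Subject: e-Services newsletter
Authentication-Results: mx.example-cpa.com; spf=pass smtp.mailfrom=irs.gov; dkim=pass header.d=irs.gov; dmarc=pass header.from=irs.gov
Content-Type: text/html; charset="utf-8"

<p>Read the latest at <a href="https://www.irs.gov/tax-professionals">irs.gov</a>.</p>
"""


def is_trusted_host(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_irs(host):
    """Untrusted host posing as the IRS: a label that starts with 'irs'
    (irs.gov.evil.example, irs-gov-portal.example) or a punycode label."""
    host = host.lower()
    if is_trusted_host(host):
        return False
    return bool(re.search(r"(^|[.-])irs", host)) or any(
        label.startswith("xn--") for label in host.split("."))


def sender_domain(msg):
    """Domain of the actual From address, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dmarc_verdict(msg):
    """DMARC result stamped by the receiving gateway, or 'missing'."""
    match = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return match.group(1).lower() if match else "missing"


def link_targets(html):
    """Every href in the body: what 'hover before you click' reveals."""
    return re.findall(r'href="([^"]+)"', html)


def triage(raw):
    """Return the evidence and an overall verdict for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    dmarc = dmarc_verdict(msg)
    suspicious = [u for u in link_targets(msg.get_content())
                  if looks_like_irs(urlparse(u).hostname or "")]
    reasons = []
    if not is_trusted_host(domain):
        reasons.append("sender domain %s is not the IRS" % domain)
    if dmarc != "pass":
        reasons.append("dmarc=%s" % dmarc)
    if suspicious:
        reasons.append("look-alike link target")
    return {"sender_domain": domain, "dmarc": dmarc,
            "suspicious_links": suspicious, "reasons": reasons,
            "verdict": "suspicious" if reasons else "pass"}


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

Note that the phishing sample passes SPF: an attacker who registers a domain can publish SPF for it, so SPF alone proves nothing about who the sender is. The useful signals are the sender's registrable domain, the DMARC verdict for that exact domain and where the links actually go.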
Urgent Update Scams for EFIN, PTIN and Software
Emails claiming your Electronic Filing Identification Number (EFIN) or Preparer Tax Identification Number (PTIN) has been suspended are on the rise. They link to fake e-Services portals that capture login credentials. Counterfeit tax-software update notices likewise deliver remote-access trojans or keyloggers. Download updates only from your software provider's portal, reached by typing the address or using a bookmark, never from an email link. Verify the code signature on the installer and compare its SHA-256 checksum against the value the vendor publishes on its own site; a mismatch means the file was altered or replaced, so do not run it.
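The checksum comparison is simple to get right and simple to skip, so here is an added example for this article (not any vendor's tool) that does it properly: it parses a vendor checksum list in the sha256sum format, hashes the downloaded file in chunks, and compares digests with a constant-time function. The installer bytes and the vendor list are constructed for the demo (the SHA-256 of b"abc" is the FIPS 180 test vector, so the "published" value is known to be correct); the vendor and file names are hypothetical. Code-signature (Authenticode, notarization) checks are platform-specific and not shown.

```python
"""Verify a downloaded installer against the vendor's published SHA-256
before running it.

Added example for this article, not vendor code. INSTALLER_BYTES and
VENDOR_SHA256SUMS are constructed; the vendor/file names are hypothetical.
"""
import hashlib
import hmac
import os
import tempfile

# Stand-in for the downloaded installer. SHA-256(b"abc") is the FIPS 180
# test vector, which is why the constructed checksum list below is correct.
INSTALLER_BYTES = b"abc"
VENDOR_SHA256SUMS = """\
# TaxPro 2025.1 release checksums (constructed for this example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  TaxPro-2025.1-Setup.exe
"""


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file of any size without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'digest  filename' lines (sha256sum format) into {filename: digest}.
    A malformed digest is an error, not a silent skip."""
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest = digest.lower()
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed checksum line: %r" % line)
        published[name] = digest
    return published


def verify_installer(path, published, name=None):
    """Return (ok, reason). A missing entry is a failure, not a pass."""
    name = name or os.path.basename(path)
    expected = published.get(name)
    if expected is None:
        return False, "no published checksum for %s" % name
    actual = sha256_of_file(path)
    # compare_digest avoids timing side channels; it also guards against
    # the classic bug of comparing a prefix or differing case.
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch for %s" % name
    return True, "checksum matches vendor-published value"


def demo():
    """Good download, then a tampered copy, then an unlisted file name."""
    published = parse_sha256sums(VENDOR_SHA256SUMS)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "TaxPro-2025.1-Setup.exe")
        with open(path, "wb") as f:
            f.write(INSTALLER_BYTES)
        good = verify_installer(path, published)
        with open(path, "ab") as f:  # simulate a trojanized download
            f.write(b"\x00")
        bad = verify_installer(path, published)
        unknown = verify_installer(path, published, name="TaxPro-Setup.exe")
    return good[0], bad[0], unknown[0]


if __name__ == "__main__":
    print(demo())
```

Fetch the checksum list from the vendor's site over HTTPS in a separate session from the download itself; a checksum that arrived in the same email as the link proves only that the attacker can run sha256sum.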
Business-Email Compromise and Spear-Phishing
In business-email compromise (BEC) schemes, attackers research your partners and clients, then send customized invoices or refund requests from a compromised mailbox or a look-alike domain. A 2024 study showed a 40 percent increase in BEC attempts against accounting firms. Require dual approval for any change to refund destinations or bank account details, and confirm every such request by voice or video call using a number already on file, never one supplied in the email.
Deepfake Vishing and Voice-Clone Scams
Vishing attacks now use AI-generated voice clones of IRS or software-support agents. The caller may claim your network was breached and urge you to install a "security patch" that is actually malware. Verify the caller by hanging up and calling the IRS e-Help Desk at (866) 255-0654 or your software vendor's published support line. Never grant a remote-access session on the first request, and require a written work order before any support engagement.
Two-Part Phishing Schemes and Malicious Attachments
Scammers send an innocuous first email ("Can you review this client file?") and, once you reply, follow up with a password-protected archive or Office document. The password defeats scanning at the mail gateway, and the document's macros install remote-access tools. Train staff to treat unsolicited attachments as dangerous. Block macros in files from the internet by default, scan attachments with current endpoint protection and open anything unexpected only in a sandboxed environment.
Multi-Factor Authentication and Hardware Keys
Passwords alone are insufficient. Require multi-factor authentication (MFA) for all e-Services, software portals and remote-access tools, and also for email, cloud storage and any VPN or remote-desktop gateway. Prefer hardware tokens or FIDO2 keys over SMS codes: a phishing site that captures a password can relay an SMS or authenticator-app code in real time, whereas a FIDO2 credential is bound to the genuine site's origin and will not authenticate to a look-alike domain.
Endpoint Detection and Response
Deploy endpoint detection and response (EDR) on every workstation and server. EDR tools identify suspicious behaviors such as process injection, file tampering and lateral movement, and can quarantine infected devices automatically. In 2025, ransomware gangs increasingly target tax firms during peak filing periods; EDR combined with offline backups minimizes downtime and data loss.
Secure File Sharing and Data Encryption
Tax professionals must protect client PII in transit and at rest. Use a secure client portal or SFTP to exchange returns and supporting documents instead of email attachments. Encrypt data volumes on local machines and servers, and enforce full-disk encryption on laptops. Keep backups encrypted and stored offline or in a separate region, and test restores periodically, so that a local ransomware attack or hardware failure does not take the only copy with it.
Incident Response Planning and Breach Notification
Maintain an incident response plan that defines roles, communication channels and legal obligations under federal and state law. North Carolina's Identity Theft Protection Act requires notifying affected residents without unreasonable delay and reporting the breach to the NC Department of Justice Consumer Protection Division. Tax preparers are also subject to the FTC Safeguards Rule, which requires notifying the FTC within 30 days of a breach affecting 500 or more consumers, and should report data theft to their local IRS Stakeholder Liaison. Engage counsel experienced in cyber incidents to guide regulatory filings and client notifications and reduce the risk of penalties.
Ongoing Staff Training and Phishing Simulations
Train employees regularly on new scam trends. Conduct quarterly phishing simulations that mimic current BEC and AI-powered phishing lures. Review simulation results with staff, identify weak spots and reinforce best practices. A well-trained team stops most targeted attacks before they reach sensitive systems.
Vendor and Supply-Chain Security
Attackers increasingly compromise software vendors to distribute malicious updates. Require vendors to provide security attestations, SOC 2 reports or ISO 27001 certifications. Segment the network so that critical tax systems are isolated from vendor portals, and test updates in a staging environment before deploying them to production.
North Carolina Professional Standards and Resources
Certified public accountants in North Carolina should follow the NC Board of Accountancy’s technology guidelines and the IRS Publication 4557 checklist for safeguarding taxpayer data. For state-level guidance on consumer data protection, contact the NC Department of Justice Consumer Protection Division at 919-716-6000 or file a complaint online. NC firms may also consult the NC Office of the State Chief Information Officer for best practices on data security and breach response.
Responding to a Compromise
If you suspect credentials have been stolen, immediately reset all passwords, revoke active sessions and API tokens, and re-enroll MFA. Contact the IRS e-Help Desk at (866) 255-0654 to secure your e-Services account, and report the data theft to your local IRS Stakeholder Liaison. Notify affected clients, offer credit monitoring and document every step taken. A rapid, transparent response preserves trust and limits exposure under both federal and state breach notification laws.
By combining robust technical controls, staff education and clear response procedures, tax professionals can defend against evolving scams and keep client data secure during every filing season.