TAX PREPARER EMAIL SCAMS: THE COMPLETE GUIDE TO PROTECTING YOUR PRACTICE

By Ṣọ Email Security

Comprehensive guide to email scams targeting tax preparers, accountants, and CPAs. Learn detection methods, prevention controls, and incident response procedures based on IRS, FBI, and NIST guidance.

What are tax preparer email scams?

Tax preparer email scams are targeted phishing attacks designed to steal credentials, client data, and professional identification numbers from accountants, CPAs, and enrolled agents. The IRS Security Summit reports nearly 300 data breaches in the first half of 2025 alone, affecting up to 250,000 clients. Attackers impersonate prospective clients, software vendors, and government agencies to trick tax professionals into clicking malicious links or opening infected attachments, ultimately enabling fraudulent tax return filing and refund theft.


What is a tax preparer email scam?

A tax preparer email scam is a form of social engineering attack that specifically targets professionals in the tax preparation industry. These attacks exploit the unique workflow of tax practices, where receiving sensitive documents from clients and responding to new business inquiries represents normal daily operations.

The IRS defines these attacks as phishing schemes where cybercriminals pose as potential clients, government agencies, tax software companies, or financial institutions. The primary objective is obtaining access to taxpayer data that can be used to file fraudulent returns, steal refunds, or commit identity theft.

Tax preparer scams differ from general phishing in their specificity and timing. Attackers research their targets, understand tax industry terminology, and time their campaigns to coincide with filing season when tax professionals are most vulnerable due to high workloads and time pressure.

The 2025 IRS Dirty Dozen list specifically identifies "new client scams and spear phishing" as a pervasive threat, noting that cybercriminals impersonate new potential clients to trick tax professionals into responding to malicious emails.

Key characteristics of tax preparer email scams include:

  • Industry-specific language: Messages reference tax forms, filing deadlines, IRS requirements, and professional credentials
  • Seasonal timing: Attack volume increases significantly during January through April filing season
  • Credential targeting: Scams specifically seek Electronic Filing Identification Numbers (EFINs), Preparer Tax Identification Numbers (PTINs), and Centralized Authorization File (CAF) numbers
  • Document-based delivery: Malware typically arrives disguised as tax documents, W-2 forms, or client information packages

Why do tax preparer email scams matter?

The financial and operational impact of tax preparer email scams extends far beyond individual victims. A single compromised tax practice can expose hundreds or thousands of taxpayers to identity theft and fraudulent return filing.

Statistical overview

The FBI Internet Crime Complaint Center (IC3) 2024 Annual Report documents the broader landscape of email-based fraud affecting professional services:

  • $16.6 billion in total cybercrime losses reported in 2024, a 33% increase from 2023
  • $2.77 billion in losses from Business Email Compromise scams, which share tactics with tax preparer attacks
  • Nearly 300 data breaches affecting tax professionals reported in the first half of 2025, impacting up to 250,000 clients according to the IRS Security Summit

Regulatory consequences

Tax professionals face significant regulatory obligations when handling client data. The Federal Trade Commission requires all tax preparers to implement safeguards including multi-factor authentication and Written Information Security Plans. A data breach can trigger mandatory reporting to the IRS, state tax agencies, state attorneys general, and affected clients.

IRS Publication 4557, Safeguarding Taxpayer Data, establishes baseline security requirements for tax professionals. Failure to implement adequate protections can result in professional sanctions, loss of filing privileges, and civil liability.

Cascading impact

When attackers compromise a tax professional's systems, the damage multiplies rapidly:

  1. Immediate theft: Attackers harvest Social Security numbers, dates of birth, employer information, and bank account details
  2. Fraudulent returns: Criminals file false tax returns before legitimate taxpayers, claiming refunds
  3. Account takeover: Stolen credentials enable access to tax software platforms and IRS e-Services
  4. Secondary attacks: Compromised email accounts become launching points for attacks on the firm's clients and professional contacts
  5. Credential resale: Stolen professional identification numbers (EFINs, PTINs, CAF numbers) are sold to other criminals

How do tax preparer email scams work?

Tax preparer email scams follow established attack patterns that exploit the operational realities of tax practices. Understanding these patterns enables more effective detection and prevention.

The new client scam attack sequence

The most prevalent attack targeting tax professionals, the "new client" scam, typically unfolds across six distinct phases:

Phase 1: Initial contact

The attacker sends an email posing as a prospective client seeking tax preparation services. The message typically references the current tax year and asks whether the firm is accepting new clients. Subject lines often include phrases like "Tax Preparation Inquiry" or "Need CPA for 2026 Filing."

Example language from IRS-documented scams: "My name is [name], I am searching for another CPA to help handle my taxes. Is it safe to say that you are accepting new clients for the 2026 tax season?"

Phase 2: Establishing credibility

If the tax professional responds positively, the attacker provides additional details designed to appear legitimate. This may include a fabricated employment history, questions about services and pricing, or references to specific tax situations. Sophisticated attackers research their targets and may reference the firm's specializations or geographic area.

Phase 3: Payload delivery

The attacker sends a follow-up message containing either a malicious attachment or a link to a credential-harvesting website. The attachment is typically disguised as prior-year tax returns, W-2 forms, or other client documentation. Links may lead to fake document-sharing portals that request login credentials.

Phase 4: Credential harvesting

When the tax professional opens the attachment, malware installs on their system. This may include keyloggers that capture all subsequent typing, remote access trojans that allow attackers to control the computer, or information stealers that extract saved passwords and browser data. Fake login portals capture email credentials in real time.

Phase 5: Lateral movement

With access to the tax professional's email account, attackers search for client data, bank account information, and professional identification numbers. They may access connected cloud storage, tax preparation software, and IRS e-Services portals. The compromised email account enables attacks on the firm's clients and contacts.

Phase 6: Exploitation

Attackers use harvested information to file fraudulent tax returns before legitimate taxpayers. They may change direct deposit information to redirect refunds, sell stolen credentials to other criminals, or maintain persistent access for ongoing data theft.

Variant attack types

Beyond the new client scam, tax preparers face several related threats:

EFIN/PTIN theft schemes: Attackers impersonate tax software companies and claim they need EFIN documents for verification to transmit tax returns. The IRS reports receiving dozens of reports of this specific scam variant.

Clone phishing: A newer technique where attackers clone legitimate email messages and resend them with malicious attachments or links. These attacks are particularly effective because the message content appears familiar.

AI-enhanced correspondence: The IRS Security Summit warns that scammers now use artificial intelligence to create fake IRS letters that are mailed to victims, expanding attack vectors beyond email alone.


Real-world case studies

Case 1: The keylogger compromise

Security researcher Brian Krebs documented a case involving a New Jersey CPA firm where attackers deployed a web-based keylogger through a spear phishing email. The malware recorded every keystroke and periodically captured screenshots.

The attackers gained access to the accountant's tax preparation software, completed pending Form 1040s for clients, changed direct deposit information to accounts they controlled, and filed the returns electronically. All actions were performed remotely while the accountant was away from their computer.

The fraud was discovered only when clients reported receiving unexpected refunds. The attackers then impersonated IRS contractors and attempted to convince these taxpayers to forward the fraudulent refunds.

Case 2: Accounting & Tax Associates breach (2025)

In July 2025, Accounting & Tax Associates, a Massachusetts-based family-run accounting firm, disclosed a data breach involving unauthorized access to their Intuit Lacerte Tax software platform. An unauthorized actor gained access on May 14, 2025.

The forensic investigation confirmed that customer names and personally identifiable information were potentially compromised. The firm was required to notify affected individuals, contact law enforcement, follow IRS protocols through the Return Integrity & Compliance Services department, and offer credit monitoring services.

Case 3: The 2025 Security Summit statistics

The IRS Security Summit's August 2025 report revealed the scale of ongoing attacks against the tax professional community. In the first half of 2025 alone, nearly 300 data breaches were reported, potentially affecting up to 250,000 clients.

These incidents prompted the Summit to issue renewed warnings about fake "new client" schemes, phishing emails designed to steal EFINs, PTINs, and CAF numbers, and AI-generated fake IRS correspondence.


How can you detect tax preparer email scams?

Effective detection requires systematic evaluation of incoming communications. Use this checklist to assess suspicious messages.

Email analysis checklist

Sender Verification

  • Does the sender's email domain match their claimed organization?
  • Are there subtle misspellings in the domain name (microsaft.com vs microsoft.com)?
  • Is this an expected communication from this sender?
  • Can you verify the sender through independent channels?

Content Analysis

  • Does the message create artificial urgency or pressure?
  • Are there grammatical errors, awkward phrasing, or unusual word choices?
  • Does the request align with normal business processes?
  • Is the sender asking for information they should already have?

Link and Attachment Inspection

  • Does hovering over links reveal unexpected URLs?
  • Are there attachments in unexpected formats (especially .exe, .scr, .zip)?
  • Is the sender asking you to enable macros or disable security features?
  • Does a supposed "document portal" request credentials not related to document access?

Timing and Context

  • Did this message arrive during high-volume filing season when scrutiny may be reduced?
  • Is a "new client" sending tax documents before any engagement agreement?
  • Does the communication pattern match legitimate client behavior?
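
Several of the checklist items above can be checked mechanically before a person opens the message. The following Python sketch is an added example, not part of the IRS guidance or any vendor tool; the trusted-domain list, the edit-distance threshold of 2, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumptions: a hypothetical allow-list of domains the firm already deals with,
# and the attachment types this guide calls out as high risk.
TRUSTED_DOMAINS = {"microsoft.com", "intuit.com", "irs.gov"}
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".js"}

# Constructed sample message (not a real capture).
SAMPLE = b"""\
From: Jordan Example <jordan@microsaft.com>
Reply-To: jordan.example@mailbox.example
To: office@firm.example
Subject: Tax Preparation Inquiry
Authentication-Results: mx.firm.example; dmarc=fail header.from=microsaft.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Prior-year return attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="2025_W2.pdf.exe"

AAAA
--b1--
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domain spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw):
    """Return a list of checklist findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    # Sender verification: near-miss spelling of a domain you already trust.
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < edit_distance(from_dom, trusted) <= 2:
            findings.append(f"lookalike-domain:{from_dom}~{trusted}")
    # Replies routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")
    # DMARC verdict; trust only the header stamped by your own mail server.
    if "dmarc=fail" in str(msg.get("Authentication-Results", "")).lower():
        findings.append("dmarc-fail")
    # Attachment inspection: test every dotted suffix so "w2.pdf.exe" is caught.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if RISKY_EXTENSIONS.intersection(PurePosixPath(name).suffixes):
            findings.append(f"risky-attachment:{name}")
    return findings
```

Calling `triage(SAMPLE)` flags the misspelled sender domain, the Reply-To redirect, the failed DMARC result, and the double-extension attachment. An empty list means only that these four checks found nothing; the independent-channel verification in the checklist still applies.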

Warning signs specific to tax practices

The IRS identifies these red flags indicating potential compromise:

  • Client e-filed returns being rejected because returns with their Social Security numbers were already filed
  • Clients receiving IRS authentication letters (5071C, 4883C, 5747C) for returns they did not file
  • Clients receiving refunds without having filed tax returns
  • More e-file acknowledgements received than returns actually filed
  • Notification that your EFIN or CAF number has been used without authorization
  • Responses appearing to emails you never sent
  • Computer cursor moving or changing numbers without input
  • Being unexpectedly locked out of network or computer systems

How can you prevent tax preparer email scams?

The IRS Security Summit identifies six essential protections—the "Security Six"—that provide baseline defense against email-based attacks. These recommendations align with NIST Cybersecurity Framework guidelines and FTC requirements.

The Security Six

1. Anti-virus software

Deploy and maintain current anti-virus protection on all computers and devices. Configure automatic updates and schedule regular full-system scans. NIST guidance emphasizes that up-to-date anti-virus software may help prevent malware from installing even if a phishing attack tricks the user.

2. Firewall protection

Enable firewalls on all systems to shield computers and networks from malicious or unnecessary web traffic. Configure firewalls to block unauthorized inbound and outbound connections.

3. Multi-factor authentication

Multi-factor authentication is a Federal Trade Commission requirement for all tax professionals. Enable MFA on all accounts, prioritizing:

  • Email accounts
  • Tax preparation software
  • IRS e-Services and Transcript Delivery System
  • Cloud storage services
  • Banking and financial accounts

NIST recommends phishing-resistant MFA such as hardware security keys or biometric authentication for highest protection.

4. Backup software and services

Maintain regular backups of all critical files to protect against ransomware attacks and device failures. Store backups offline or in isolated cloud storage that cannot be accessed from compromised systems. Test backup restoration procedures regularly.

5. Drive encryption

Enable full-disk encryption on all computers and mobile devices containing client data. Encryption protects information if devices are lost or stolen.

6. Virtual Private Network (VPN)

Use a VPN when accessing client data or tax software from outside the office. A VPN encrypts internet traffic and prevents interception on public networks.

Additional prevention controls

Email security configuration

  • Configure SPF, DKIM, and DMARC records for your domain with DMARC set to "reject"
  • Enable email filtering that scans attachments for malware
  • Implement banner warnings on emails from external senders
  • Block high-risk file types (.exe, .scr, .js) at the email gateway
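
A DMARC record can be published and still leave spoofed mail deliverable if the policy is weaker than "reject". The Python sketch below is an added example, not from the IRS or NIST material; it audits the TXT record text you would publish at `_dmarc.<your domain>`, and the `firm.example` records are constructed for illustration.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for field in record.split(";"):
        key, sep, value = field.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return the settings that keep a DMARC record short of full 'reject'."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not-a-dmarc-record"]
    issues = []
    # p= is the policy for the domain itself; only "reject" refuses failing mail.
    p = tags.get("p", "").lower()
    if p != "reject":
        issues.append(f"p={p or 'missing'}")
    # sp= overrides the policy for subdomains; when absent it inherits p=.
    sp = tags.get("sp")
    if sp is not None and sp.lower() != "reject":
        issues.append(f"sp={sp.lower()}")
    # pct= below 100 applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}")
    return issues


# Constructed records: weak settings beside the corrected one.
RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@firm.example",
    "partial": "v=DMARC1; p=reject; sp=none; pct=25",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@firm.example",
}

if __name__ == "__main__":
    for label, record in RECORDS.items():
        print(label, audit_dmarc(record) or "ok")
```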

New client verification procedures

  • Require prospective clients to complete intake through secure portals or in-person meetings
  • Never open attachments from unknown senders without independent verification
  • Call prospective clients using independently verified phone numbers before accepting documents
  • Establish standard onboarding workflows that interrupt the new client scam sequence

Staff training

  • Conduct regular phishing awareness training with tax-industry-specific examples
  • Run periodic phishing simulations to test staff response
  • Establish clear procedures for reporting suspicious communications
  • Document and share examples of current scam tactics

Written information security plan

Tax professionals are legally required to maintain a Written Information Security Plan (WISP). IRS Publication 5708 provides templates and guidance for creating compliant plans. A WISP should document:

  • Risk assessment procedures
  • Employee security training requirements
  • Physical and technical safeguards
  • Incident response procedures
  • Vendor management requirements

How should you respond to a tax preparer email scam incident?

When a data breach or suspected compromise occurs, rapid response can limit damage and help protect affected clients. The IRS provides specific guidance for tax professionals experiencing security incidents.

Immediate response steps

Step 1: Contain the breach

  • Disconnect compromised systems from the network immediately
  • Change passwords on all potentially affected accounts
  • Disable compromised user accounts
  • Preserve evidence by not deleting logs or emails

Step 2: Contact the IRS

Report client data theft to your local IRS Stakeholder Liaison immediately. The liaison will notify IRS Criminal Investigation and other appropriate offices. If reported quickly, the IRS can take steps to block fraudulent returns in clients' names.

Contact information for IRS Stakeholder Liaisons is available at IRS.gov or by calling the IRS tax practitioner hotline.

Step 3: Notify state agencies

Contact the Federation of Tax Administrators at StateAlert@taxadmin.org to report the breach to affected state tax agencies. Most states require notification to the state attorney general for data breaches. Visit the Federation of Tax Administrators Report a Data Breach page for state-specific contact information.

Step 4: Engage professional support

  • Retain a cybersecurity expert to determine the cause and scope of the breach
  • Contact your insurance company to report the incident and check coverage for breach response expenses
  • Consult with legal counsel regarding notification obligations and liability

Step 5: Notify affected clients

Work with law enforcement to determine appropriate timing, then send individual letters to all potential victims. Clients should:

  • Complete IRS Form 14039 (Identity Theft Affidavit) if they receive IRS notices or have returns rejected
  • Consider applying for an IRS Identity Protection PIN
  • Monitor credit reports and financial accounts
  • Place fraud alerts or credit freezes with credit bureaus

Step 6: Report to additional authorities

  • File a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov
  • Report to the Federal Trade Commission at IdentityTheft.gov
  • File a report with local law enforcement

Documentation requirements

Maintain detailed records of:

  • Timeline of incident discovery and response actions
  • Systems and data potentially affected
  • Notifications sent to regulators, clients, and other parties
  • Remediation measures implemented
  • Communications with law enforcement and cybersecurity consultants

Frequently Asked Questions

What is the most common email scam targeting tax preparers?

The "new client" scam is the most prevalent email attack targeting tax professionals. In this scheme, cybercriminals impersonate prospective clients seeking tax preparation services. After initial contact, they send malicious attachments disguised as tax documents or links to credential-harvesting websites. The IRS 2025 Dirty Dozen list specifically identifies this attack as a pervasive threat during filing season.

How can I verify if a new client inquiry is legitimate?

Verify new client inquiries by contacting the person through independently obtained contact information rather than using details provided in the suspicious email. Search for the person or business online to confirm their existence. Request an initial phone or video consultation before accepting any documents. Legitimate prospective clients will not object to standard verification procedures.

What should I do if I clicked a suspicious link or opened a malicious attachment?

Immediately disconnect the affected computer from your network to prevent lateral spread. Change passwords for all accounts that may have been accessed from that device, prioritizing email and tax software. Run a full anti-virus scan. Contact your IRS Stakeholder Liaison to report potential client data exposure. Engage a cybersecurity professional to assess the scope of compromise.

Are tax preparers legally required to have cybersecurity protections?

Yes. The Federal Trade Commission requires tax professionals to implement safeguards including multi-factor authentication as part of the Safeguards Rule. Tax preparers must also maintain a Written Information Security Plan (WISP) documenting their security policies and procedures. IRS Publication 4557 and Publication 5708 provide guidance on compliance requirements.

How do I report a phishing email claiming to be from the IRS?

Forward suspicious emails claiming to be from the IRS to phishing@irs.gov. Include the full email headers if possible. Do not click any links or open any attachments before forwarding. The IRS uses these reports to track emerging scam campaigns and issue warnings to the tax professional community.


Executive summary (TL;DR)

Tax preparer email scams are targeted phishing attacks exploiting the trusted relationship between accountants and their clients. The IRS Security Summit reports nearly 300 data breaches in the first half of 2025, affecting up to 250,000 clients.

The threat: Cybercriminals impersonate prospective clients, software vendors, and government agencies to steal credentials, client data, and professional identification numbers (EFINs, PTINs, CAF numbers). Successful attacks enable fraudulent tax return filing and refund theft.

Attack method: The "new client" scam involves fake client inquiries followed by malicious attachments or credential-harvesting links disguised as tax documents.

Financial impact: FBI IC3 reported $16.6 billion in total cybercrime losses in 2024. Business email compromise schemes, which share tactics with tax preparer attacks, caused $2.77 billion in losses.

Required protections: Implement the IRS "Security Six"—anti-virus software, firewalls, multi-factor authentication, backup systems, drive encryption, and VPN. Maintain a Written Information Security Plan as required by the FTC.

Detection priorities: Verify new client inquiries independently, inspect email sender addresses carefully, never open unexpected attachments, and watch for signs of system compromise including rejected client e-files and unexpected IRS authentication letters.

Incident response: Report breaches immediately to your IRS Stakeholder Liaison, state tax agencies via the Federation of Tax Administrators, and law enforcement. Notify affected clients with guidance on protective measures including IRS Identity Protection PINs.


Additional Resources

IRS Publications

  • Publication 4557: Safeguarding Taxpayer Data
  • Publication 5293: Data Security Resource Guide for Tax Professionals
  • Publication 5708: Creating a Written Information Security Plan
  • Publication 5709: How to Create a Written Information Security Plan for Data Safety

IRS Online Resources

  • Identity Theft Central: irs.gov/identity-theft-central
  • Data Theft Information for Tax Professionals: irs.gov/individuals/data-theft-information-for-tax-professionals
  • Security Summit information: irs.gov/tax-professionals/security-summit

Reporting Resources

  • Report phishing to IRS: phishing@irs.gov
  • FBI Internet Crime Complaint Center: ic3.gov
  • Federation of Tax Administrators Data Breach Reporting: taxadmin.org

NIST Guidance

  • NIST Small Business Cybersecurity: nist.gov/itl/smallbusinesscyber
  • NIST Phishing Guidance: nist.gov/itl/smallbusinesscyber/guidance-topic/phishing

This article was prepared by Ṣọ Email Security based on official guidance from the Internal Revenue Service, FBI Internet Crime Complaint Center, and National Institute of Standards and Technology. Information is current as of February 2026. Tax professionals should consult current IRS guidance and legal counsel for compliance requirements specific to their practice.