THE 'NEW CLIENT' SCAM HITTING ACCOUNTANTS: HOW TO DETECT AND STOP THIS ATTACK

By Ṣọ Email Security · 13 min read

The new client scam is a targeted spear phishing attack where cybercriminals pose as prospective clients to steal accountant credentials and client data. Learn detection methods, prevention controls, and IRS-recommended response procedures.

What is the new client scam targeting accountants?

The new client scam is a spear phishing attack where cybercriminals impersonate prospective clients seeking accounting or tax preparation services. When the accountant responds, attackers send malicious attachments or credential-harvesting links disguised as tax documents. The IRS 2025 Dirty Dozen list identifies this scheme as a pervasive threat, with the Security Summit reporting nearly 300 data breaches affecting up to 250,000 clients in the first half of 2025 alone. This attack succeeds because receiving documents from new clients represents normal business operations for accounting firms.


What exactly is the new client scam?

The new client scam is a form of spear phishing specifically engineered to exploit the client acquisition workflow of accounting practices. Unlike mass phishing campaigns that cast wide nets, this attack targets individual accountants, CPAs, enrolled agents, and tax preparation firms with personalized messages designed to appear as legitimate business inquiries.

According to IRS Tax Tip 2024-06, the new client scam is "an email scheme where cybercriminals pose as potential clients" that "peaks during the busy tax filing season." The scammer contacts a tax professional requesting help with their taxes, then delivers malware or credential-harvesting tools through what appears to be routine document sharing.

The attack exploits a fundamental vulnerability in accounting practice operations. Accountants routinely receive sensitive documents from people they have never met in person. A request from a prospective client to share tax documents raises no immediate suspicion because this exchange represents the normal beginning of a professional relationship.

Defining characteristics of the new client scam:

  • Targeted delivery: Messages are sent to specific accounting professionals rather than mass-distributed
  • Contextual relevance: Content references current tax years, filing deadlines, and industry-specific terminology
  • Two-stage execution: Initial contact establishes legitimacy before payload delivery
  • Document-based deception: Malware arrives disguised as tax returns, W-2 forms, or financial statements
  • Credential focus: Attacks specifically target email passwords, tax software logins, and professional identification numbers

The IRS Commissioner has stated that "these intricate email scams pose a real risk to tax professionals and the taxpayers they represent," emphasizing both the sophistication of these attacks and their cascading impact on client populations.


Why does the new client scam matter?

The new client scam represents one of the most effective attack vectors against the accounting profession because it weaponizes the trust-based nature of client relationships. A single successful attack can compromise an entire firm's client database, enabling large-scale identity theft and tax fraud.

Current threat statistics

The scope of attacks against accounting professionals has reached unprecedented levels:

  • Nearly 300 data breaches were reported by tax professionals in the first half of 2025, according to the IRS Security Summit
  • Up to 250,000 clients were potentially affected by these breaches
  • $16.6 billion in total cybercrime losses were reported to the FBI IC3 in 2024, a 33% increase from the previous year
  • $2.77 billion in losses came from Business Email Compromise schemes, which share tactics with new client scams
  • $8.5 billion in BEC losses were reported over the three-year period from 2022-2024

Why accountants are high-value targets

Accounting professionals possess exactly what identity thieves need to commit tax fraud at scale:

Data richness: A single accounting firm may hold Social Security numbers, dates of birth, employer identification numbers, bank account details, and income information for hundreds or thousands of clients.

Filing credentials: Attackers specifically target Electronic Filing Identification Numbers (EFINs), Preparer Tax Identification Numbers (PTINs), and Centralized Authorization File (CAF) numbers that enable fraudulent return filing.

Trusted access: Compromised accountant email accounts can be used to request additional information from clients, who trust communications from their tax professional.

Seasonal vulnerability: During filing season (January through April), accountants work under intense time pressure, reducing the scrutiny applied to incoming communications.

Regulatory and professional consequences

Beyond financial losses, compromised accountants face significant professional consequences:

  • Mandatory reporting to the IRS, state tax agencies, state attorneys general, and all affected clients
  • FTC compliance obligations under the Safeguards Rule requiring documented security measures
  • Professional sanctions including potential loss of filing privileges
  • Malpractice liability for failure to protect client data
  • Reputational damage that can permanently harm practice viability

How does the new client scam work?

The new client scam follows a predictable attack sequence that exploits the natural workflow of client acquisition. Understanding each phase enables accountants to identify attacks before damage occurs.

Phase 1: Initial reconnaissance

Before making contact, sophisticated attackers research their targets. They identify accounting firms through professional directories, state CPA society listings, LinkedIn profiles, and firm websites. Attackers note specializations, geographic focus, and firm size to craft convincing inquiries.

Phase 2: First contact

The attacker sends an email posing as a prospective client. The message typically:

  • References the current or upcoming tax year
  • Asks whether the firm is accepting new clients
  • Provides a plausible reason for seeking new representation
  • Uses professional but sometimes slightly awkward language

Example from IRS-documented scams:

"My name is [name], I am searching for another CPA to help handle my taxes. Is it safe to say that you are accepting new clients for the 2026 tax season?"

The IRS notes that warning signs in these messages include "awkwardly phrased sentences and odd word usage," though sophisticated attackers may use previously compromised email threads that contain no obvious errors.

Phase 3: Engagement and trust building

If the accountant responds positively, the attacker continues the conversation to build credibility. They may:

  • Ask about fees and services
  • Describe their tax situation in general terms
  • Provide fabricated personal or business details
  • Express urgency about filing deadlines

This phase may span multiple email exchanges over several days, making the eventual document request appear natural.

Phase 4: Payload delivery

Once trust is established, the attacker delivers the malicious payload. This typically occurs in one of two ways:

Malicious attachment: The attacker sends an email claiming to contain prior-year tax returns, W-2 forms, 1099s, or other financial documents. The attachment contains malware that installs when opened.

Credential harvesting link: The attacker sends a link to a fake document-sharing portal (mimicking Dropbox, Google Drive, or tax-specific platforms) that requests login credentials to access the "shared documents."

Phase 5: System compromise

When the accountant interacts with the malicious content:

Malware installation: Keyloggers record all subsequent typing, capturing passwords, client data, and financial information. Remote access trojans allow attackers to control the computer directly. Information stealers extract saved passwords and browser data.

Credential capture: Fake login portals immediately transmit entered credentials to attackers, who can then access the accountant's actual email, tax software, and cloud storage.

Phase 6: Data exfiltration and exploitation

With access established, attackers:

  • Search email archives for client Social Security numbers and financial data
  • Access tax preparation software to harvest client records
  • Locate and steal EFIN, PTIN, and CAF credentials
  • Use the compromised email account to request additional information from clients
  • File fraudulent tax returns using stolen client identities
  • Redirect refunds to accounts they control
  • Sell harvested credentials to other criminals

The IRS warns that "some scammers may also load malware onto the tax pro's computer to gain access to their system – and their clients' data. Scammers may also use that tax professional's hacked email account to target clients."


What are real examples of new client scam attacks?

Case Study 1: The keylogger attack

Security researcher Brian Krebs documented a case where a CPA firm was compromised through a spear phishing attack disguised as a new client inquiry. The attackers deployed a web-based keylogger that recorded every keystroke and periodically captured screenshots of the victim's computer.

The attackers monitored the accountant's activity, waited for an opportune moment, then took remote control of the system. They completed pending Form 1040s for clients, changed the direct deposit information to accounts they controlled, and filed the returns electronically—all while the accountant was away from their desk.

The fraud was discovered only when clients reported receiving unexpected refunds in their bank accounts. The attackers then impersonated IRS contractors and attempted to convince these taxpayers to forward the fraudulent refunds to them.

Case Study 2: The compromised email thread

The IRS has documented cases where attackers gained access to a previous victim's email account, then used legitimate email threads between that victim and their accountant as templates for new attacks.

In these scenarios, the attacker sends a message that appears to continue an existing conversation, complete with accurate references to past communications. Because the message history appears genuine and contains no grammatical errors, even vigilant accountants may be deceived.

Case Study 3: The 2025 breach wave

The IRS Security Summit's August 2025 report revealed that nearly 300 data breaches had been reported by tax professionals in just the first six months of the year, potentially affecting up to 250,000 clients.

The Summit specifically cited fake "new client" schemes as a primary attack vector, along with phishing attempts targeting EFINs, PTINs, and CAF numbers. The scale of these breaches prompted renewed warnings and the development of additional guidance through the "Protect Your Clients; Protect Yourself" campaign.

Case Study 4: Accounting & Tax Associates (2025)

In July 2025, Accounting & Tax Associates, a Massachusetts-based family accounting firm operating since 1974, disclosed a data breach. An unauthorized actor gained access to the company's Intuit Lacerte Tax software platform on May 14, 2025.

The forensic investigation confirmed that customer names and personally identifiable information were potentially compromised. The firm was required to notify the Maine Attorney General, contact law enforcement, follow IRS protocols through the Return Integrity & Compliance Services department, and offer affected clients identity theft protection services.


How can accountants detect new client scam attempts?

Systematic evaluation of new client inquiries can identify attacks before they succeed. Use this detection framework for all unsolicited business inquiries.

Email header analysis

  • Does the sender's domain exactly match their claimed identity?
  • Are there subtle misspellings (e.g., "rnicrosoft.com" using "rn" instead of "m")?
  • Does the reply-to address differ from the from address?
  • Was the email sent from a free email service (Gmail, Yahoo, Outlook) when a business domain would be expected?

Message content evaluation

  • Does the greeting use your name, or is it generic ("Dear Sir/Madam," "Dear CPA")?
  • Are there awkward phrases or unusual word choices?
  • Does the message create artificial urgency?
  • Is the sender asking to share documents before any engagement agreement?
  • Does the request bypass your normal intake procedures?

Behavioral red flags

  • Is a "prospective client" sending tax documents in their initial inquiry?
  • Are they resistant to phone calls or video consultations?
  • Do they provide excessive personal information unprompted?
  • Are they unusually eager to move quickly?
  • Do they claim to be traveling or otherwise unavailable for direct contact?

Technical warning signs

  • Do links in the email lead to unexpected domains when you hover over them?
  • Are attachments in unusual formats (.exe, .scr, .zip, .js)?
  • Does a "document portal" request credentials unrelated to document access?
  • Does the email ask you to enable macros or disable security features?
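
As an added example (not code from the original article or from the IRS), the header-analysis and technical-warning-sign checks above can be applied mechanically to a raw message before anyone opens it. The `KNOWN_DOMAINS` list, the function names, the finding codes and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}   # services the checklist names
RISKY_EXT = (".exe", ".scr", ".zip", ".js", ".vbs")     # formats this page names
KNOWN_DOMAINS = {"microsoft.com", "dropbox.com", "google.com"}  # assumed firm list

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def skeleton(domain):
    """Collapse character sequences that render alike ('rn' vs 'm', '0' vs 'o')."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(fake, real)
    return domain

def lookalike_of(domain):
    """Known domain that `domain` visually imitates, or None."""
    for known in sorted(KNOWN_DOMAINS):
        if domain != known and skeleton(domain) == skeleton(known):
            return known
    return None

def triage(raw_message):
    """Return [(code, detail), ...] for one raw message; an empty list means no flags."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    found = []
    if reply_dom and reply_dom != from_dom:
        found.append(("reply_to_mismatch", f"{from_dom} -> {reply_dom}"))
    for dom in dict.fromkeys(d for d in (from_dom, reply_dom) if d):
        if dom in FREE_MAIL:
            found.append(("free_mail_sender", dom))
        if lookalike_of(dom):
            found.append(("lookalike_domain", f"{dom} imitates {lookalike_of(dom)}"))
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):          # also catches double extensions
            found.append(("risky_attachment", name))
        if part.get_content_type() == "text/html":
            # Compare the domain a link displays with the host it really opens.
            for href, text in LINK_RE.findall(part.get_content()):
                host = (urlparse(href).hostname or "").lower()
                shown = DOMAIN_RE.search(text)
                shown = shown.group(0).lower() if shown else ""
                if shown and host != shown and not host.endswith("." + shown):
                    found.append(("link_mismatch", f"shows {shown}, opens {host}"))
    return found

def build_sample():
    """Constructed message combining several checklist items (not a real sample)."""
    m = EmailMessage()
    m["From"] = '"J. Example" <j.example@gmail.com>'
    m["Reply-To"] = "intake@rnicrosoft.com"
    m["Subject"] = "Prior-year returns"
    m.set_content("Documents attached.")
    m.add_alternative(
        '<p><a href="https://files.example.net/login">https://dropbox.com/s/returns</a></p>',
        subtype="html")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="W2_2025.pdf.js")
    return m.as_string()

if __name__ == "__main__":
    for code, detail in triage(build_sample()):
        print(f"{code}: {detail}")
```

A free-mail sender on its own is common among genuine individual clients, so treat the findings as prompts for the verification steps in this article rather than as a verdict.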

Signs your systems may already be compromised

The IRS identifies these indicators of potential breach:

  • Client e-filed returns being rejected because returns with their Social Security numbers were already filed
  • Clients receiving IRS authentication letters (5071C, 4883C, 5747C) without having filed returns
  • Clients receiving refunds they did not request
  • More e-file acknowledgements than returns you actually submitted
  • Receiving responses to emails you never sent
  • Computer cursor moving without your input
  • Being unexpectedly locked out of systems or accounts
  • Notification that your CAF number has been compromised

How can accountants prevent new client scam attacks?

Effective prevention combines technical controls with procedural safeguards that interrupt the attack sequence at multiple points.

Implement the IRS "Security Six"

The IRS Security Summit identifies six essential protections for tax professionals:

1. Anti-virus software: Deploy current anti-virus protection on all systems with automatic updates enabled. NIST guidance confirms that up-to-date anti-virus may prevent malware installation even if a user interacts with malicious content.

2. Firewall protection: Enable firewalls on all computers and network perimeters to block unauthorized traffic and prevent data exfiltration.

3. Multi-factor authentication: MFA is a Federal Trade Commission requirement for tax professionals. Enable it on:

  • All email accounts
  • Tax preparation software
  • IRS e-Services and Transcript Delivery System
  • Cloud storage services
  • Financial and banking accounts

NIST recommends phishing-resistant MFA (hardware security keys, biometrics) for highest protection.

4. Backup systems: Maintain regular backups stored offline or in isolated cloud storage. Test restoration procedures to ensure recoverability after ransomware or data loss.

5. Drive encryption: Enable full-disk encryption on all devices containing client data to protect information if devices are lost or stolen.

6. Virtual private network: Use a VPN when accessing client data or tax software remotely to encrypt traffic and prevent interception.

Establish new client verification procedures

Create intake workflows that interrupt the new client scam sequence:

  • Require initial consultation: Mandate phone or video calls before accepting any documents from prospective clients
  • Independent verification: Look up prospective clients independently rather than using contact information they provide
  • Secure portals: Direct document submission through secure client portals rather than email attachments
  • Engagement agreements first: Require signed engagement letters before accepting sensitive documents
  • Standardized intake forms: Use consistent onboarding processes that would reveal inconsistencies in fraudulent inquiries

Configure email security controls

  • SPF, DKIM, and DMARC: Configure email authentication with DMARC set to "reject" to prevent domain spoofing
  • External sender warnings: Enable banner notifications on emails from outside your organization
  • Attachment scanning: Deploy email security that scans attachments for malware before delivery
  • Link protection: Use email security that rewrites and scans URLs at click time
  • File type blocking: Block high-risk attachment types (.exe, .scr, .js, .vbs) at the email gateway
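
The DMARC "reject" setting in the list above can be verified from the published DNS record. The following is an added example, not part of the original article: it audits the text of a DMARC record (published as a TXT record at `_dmarc.<domain>`) and the `all` mechanism of an SPF record. The record strings in the demo are constructed, and the function names are assumptions.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' record into ordered (tag, value) pairs."""
    pairs = []
    for chunk in record.split(";"):
        if "=" in chunk:
            tag, _, value = chunk.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def audit_dmarc(record):
    """Return a list of weaknesses in a DMARC record; empty means p=reject is in force."""
    pairs = parse_tags(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not a DMARC record: first tag must be v=DMARC1"]
    tags = dict(pairs)
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    elif policy != "reject":
        issues.append(f"p={policy}: spoofed mail is not rejected")
    sub = tags.get("sp", "").lower()
    if sub and sub != "reject":
        issues.append(f"sp={sub}: subdomains get a weaker policy")
    pct = tags.get("pct", "100")          # 100 is the default when pct is absent
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: policy applies to only part of failing mail")
    return issues

def audit_spf(record):
    """Return weaknesses in how an SPF record treats senders it does not list."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    for term in (t.lower() for t in terms[1:]):
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"   # bare 'all' means +all
            if qualifier == "+":
                return ["+all: every sender on the internet passes SPF"]
            if qualifier == "?":
                return ["?all: unlisted senders get a neutral result"]
            return []                     # -all or ~all: unlisted senders do not pass
    if any(t.lower().startswith("redirect=") for t in terms[1:]):
        return []                         # result is decided by the redirected record
    return ["no 'all' mechanism: unlisted senders get a neutral result"]

if __name__ == "__main__":
    # Constructed records: a monitoring-only policy beside the corrected one.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.test",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"):
        print(rec, "->", audit_dmarc(rec) or "ok")
    print(audit_spf("v=spf1 include:_spf.example.test +all"))
```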

Train staff continuously

  • Conduct regular phishing awareness training with accounting-specific examples
  • Run periodic simulated phishing tests to identify training needs
  • Establish clear procedures for reporting suspicious communications
  • Share current scam examples from IRS alerts and industry sources
  • Document and enforce policies for new client intake

Maintain a written information security plan

Tax professionals are legally required to maintain a Written Information Security Plan (WISP). IRS Publication 5708 provides templates and guidance. Your WISP should document:

  • Risk assessment procedures
  • Employee security training requirements
  • Technical and physical safeguards
  • Incident response procedures
  • Vendor security requirements
  • Data retention and disposal policies

How should accountants respond to a new client scam incident?

When a breach occurs or is suspected, rapid response limits damage and protects affected clients. The IRS provides specific guidance for tax professionals experiencing security incidents.

Immediate containment (first 24 hours)

Step 1: Isolate compromised systems

  • Disconnect affected computers from the network immediately
  • Do not power off systems (preserve forensic evidence)
  • Disable compromised user accounts
  • Change passwords on all potentially affected accounts from a known-clean device

Step 2: Preserve evidence

  • Do not delete emails, logs, or files
  • Document the timeline of events
  • Screenshot any suspicious messages or activities
  • Note which systems and accounts may have been accessed

Step 3: Contact your IRS Stakeholder Liaison

Report client data theft immediately. The IRS Stakeholder Liaison will:

  • Notify IRS Criminal Investigation
  • Alert appropriate IRS offices
  • Help block fraudulent returns in clients' names
  • Guide you through the response process

Speed is critical. The IRS states that "if reported quickly, the IRS can take steps to block fraudulent returns in clients' names."

Regulatory notification (24-72 hours)

Step 4: Notify state tax agencies

Email the Federation of Tax Administrators at StateAlert@taxadmin.org to report the breach to all affected states. Visit the FTA Report a Data Breach page for state-specific contact information.

Step 5: Contact state attorneys general

Most states require data breach notification to the attorney general. Requirements vary by state; some have notification deadlines as short as 72 hours.

Step 6: Understand FTC requirements

Review the Federal Trade Commission's Data Breach Response requirements, which apply to tax professionals under the Safeguards Rule.

Professional response (first week)

Step 7: Engage expert support

  • Retain a cybersecurity forensics firm to determine breach scope and cause
  • Contact your professional liability insurance carrier
  • Consult with legal counsel on notification obligations
  • Consider engaging a breach response service for client communications

Step 8: File law enforcement reports

  • Submit a complaint to the FBI Internet Crime Complaint Center at ic3.gov
  • File a report with local law enforcement
  • Report to the Federal Trade Commission at IdentityTheft.gov

Client notification

Step 9: Notify affected clients

Coordinate timing with law enforcement, then send individual letters to all potential victims explaining:

  • What happened and when
  • What information may have been exposed
  • Steps they should take to protect themselves
  • Resources for identity theft protection
  • Your contact information for questions

Advise clients to:

  • Apply for an IRS Identity Protection PIN at irs.gov/ippin
  • Complete Form 14039 (Identity Theft Affidavit) if they receive IRS notices or have returns rejected
  • Place fraud alerts or credit freezes with credit bureaus
  • Monitor credit reports and financial accounts
  • Report identity theft at IdentityTheft.gov

Recovery and remediation

Step 10: Implement improvements

  • Address identified security gaps
  • Update your Written Information Security Plan
  • Conduct additional staff training
  • Consider enhanced monitoring services
  • Document lessons learned

Frequently Asked Questions

What makes the new client scam different from regular phishing?

The new client scam is a form of spear phishing specifically designed to exploit accounting practice workflows. Unlike generic phishing that casts wide nets with obvious scam indicators, new client attacks target individual firms with contextually relevant messages that mimic legitimate business inquiries. The attack succeeds because receiving tax documents from prospective clients represents normal operations. The IRS identifies this scheme as particularly dangerous because "a successful spear phishing attack can ultimately steal client data and the tax pro's identity, allowing the thief to file fraudulent returns."

How can I verify if a new client inquiry is legitimate?

Never rely solely on information provided in the initial email. Search independently for the prospective client's name, business, and contact information. Call them using a phone number you locate yourself, not one they provided. Request an initial phone or video consultation before accepting any documents. Legitimate prospective clients will not object to standard verification procedures. If someone refuses verification or creates urgency to bypass your intake process, treat this as a red flag.

What should I do if I already opened a suspicious attachment?

Immediately disconnect the computer from your network to prevent lateral spread. Do not continue using the device. From a separate, known-clean device, change passwords for all accounts that may have been accessed, prioritizing email and tax software. Contact your IRS Stakeholder Liaison to report potential client data exposure. Engage a cybersecurity professional to assess the compromise scope and remove any malware. Run anti-virus scans on all networked devices.

Are there specific times when new client scams increase?

New client scams peak during tax filing season from January through April when accountants are most likely to receive legitimate new client inquiries and are working under time pressure that may reduce scrutiny. The IRS specifically warns that "this scam peaks during the busy tax filing season." However, attacks occur year-round, and accountants should maintain vigilance regardless of season.

What credentials do attackers specifically target in these attacks?

Attackers specifically seek Electronic Filing Identification Numbers (EFINs) that enable electronic tax return submission, Preparer Tax Identification Numbers (PTINs) required on all prepared returns, and Centralized Authorization File (CAF) numbers used to access client tax information from the IRS. These credentials, combined with stolen client data, enable criminals to file fraudulent returns that appear legitimate because they come from valid tax professional accounts and contain accurate taxpayer information.


Executive summary (TL;DR)

The new client scam is a targeted spear phishing attack where cybercriminals impersonate prospective clients to steal credentials and taxpayer data from accountants, CPAs, and tax preparers.

The threat: Attackers send professional-looking emails requesting tax preparation services. When accountants respond, criminals deliver malware-laden attachments or credential-harvesting links disguised as tax documents. The IRS 2025 Dirty Dozen identifies this as a pervasive threat.

Scale of impact: The IRS Security Summit reports nearly 300 data breaches in the first half of 2025, affecting up to 250,000 clients. FBI IC3 documented $16.6 billion in total 2024 cybercrime losses, with $2.77 billion from Business Email Compromise schemes.

Attack sequence: Initial inquiry → trust building → malicious document delivery → credential theft or malware installation → client data exfiltration → fraudulent return filing.

Detection priorities: Verify new clients independently. Watch for awkward phrasing, resistance to phone contact, and urgency to share documents before engagement. Never open attachments without verification.

Prevention essentials: Implement the IRS "Security Six" (anti-virus, firewall, MFA, backups, encryption, VPN). Establish verification procedures requiring phone contact before accepting documents. Configure email security with DMARC reject policies.

Incident response: Report immediately to your IRS Stakeholder Liaison, state tax agencies via Federation of Tax Administrators, and law enforcement. Notify affected clients with guidance on Identity Protection PINs and credit monitoring.

Legal requirements: FTC mandates multi-factor authentication and Written Information Security Plans for all tax professionals. Breaches trigger mandatory reporting to multiple agencies.


Additional resources

IRS Publications

  • Publication 4557: Safeguarding Taxpayer Data
  • Publication 5293: Data Security Resource Guide for Tax Professionals
  • Publication 5708: Creating a Written Information Security Plan
  • Publication 5709: How to Create a Written Information Security Plan for Data Safety

IRS online resources

  • Identity Theft Central: irs.gov/identity-theft-central
  • Data Theft Information for Tax Professionals: irs.gov/individuals/data-theft-information-for-tax-professionals
  • Security Summit: irs.gov/tax-professionals/security-summit
  • Report Phishing: phishing@irs.gov

Federal resources

  • FBI IC3: ic3.gov
  • FTC Identity Theft: IdentityTheft.gov
  • NIST Small Business Cybersecurity: nist.gov/itl/smallbusinesscyber

State resources

  • Federation of Tax Administrators Data Breach Reporting: taxadmin.org
  • State breach notification email: StateAlert@taxadmin.org

This article was prepared by Ṣọ Email Security based on official guidance from the Internal Revenue Service, FBI Internet Crime Complaint Center, National Institute of Standards and Technology, and the IRS Security Summit. Information is current as of February 2026. Accounting professionals should consult current IRS guidance and legal counsel for compliance requirements specific to their practice.