Tax pros are particularly vulnerable during tax season when they are busy.
getty
Scammers are not just targeting taxpayers. Increasingly, they are targeting the tax professionals who hold taxpayer data.
That’s the message behind the IRS and Security Summit partners’ summer scam-prevention campaign, “Protect Your Clients; Protect Yourself,” a five-week effort aimed at helping tax pros recognize emerging threats, strengthen basic security practices, and respond quickly if client or business data is compromised. The IRS says this year’s effort will focus on new and evolving schemes targeting preparers, core security safeguards, written security plans, identity protection tools, and breach reporting.
Why Tax Pros Are Valuable Targets
Tax pros remain one of the most valuable targets for tax scammers. If a single compromised taxpayer account is useful to a criminal, imagine how much more valuable a compromised tax office could be.
Preparers may have access to names, Social Security numbers, dependent information, wage and income records, business records, bank account details, prior-year returns, driver’s license information, and IRS authorization forms. In other words, they have exactly the kind of information identity thieves need to file false returns, redirect refunds, or impersonate taxpayers and practitioners.
A Brief History Of The Security Summit
The Security Summit was created in 2015 as a public-private partnership among the IRS, state tax agencies, and the tax industry to respond to tax-related identity theft and refund fraud. The partnership includes the IRS, state tax agencies, tax preparation firms, software developers, payroll and tax financial product processors, tax professional organizations, financial institutions, and other participants in the filing system.
By 2015, tax-related identity theft had become a serious filing-season threat. Criminals were stealing personal information from many sources and using it to file fraudulent returns in victims’ names, often before the legitimate taxpayer had filed.
The Summit’s original work focused heavily on preventing bad returns before refunds were issued, but the threat has evolved over the past decade. The IRS and its partners are no longer focused only on taxpayer-facing scams. They are also focused on attacks against the tax-filing infrastructure itself, including software accounts, preparer credentials, client portals, and computer systems.
IRS Impersonation Scams
One of the most persistent threats is IRS impersonation. These scams are no longer limited to aggressive phone calls claiming that a taxpayer owes money. Scammers now use email, text messages, direct messages, spoofed caller ID, fake websites, robocalls, and computer-generated voices to pressure victims into clicking links, opening attachments, making payments, or sharing sensitive information.
While imposter schemes often target taxpayers—in 2025, the FTC received more than one million reports of imposter scams, with reported losses increasing by nearly 20% to $3.5 billion—they also take aim at tax pros. When it comes to tax pros, a fake IRS message is typically intended to steal software credentials, install malware, or gain access to client files.
The common thread for both taxpayers and tax pros is urgency. When it comes to tax props, a message may claim that an account has been suspended, that a refund has been blocked, that a filing problem must be resolved immediately, or that a preparer must verify information to avoid losing access. Scammers want the recipient to react before checking whether the request is legitimate.
Tax pros should be especially cautious about any unexpected message that asks them to click through to an IRS-looking login page, download a supposed notice, verify account information, or respond outside normal IRS channels. The IRS generally initiates contact through regular mail, not through a surprise text, social media message, or email demanding immediate action.
Misleading Tax Advice On Social Media
The IRS and Summit partners are also warning about misleading tax advice on social media. This is not always framed as a traditional scam, but the damage can be real. Viral posts may promise unusually large refunds or promote “tax hacks” involving credits, deductions, withholding, or forms that most taxpayers do not qualify to use.
For taxpayers, while these posts are presented as harmless tips or shortcuts (often billed as “the one trick your tax pro won’t show you”), following this advice can have serious consequences. Returns containing inaccurate information may delay refunds, trigger IRS audits, result in penalties, or lead to potential criminal charges if fraud is involved.
Recent examples include posts encouraging taxpayers to claim credits they do not qualify for, including the Fuel Tax Credit and the Sick and Family Leave Credit. They are often packaged as hidden refund opportunities, but the result can be refund delays, IRS correspondence, penalties, or amended returns.
For tax pros, the problem is both technical and practical. It becomes their job to explain why a viral strategy is not legitimate and to push back against clients who insist that “everyone is doing it.”
The “New Client” Scam
Another scheme, the “new client” scam, is especially dangerous because it appears to be normal tax practice. A fraudster contacts a preparer, posing as a prospective client. The initial inquiry—usually by email—may sound ordinary: the person moved, changed jobs, started a business, received an IRS notice, or needs help filing quickly. (I get several of these per day.)
I get several “new client” emails every day—it’s a tool tricksters use to scam tax professionals.
Kelly Phillips Erb
After an initial exchange, the supposed client sends a link or attachment described as a W-2, 1099, prior-year return, tax organizer, notice, or set of business records. The attachment may contain malware, or the link may lead to a credential-stealing page. Once the preparer clicks, the scammer may be able to access email, tax software, firm systems, cloud storage, or client files throughout the office.
The scheme works because tax pros are used to receiving sensitive documents from people they have not yet met. And during filing season, a PDF from a prospective client may not feel suspicious. That’s exactly why the IRS has repeatedly warned tax pros to be careful with new-client emails and unsolicited attachments.
The best defense is not simply telling staff to “be careful.” Firms need a standard intake process, and prospective clients should be verified before documents are opened. Tax records should be exchanged through a secure portal, not through random email attachments. Don’t bypass those rules because someone sounds friendly—or urgent.
EFIN, PTIN, And CAF Scams
The IRS also flagged scams involving EFINs, PTINs, and CAF numbers.
An Electronic Filing Identification Number, or EFIN, is issued by the IRS to firms and individuals authorized to participate in IRS e-file. In practical terms, it is tied to a firm’s ability to file returns electronically. That makes it valuable to criminals who want to make fraudulent filings appear to come from a legitimate tax professional or firm.
A Preparer Tax Identification Number, or PTIN, identifies paid return preparers. Anyone who prepares or assists in preparing federal tax returns for compensation generally must have one. A PTIN is not the same as an EFIN, but it can still be useful to scammers trying to impersonate a preparer or make a phishing message look more credible.
A Centralized Authorized File, or CAF, number is used in connection with IRS authorizations, including powers of attorney and tax information authorizations. Tax pros use CAF numbers when representing taxpayers or requesting access to taxpayer information. In the wrong hands, that kind of information can help scammers pose as practitioners, target clients, or attempt to access taxpayer accounts improperly.
Those numbers may not look as sensitive as a Social Security number or a bank account number, but they can be valuable to criminals. Scammers may use professional identifiers to impersonate legitimate tax pros, support fraudulent filings, craft more convincing phishing messages, or improperly access taxpayer information.
A request to “verify” an EFIN, upload EFIN documentation, confirm a PTIN, or provide CAF-related information should be treated with caution, especially if the request arrives through an unsolicited email or link. (I also get several of these per day.)
That’s one reason the IRS continues to emphasize verification and secure channels. Tax pros should not provide professional identifiers, software credentials, IRS e-Services information, or client authorization details through an unexpected email, text, or phone call. When in doubt, go directly to the known provider, portal, or IRS resource rather than clicking a link in the message.
What To Do If There Is A Data Theft
The IRS also stressed that quick reporting matters after a data theft. A preparer who discovers a breach should contact the local IRS Stakeholder Liaison, who can alert the appropriate IRS offices.
The IRS says early reporting can help the agency block fraudulent returns filed in clients’ names. Tax pros should also report incidents to the appropriate state tax agency and review the Federal Trade Commission Guidance on data breach response.
What You Need To Know
Scam prevention is no longer limited to avoiding suspicious phone calls or reminding clients not to click bad links. The threat now reaches across the entire filing process.
The Security Summit was built around the idea that protecting the tax system requires coordination among the IRS, states, industry, and practitioners. Eleven years later, that remains true. For tax pros, security is no longer just about passwords and software updates. It also depends on the inbox, client portal, software login, staff training, and written security plan. A missed warning sign can expose clients, disrupt a practice, and give scammers exactly what they need to file false returns or impersonate a trusted pro.
Read the full article here
