The Top 3 Cyber Risks Facing Tax Firms This Season — and What to Do First

Tax season brings tight deadlines, long hours, and constant communication with clients. It also brings something else: increased cyberattacks.

Criminals know tax offices are moving quickly and handling sensitive financial data. That combination makes firms especially attractive targets. The reality is that most successful attacks don’t start with sophisticated hacking — they start with a stolen login, a rushed click, or an unverified request.

The encouraging news? You don’t need to be an IT specialist to dramatically lower your risk. Below are the most common threats facing tax firms right now — along with practical steps you can take immediately.

 

1. Compromised Logins (Especially Email)

For many small and mid-sized firms, cybersecurity incidents begin with a single stolen credential. Once attackers gain access to one account — particularly email — they can quickly expand their reach.

How credentials get stolen

  • Phishing emails that direct users to fake login pages designed to capture passwords
  • MFA fatigue attacks, where repeated authentication prompts are sent until someone clicks “approve” out of frustration
  • Password-stealing malware that captures saved browser credentials

If someone gains access to your email account, they may be able to reset passwords to other platforms. If IRS e-Services or e-file credentials are exposed, the consequences can escalate quickly.

Warning signs

  • Password reset notifications you did not initiate
  • Multi-factor authentication prompts you did not request
  • Clients reporting unusual or unexpected emails from your firm
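If your identity provider can export sign-in or MFA prompt events, the second warning sign above can be checked automatically instead of relying on staff to report it. The sketch below is an added example, not part of the original article: the tuple layout (user, timestamp, result), the result labels, and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (user, ISO timestamp, prompt result).
SAMPLE_EVENTS = [
    ("preparer1@example.com", "2025-02-10T02:14:05", "denied"),
    ("preparer1@example.com", "2025-02-10T02:15:10", "denied"),
    ("preparer1@example.com", "2025-02-10T02:16:40", "timeout"),
    ("preparer1@example.com", "2025-02-10T02:18:02", "denied"),
    ("preparer1@example.com", "2025-02-10T02:19:30", "approved"),
    ("frontdesk@example.com", "2025-02-10T13:00:00", "denied"),
    ("frontdesk@example.com", "2025-02-10T13:01:00", "denied"),
    ("frontdesk@example.com", "2025-02-10T13:02:30", "denied"),
    ("frontdesk@example.com", "2025-02-10T13:04:00", "denied"),
    ("partner@example.com", "2025-02-10T09:00:12", "approved"),
    ("admin@example.com", "2025-02-10T08:00:00", "denied"),
    ("admin@example.com", "2025-02-10T10:30:00", "denied"),
    ("admin@example.com", "2025-02-10T15:45:00", "denied"),
]

def find_mfa_fatigue(events, window_minutes=10, min_prompts=4):
    """Flag users who received a burst of MFA prompts inside a short window.

    A burst usually means the password is already known to someone else,
    so every flagged user needs a password reset. A burst that ends in an
    approval after earlier rejections is the most urgent case.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for user, when, result in events:
        by_user[user].append((datetime.fromisoformat(when), result))

    findings = {}
    for user, prompts in by_user.items():
        prompts.sort()
        start = 0
        for end, (when, result) in enumerate(prompts):
            while when - prompts[start][0] > window:  # slide the window forward
                start += 1
            burst = prompts[start:end + 1]
            if len(burst) < min_prompts:
                continue
            hit = findings.setdefault(user, {"prompts": 0, "approved_after_rejection": False})
            hit["prompts"] = max(hit["prompts"], len(burst))
            if result == "approved" and any(r != "approved" for _, r in burst[:-1]):
                hit["approved_after_rejection"] = True
    return findings
```

Treat any user returned with `approved_after_rejection` set as a likely account takeover: revoke active sessions and reset the password before investigating further.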

 

2. IRS and “Tax Pro” Impersonation Scams

Attackers frequently pose as the IRS, financial institutions, vendors, or even internal IT support. Their goal is simple: create urgency so you act before verifying.

You might see messages claiming:

  • “Your EFIN requires immediate verification.”
  • “Your PTIN is about to be suspended.”
  • “We must confirm your account details today.”

These messages are designed to provoke anxiety and bypass normal caution. Once someone clicks a malicious link or shares a verification code, attackers gain an entry point.

Red flags to look for

  • Unexpected demands for immediate action
  • Requests to “verify” credentials or payment information
  • Emails urging you to click links to prevent suspension or penalties

When something feels rushed or threatening, pause. Scammers rely on pressure.

 

3. Vendor and Third-Party Risk

Your firm likely depends on multiple external services — cloud storage providers, tax software platforms, document portals, IT partners, and payment systems.

Even if your internal controls are strong, a compromised vendor can disrupt operations or expose client data.

What this can look like

  • A vendor account is breached and used to access shared information
  • A convincing phishing email appears to come from a trusted provider
  • A service outage halts operations during peak filing weeks

Warning signs

  • “Support” messages asking you to install software or reset passwords unexpectedly
  • Sudden changes in payment instructions
  • Vague or unclear notices describing a vendor “incident”

 

Three Immediate Actions to Reduce Risk

You don’t have to overhaul your entire IT environment overnight. Start with these foundational steps.

 

Step 1: Treat Login Credentials Like Cash

Your email account is often the master key to your firm’s systems. Protect it accordingly.

Strengthen authentication

  • Enable multi-factor authentication (MFA) on email, remote access, portals, and any system containing taxpayer data
  • Whenever possible, use phishing-resistant MFA (such as passkeys or authenticator apps) instead of basic text messages

Basic MFA typically involves a text code or “approve” prompt.

Phishing-resistant MFA relies on authentication methods that are significantly harder to intercept or trick.

Improve password hygiene

  • Use long, unique passwords for every system
  • Implement a password manager to securely generate and store credentials

A password manager helps create strong passwords and automatically fills them in securely — so staff don’t reuse or simplify credentials.

If you receive an authentication prompt you did not initiate, deny it immediately and notify your IT support.

 

Step 2: Secure the Systems You Use Daily

Prevention is easier before peak workloads make it harder to slow down and verify requests.

For email

  • Strengthen spam and phishing filtering
  • Disable automatic forwarding to external accounts unless absolutely necessary
  • Add a verification step for urgent requests involving payments, account changes, or login credentials — confirm by calling a trusted number

For office devices

  • Enable automatic updates for operating systems, browsers, and Microsoft 365
  • Install reputable business-grade antivirus or endpoint protection
  • Avoid giving everyday users administrator privileges

For critical vendors

Identify vendors whose systems store taxpayer data or whose downtime would halt your operations.

For each key vendor, confirm:

  • MFA is required
  • Data is encrypted
  • Backup and recovery options are available

Ask vendors clear questions:

  • How quickly will you notify us of a breach?
  • Who is our emergency contact after business hours?

 

Step 3: Ensure Your Backups Actually Work

Backups only help if they can be restored quickly.

Before filing season:

  • Maintain backups that cannot be modified or encrypted by ransomware (such as offline or protected storage)
  • Test restoration procedures to confirm data can be recovered
  • Restrict access to backup systems to authorized personnel only

The worst time to discover a backup failure is during a deadline.
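One way to make "test restoration procedures" concrete is to record file hashes when the backup is taken and compare them against a trial restore. This is an added example, not part of the original article; the folder layout and file names are constructed, and it assumes the backup tool can restore to an ordinary folder.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB chunks
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def verify_restore(manifest, restored_root):
    """Compare a restored folder against the manifest taken at backup time."""
    restored = hash_tree(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(f for f in manifest
                            if f in restored and manifest[f] != restored[f]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }

def demo():
    """Constructed trial: one file lost, one altered, one added in the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for root in (live, restored):
            (root / "clients").mkdir(parents=True)
        (live / "clients/smith_1040.pdf").write_bytes(b"return A")
        (live / "clients/lee_1040.pdf").write_bytes(b"return B")
        (live / "engagement.txt").write_bytes(b"letter")
        manifest = hash_tree(live)  # taken when the backup runs

        (restored / "clients/smith_1040.pdf").write_bytes(b"return A")   # intact
        (restored / "clients/lee_1040.pdf").write_bytes(b"damaged")      # altered
        (restored / "unexpected_file.tmp").write_bytes(b"x")             # not in backup
        return verify_restore(manifest, restored)                        # engagement.txt never restored

if __name__ == "__main__":
    print(demo())
```

Store the manifest somewhere the backup system cannot overwrite, so a tampered backup cannot also rewrite the hashes it is checked against.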

 

A Simple Rule to Remember

  • Never share passwords or verification codes
  • Do not install software based on unsolicited emails or calls
  • When uncertain, hang up and call back using a known, trusted number

Cybercriminals count on distraction, urgency, and fatigue. Awareness and a few disciplined practices significantly reduce your exposure.

Taking these steps now can help protect your firm, your clients, and your reputation during the busiest time of the year.

Disclaimer: This article is for informational purposes only and not legal or financial advice.