
Building a robust cybersecurity culture in your tax practice

Jun 18, 2026 · 5 min read · AICPA & CIMA Insights Blog

In an increasingly digital tax environment, the risk to client data security is rising. According to IRS insights shared during the April session of the Washington Tax Brief, breaches affecting tax professionals are not only increasing — they’re accelerating year over year.

For CPAs, tax practitioners, and firm leaders, the takeaway is clear: a basic security setup is no longer enough. Cybercriminals are becoming more sophisticated and targeting firms that handle sensitive client data. When a breach occurs, the impact rarely stays contained and can affect hundreds or even thousands of clients.

This makes cybersecurity not just an IT concern, but a critical part of protecting your practice, your clients, and your reputation.

Why tax professionals are prime targets

Tax professionals handle a lot of highly sensitive financial information. From Social Security numbers to bank account details, the data handled daily is incredibly attractive to cybercriminals.

Because of this, even firms that believe they are well protected remain at risk. The IRS emphasizes that attackers are increasingly exploiting human behavior, rather than simply trying to break through technical defenses.

In practice, this means a breach often begins with something deceptively simple. A phishing email that appears legitimate, a link that looks trustworthy, or a message that aligns with everyday workflows — these are the entry points attackers rely on.

A single click can be enough to install malware, providing attackers with access to client data and system credentials. By the time the issue becomes visible, the damage may already be significant.

The evolving threat landscape

Today’s cyber threats are more subtle, more targeted and harder to detect than in the past.

Phishing emails, for instance, are no longer easy to spot. They often replicate official IRS communications, complete with logos and professional formatting. At a glance, they appear legitimate. It’s only when you inspect the sender’s address or hover over a link that irregularities emerge — sometimes revealing overseas domains that have no connection to the IRS.
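The two checks described above, inspecting the sender’s address and comparing where a link says it goes with where it actually points, can be applied mechanically before anyone clicks. The following is an added Python example, not code from the AICPA post or from the IRS: it parses the From header, extracts each link’s visible text and real target from the HTML body, and reports mismatches or untrusted hosts. The trusted-domain list is an assumption, and the sample message and its `.example` domains are constructed placeholders, not real indicators.

```python
"""Added example (not from the AICPA post): flag the two phishing
indicators the article describes, a sender address whose domain is not
the one it claims to be, and a link whose visible text names a different
host than its href. Sample data below is constructed; the .example
domains are placeholders, not real indicators."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
from email.utils import parseaddr

# Domains the firm expects official mail and links to use (assumption).
TRUSTED_DOMAINS = {"irs.gov"}

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname: a crude stand-in for the registered
    domain that is enough here (production code should use the Public
    Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(from_header):
    """Return a finding string if the sender's domain is not trusted, else None."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain not in TRUSTED_DOMAINS:
        return (f"sender domain '{domain}' is not trusted "
                f"(display name: '{display}')")
    return None


def check_links(html_body):
    """Return findings for links whose visible text names one host while
    the href points to another, or whose href host is not trusted."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown_host = ""
        if URL_LIKE.match(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
        if shown_host and registered_domain(shown_host) != registered_domain(href_host):
            findings.append(f"link text shows '{shown_host}' but points to '{href_host}'")
        elif registered_domain(href_host) not in TRUSTED_DOMAINS:
            findings.append(f"link '{text}' points to untrusted host '{href_host}'")
    return findings


def triage(from_header, html_body):
    """Run both checks and return the combined list of findings."""
    findings = []
    sender_finding = check_sender(from_header)
    if sender_finding:
        findings.append(sender_finding)
    findings.extend(check_links(html_body))
    return findings


# Constructed sample message: a lookalike sender and a link whose text
# claims to be irs.gov but resolves elsewhere.
SAMPLE_FROM = '"IRS e-Services" <noreply@irs-refund-notice.example>'
SAMPLE_HTML = """
<html><body>
<p>Your refund is pending.
<a href="https://secure.irs-refund-notice.example/login">www.irs.gov/refund</a></p>
<p>Or <a href="https://www.irs.gov/">visit irs.gov</a> directly.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_HTML):
        print("FINDING:", finding)
```

Run as a script it reports two findings for the sample: the untrusted sender domain and the link whose text says `www.irs.gov` while the href goes to `secure.irs-refund-notice.example`; the genuine `irs.gov` link produces nothing. The same functions can be pointed at a real message body pulled from a mail client or gateway.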

Another evolving tactic is the use of legitimate platforms to host malicious files. Attackers may direct users to trusted services — such as document-sharing or cloud platforms — before prompting them to download infected files. Because the initial interaction appears safe, both users and security tools may miss the threat.

These methods are particularly effective because they mimic the way tax professionals already work. Requests to review documents, onboard new clients or join virtual meetings all feel familiar, making it easier for attackers to bypass suspicion.

The real impact: Beyond the initial breach

One of the most important insights from the IRS is that data breaches are rarely short-term events.

Virtually every state has been affected, and no type of practice is immune. Importantly, the consequences go far beyond the firm itself. A single breach can expose the personal information of thousands of taxpayers, creating long-term risks of identity theft and financial fraud.

In some cases, stolen data continues to be used years after the initial breach. Once information is compromised and circulated, it can remain active on the dark web for an extended period, affecting clients long after the original incident.

This highlights a fundamental shift from preventing cybersecurity disruptions today to protecting client trust over the long term.

IRS recommendations: Strengthening your defenses

To help address these risks, there are several practical steps that can significantly reduce exposure when applied consistently. The CPA cybersecurity checklist is a place to start when looking at your firm’s defenses.

One of the most effective safeguards is multi-factor authentication (MFA). However, the IRS stresses that configuration matters: receiving authentication codes on a mobile phone provides stronger protection than email-based codes, which can be intercepted if email systems are compromised. Best-practice guidance for data security can help you ensure criminals can’t succeed through MFA bombardment or other MFA abuse.

Another critical measure is the use of Identity Protection PINs (IP PINs) for clients. These provide an additional layer of protection against fraudulent filings. Timing is key when using these. Sensitive data such as IP PINs and banking information should only be entered into systems when preparing to submit a return. Storing this information unnecessarily increases risk.

Firms are also encouraged to actively monitor their EFIN activity, comparing the number of returns submitted with those processed by the IRS. Small discrepancies can serve as early warning signs of unauthorized activity.

Remember, a written security plan is required by the Federal Trade Commission’s (FTC) Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA).

Everyday behaviors that increase risk

While advanced technology plays an important role in security, everyday behaviors often determine how vulnerable a firm really is.

A common risk comes from mixing personal and professional activities on the same device. Opening personal email accounts on work-designated computers increases exposure to phishing attempts and malicious links. The IRS advises keeping a clear boundary between business and personal use to reduce this risk.

Another frequent issue is outdated security systems. Many practitioners underestimate the importance of keeping antivirus software, phishing protection and system updates fully up to date. Outdated systems remain one of the easiest entry points for attackers.

As firms increasingly rely on remote access and flexible working, maintaining secure connections — such as through virtual private networks — becomes even more important.

Recognizing the warning signs and acting quickly

Even with strong safeguards in place, it’s essential to recognize the early signs of a potential breach.

These may include unexpected rejections of tax returns you know you have already filed, unusual system behavior or performance issues, or signs of unauthorized activity. In some cases, clients may receive identity verification letters from the IRS despite not yet filing returns — another indicator that something may be wrong.

Recognizing these signs early allows firms to act quickly, reducing the scope and impact of a breach.

If a breach does occur, the IRS stresses that acting quickly is critical.

The first step is to contact the IRS and report the incident. From there, firms should follow their Written Information Security Plan, notify relevant partners such as insurers, and engage IT professionals to assess systems and identify vulnerabilities.

One of the most important steps is securing the firm’s EFIN. The IRS can deactivate a compromised EFIN and issue a new one, helping prevent further fraudulent filings.

Timely action can significantly limit the damage, both for the firm and for affected clients, and resources from the Tax Identity Theft Toolkit can help you prepare for the consequences of stolen identities.

A stronger security culture starts now

Ultimately, the most effective defense against data breaches is a proactive, consistent security culture.

This means regularly reviewing your written information security plan, keeping systems updated, and reinforcing key behaviors across your team. For smaller firms or sole practitioners, this responsibility becomes even more critical, as there are fewer layers of protection.

Cybersecurity is not a one-time effort. It requires ongoing attention, awareness and adaptation as threats continue to evolve.

Keeping up with cybersecurity risks — and broader tax developments — is essential in today’s environment. The Washington Tax Brief webcast series, free for AICPA members, helps tax professionals stay ahead with timely updates, expert insights, and practical guidance on the issues shaping the profession.

The next session takes place on June 24 and will cover the latest legislative and regulatory developments impacting tax professionals and their clients.

Register today to stay proactive and informed.

Kristin M. Esposito, CPA, MST

Based in Washington, DC, Kristin is a Director on the AICPA’s Tax Policy & Advocacy team. She works with volunteer leaders, policymakers and regulators to shape federal tax policy, improve tax administration, and advance the profession’s tax advocacy priorities.
