The cybersecurity landscape for tax professionals has fundamentally shifted, with sophisticated threats now targeting practices of all sizes throughout the year.
Recent IRS guidance makes clear that tax-related cybercrime has evolved beyond seasonal phishing attempts into year-round, highly targeted campaigns against accounting firms, tax preparers, and their clients. The agency’s latest security recommendations reflect an urgent need for comprehensive protection strategies.
Federal Compliance Framework: Legal Requirements
The Gramm-Leach-Bliley Act mandates that professional tax preparers implement written information security plans (WISP) to protect client data. This requirement is enforced through the FTC Safeguards Rule, with violations potentially resulting in FTC investigations and suspension of IRS e-file provider status under Revenue Procedure 2007-40. Compliance isn’t optional.
Core Security Infrastructure
Authentication and Access Controls
The IRS emphasizes implementing multi-factor authentication across all systems handling taxpayer data. Password policies should require a minimum of eight characters combining letters, numbers, and symbols. Password management solutions help maintain unique credentials across multiple platforms, so that one compromised account does not expose the others.
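The following is an added illustration, not code from the IRS or from this article, of how a practice could enforce the password requirements stated above in its own intake tooling: the eight-character minimum with letters, digits and symbols, plus the unique-credential principle that a password manager is meant to guarantee. The common-password list and the credential store are constructed sample data; a real deployment would check against a full breached-password list and never keep plaintext passwords.

```python
import hashlib
import string

# Minimum length stated in the IRS guidance above.
MIN_LENGTH = 8

# Constructed sample of weak passwords (assumption: a production check would
# consult a much larger breached-password corpus).
COMMON_PASSWORDS = {"password", "password1!", "taxes2024!", "welcome1!", "qwerty123!"}


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    return problems


def is_compliant(password: str) -> bool:
    """True when the password meets every requirement in check_password."""
    return not check_password(password)


def find_reused(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Group services that share a password.

    credentials maps service name -> password. Passwords are compared by
    SHA-256 digest so the returned report never echoes the password itself.
    Returns {digest: [services]} only for digests used by more than one service.
    """
    by_digest: dict[str, list[str]] = {}
    for service, password in credentials.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_digest.setdefault(digest, []).append(service)
    return {d: s for d, s in by_digest.items() if len(s) > 1}


if __name__ == "__main__":
    # Constructed sample credential store (plaintext only for demonstration).
    sample_store = {
        "tax_software": "Ledger#2024",
        "efile_portal": "Ledger#2024",
        "email": "short1!",
        "bank": "Qr7$wpLx9",
    }
    for service, pw in sample_store.items():
        print(service, "->", check_password(pw) or "OK")
    print("reused across:", list(find_reused(sample_store).values()))
```

The reuse report is keyed by digest rather than by the password so it can be logged or shown to a security coordinator without exposing the credential itself.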
Data Transmission Security
All sensitive data entry must occur exclusively on HTTPS-secured websites. HTTPS encrypts data in transit, so client communications and tax software sessions cannot be read or altered by anyone intercepting the connection.
Endpoint Protection
Deploy enterprise-grade anti-malware solutions with automatic updates across all devices accessing client information. This includes workstations, mobile devices, and any equipment used for remote work arrangements.
Current Threat Landscape
Targeted Spear Phishing Campaigns
Tax professionals face increasingly sophisticated “new client” scams where criminals impersonate prospective clients to deliver malicious attachments or credential-harvesting links. These attacks specifically target the client acquisition process, exploiting professional courtesy and business development instincts.
Warning indicators include unusual grammar patterns, urgent timelines inconsistent with typical client needs, and requests for immediate document downloads or system access.
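As an added example of how the warning indicators above can be turned into a first-pass triage rule for inbound "new client" email (this is illustrative code, not an IRS tool or anything from the original article), the function below flags urgent timelines, requests to download or log in, risky attachment types, and a reply-to domain that differs from the sender. The reply-to check and the attachment-extension list are the editor's additions beyond the indicators named in the text, and both sample messages are constructed. Unusual grammar is left to the human reviewer; it does not reduce well to a keyword list.

```python
from dataclasses import dataclass

# Constructed keyword lists; assumption: tune these to the practice's own mail.
URGENCY_TERMS = ("immediately", "urgent", "today", "asap", "right away", "deadline")
ACTION_TERMS = ("download", "open the attached", "click the link", "log in", "sign in", "portal")
RISKY_EXTENSIONS = (".zip", ".html", ".htm", ".exe", ".js", ".iso", ".lnk")


@dataclass
class Email:
    sender: str
    reply_to: str
    subject: str
    body: str
    attachments: tuple = ()


def domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def triage(email: Email) -> list[str]:
    """Return the list of warning indicators found in the message."""
    findings = []
    text = f"{email.subject}\n{email.body}".lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgent timeline")
    if any(term in text for term in ACTION_TERMS):
        findings.append("requests download, link or login")
    if domain(email.reply_to) != domain(email.sender):
        findings.append("reply-to domain differs from sender")
    risky = [a for a in email.attachments if a.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        findings.append("risky attachment type: " + ", ".join(risky))
    return findings


def verdict(email: Email) -> str:
    """Two or more indicators: hold the message and verify through a known channel."""
    return "verify out of band" if len(triage(email)) >= 2 else "normal intake"


# Constructed sample messages.
SUSPICIOUS = Email(
    sender="newclient@example-accounting.com",
    reply_to="files@example-share.net",
    subject="Need a tax preparer immediately",
    body=("Hello, I need my returns done today before my deadline. Please download "
          "my documents from the attached link and log in to view them."),
    attachments=("Tax_Documents.zip",),
)

ROUTINE = Email(
    sender="maria@example.com",
    reply_to="maria@example.com",
    subject="Referral from Jane Smith - new client inquiry",
    body=("Hi, Jane Smith suggested I contact you. I am looking for help with my "
          "2023 individual return and would like to schedule a call next month."),
)

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(label, "->", verdict(msg), triage(msg))
```

The threshold of two indicators is deliberately conservative: a single hit (a genuine client who is in a hurry, say) should not block intake, while a message that is both urgent and steers staff toward a download or login deserves a phone call to a number obtained independently of the email.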
Credential Theft Operations
Organized efforts are underway to steal Electronic Filing Identification Numbers (EFINs), Preparer Tax Identification Numbers (PTINs), and Centralized Authorization File (CAF) numbers. These campaigns use spoofed websites that mimic legitimate IRS portals and authentication pages to harvest the credentials.
Compromised credentials enable fraudulent return preparation that appears legitimate within IRS systems, creating significant liability exposure for affected practitioners.
Third-Party Account Exploitation
Criminals are targeting clients through fraudulent offers to assist with IRS Online Account setup. These schemes capture personal identifying information for identity theft and fraudulent return filing, potentially implicating the client’s regular tax preparer in subsequent investigations.
Business Protection Protocols
EIN Security Management – Form 8822-B
Employer Identification Numbers (EINs) require the same protection protocols as Social Security numbers. Maintain current information through timely Form 8822-B submissions to prevent security gaps that could facilitate identity theft or business impersonation.
Staff Security Training
Employee education is a critical control in any data protection strategy. Implement regular training covering phishing recognition, secure communication protocols, and incident reporting procedures, and mandate it for all employees who have access to client data. The IRS Identity Theft Central provides comprehensive training resources specifically designed for tax practice environments.
W-2 Request Verification
W-2 requests received after filing season should trigger enhanced verification. Criminals continue to target payroll data through email impersonation of executives or staff, so any request for employee information must be confirmed independently through an established communication channel, never by replying to the request itself.
Disaster Response Considerations
Natural disaster seasons create additional vulnerability windows as scammers exploit emergency situations. Fraudulent IRS impersonation targeting disaster victims requires clear client communication about legitimate assistance channels. The official IRS disaster assistance line (866-562-5227) represents the only authorized contact point for disaster-related tax relief.
Written Information Security Plan Requirements
All tax preparers must have a written information security plan (WISP). Federal compliance mandates specific plan components:
Administrative Safeguards
- Designated security program coordinator
- Comprehensive risk assessment documentation
- Employee management procedures including background verification
- Data access controls based on business necessity
Technical Safeguards
- Secure data storage and transmission protocols
- System monitoring and intrusion detection capabilities
- Regular security assessments and updates
Physical Safeguards
- Secure facility access controls
- Equipment and media disposal procedures
- Environmental protection for data storage areas
Professional Resources
IRS Publication 4557: Safeguarding Taxpayer Data
This comprehensive guide provides detailed implementation guidance for FTC Safeguards Rule compliance, including security plan templates and assessment checklists specifically designed for tax preparation environments.
IRS Publication 5961: Protect Your Business from Tax Scams
Publication 5961 provides focused guidance for small and medium practices on recognizing and preventing common fraud schemes targeting tax professionals and their clients.
IRS Publication 5293: Data Security Resource Guide
Consolidated resource compilation providing current information on data theft prevention and response protocols for tax professionals.
Incident Reporting Protocols
The IRS maintains dedicated reporting channels for security incidents:
- Tax-related phishing schemes: phishing@irs.gov
- W-2 data compromises: dataloss@irs.gov
- State notification requirements: statealert@taxadmin.org
Prompt reporting enables pattern analysis and helps protect the broader professional community from emerging threats.
Ongoing Security Awareness
Stay current with evolving threats through @IRStaxsecurity on X and the comprehensive scam information portal at IRS.gov/scams. Regular monitoring of these channels provides early warning of new attack vectors and defensive strategies.
Strategic Implementation
Effective cybersecurity for tax practices requires viewing data protection as a core professional competency rather than an administrative burden. The regulatory environment will continue evolving toward stricter requirements, making proactive compliance both a risk management strategy and a competitive advantage.
The investment in comprehensive security infrastructure consistently proves less costly than data breach remediation, regulatory penalties, and professional reputation damage. Forward-thinking practices are positioning security capabilities as client service differentiators in an increasingly risk-aware marketplace.
Consider engaging qualified IT security professionals for implementation guidance, particularly for complex compliance requirements or multi-location practices. The specialized nature of tax practice security often benefits from expert consultation to ensure both technical effectiveness and regulatory compliance.
This guidance reflects current IRS recommendations and should be integrated with existing practice management and risk assessment protocols. Regular review and updates ensure continued effectiveness as threat landscapes evolve.