Tax season is peak season — and cybercriminals know it. When your office is moving fast, a bad email or fake “urgent” request can lead to stolen logins, client data exposure, or days of lost productivity.
The good news: you don’t need to be a tech expert to reduce your risk. Here are the threats hitting tax offices right now and the first steps to take.
1) Stolen logins for email and portal accounts
Most cyber incidents at small firms start the same way: a login belonging to a tax pro or staff member gets stolen. Once a criminal has a single credential, they move fast.
How does it happen?
- Phishing: A fake email tricks someone into typing a password on a look‑alike login page.
- MFA push spam: A criminal keeps sending MFA “approve” popups until someone clicks yes.
- Info stealers: Malware steals saved passwords from a browser.
If a cybercriminal gains access to your email, they can often use it to reset passwords for your other systems. And if they get into your IRS e-Services or e-file accounts, they can cause serious damage in a very short amount of time.
Red flags to watch for:
- Password reset emails you didn’t request
- Multi-factor authentication (MFA) prompts you didn’t initiate
- Clients receiving unusual messages that appear to come from you
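For whoever handles IT for the office, one way to spot the MFA push spam pattern described above in sign-in logs. This is an added example, not part of the original article; the log format, field names, 10-minute window and threshold of 3 are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (hypothetical format, not from any real product).
SAMPLE_LOG = """\
2025-02-10T08:01:05Z user=pat@example.com event=mfa_push result=denied
2025-02-10T08:01:40Z user=pat@example.com event=mfa_push result=timeout
2025-02-10T08:02:10Z user=lee@example.com event=mfa_push result=approved
2025-02-10T08:02:15Z user=pat@example.com event=mfa_push result=denied
2025-02-10T08:03:00Z user=pat@example.com event=mfa_push result=approved
2025-02-10T09:30:00Z user=lee@example.com event=mfa_push result=denied
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 3                   # assumed count of denied/ignored prompts


def parse_line(line):
    """Return (timestamp, user, result) for an mfa_push line, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if fields.get("event") != "mfa_push" or "user" not in fields:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields.get("result", "")


def detect_push_spam(log_text):
    """Flag users with THRESHOLD+ denied or ignored prompts inside WINDOW."""
    recent = defaultdict(deque)   # user -> timestamps of rejected prompts
    alerts = {}                   # user -> "push_spam" or "approved_after_spam"
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result = parsed
        q = recent[user]
        while q and ts - q[0] > WINDOW:
            q.popleft()           # drop prompts older than the window
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= THRESHOLD:
                alerts.setdefault(user, "push_spam")
        elif result == "approved" and len(q) >= THRESHOLD:
            alerts[user] = "approved_after_spam"  # approval right after a burst
    return alerts
```

An "approved_after_spam" result is the case to act on first: reset that user's password, end their active sessions, and review recent account activity.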
2) Fake “tax pro” requests such as EFIN/PTIN and IRS‑style impersonation
Criminals often pretend to be the IRS, a bank, vendor, or IT support. Their goal is to create panic so someone clicks, pays, or shares a code before thinking.
Red flags to watch out for:
The message will typically read something like this:
- “Your EFIN needs immediate validation”
- “Your PTIN is being suspended — click here”
- “We need to verify your account right now”
3) Third‑party vendors: your partners can become your risk
Even careful firms can get hit because of a tool or service they rely on — cloud storage, IT support, document sharing, email security, payment tools, etc. A single compromised vendor can expose client data or stop work during peak weeks.
How does this happen?
A vendor account:
- Is compromised and used to access client data
- Sends a fake email that is convincing
- Has an outage or an incident that disrupts your ability to work during peak weeks
Red flags to watch for:
- “Support” emails asking you to log in, reset a password, or install a tool
- Unexpected invoices or changes to payment instructions
- Vendor notices that are vague or confusing when describing an incident or outage
Three simple things to do now
Step 1: Protect logins like cash, especially email login
How?
- Turn on multi‑factor authentication (MFA) for email, remote access, and any portal with taxpayer data. Use phishing‑resistant MFA factors whenever possible.
  - What is basic MFA? A text or a phone “approve” prompt.
  - What is phishing‑resistant MFA? A passkey or authenticator application that’s much harder to trick.
- Use unique and complex passwords everywhere; a password manager helps.
  - What is a password manager? A password manager is a secure tool that stores, generates, and autofills strong, unique passwords for your accounts so you don’t have to remember them yourself.
- If you see an MFA prompt you didn’t start: hit “deny” and tell your administrator or IT support.
Step 2: Secure the tools you use every day — including your vendors
How?
Protect the systems you depend on before a busy day makes it harder to slow down and verify.
For email (your #1 risk area):
- Tighten spam/phishing filtering and be cautious with unexpected attachments
- Turn off automatic forwarding to outside email addresses unless you truly need it
- Add a “pause step” to your processes: any urgent request to log in or change payment or banking details gets verified by calling a known number
For office computers and laptops:
- Turn on automatic updates for Windows/Mac, browsers, and Microsoft 365
- Use reputable business antivirus and/or security software on every PC and laptop
- Avoid using everyday accounts with “computer administrator” rights
For third‑party vendors (cloud apps, IT providers, payment tools, portals):
- Make a short list of critical vendors (touch taxpayer data or would stop your business if down)
- For each vendor, confirm three basics:
  - MFA is required
  - Data is encrypted
  - You can get your data back (export/recovery plan)
- Ask vendors:
  - “How fast will you notify us if you’re breached?”
  - “Who do we contact after hours?”
Simple rules that keep you safe:
- Never share logins or verification codes
- Don’t install software because of an unsolicited email or call
- When in doubt, hang up and call back using a trusted number you already have
Step 3: Prepare for emergencies with backups you can actually restore
How?
Backups only matter if they work—and you don’t want to find out they don’t when you’re on a deadline.
- Keep backups of your data that can’t be altered or encrypted by ransomware (for example, copies stored offline or in a secure, locked-down environment).
- Test your backups ahead of filing season to make sure you can quickly restore your data if something goes wrong.
- Limit access to your backup systems so only trusted team members can view or manage them.
Attackers count on urgency and distraction. Be aware.
Taking the steps shown above right now may significantly reduce the chance your firm becomes a target — or a headline.
For more information, please review (link to two other posts). Contact (support) for more information on Drake cybersecurity measures.
Disclaimer: This article is for informational purposes only and not legal or financial advice.


