By: Oscar Hernandez-Gutierrez, Security Operations Analyst, Drake Software
In my current role as a Security Operations Analyst, I’ve seen firsthand how threat actors exploit the tax-filing season to launch sophisticated phishing campaigns aimed at tax professionals. These attacks are often well-crafted, highly targeted, and capable of inflicting serious damage on both firms and their clients.
To help you avoid becoming a victim, here are three common phishing scams that tax preparers should watch for this season:
1. New Client Phishing Scams
How it works:
Attackers impersonate prospective clients seeking tax preparation services. These emails often appear completely legitimate, using professional language and even referencing real locations or client types. Once the preparer responds, the attacker sends a follow-up message containing a malicious file or link, typically disguised as a W-2, 1099, or prior return.
Red Flags to Watch:
- Urgent requests to review documents immediately
- Files hosted on file-sharing platforms like Dropbox or Google Drive that the attackers control
- Slight misspellings in email addresses or domain names
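The three red flags above can be turned into a simple triage check on inbound mail. This is an added example, not code from the article or from Drake Software; the trusted-domain list, the file-sharing hosts and the sample message are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Domains this firm actually does business with (constructed placeholder list).
TRUSTED_DOMAINS = {"taxvendor.example", "clientportal.example"}
# File-sharing platforms named in the article; the attacker controls the share.
FILE_SHARE_HOSTS = {"dropbox.com", "drive.google.com"}
URGENCY_WORDS = re.compile(r"\b(immediately|urgent(?:ly)?|asap|right away)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Trusted domain that `domain` nearly matches (a likely lookalike), else None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None  # exact match: the genuine vendor, not a lookalike
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:  # one or two swapped/added chars
            return trusted
    return None


def phishing_flags(sender: str, body: str) -> list:
    """Return the red flags raised by one message; an empty list means none."""
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1].strip(">").lower()
    target = lookalike_of(sender_domain)
    if target is not None:
        flags.append(f"sender domain {sender_domain} resembles trusted {target}")
    if URGENCY_WORDS.search(body):
        flags.append("urgent request to act on documents immediately")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            flags.append(f"document hosted on file-sharing platform {host}")
    return flags


# Constructed sample in the "new client" style described above (not a real message).
SAMPLE_SENDER = "newclient@taxvend0r.example"
SAMPLE_BODY = ("Please review my W-2 immediately. I shared it here: "
               "https://www.dropbox.com/s/abc123/W2.pdf")
```

Running `phishing_flags(SAMPLE_SENDER, SAMPLE_BODY)` raises all three flags; a message from an exact trusted domain with no urgency wording or share link raises none.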
Why it’s dangerous:
These attachments often contain credential-stealing malware or ransomware that can compromise your entire system.
Protective Steps:
- Require secure document upload through your client portal
- Verify all new client identities before opening any attachments
- Use antivirus software to scan documents such as:
2. EFIN Documentation & Credential Scams
How it works:
Cybercriminals impersonate tax software providers, the IRS, or even state agencies to request documentation “verifying” your Electronic Filing Identification Number (EFIN). These emails may use branding from legitimate companies and request uploads of your IRS-issued documents or login credentials.
Why it’s dangerous:
If scammers obtain your EFIN, they can impersonate your firm and file fraudulent tax returns — potentially leading to refund fraud, IRS scrutiny, and reputational damage.
Social Engineering at Play:
Unlike technical exploits, this scam depends on manipulating trust. Victims often believe they are complying with IRS or vendor policies.
Protective Steps:
- Never share EFIN documentation via email
- Verify sender addresses and contact vendors directly
- Educate staff on what legitimate EFIN requests look like (see: Protect Your EFIN)
3. TOAD Attacks (Telephone-Oriented Attack Delivery)
How it works:
This blended threat starts with a phishing email, often warning of suspicious activity or expired software licenses. Victims are urged to call a phone number for help. On the call, attackers impersonate the IRS, software support teams, or IT providers.
Once trust is established, they persuade the victim to:
- Share account credentials
- Disable security software
- Install remote access tools like AnyDesk or TeamViewer
Why it’s dangerous:
This form of phishing leverages emotional manipulation and urgency. It’s especially effective against firms with limited IT support or non-technical staff.
Protective Steps:
- Train staff to spot suspicious emails
- Require internal verification before acting on “urgent” IT issues
- Use multi-factor authentication (MFA) to protect login credentials
Phishing Prevention Is a Year-Round Responsibility
While phishing scams persist throughout the year, they tend to spike during tax season. Tax preparers must stay vigilant, regularly update their cybersecurity training, and invest in secure client communication platforms.
To stay protected:
- Bookmark the IRS Dirty Dozen list of current scams
- Monitor Drake Software’s Security Resources
- Consider a cybersecurity checklist before each filing season
Disclaimer: This article is for informational purposes only and not legal or financial advice.