As a professional tax preparer, you handle large volumes of sensitive taxpayer data, making you an attractive target for identity thieves. The IRS urges all tax professionals to take identity theft and data security seriously, as today’s threats can come from phishing emails, sophisticated spear-phishing attacks, and stolen taxpayer information used to commit fraud.
Beyond delivering accurate returns and maximum refunds, protecting your clients’ identities is an essential part of your service.
In this article, we’ll explain how tax identity theft happens and outline six practical steps you can take to reduce risk: creating a data security plan, following proven data-protection best practices, learning to recognize phishing scams, using multifactor authentication, EFIN and PTIN monitoring, and considering identity theft protection services for clients. Together, these strategies can help safeguard your firm, your reputation, and the people who trust you with their most sensitive financial information.
1. Create a data security plan
A written data security plan, or Written Information Security Plan (WISP), is the foundation of protecting taxpayer security. The IRS recommends that tax preparation businesses work with a cybersecurity professional, either in-house or a consultant, to develop and maintain a formal data security plan to protect clients.
Hiring a professional may not be in the budget for small or new offices, but having a documented plan is still a must.
If you’re building a plan on your own, IRS Publication 4557, Safeguarding Taxpayer Data provides step-by-step guidance for tax professionals on creating a data security plan. Your plan should address how taxpayer data is collected, stored, accessed, and shared. These processes should be reviewed and updated regularly.
Just as important, employee security awareness training should be a core component of your plan. Phishing and spear‑phishing attacks remain one of the most common causes of taxpayer data breaches, often succeeding because an employee unknowingly clicks a malicious link or shares credentials. Training staff to recognize suspicious emails, requests for sensitive information, and other social engineering tactics can significantly reduce your firm’s risk.
2. Follow best practices for tax identity protection
Following established data protection best practices is critical to reducing your firm’s risk of a breach. At a minimum, this includes using strong, unique passwords on all devices and systems, installing and maintaining anti-malware software, encrypting sensitive files and emails, and securely wiping and disposing of old computers or devices that contain client information.
It’s also important to implement secure access controls within your firm. Limit employee access to sensitive taxpayer information based on their role and regularly review user permissions to ensure only authorized individuals can access critical data. This helps reduce the risk of both internal mistakes and external threats gaining access to client information.
As a tax preparer, you handle highly sensitive personal and financial data every day, so staying informed about emerging threats is a must. Be proactive about recognizing the sign and understand what action to take during a tax data breach to minimize the impact and respond quickly.
3. Train your employees to recognize a phishing scam
Phishing emails remain one of the most common causes of data breaches. So, it’s vital that you and your employees know how to spot fraud and phishing email scams. These attacks are designed to trick users into clicking malicious links, downloading harmful files, or sharing sensitive information. It’s important to understand the difference between phishing and spear phishing.
Phishing attacks are typically broad and sent to a large group of recipients, while spear phishing attacks are highly targeted and customized to appear as though they come from a trusted source, such as the IRS, a tax software provider, a client, or even a colleague. Because spear phishing emails are often personalized and convincing, they can be much harder to detect.
To reduce your risk, train employees to carefully evaluate every email before acting. Key best practices include:
- Verify email domains: Always check the sender’s email address closely for subtle misspellings or spoofed domains. Even small changes can signal a fraudulent message.
- Review links before clicking: Hover over links to confirm they direct to a legitimate website and avoid clicking if anything looks suspicious.
- Be cautious of sensitive requests: Legitimate organizations will not ask for passwords, login credentials, or taxpayer and financial information via email. When in doubt, contact the sender through a known, trusted method to verify the request.
- Watch for red flags in messaging: Phishing emails often create a false sense of urgency like threats of account suspension or legal action, or use unusual wording, tone, or requests that seem out of character for the sender.
4. Use multi-factor authentication
The IRS recommends that all tax professionals use multi-factor authentication (MFA) for their tax preparation software and systems that store or access taxpayer data. MFA adds an extra layer of protection by requiring users to verify their identity using more than just a username and password.
This is especially important because phishing attacks can compromise login credentials. Even if a cybercriminal obtains a password through a phishing or spear‑phishing email, multi‑factor authentication can prevent unauthorized access by requiring an additional verification step that the attacker does not have, such as a code generated by an authentication app, a physical security token, or a biometric identifier like a fingerprint or facial scan.
TaxSlayer Pro offers multi-factor authentication on all its products, making it easier for tax professionals to secure accounts and protect sensitive client information. Enabling MFA significantly reduces the risk of unauthorized access and is one of the most effective steps you can take to strengthen your overall data security practices.
5. Watch your EFIN & PTIN activity, especially during tax season
Identity thefts might target your EFIN or PTIN numbers and use them to file fraudulent returns. You can catch this type of fraud early by monitoring activity happening under your EFIN or PTIN. You should receive daily acknowledgements each time you file a return, and the IRS will post the numbers of returns that were filed using your EFIN each week. You can access the weekly reports by logging into your EFIN application. The IRS also issues weekly reports for PTINs for annual filing season program participants who file more than 50 returns per year. If the numbers in these reports ever differ from the number of returns your practice has actually filed, contact the IRS e-help desk immediately.
6. Consider offering identity theft protection to your clients
Although the IRS does not specifically endorse identity theft protection products, identity monitoring from a trusted provider can help reduce their risk of tax identity theft and detect issues early. Filing early can help prevent fraudulent returns from being submitted first and clients should remain alert to IRS impersonation scams requesting personal information.
Identity monitoring can flag suspicious activity sooner, while identity restoration services can help clients recover more quickly if fraud does occur. TaxSlayer Pro partners with Securely ID ,powered by Experian, to offer advanced identity monitoring and restoration services. . This protection will give many of your clients peace of mind, and the fee can be deducted directly from their refund.
By taking appropriate steps, you can avoid most data breaches and protect your clients from tax identity theft. Because some attacks are highly sophisticated, you may consider protecting your business with cyber insurance in case a breach does occur. Cyber insurance will help you recoup revenue lost due to a breach, recover stolen data, and get your tax practice back to normal as quickly as possible.




