
The Billion-Dollar Criminal Enterprise Targeting Your Tax Practice Right Now

Identity theft happens every two seconds in America. In just the first half of 2024, data breaches affecting tax professionals have already impacted 342,317 taxpayers—a number equivalent to the entire population of Tampa, Florida. And we’re only halfway through the year.

These data points come from Glenn Gizzi, a 36-year IRS veteran who now specializes in educating tax professionals about data security threats through the IRS Stakeholder Liaison program. In a recent Federal Tax Updates podcast episode hosted by Roger Harris, EA, and Annie Schwab, CPA, Gizzi shared insights every tax professional needs to hear, whether you’re a sole practitioner or part of a large firm.

Tax professionals are targets of a sophisticated criminal enterprise that generates billions annually. While many practitioners still believe they’re “too small to be targeted,” every firm sits on a goldmine of sensitive information that makes them prime targets.

This isn’t amateur hour anymore. As Gizzi explains, “This isn’t somebody just sitting in their basement, you know, in a hoodie, sitting in front of a laptop. This is organized. People go into office buildings.” Understanding this threat and implementing essential defense strategies is critical for survival.

The Criminal Enterprise: Understanding the Modern Threat Landscape

The notion that cybercriminals are just amateur hackers working alone is dangerously naive. Tax scams and data breaches are a multi-billion-dollar industry. These criminals rent office space, maintain professional operations, and spend entire workdays developing new ways to exploit tax professionals. Gizzi references the opening scene from the movie The Beekeeper as an accurate portrayal of how these operations work.

In 2024 alone, the IRS recorded 327 reported incidents affecting 830 tax professionals, and these are just the breaches that have been discovered and reported. Many more likely remain hidden, while others go unreported due to embarrassment.

Smaller practices are easier targets because they typically lack sophisticated security infrastructure. Whether you have 50 clients or 5,000, you have exactly what these criminals want: Social Security numbers, dates of birth, financial records, and driver’s license information.

Attack Vectors: How Criminals Get Into Your System

Criminals often strike during the chaotic filing season, when practitioners are drowning in phone calls and emails. The most common entry point? Phishing emails disguised as legitimate client referrals.

“You get these emails that say, ‘Hey, I’ve been referred to you. I’ve been told that Annie is the best accountant in the area.’” The flattery works because it appeals to professional pride, while the timing exploits the natural urgency of tax season.

These emails often contain subtle red flags like misspellings, awkward grammar, or email addresses that use “typosquatting”—changing a single letter in a legitimate domain. In one case, a payroll company sent 9,500 W-2s to scammers because the fraudulent email was missing just one double letter from the real name.
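The typosquatting check described above can be automated. The following is an added example (not code from the podcast, the IRS, or Padgett) that flags a sender domain sitting within one edit of a domain the firm trusts, which covers the single swapped letter and the dropped double letter the article mentions. The trusted-domain list and the sample addresses are constructed for the demonstration.

```python
import re
from typing import Optional

# Constructed allow-list of domains this practice legitimately corresponds with
# (assumed for the example; a real firm would maintain its own).
TRUSTED_DOMAINS = {"examplepayroll.com", "smithcpa-clients.example", "irs.gov"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the part after '@', lower-cased; empty string if malformed."""
    m = re.search(r"@([A-Za-z0-9.-]+)$", address.strip())
    return m.group(1).lower() if m else ""


def lookalike_of(address: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain a sender appears to imitate, or None.

    An exact match is treated as legitimate. A domain exactly one edit away
    from a trusted one (one letter changed, one letter added, or one letter
    dropped such as a lost double letter) is reported as a probable typosquat.
    """
    dom = sender_domain(address)
    if not dom or dom in trusted:
        return None
    for t in trusted:
        if levenshtein(dom, t) == 1:
            return t
    return None


if __name__ == "__main__":
    # Constructed sample senders: one drops a double letter, one swaps i for l.
    for addr in ("hr@examplepayrol.com", "admin@lrs.gov", "billing@examplepayroll.com"):
        print(addr, "->", lookalike_of(addr))
```

Run the check against the From address before acting on any "I've been referred to you" message; an exact match with the allow-list is the only outcome that should pass without a second look.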

Employee vulnerabilities are another key vector. One employee using a company computer to access personal email or websites can compromise the entire firm’s security. Read about one firm’s real busy-season data breach experience.

Once inside, criminals monitor workflow patterns and wait for the perfect moment—often just before filing—to alter returns, change bank account information, or inflate refunds. In one case, a scammer simply moved a decimal point to turn a $9,400 refund into $94,000.

Defense and Response: Essential Protection Strategies

The Written Information Security Plan (WISP)

The WISP became mandatory on June 9, 2023. It identifies vulnerabilities, sets protocols, and details breach response steps. “This is an evergreen document. This isn’t something you just put on the shelf after you do it.”

Multi-Factor Authentication (MFA)

MFA is critical, yet adoption is incomplete. In one case, skipping MFA led to 55 hacked client returns, months-long refund delays, and severe reputational damage.

The Identity Protection PIN (IP PIN) Program

The IP PIN adds a six-digit code to returns, making fraud nearly impossible without it. Some firms hire college students in summer to help clients, especially seniors, through the ID.me process.

When Breaches Occur

Call your IRS Stakeholder Liaison, cancel your compromised EFIN, and get a new one the same day. Then bring in IT to ensure the hacker is out of your systems.

The Financial Reality of Cyber Insurance

Coverage of $750,000 to $1 million is recommended. Breach costs can exceed $1 million when including required credit monitoring for clients.

Warning Signs: How to Spot a Breach

  • Return counts in your IRS e-services account don’t match what you filed
  • Clients’ returns rejected because their SSN was already used
  • Clients receive unexpected transcripts or ID verification letters
  • Software companies flag unusual filing patterns

The New Reality: Cybersecurity as Core Business Practice

The threat of data breaches is now a systematic assault on the profession. Small firms face the same risks as large ones but often with fewer defenses.

Effective protection includes MFA, IP PINs, a current WISP, and robust cyber insurance. Equally important is a mindset shift that treats every interaction as a potential security decision.

And, for help with security and the many other challenges of running a firm, learn more about having your firm join the Padgett network.

Listen to the full Federal Tax Updates episode to hear more of Glenn Gizzi’s advice for protecting your practice and clients from growing cybersecurity threats.

We encourage you to contact us with any questions.
