The internet era revolutionized the work of tax professionals but has also opened new paths for cyber crime. Identity theft tax fraud costs taxpayers and the government billions of dollars a year and erodes public trust in the tax system. In response, the IRS and its Security Summit partners unveiled the 2025 summer "Protect Your Clients; Protect Yourself" program, a multi-faceted program to help tax professionals remain one step ahead of emerging threats and protect their clients' sensitive data. This program had a fourth-year initiative.
This is an inside look at the IRS Security Summit 2025 campaign, the latest criminal behavior, and the most urgent actions that all tax professionals must take to safeguard their practice. Whether you're in private practice or at a big firm, what follows will keep you informed on the law, help you gain client trust, and help you avoid the continually evolving methods of identity thieves.
What is the IRS Security Summit
The IRS Security Summit is a public-private initiative, in place since 2015, that brings together the IRS, state tax officials, and tax industry stakeholders (such as software companies, payroll providers, and banks) to fight identity theft refund fraud. The IRS Security Summit's mission is:
- To exchange intelligence and best practices
- To encourage cooperative responses to threats
- To educate the public and tax professionals about data security
The Summit accomplishes this through work groups that each address a significant area of tax security, and it has contributed significantly to reducing fraudulent tax returns and strengthening the tax system's defenses.
The 2025 Summer Series: Scope and Structure
The 2025 "Protect Your Clients; Protect Yourself" five-week campaign aligns with the IRS Nationwide Tax Forums. Each week addresses a significant domain:
Week 1: New scams and threats to tax practitioners
Week 2: Phishing, spear phishing, whaling, and the "Security Six"
Week 3: Creating and maintaining a Written Information Security Plan (WISP)
Week 4: Security tools (MFA, IP PINs, secure portals)
Week 5: Identity theft detection and reporting procedures
The goal of the campaign is to provide real, timely guidance that can be immediately applied by tax professionals based on practice size and geography.
Why Tax Professionals Are Easy Targets for Identity Theft
Tax professionals possess a treasure trove of confidential data: Social Security numbers, income data, bank accounts, and so forth. That makes them a top target for hackers, who steal this data to perpetrate refund fraud or sell stolen identities on the dark web.
Serious vulnerabilities include:
- Large volumes of confidential data
- Reliance on electronic filing and online communication
- Meager cybersecurity budgets, especially in small businesses
- Heavy reliance on third-party applications and cloud computing services
A single breach can be devastating in its impact, ranging from financial losses to reputation damage and legal exposure.
New Scams: What's Hot in 2025
Criminals are smart and quick, and 2025 has seen more sophisticated scams aimed at tax professionals:
New Client Spear Phishing
Impersonators pose as prospective clients, using formal-looking emails and letters in an attempt to trick you into opening fraudulent email attachments or exposing confidential information.
EFIN, PTIN, and CAF Number Scams
Thieves steal key practitioner credentials, namely Electronic Filing Identification Numbers (EFIN), Preparer Tax Identification Numbers (PTIN), and Centralized Authorization File (CAF) numbers, via phishing emails and fake forms. Stolen credentials allow thieves to file fraudulent returns in your name.
AI-Generated IRS Communications
Artificial intelligence is used to produce realistic-sounding fake IRS notices and letters, which typically mention collections or audits. The letters or notifications may contain malicious links or request personal details.
Zero Tax Scheme
Crooks promise to eliminate tax payments if victims provide Social Security numbers and personal information. The scam is typically spread via calls, messages, or social media.
Social Media and Text Scams
Scammers spread false tax guidance or sell fake tax credits, getting victims to follow their instructions via direct messages, tweets, or even SMS.
Most Important Defensive Measures:
- Personally review all new client queries and IRS correspondence.
- Never open unsolicited attachments or click links from strangers or unknown sources.
- Train employees to spot phishing schemes and bring them to staff attention.
The "Security Six": Fundamental Defenses All Tax Preparers Must Utilize
The IRS and the Security Summit promote the "Security Six," six building blocks that can help protect your practice:
| Security Measure | Description & Best Practices |
| --- | --- |
| Antivirus Software | Use reputable, auto-updating antivirus programs to detect and block malware. |
| Firewalls | Install and maintain firewalls to control incoming and outgoing network traffic. |
| Multi-Factor Authentication | Require MFA for all logins, especially for tax software and email accounts. |
| Backup Solutions | Regularly back up sensitive data to secure, offline locations; test restoration procedures. |
| Drive Encryption | Encrypt all devices (laptops, desktops, external drives) to protect data if devices are lost or stolen. |
| Virtual Private Network | Use a VPN, especially when working remotely or on public Wi-Fi, to secure data transmissions. |
Other Recommendations:
- Automatically update all software, including operating systems, to the latest versions.
- Enforce strong, unique passwords on every account.
- Educate employees frequently on security procedures and emerging threats.
Creating a Written Information Security Plan (WISP)
A Written Information Security Plan (WISP) is not just good practice; it is a regulatory necessity for most tax professionals under the Gramm-Leach-Bliley Act and FTC rules. The IRS and Security Summit have made compliance easier by issuing an accepted 28-page WISP template (Publication 5708) for small practices.
Essential Elements of a WISP:
- Risk Assessment: Identify and evaluate possible threats to client information.
- Policies and Procedures: Cover retention, storage, access, and destruction of data.
- Physical, Technical, and Administrative Safeguards: Layer security controls for the strongest protection.
- Employee Training: Make sure that all employees receive training on and implement security procedures.
- Incident Response Plan: Document who does what in the case of a breach, e.g., when to notify.
Maintenance Tips:
- Review and update your WISP at least annually, or whenever there are major business or regulatory changes.
- Test your incident response plan using mock drills.
- Store your WISP in an accessible location and make everyone aware of where it is.
Advanced Security Tools and Best Practices
On top of the fundamentals, tax professionals must have advanced tools and best practices in place:
- Multi-Factor Authentication (MFA): Almost all tax software applications use MFA today. Enable it on all high-priority accounts.
- Identity Protection PIN (IP PIN): Have clients obtain an IP PIN, a six-digit number which can't be utilized without their permission. Tax practitioners can do this as well.
- IRS Online Account: Use secure IRS websites to interact with the IRS and access client data.
- Regular Security Audits: Review your procedures and systems routinely.
- Vendor Management: Ensure that all third-party vendors (e.g., IT firms, cloud computing providers) have strong security controls in place.

Physical Security:
- Limit access to server and office areas.
- Lock up paper documents.
- Shred sensitive material before discarding it.
Notification and Response to Data Breaches
Breaches occur in spite of caution. Detection needs to be timely and response rapid.
Signs of a Breach
- Clients receive IRS notices about returns they never filed.
- E-filed returns are rejected because of duplicate Social Security numbers.
- Unexpected changes appear in tax software or client accounts.
Rapid Response
- Call the IRS Stakeholder Liaison: Report and seek guidance on the breach.
- Notify State Tax Agencies: Use the Federation of Tax Administrators' "Report a Data Breach" web page.
- Meet FTC Requirements: Remain in compliance with federal and state data breach notification statutes.
- Notify Affected Clients: Provide clear, timely information and support.
Preventive Measures:
- Develop and rehearse your incident response plan.
- Keep emergency contact lists up to date.
- Document all activity during and after a breach.
Role of IRS Nationwide Tax Forums
IRS Nationwide Tax Forums are annual conferences in major cities, offering tax professionals the most current information about tax law, cybersecurity, and best practices. In 2025, the forums take place in Chicago, New Orleans, Orlando, Baltimore, and San Diego.
What the Forums Offer:
- Security-themed sessions from IRS officials and industry experts
- Practical workshops for designing and upgrading WISPs
- Interaction with fellow practitioners and IRS officials
- Continuing education credits
Note: Pre-registration is required and seating is limited, so register in advance.
Through education, awareness, and adherence to laws, tax practitioners can be an effective force for preserving the integrity of the U.S. tax system and protecting their clients from the prevalent threat of identity theft. The IRS Security Summit 2025 summer series is an excellent source for any practitioner dedicated to security and client trust.
