
Online Tax Filing Security Risks: 2025–2026 Guide

Learn the top online tax filing security risks in 2025–2026—phishing, identity theft, and credential theft. Protect your tax data with expert guidance.


Why Online Tax Filing Has Become a Prime Target

Online tax filing security risks are not theoretical—they are active, escalating, and tied directly to the high-value personally identifiable information (PII) that flows through tax returns every filing season. A single federal return contains your Social Security Number (SSN), employer information, bank routing details, and prior-year income data. For an attacker, that combination is the financial equivalent of a skeleton key.

The IRS reported 294,138 identity theft affidavits (Form 14039) submitted by taxpayers in FY2024, and the agency's Criminal Investigation division identified over $5.5 billion in tax fraud schemes that same year. Fraudulent returns still slip through before legitimate filers can act—the window between a data breach and a fraudulent refund claim can be as short as 48 hours.

This guide covers the specific attack vectors targeting individual filers and tax professionals in 2025 and 2026, the regulatory obligations that apply to firms handling taxpayer data, and the concrete steps you can take to protect sensitive financial records. For a broader view of the obligations tax firms carry, see our guide on cybersecurity for tax professionals.

Online Tax Fraud By The Numbers

  • 294K+: Identity Theft Affidavits Filed with IRS (IRS Data Book, FY2024)
  • $4.88M: Average Cost of a Data Breach (IBM Cost of Data Breach Report, 2024)
  • 68%: Breaches Involving the Human Element (Verizon DBIR, 2025)

Tax-Season Phishing: The Most Persistent Attack Vector

Phishing remains the dominant entry point for attacks on tax filers and the firms that serve them. The IRS Dirty Dozen list—published annually—has included tax-related phishing and smishing (SMS phishing) every year since 2015. In the 2025 edition, the IRS warned specifically about a sharp increase in W-2 phishing campaigns targeting HR and payroll personnel, where attackers impersonate executives to request bulk employee wage data before the filing deadline.

From a technical standpoint, these campaigns map to MITRE ATT&CK Technique T1566 (Phishing), with sub-techniques including spearphishing attachments (T1566.001) and spearphishing via service (T1566.003). Threat actors register lookalike domains—for example, irs-refund-portal[.]com—use SSL certificates to display the padlock icon, and reference real case numbers to appear credible.
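A link check along these lines, as an added example that is not from the original article: it classifies a URL by its hostname only, so the padlock (https) earns no trust. The function names and every sample link except irs-refund-portal[.]com are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "irs.gov"
# "irs" as its own token, not inside a longer word such as "firstbank".
BRAND_TOKEN = re.compile(r"(?<![a-z])irs(?![a-z])")

def refang(url):
    """Undo report-style defanging (example[.]com, hxxps://) and ensure a netloc."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    return url if "://" in url else "//" + url

def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a link taken from a message."""
    parts = urlsplit(refang(url))
    # .hostname drops any userinfo ("user@") and port, and is already lower-cased.
    host = (parts.hostname or "").rstrip(".")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # The scheme is deliberately ignored: https (the padlock) proves nothing
    # about who owns the domain. Search the whole netloc so a brand name
    # placed in the userinfo part is caught as well.
    if BRAND_TOKEN.search(parts.netloc.lower()):
        return "lookalike"
    return "unrelated"

# Constructed sample links; only the first lookalike appears in the article.
SAMPLES = [
    "https://www.irs.gov/ippin",
    "https://irs-refund-portal[.]com/claim",
    "hxxps://irs.gov.account-verify.example/refund",
    "https://www.irs.gov@login.example.net/",
    "https://firstbank.example/login",
]

def report(urls=SAMPLES):
    """Classify every URL and return {url: verdict}."""
    return {u: classify(u) for u in urls}

if __name__ == "__main__":
    for url, verdict in report().items():
        print(f"{verdict:10} {url}")
```
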

Three scenarios account for the majority of tax-season phishing incidents:

  • IRS impersonation emails claiming a refund is pending or that action is required to avoid a penalty—always directing victims to credential-harvesting pages
  • Tax software account takeover attempts that use stolen password lists from prior breaches to access TurboTax, H&R Block, TaxAct, and similar platforms
  • Business Email Compromise (BEC) targeting payroll, where attackers pose as executives requesting W-2 data or direct deposit changes for all employees

Employees who recognize these tactics before clicking are your first and most effective line of defense. Our overview of what phishing is explains the full taxonomy of phishing sub-types and the technical indicators to watch for.

Tax Identity Theft: How Stolen Data Becomes Fraudulent Refunds

Tax identity theft follows a predictable kill chain. Attackers acquire SSNs—through data breaches, phishing, or dark web marketplaces—then file a fraudulent return early in the season before the legitimate taxpayer does. The IRS issues a refund to an attacker-controlled account (often a prepaid debit card or cryptocurrency wallet), and the legitimate filer discovers the fraud only when their return is rejected as a duplicate.

Credential stuffing is one of the primary methods attackers use to gain account access on tax platforms. In a credential stuffing attack, automated tools test username-and-password pairs leaked from unrelated breaches against tax software login pages. Because password reuse remains widespread, these attacks succeed at a measurable rate—Okta's 2024 State of Secure Identity Report found that credential stuffing accounted for 34% of authentication traffic on consumer-facing applications.
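How a login service can tell this pattern apart from one user mistyping a password, as an added example that is not from the original article: it flags a source that fails against many distinct usernames in a short window and lists any accounts that source did get into. The log format, window and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MIN_DISTINCT_USERS = 4          # assumed threshold of distinct failed usernames

# Constructed log: timestamp, source IP, username, result.
LOG = """\
2026-02-03T09:00:01Z 203.0.113.7 alice FAIL
2026-02-03T09:00:02Z 203.0.113.7 bob FAIL
2026-02-03T09:00:03Z 198.51.100.20 frank FAIL
2026-02-03T09:00:04Z 203.0.113.7 carol FAIL
2026-02-03T09:00:05Z 203.0.113.7 dave OK
2026-02-03T09:00:09Z 198.51.100.20 frank FAIL
2026-02-03T09:00:11Z 203.0.113.7 erin FAIL
2026-02-03T09:00:15Z 198.51.100.20 frank FAIL
2026-02-03T09:00:21Z 198.51.100.20 frank FAIL
2026-02-03T09:00:30Z 198.51.100.20 frank OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def stuffing_sources(log_text, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Map each suspect source IP to its peak distinct-username count and
    to the accounts it logged in to successfully."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)           # ip -> (ts, user) failures inside the window
    flagged = {}
    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= min_users:         # many usernames, not one user's typos
            entry = flagged.setdefault(ip, {"distinct_users": 0, "successful_logins": []})
            entry["distinct_users"] = max(entry["distinct_users"], distinct)
    for ts, ip, user, result in events:   # successes from a flagged source
        if result == "OK" and ip in flagged:
            flagged[ip]["successful_logins"].append(user)
    return flagged

if __name__ == "__main__":
    print(stuffing_sources(LOG))
```

Counting per source IP misses attempts spread across many addresses, so the same window can also be keyed on other request attributes the service records.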

The IRS Identity Protection (IP) PIN program is the most direct countermeasure available to individual filers. Once enrolled, a six-digit IP PIN is required on every return filed under your SSN—without it, the IRS will reject the return. You can enroll at IRS.gov/IPPIN—enrollment is now open to all taxpayers, not just prior identity theft victims.

For tax professionals, the risk extends beyond individual accounts. A single compromised Electronic Filing Identification Number (EFIN) can be used to submit hundreds of fraudulent returns before detection. This is precisely why the IRS and Security Summit partners require firms to implement the technical and administrative controls detailed in IRS Publication 4557, Safeguarding Taxpayer Data, including its WISP requirements.

How to Secure Your Online Tax Filing in 2026

1. Enroll in the IRS Identity Protection PIN Program

Visit IRS.gov/IPPIN to obtain a six-digit IP PIN. This single step prevents fraudulent returns from being filed under your SSN even if your data has already been exposed in a prior breach.

2. Enable Multi-Factor Authentication on All Tax Accounts

Turn on MFA for your tax software, IRS Online Account, and any linked financial accounts. Use an authenticator app (TOTP) rather than SMS, which is vulnerable to SIM-swapping attacks.

3. Verify Your Tax Software's Encryption Standards

Confirm that your provider uses TLS 1.3 for data in transit and AES-256 for data at rest. Authorized IRS e-file providers must meet specific technical security standards set by the IRS and the FTC Safeguards Rule.

4. File as Early as Possible

Filing before the April deadline closes the window for fraudulent returns filed in your name. If you cannot file early, submit an extension—this notifies the IRS that your return is still pending under your SSN.

5. Monitor Your Credit and SSN Exposure

Place a free security freeze at all three bureaus (Equifax, Experian, TransUnion) and review AnnualCreditReport.com. Dark web monitoring services alert you if your SSN appears in criminal breach data.

6. Use a Dedicated Device on a Secure Network

Never file taxes on public Wi-Fi or a shared device. Use your own machine with up-to-date security software, and connect through a trusted private network or a reputable VPN when filing remotely.

What Tax Professionals Are Required to Do Under Federal Rules

Individual filers face personal risk, but tax professionals carry legal exposure too. The Gramm-Leach-Bliley Act (GLBA) and its implementing FTC Safeguards Rule require tax preparers who qualify as "financial institutions" to maintain a written information security program. Updated in 2023, the Safeguards Rule now mandates specific technical controls: access controls, encryption, multi-factor authentication, and annual penetration testing for firms handling 5,000 or more customer records.

Separately, IRS Publication 4557 requires every tax preparer—regardless of size—to implement a Written Information Security Plan (WISP). The WISP must document how the firm collects, stores, accesses, and destroys taxpayer data. Practitioners who have not yet developed a WISP are out of compliance and face exposure to both IRS sanctions and state-level data privacy penalties.

Key technical controls the IRS and FTC expect practitioners to have in place include:

  • Endpoint Detection and Response (EDR) on all workstations and servers that process taxpayer data
  • Encrypted client portals for document exchange—email attachments containing PII are explicitly discouraged in IRS guidance. For a breakdown of what encryption standards compliant tax platforms must meet, see our guide to the strongest security and encryption for online tax filing in 2026.
  • Role-based access controls so staff members can only access client files relevant to their assigned work
  • Incident response procedures with defined IRS notification timelines—within 24 hours of confirmed EFIN misuse per IRS Stakeholder Liaison guidance

For firms building out their compliance program, our WISP checklist for CPA firms walks through every required element. Practices with multiple preparers should also review our ransomware protection for tax practices guidance—ransomware remains the most financially damaging threat to multi-preparer offices.

Emerging Threats Targeting Tax Filers in 2026

The environment surrounding online tax filing security risks is shifting in ways that outpace traditional defenses. Three developments deserve specific attention heading into the 2026 filing season.

AI-Generated Phishing at Scale

Large language models have eliminated the grammatical errors and awkward phrasing that once helped users spot phishing emails. Zscaler's 2025 ThreatLabz report documented a 58% year-over-year increase in AI-crafted phishing emails. Tax-themed lures rank among the most-used pretexts because the IRS filing deadline creates urgency that impairs careful judgment. Expect highly personalized emails that reference your specific filing history or the tax software platforms you use.

QR Code Phishing in Physical Mail

A newer tactic involves physical letters—designed to mimic IRS correspondence—that include QR codes directing recipients to credential-harvesting sites. The IRS has formally warned taxpayers that it does not initiate contact via QR codes. If you receive a letter with a QR code claiming to be from the IRS, treat it as fraudulent and report it to IRS Criminal Investigation.

Credential-Stealing Browser Extensions

Malicious browser extensions disguised as productivity tools or autofill assistants have emerged as a covert method for harvesting tax portal credentials. These extensions are distributed through third-party app stores and can intercept form submissions on tax platforms without triggering antivirus detection. Audit your installed browser extensions before filing season begins and remove anything you did not intentionally install from a verified developer.

Staying ahead of these tactics requires understanding what attackers can discover about you before they act. Our primer on OSINT for cybersecurity beginners explains how threat actors research targets and what you can do to reduce your digital exposure.

Security Capabilities That Protect Taxpayer Data Year-Round

Endpoint Detection & Response

Real-time detection and containment of malware, ransomware, and credential-stealing tools across every device that handles tax data.

Dark Web Monitoring

Continuous scanning for SSNs, EFINs, and employee credentials exposed in breach data sold on criminal marketplaces.

Multi-Factor Authentication

Authenticator-app-based MFA on all tax platforms, IRS accounts, and email systems to block credential stuffing attacks.

Encrypted Client Portal

Secure document exchange with full audit trails that satisfy IRS Publication 4557 and FTC Safeguards Rule requirements.

Security Awareness Training

Seasonal phishing simulations and training modules that prepare staff to recognize tax-themed social engineering attempts.

Incident Response Planning

Documented response procedures with IRS notification timelines built in, tested at least once annually before tax season.

Never File Taxes on Public Wi-Fi

Using a coffee shop, hotel, or airport network to file your return exposes your SSN and financial data to man-in-the-middle attacks. Always use a trusted private network or a VPN. If you use a tax professional, confirm they use an encrypted client portal—unprotected PDF attachments sent by email are one of the most common data exposure vectors for tax clients.

Get a Free Tax Cybersecurity Assessment

Bellator Cyber Guard's tax security specialists will evaluate your current defenses against the top online tax filing security risks and deliver a prioritized action plan—at no cost.

Frequently Asked Questions

The top risks include IRS impersonation phishing (email and SMS), credential stuffing attacks on tax software accounts, tax identity theft using stolen SSNs to file fraudulent refund claims, Business Email Compromise (BEC) targeting payroll teams for W-2 data, and malicious browser extensions that intercept login credentials on tax platforms. QR code phishing embedded in fake IRS letters has also increased significantly heading into the 2026 filing season.

The IRS does not initiate contact with taxpayers via email, text message, or social media. Any unsolicited message claiming to be from the IRS is fraudulent. The IRS also does not request PINs, passwords, or payment card numbers by email, and it does not include QR codes in its correspondence. If you receive a suspicious email claiming to be from the IRS, forward it to phishing@irs.gov and delete it without clicking any links or downloading attachments.

An IRS Identity Protection (IP) PIN is a six-digit number that must accompany any federal return filed under your SSN. It prevents fraudulent returns from being processed in your name even if an attacker has your Social Security Number. All U.S. taxpayers can enroll at IRS.gov/IPPIN. A new PIN is issued each January. You will need to verify your identity online using ID.me or in person at an IRS Taxpayer Assistance Center.

Yes. Authorized IRS e-file providers must comply with IRS e-file security requirements under Revenue Procedure 2007-40, which mandates encryption, access controls, and incident response capabilities. Providers that qualify as financial institutions under GLBA are also subject to the FTC Safeguards Rule. When selecting tax software, look for TLS 1.3 encryption, MFA support, and SOC 2 Type II compliance as indicators of a mature security program.

Take these steps immediately: (1) File IRS Form 14039 (Identity Theft Affidavit) at IRS.gov or by mail; (2) Contact one of the three credit bureaus to place a fraud alert or security freeze; (3) File a report with the FTC at IdentityTheft.gov; (4) Notify your state tax agency, since many fraud schemes also target state-level returns; (5) If you are a tax professional, report the breach to your IRS Stakeholder Liaison within 24 hours of confirming any EFIN misuse.

Yes. Every tax preparer handling federal taxpayer data is required by the IRS to maintain a Written Information Security Plan (WISP) per IRS Publication 4557. This requirement applies regardless of firm size—solo practitioners and large CPA firms alike. The WISP must address data collection, storage, access controls, employee responsibilities, and incident response. IRS Publication 5708 provides a sample WISP template. Our WISP checklist for CPA firms offers a practical implementation walkthrough.

When a fraudulent return is filed using your SSN, the IRS rejects any subsequent return for the same SSN as a duplicate. Filing your legitimate return first removes the window for fraud to succeed. If you are not ready to file by early February, submitting a filing extension signals to the IRS that a return is pending under your SSN. The IP PIN program adds a second layer of protection that works regardless of when you file.

Credential stuffing is an automated attack in which threat actors test large volumes of username-and-password pairs—sourced from prior data breaches—against login pages. Because many people reuse passwords across accounts, a credential exposed in one breach can unlock a completely different account. Tax software platforms are a frequent target because account access yields enough PII to commit identity theft and fraud. Using a unique password for every account and enabling MFA completely neutralizes credential stuffing.

For individual filers, MFA is strongly advised but not legally mandated. For tax professionals, the FTC Safeguards Rule—updated in 2023—requires MFA for any personnel accessing customer financial information, which includes client tax data. IRS Publication 4557 similarly identifies MFA as a required element of a compliant security program. Our detailed guide on two-factor authentication for tax software walks through setup for the most common platforms used by preparers.
