Why Hackers Target Tax Preparers and How to Fight Back

If you are a tax preparer, you are a target. This is not speculation or fearmongering. It is a reality confirmed by the IRS, the FBI, and every major cybersecurity organization that tracks threats to the financial services industry. Tax professionals occupy a unique and incredibly attractive position in the criminal ecosystem, and understanding why you are targeted is essential to understanding how to protect yourself.

Why Tax Data Is So Valuable to Criminals

Tax preparer systems contain the most complete personal and financial profiles available anywhere. A single client record in your tax software likely contains their full legal name, Social Security number, date of birth, current and prior addresses, employer information and EIN, bank account and routing numbers for direct deposit, income from all sources, spouse and dependent information, and prior-year tax data. This is not just one piece of personal information. It is the entire identity package.

On the dark web, a complete tax identity profile sells for significantly more than a simple credit card number. While a stolen credit card might sell for $5 to $20, a complete identity package suitable for tax fraud can command $50 to $200 or more per record. A tax preparer with 500 clients represents a potential payday of $25,000 to $100,000 for a cybercriminal, and that is just from selling the data. The actual fraudulent returns filed using that data can generate far more.

Tax data is also uniquely actionable. Unlike credit card numbers that can be quickly cancelled, stolen tax identities can be exploited for years. Criminals can file fraudulent tax returns, open new credit accounts, apply for loans, commit employment fraud, claim government benefits, and commit medical identity theft, all using the information from a single tax client's file.

How Hackers Target Tax Preparers

Cybercriminals employ both broad and targeted strategies to compromise tax preparers. Understanding their methods reveals just how deliberate and organized these attacks are.

Reconnaissance

Before launching an attack, criminals research their targets. They search for tax preparers' websites, social media profiles, state licensing databases, and IRS directories. They identify which software you use, how many employees you have, and what your security posture likely looks like. Small and solo practices are particularly attractive because they typically have fewer security resources and less technical expertise than larger firms.

Seasonal Timing

Attacks against tax professionals peak during tax season, from January through April. Criminals know that during this period, tax preparers are working long hours, processing high volumes of sensitive documents, and more likely to rush through email without careful examination. The pressure to meet client deadlines and filing deadlines creates conditions where security mistakes are most likely to happen.

Credential Harvesting

Many attacks begin with stealing your login credentials. Criminals search databases of credentials exposed in prior data breaches, knowing that many people reuse passwords across multiple sites. If your personal email password from a 2019 data breach matches your tax software password, an attacker already has access to your client data.

Common Attack Vectors Used Against Tax Practices

• Phishing emails — The most common entry point. Emails impersonating the IRS, clients, or software vendors trick preparers into clicking malicious links or opening infected attachments.

• Remote Desktop Protocol exploitation — Tax practices that expose RDP to the internet for remote access are frequent targets for brute force credential attacks.

• Compromised tax software credentials — Stolen or purchased credentials are used to log directly into tax preparation software and extract client data.

• Malware delivered through documents — Infected files disguised as tax documents (W-2s, 1099s) install keyloggers or remote access tools when opened.

• Social engineering phone calls — Callers posing as IRS representatives, software support staff, or even other tax professionals attempt to extract sensitive information or gain remote access to your systems.

• Watering hole attacks — Compromising websites frequently visited by tax professionals, such as tax news sites or professional forums, to deliver malware to visitors.

• Physical break-ins — Especially targeting offices during off-hours to steal computers, hard drives, or documents containing client information.

The Scale of the Problem

The IRS Criminal Investigation division has reported thousands of cases involving stolen preparer credentials and fraudulent filings. The agency has issued numerous alerts specifically warning tax professionals about the threats they face. In recent years, the IRS has seen an alarming increase in the number of data theft reports from tax professionals, with some individual breaches affecting thousands of taxpayers.

The consequences extend far beyond the immediate breach. Affected clients spend years dealing with identity theft, filing identity theft affidavits, and monitoring their credit. Tax professionals face IRS investigations, potential loss of their EFIN and PTIN, malpractice lawsuits, regulatory penalties, and devastating reputational damage. Some practices never recover from a significant data breach.

Protection Strategies for Tax Professionals

Defending against these targeted attacks requires a comprehensive, layered approach to security.

• Implement all IRS Security Six measures — Antivirus, firewall, two-factor authentication, backup, drive encryption, and VPN. These are the minimum baseline, not the ceiling of your security program.

• Develop and maintain a WISP — A Written Information Security Plan documents your security policies, procedures, and practices. It is required by both the IRS and the FTC.

• Invest in employee training — Your staff is both your greatest vulnerability and your strongest defense. Regular security awareness training dramatically reduces the success rate of phishing and social engineering attacks.

• Use a password manager — Eliminate password reuse by generating and storing unique, complex passwords for every account.

• Deploy EDR, not just antivirus — Modern Endpoint Detection and Response solutions detect the advanced threats that basic antivirus misses.

• Encrypt everything — Full-disk encryption on all devices, encrypted email for client communications, and encrypted backups.

• Establish verification procedures — Require verbal confirmation for any changes to client financial information, refund routing, or sensitive data requests.

• Monitor the dark web — Services that scan dark web marketplaces and forums can alert you if your credentials or client data appear in criminal channels.

• Create an incident response plan — Know exactly what you will do if a breach occurs, because preparation dramatically reduces the impact.

Get Expert Protection for Your Practice

You became a tax professional to help clients navigate the tax code, not to become a cybersecurity expert. But the reality is that your practice faces the same threats as financial institutions and healthcare organizations, often with a fraction of their security resources. Bellator Cyber Guard bridges that gap, providing the specialized cybersecurity expertise, tools, and monitoring that tax practices need to defend against the criminals actively targeting them. Contact us at guard@bellatorit.com to learn how we protect practices like yours.