
As tax professionals navigate an increasingly digital landscape, the stakes for data security have never been higher. With sensitive client information constantly targeted by cybercriminals, the IRS and its Security Summit partners have amplified their call to action through the Protect Your Clients; Protect Yourself campaign.
According to the latest IRS update on the subject, the risks attributed to identity theft are growing, with almost 300 data breaches recorded in the first 6 months of 2025 alone, affecting over 250,000 taxpayers (IRS, 2025).
For tax professionals, the message is clear: proactive security is no longer optional; it’s essential. This article explores the latest insights from the IRS’s Security Summit, examines why tax professionals remain prime targets for cybercriminals, and outlines practical steps you can take today to safeguard your clients and your practice.
1. Why Tax Professionals Are Prime Targets
Tax professionals are uniquely vulnerable because they hold vast amounts of sensitive data: names, Social Security numbers, income records, bank details, and more. This data is a goldmine for identity thieves looking to:
- File fraudulent tax returns to claim refunds.
- Create synthetic identities for financial crimes.
- Commit long-term financial fraud by exploiting stolen credentials.
Criminals don’t need to hack the IRS directly; instead, they infiltrate smaller firms with weaker security measures. Once inside, they can wreak havoc not only on the firm but also on every client whose data is exposed.
The IRS reports a steady rise in spear-phishing attacks: emails or texts specifically tailored to trick tax professionals into sharing login credentials or downloading malware (IRS Security Summit, 2025).
2. What is the Security Summit?
Formed in 2015, the Security Summit is a coalition of the IRS, state tax agencies, and private-sector partners, including tax software developers and professional associations. Its mission: protect the tax system from identity theft-related refund fraud.
Through collaborative efforts, the Summit has developed initiatives like:
- Multi-Factor Authentication (MFA) standards for tax software.
- Identity Protection PIN (IP PIN) program to help taxpayers safeguard their returns.
- Annual awareness campaigns like Protect Your Clients; Protect Yourself.
This summer’s campaign emphasized practical steps for tax professionals to implement immediately.
3. Key Takeaways from the 2025 “Protect Your Clients; Protect Yourself” Campaign
a. Written Information Security Plans (WISPs)
The IRS reminds tax professionals that under the Gramm-Leach-Bliley Act, firms must have a Written Information Security Plan (WISP).
A WISP should include:
- Risk assessments identifying potential threats to data security.
- Employee training programs to prevent accidental breaches.
- Vendor management policies to ensure third parties comply with security standards.
- Incident response protocols for containing and reporting breaches.
Failure to maintain a WISP can lead to civil penalties and reputational damage (ORCPA, 2025).
b. Multi-Factor Authentication (MFA)
MFA is no longer optional; it’s a baseline requirement. The IRS strongly urges tax professionals to enable MFA on:
- Tax preparation software
- Cloud-based storage
- Email accounts handling sensitive data
The critical element MFA adds on top of the password is a second factor, such as a code or a biometric scan. According to the Cybersecurity & Infrastructure Security Agency (CISA), MFA can stop 99.9 percent of account compromise attacks.
c. IP PINs and IRS Online Accounts
The IRS’s Identity Protection PIN (IP PIN) program gives taxpayers a unique six-digit code to verify their identity when filing returns. Tax professionals should:
- Encourage all clients to enroll in the IP PIN program.
- Assist clients in creating IRS Online Accounts, which allow them to monitor their tax activity in real time.
These steps reduce the risk of fraudulent filings using stolen data (IRS, 2025).
d. Employee & Client Awareness
Human error remains the weakest link in cybersecurity. The IRS urges firms to:
- Conduct regular training to help staff spot phishing, smishing, and phone scams.
- Provide client education materials on how to secure personal devices, recognize fraud, and report suspicious activity.
This dual approach creates a culture of security that extends beyond the office walls.
4. Real-World Consequences of Data Breaches
The impact of an identity theft-related data breach goes beyond financial loss:
- Client trust evaporates, damaging reputation and retention.
- Regulatory investigations and legal liability can result in hefty fines.
- Operational disruption: restoring compromised systems can take weeks or months.
The IRS notes that many tax professionals only realize they’ve been breached when:
- Clients receive rejection notices for tax returns they never filed.
- Suspicious refunds are issued in clients’ names.
- Their E-File accounts are locked by the IRS for suspicious activity.
The cost of prevention is far less than the cost of remediation.
5. Practical Steps for Tax Professionals
Here’s a checklist to strengthen your practice immediately:
- Develop or Update Your WISP: Use IRS Publication 4557 (Safeguarding Taxpayer Data) as a template.
- Enforce MFA Across All Systems: Test regularly to ensure it’s active and effective.
- Encrypt All Sensitive Data: Both at rest and in transit.
- Use Strong, Distinct Passwords: Put in place a password manager and make sure that rotation rules are followed.
- Inform Customers About IP PINs: To make enrolment easier, provide detailed instructions.
- Protect Your Physical Office: Control access, shred confidential papers, and lock file cabinets.
- Create an Incident Response Plan: Specify contacts, roles, and protocols to react quickly to security breaches.
6. How TaxProNext Helps You Stay Secure
At TaxProNext, we understand that compliance and security go hand in hand. Our platform includes:
- Integrated MFA and encryption, ensuring data is protected end-to-end.
- WISP templates and audit tools, simplifying regulatory compliance.
- Automated alerts for suspicious activity within your accounts.
- Client education resources, helping you empower taxpayers to protect themselves.
TaxProNext also integrates these tools into your workflow so you can stay ahead of the dangers and concentrate on what you do best: client service.
Conclusion
Identity theft is a serious risk, and with incidents on the rise, every tax professional is encouraged to be cautious. With nearly 300 breaches in 2025 alone, no firm is too small to be targeted.
The good news? By implementing strong security measures, from WISPs and MFA to client education, you can dramatically reduce your risk and demonstrate a commitment to protecting your clients’ most sensitive information.
Are you ready to fortify your practice? Explore how TaxProNext can help you stay compliant, secure, and prepared for the challenges of today’s digital tax environment.