Cybercriminals are launching a targeted phishing campaign against CPA and accounting firms in the weeks following tax season, when firms are processing extensions, amended returns, and client follow-ups. Attackers are impersonating the IRS, state tax agencies, and tax software vendors to steal client financial data and practitioner credentials.
The weeks immediately following the April 15 tax deadline represent a high-risk period for CPA and accounting firms. Staff are processing extensions, responding to client inquiries, and handling amended returns — all of which involve significant email communication about sensitive financial matters. Attackers exploit this busy period, knowing that staff are more likely to click on a link or open an attachment when they are overwhelmed with post-season work. The IRS Criminal Investigation division has issued an alert specifically warning tax professionals about the surge in phishing activity targeting practitioners in April and May.
The most common attack vector targeting CPA firms is IRS impersonation phishing. Attackers send emails that appear to come from the IRS, claiming that there is an issue with a client’s return, that the firm’s EFIN (Electronic Filing Identification Number) has been suspended, or that the practitioner must verify their identity to continue e-filing. These emails contain links to convincing fake IRS login pages that steal the practitioner’s IRS e-Services credentials. With stolen EFIN credentials, attackers can file fraudulent returns, access client tax data, and potentially redirect refunds. The IRS has been clear: they will never initiate contact with tax professionals via email. Any email claiming to be from the IRS is a phishing attempt.
A second wave of attacks targets CPA firms by impersonating tax software vendors including Drake, UltraTax, ProSeries, and Lacerte. These emails claim that the firm’s software license has expired, that a critical security update is required, or that the firm must re-authenticate to continue using the software. The links in these emails lead to credential harvesting pages that steal the practitioner’s software login credentials. With access to tax software accounts, attackers can access all client tax data stored in the platform. Verify any software update or account notification by going directly to the vendor’s website — never click links in emails claiming to be from software vendors.
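The two impersonation patterns described above (IRS e-Services lures and tax software vendor lures) can be reduced to a handful of mail-triage rules: the IRS does not initiate contact by email, a message that names a brand should come from that brand's domain, and any link in such a message should point at that brand's domain. The script below is an added example, not code from this advisory or from Segler.Net; the sample messages are constructed, the `.example` domains are fictitious, and the vendor entries in `BRAND_DOMAINS` are assumptions to confirm with each vendor (only `irs.gov` is stated with confidence).

```python
"""Flag post-tax-season phishing that impersonates the IRS or a tax software vendor.

Added example. Vendor domain entries and sample messages are assumptions/constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keyword -> domains that legitimately send for that brand.
# ASSUMPTION: the vendor entries are illustrative; verify them with your vendor.
BRAND_DOMAINS = {
    "irs": {"irs.gov"},
    "drake": {"drakesoftware.com"},
    "ultratax": {"thomsonreuters.com"},
    "proseries": {"intuit.com"},
    "lacerte": {"intuit.com"},
}
# Lure phrases the advisory lists: EFIN suspension, identity verification,
# expired license, security update, re-authentication.
LURE_PATTERNS = [
    r"\bEFIN\b", r"e-?Services", r"suspend", r"verify your identity",
    r"license (has )?expired", r"security update", r"re-?authenticat",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _domain_matches(host, trusted):
    """True if host equals a trusted domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def _brands_claimed(text):
    """Brands the message invokes anywhere in From, Subject or body."""
    return {b for b in BRAND_DOMAINS
            if re.search(r"\b" + re.escape(b) + r"\b", text, re.IGNORECASE)}


def _body_text(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyze(raw_email):
    """Return the list of reasons a message looks like practitioner-targeted phishing.
    An empty list means no rule fired."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body = _body_text(msg)
    text = "\n".join([msg.get("From", ""), msg.get("Subject", ""), body])

    reasons = []
    brands = _brands_claimed(text)

    # Rule 1: the IRS does not initiate contact with tax professionals by email.
    if "irs" in brands:
        reasons.append("claims to be from the IRS; the IRS does not initiate contact by email")

    # Rule 2: the sender domain must belong to every brand the message claims.
    for brand in sorted(brands):
        if not _domain_matches(sender_domain, BRAND_DOMAINS[brand]):
            reasons.append(f"sender domain {sender_domain!r} is not a known {brand} domain")

    # Rule 3: links in a brand-claiming message must stay on that brand's domains.
    if brands:
        trusted = set().union(*(BRAND_DOMAINS[b] for b in brands))
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if not _domain_matches(host, trusted):
                reasons.append(f"link host {host!r} is outside the claimed brand's domains")

    # Rule 4: a lure phrase on top of a brand claim raises the confidence.
    if brands and any(re.search(p, text, re.IGNORECASE) for p in LURE_PATTERNS):
        reasons.append("uses a lure phrase typical of post-season credential phishing")
    return reasons


# Constructed sample messages (not real captures); domains under .example are fictitious.
SAMPLE_IRS_PHISH = """From: IRS e-Services <efin-support@irs-eservices-verify.example>
To: partner@cpa-firm.example
Subject: Your EFIN has been suspended
Content-Type: text/plain; charset=utf-8

Your Electronic Filing Identification Number (EFIN) has been suspended.
Verify your identity to continue e-filing: https://irs-eservices-verify.example/login
"""

SAMPLE_VENDOR_PHISH = """From: Drake Software Support <noreply@drake-license-renewal.example>
To: partner@cpa-firm.example
Subject: Action required: your Drake license has expired
Content-Type: text/plain; charset=utf-8

Your Drake Software license has expired. Re-authenticate here to keep filing:
https://drake-license-renewal.example/reauth
"""

SAMPLE_CLIENT = """From: Jane Client <jane@client-business.example>
To: partner@cpa-firm.example
Subject: Question about my extension
Content-Type: text/plain; charset=utf-8

Hi, just checking whether my extension was filed last week. Thanks!
"""

if __name__ == "__main__":
    for name, raw in [("IRS lure", SAMPLE_IRS_PHISH),
                      ("vendor lure", SAMPLE_VENDOR_PHISH),
                      ("client mail", SAMPLE_CLIENT)]:
        print(name, "->", analyze(raw) or ["no rule fired"])
```

Rule 1 mirrors the advisory's position that any email claiming to be from the IRS is a phishing attempt, so an IRS-branded message is flagged even before the domain checks run; the vendor rules rely on an allowlist, which is why those entries must be confirmed with the vendor rather than copied from this example.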
The IRS requires all tax preparers — including sole practitioners and small CPA firms — to have a Written Information Security Plan (WISP) that documents how they protect client data. The WISP must address data inventory, access controls, employee training, incident response, and vendor management. The IRS has increased scrutiny of WISP compliance and has made it a condition of EFIN maintenance. If your firm does not have a current WISP, creating one is now urgent. Segler.Net can assist CPA firms with WISP development, implementation of required security controls, and employee security awareness training tailored to the accounting profession.
Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.