Here’s what HIVE AI had to say about “How do tax professionals protect clients against scams in 2025?”:
2025 playbook for tax pros to protect clients from scams
The 2025 threat landscape tax pros must expect
- New‑client spear‑phishing remains a top vector: a scammer poses as a prospective client and sends a link or attachment that installs malware or leads to a credential‑harvesting page, giving the attacker client data and the means to file fraudulent returns. Treat unsolicited prospect emails carrying links or attachments as hostile until you have verified the sender out of band (a call to a number you look up yourself, not one taken from the email).
- Phishing and ransomware campaigns, fake charities, bad social‑media "tax tips" and bogus tax‑credit claims continue to surge; businesses should harden systems before the season, not during it. 1
Client education that shuts down most attacks
- Tell clients the IRS does not initiate contact by email, text or social media to request personal or financial information; instruct them not to click links or open attachments, to forward the message as an attachment to phishing@irs.gov, and then to delete it.
- Provide an annual "how we communicate" one‑pager (which channels you use and what you will never ask for by email or text), and include warnings about "amended return" pitches promising bigger refunds, fake IRS contacts, and people impersonating your firm. 2
Core security controls and Written Information Security Plan (WISP)
- Enforce MFA on every tax application, client portal, email account and cloud storage; turn on automatic anti‑malware updates; use full‑disk encryption on laptops and removable media; and keep at least one backup copy offline, where ransomware cannot reach it, testing restores rather than just the backup job.
- Implement the Tax Security 2.0 (Taxes‑Security‑Together) checklist, which covers the baseline controls above, a written data security plan, phishing awareness, recognizing the signs of client data theft, and a documented recovery plan, aligned to Pub. 4557 and Pub. 5293.
- Your WISP should spell out incident‑reporting triggers: under the FTC Safeguards Rule, notify the FTC as soon as possible and no later than 30 days after discovering a breach involving unencrypted information of 500 or more consumers; use the Federation of Tax Administrators (FTA) "Report a Data Breach" page to reach state tax agencies, which have their own notification timelines. 3
Incident response and rapid reporting
- If you suspect data theft, immediately contact your local IRS Stakeholder Liaison; they can flag affected taxpayer accounts to block fraudulent returns, coordinate across IRS functions, and guide cleanup.
- Report IRS‑impersonation emails to TIGTA and forward scam emails as attachments to phishing@irs.gov; be especially alert to phishing that asks for your EFIN documents, PTIN, or e‑Services credentials, since those are exactly what an attacker needs to file under your identity.
- Do not refer clients to a Taxpayer Assistance Center (TAC) solely because their account carries a -E freeze; check for Taxpayer Protection Program (TPP) markers and letters and work the identity‑verification path. 4
Identity‑theft safeguards for affected clients
- When the IRS determines an identity misuse risk, it must notify victims, provide steps to file police reports, share protective actions, and offer identity protection measures such as IP PINs; build these steps into your client incident playbook. 5
Protecting authorizations and e‑signatures
- Use IRS‑accepted e‑signature standards for POAs and 6103(c) consents; standardize identity‑proofing before accepting any electronic authorization to deter forged 2848s/disclosure consents. 6
Professional standards that prevent becoming a conduit for scams
- Follow Circular 230 best practices: clarify scope, establish and validate facts, relate law to facts, and advise clients on risks (including penalty defenses); apply standards on positions taken and never ignore red flags—make reasonable inquiries when client data looks inconsistent or incomplete. 7
Guard your PTIN/EFIN and reduce “ghost preparer” exposure
- Expect continued IRS action against ghost preparers (paid preparers who do not sign the return or include their PTIN); educate clients never to sign a return the preparer has not signed, and monitor for unauthorized use of your EFIN and PTIN. 8
Intelligence sharing and ecosystem protections
- Leverage Security Summit material and events; share and learn current indicators of compromise and scams.
- The IRS can disclose certain return information to specified participants in the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (ISAC) to combat identity‑theft refund fraud and cybersecurity threats; align your practice with industry sharing where appropriate. 9
Technical controls tax pros should require in 2025
- Hold vendors, remote staff and your own firm to the same baseline: MFA on all cloud email and tax software, auto‑updating anti‑malware, encrypted drives, and regular offline backups. Encourage clients to opt into an IP PIN (open to any taxpayer who can verify their identity online); once issued, an e‑filed return on that SSN that omits the PIN is rejected, which stops refund fraud against that client. 10
How to spot and stop data theft early
- Watch for the classic indicators: more returns filed under your EFIN than your firm submitted (compare weekly during the season against the return count shown in your e‑Services EFIN application), client e‑file rejections because a return was already filed under that SSN, transcripts or IRS notices arriving for clients who requested nothing, and IRS letters to clients about suspicious filings; adopt the Security 2.0 checklist and write the recovery plan before you need it. 11
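As an added example (not code from the page, the IRS or HIVE AI), the Python script below runs the first of those indicator checks over a practice's own e‑file records and adds two cheap companions to it. It assumes the firm can export one record per accepted return from its tax software with the filing date, EFIN, signing PTIN and an internal client ID; the EFIN, PTINs, client IDs and daily volumes are constructed sample data. It flags days whose volume is far above a robust baseline (median plus three MADs of the previous seven filing days), returns filed for taxpayers who are not engaged clients, and PTINs that do not belong to staff.

```python
"""Flag indicators of EFIN misuse in a practice's own e-file records.

Added example, not code from the page, the IRS or any vendor. Assumes the firm
can export one record per accepted return (date, EFIN, signing PTIN, internal
client ID) from its tax software. All identifiers and volumes below are
constructed sample data.
"""
from collections import Counter
from datetime import date, timedelta
from statistics import median

FIRM_EFIN = "123456"                                      # constructed
STAFF_PTINS = {"P00000001", "P00000002"}                  # constructed
ENGAGED_CLIENTS = {f"C-{n}" for n in range(1000, 1200)}   # constructed client roster


def build_sample_records():
    """Constructed data: two weeks of normal volume, then a day on which 30
    extra returns are filed for non-clients by a PTIN that is not on staff."""
    start = date(2025, 3, 3)
    normal = [8, 10, 9, 11, 10, 12, 9, 10, 11, 8, 10, 9, 12, 10]
    signers = sorted(STAFF_PTINS)
    records, next_client = [], 1000
    for offset, n in enumerate(normal + [10]):
        for i in range(n):
            records.append({"date": start + timedelta(days=offset), "efin": FIRM_EFIN,
                            "ptin": signers[i % len(signers)],
                            "client_id": f"C-{next_client}"})
            next_client += 1
    burst_day = start + timedelta(days=14)
    for i in range(30):
        records.append({"date": burst_day, "efin": FIRM_EFIN,
                        "ptin": "P99999999", "client_id": f"X-{i:04d}"})
    return records


def daily_counts(records, efin):
    """Returns filed per day under the given EFIN (only days with activity appear)."""
    return Counter(r["date"] for r in records if r["efin"] == efin)


def volume_spikes(counts, window=7, factor=3.0):
    """Days whose count exceeds median + factor * MAD of the previous `window`
    filing days. MAD is floored at 1 so a perfectly flat history still yields a
    usable threshold. Returns {day: (count, threshold)}."""
    flagged = {}
    days = sorted(counts)
    for idx in range(window, len(days)):
        history = [counts[d] for d in days[idx - window:idx]]
        med = median(history)
        mad = max(median(abs(h - med) for h in history), 1)
        threshold = med + factor * mad
        if counts[days[idx]] > threshold:
            flagged[days[idx]] = (counts[days[idx]], threshold)
    return flagged


def audit(records, efin=FIRM_EFIN, roster=ENGAGED_CLIENTS, staff=STAFF_PTINS):
    """Run the three checks and return the findings for review."""
    mine = [r for r in records if r["efin"] == efin]
    return {
        "spikes": volume_spikes(daily_counts(records, efin)),
        "unknown_clients": sorted(r["client_id"] for r in mine
                                  if r["client_id"] not in roster),
        "unknown_signers": Counter(r["ptin"] for r in mine if r["ptin"] not in staff),
    }


if __name__ == "__main__":
    findings = audit(build_sample_records())
    for day, (count, threshold) in findings["spikes"].items():
        print(f"{day}: {count} returns filed, baseline threshold {threshold:.0f}")
    print(f"{len(findings['unknown_clients'])} returns for taxpayers not on the client roster")
    for ptin, n in findings["unknown_signers"].items():
        print(f"PTIN {ptin} signed {n} returns but is not on staff")
```

The baseline uses only days on which something was filed, so weekends do not drag the median down. Rejections for an SSN already used and IRS letters to clients are not visible in the firm's own records; reconcile the daily total above against the e‑Services count, and treat any unknown PTIN or client ID as a finding to investigate rather than a list to clean up.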
Compliance and ethics guardrails that also deter scams
- Do not facilitate dubious schemes or aggressive refund plays; Circular 230 prohibits misconduct such as misappropriating client funds, promising special IRS treatment, or counseling evasion.
- Maintain competence through training or consulting experts when needed. 12
Penalties and enforcement you should cite to dissuade fraudsters and protect your firm
- Scheme promoters face penalties for false statements/gross valuation overstatements tied to arrangements or plans; preparers face penalties for willful/reckless understatements, and firms can be penalized if they lack adequate review procedures. 13
Client communications scripts you can reuse
- “We will never ask for your SSN, bank info, or portal password by email or text. If you get such a request, forward it to phishing@irs.gov and to us, then delete it.” 2
Coordination with IRS/state initiatives
- Track the 2025 “Protect Your Clients; Protect Yourself” series and Security Summit updates; align your seasonal client alerts with their release cadence. 14
Privilege, confidentiality, and scam triage
- Communications with a federally authorized tax practitioner about tax advice can be protected by the §7525 privilege, but only in noncriminal tax matters before the IRS and noncriminal federal court proceedings, and never for written communications promoting tax shelters; set expectations with clients and document advice pathways in incident responses. 15
Quick checklist for 2025
- Enable MFA on all systems; keep admin passwords unique per account, rotate them quarterly, and rotate them immediately whenever a staff member leaves or a compromise is suspected. 10
- Train staff on “new client” spear‑phishing and rehearse your breach‑response runbook. 1
- Confirm WISP breach‑notification triggers and contacts (IRS Stakeholder Liaison, TIGTA, state FTA portal, FTC timelines). 3
- Validate e‑signature and identity‑proofing workflows for 2848/6103(c) authorizations. 6
- Remind clients post‑April 15 to beware of W‑2 phishing and refund‑related scams; push a mid‑year awareness email. 16
- Audit EFIN/PTIN use logs; watch for anomalies and ghost‑preparer indicators. 8
Where to send what (at a glance)
- IRS impersonation/phishing: phishing@irs.gov; also report to TIGTA. 4
- Suspected client ID theft/data breach: IRS Stakeholder Liaison; notify states via FTA “Report a Data Breach”; follow FTC 30‑day rule if ≥500 affected. 3
- TPP/identity‑verification cases: follow the Taxpayer Protection Program workflow; do not send clients to a Taxpayer Assistance Center solely because of a -E freeze. 17
Sources
1 – IRS Newsroom – IR-2025-26
2 – IRS IRM 21.1.3 Operational Guidelines Overview
3 – IRS Newsroom – IR-2024-183
4 – IRS Newsroom – IR-2024-36
5 – IRC § 7529(a)
6 – IRC § 6061(b)
7 – Treas. Circular 230 § 10.33 Best practices for tax advisors
8 – IRS Newsroom – IR-2025-12
9 – IRS Newsroom – IR-2025-73
10 – IRS Newsroom – IR-2022-143
11 – IRS.gov – Tax Security 2.0: The Taxes-Security-Together Checklist
12 – Treas. Circular 230 § 10.51 Incompetence and disreputable conduct
13 – Treasury Regulation 1.6694-3
14 – IRS.gov – Protect your clients; protect yourself
15 – IRS IRM 33.3.8 Whistleblower Taint Review Procedures
16 – IRS Newsroom – IR-2025-57
17 – IRS IRM 25.25.6 Taxpayer Protection Program