Your client relationships and practice reputation rest on a foundation of trust built over the years. But in an instant, sophisticated scammers posing as potential clients can shatter that foundation, leaving both your data and your clients’ exposed.
JP Morgan’s 2023 Financial Crime Report shows tax-related identity theft caused $7 billion in losses in the prior year. Understanding criminal tactics and spotting warning signs early can protect your practice from devastating attacks.
Let’s examine the most common tax scams targeting accounting firms today.
The “New Client” Email Scam
Scammers target tax professionals with fake new client emails asking about services. These innocent-looking messages lead to a second email with dangerous links or files. Clicking these gives criminals access to all client data in your system.
The most dangerous part? Scammers now use real email addresses stolen from colleagues and clients. This makes the fake emails look entirely legitimate to busy tax professionals during peak season.
How to Protect Yourself
Use tax client portal software for sharing sensitive documents and data. Basic email works for initial contact but considering moving all tax-related file sharing to your secure portal. This keeps client data safe while maintaining easy communication.
IRS Audit Notice Scam
Your inbox blinks with an “IRS Audit Notice” marked urgent. The email claims your client’s return has serious discrepancies requiring immediate action. These scammers know tax pros fear audits above all else and will act quickly to protect clients.
The fake notices carry official IRS logos and reference real tax returns. They want you to download “audit documents” or click verification links. Each click installs malware that hunts for client financial data.
How to Protect Yourself
Remember, the IRS never initiates audits through email. Log into your IRS e-services account directly to verify notices. Always inform clients that audit communications come through official mail.
Spearphishing Attacks
Spearphishing hits tax pros with highly targeted fake emails that include real details about you and your practice, unlike random spam. Scammers study their targets to make messages look authentic.
They often mention specific tax services or reference local business details. Their goal is to get you to share private data or download harmful files that can steal client information.
How to Protect Yourself
Verify new clients through LinkedIn or phone before sharing any tax details. Stay cautious with attachments and only open them after confirming the sender. You can also set up email filters to block common scam keywords and suspicious sender patterns.
The Remote Access Trap
“Hi, we’re from your tax software support. We noticed unusual login attempts—can we do a quick screen share to secure your account?”
This scam plays on every tax pro’s worst fear: a security breach during the busy season. Instead of stealing from one client, they want access to your entire practice.
How to Protect Yourself
Never give remote access to anyone who contacts you first. Call your software provider’s official number for any security concerns. Post this rule in your office—it could save your practice one hectic tax season day.
Phone Number Spoofing Scam
The caller ID shows your client’s number. They mention last year’s tax return and need urgent wire transfer changes. They call during lunch hours when staff handle peak workloads and might skip verification.
These scammers research their targets thoroughly. They’ll mention past tax returns, business details, and even personal conversations. Once they gain trust, they request immediate banking changes that drain accounts within hours.
How to Protect Yourself
Create a verification code system with clients for phone requests. Always call back on their registered number, even if the caller ID seems legitimate. One extra minute can save countless headaches.
Cloud Storage Link Scam
A dangerous scam targeting tax firms involves fraudulent cloud storage links. Scammers send what looks like a Google Drive or Dropbox link with tax documents. Behind these links hide fake storage login pages to steal your credentials.
The risk grows as firms handle client documents across multiple platforms. This gives scammers more entry points. Once they capture your login details, they gain access to every client file in your cloud accounts.
How to Protect Yourself
Use an encrypted document management system for accountants to manage all client files. Make it a firm policy to only accept documents through this secure platform. The extra layer of protection keeps your clients’ sensitive information safe and reduces the risk of falling victim to phishing scams. By centralizing document management within a secure platform, you also streamline your workflow, ensuring both efficiency and peace of mind for you and your clients.
What To Do If You’re Scammed
If you’ve already fallen victim to a tax scam, there are steps you can take to minimize damage and protect your clients. Most firms hesitate to act, but quick response can save both data and reputation. Here’s what you need to do:
- Report immediately: Contact the Treasury Inspector General (800-366-4484). They can help block fraudulent returns and protect client identities.
- Lock down systems: Change all passwords, revoke access credentials, and disconnect compromised devices from your network.
- Alert your clients: Send an email explaining the breach, potential risks, and specific steps to protect themselves.
- Document Everything: Keep detailed records of the incident, including screenshots, emails, and the timeline. This documentation supports your insurance claim and helps authorities track criminal activity.
Conclusion
Tax scams evolve constantly, and so should your defense approach. Review your verification steps, upgrade your document systems, and train your staff on emerging threats. With these practices in place, you’ll safeguard your accounting firm and stay vigilant against new threats.
