Protecting Your Business from Identity Theft and Refund Fraud in 2026

Tax season has always attracted opportunistic criminals, but the scale and sophistication of attacks in 2026 represent a significant escalation. The IRS Criminal Investigation division reported a 111.8% surge in identified tax fraud during fiscal year 2025, with total fraud reaching $4.5 billion. Meanwhile, the Federal Trade Commission logged nearly 6.5 million fraud and identity theft reports in 2024 alone, a 20% jump from the prior year. For businesses across South Florida, a state that leads the nation in fraud and identity theft reports per capita, these numbers carry real urgency.

Criminals deliberately concentrate their efforts between February and April because that window creates the perfect combination of pressure and valuable data. Businesses are exchanging W-2s, 1099s, payroll records, and financial statements with accountants, employees, and tax software platforms. That volume of sensitive information moving through email inboxes and file-sharing systems gives attackers multiple entry points. Add the deadline-driven stress that clouds judgment, and you have conditions that benefit cybercriminals far more than they benefit your finance team.

AI-Enhanced Phishing and Voice Cloning Attacks

Generative artificial intelligence has fundamentally changed what phishing looks like. Where scam emails once arrived with obvious spelling errors and awkward formatting, AI now produces communications that mirror the exact tone, branding, and language of the IRS, state tax agencies, or popular tax software providers. These messages arrive with convincing subject lines, proper grammar, and official-looking logos, making them genuinely difficult to distinguish from legitimate correspondence.

Voice phishing, sometimes called vishing, has become an equally serious concern. Criminals use AI voice-cloning tools to generate audio that sounds like a known accountant, executive, or IRS representative. A business owner might receive a voicemail that sounds exactly like their CPA asking them to call back and confirm banking details before a filing deadline. Once the target calls the number provided, they reach a scripted call center designed to extract sensitive information. AI-powered chatbots add another layer to this threat by engaging targets in real-time text conversations, answering follow-up questions convincingly enough to sustain the illusion of legitimacy. The practical result is that novice fraudsters can now run sophisticated multi-channel scam campaigns that previously required significant technical expertise.

Business Email Compromise Targeting W-2 Data

Business Email Compromise (BEC) attacks peak during tax season because W-2 forms represent one of the most complete packages of personally identifiable information available. A single W-2 contains an employee’s full name, address, Social Security number, and annual income, which is everything a criminal needs to file a fraudulent tax return or open credit accounts. The typical attack involves a spoofed email that appears to come from a company executive, directed at HR or payroll staff, requesting an urgent batch of employee W-2 files. The email address looks nearly identical to the real one, the tone matches how the executive normally communicates, and the request arrives during a busy period when staff are less likely to pause and verify.

A related threat that the IRS added to its 2025 Dirty Dozen list involves “new client” scams targeting tax professionals and payroll departments. Fraudsters pose as prospective clients, requesting that staff open attachments or visit links that compromise systems or steal credentials. These attacks exploit the professional trust that exists between businesses and their accountants, using that relationship as cover for extracting payroll data or tax credentials.

Ghost Tax Preparers and Credential Fraud

Not every tax season threat comes from external hackers. Ghost tax preparers are individuals who prepare returns for compensation but deliberately refuse to sign the completed return or include their required Preparer Tax Identification Number (PTIN). By staying invisible, they avoid accountability for fraudulent deductions, inflated refunds, or misdirected payments. Common warning signs include demands for cash-only payment without receipts, fees structured as a percentage of your expected refund, and pressure to sign a return you have not had adequate time to review.

The consequences for businesses that unknowingly use a ghost preparer can extend beyond financial loss. The IRS holds taxpayers responsible for the accuracy of their returns regardless of who prepared them. If a ghost preparer fabricates income, invents deductions, or redirects your refund to their own account, your business faces potential penalties, interest charges, and the burden of proving you were deceived.

Immediate Action Steps for Tax Season Protection

The most effective tax season security measures are not complicated, but they do require deliberate action before your busiest filing period arrives. The steps below address the highest-priority risks facing businesses right now and can be implemented without specialized technical knowledge.

File Early and Secure Your Identity Protection PIN

One of the most straightforward defenses against refund fraud is simply filing your business and personal returns as early as possible. Employers are required to distribute W-2s and 1099s by January 31st, which means you can begin preparing returns almost immediately. Filing early closes the window that criminals rely on when they use stolen Social Security numbers to submit fraudulent returns before the legitimate taxpayer does. If you discover that a return has already been filed under your information, contact the IRS immediately and submit Form 14039 to report the identity theft.

The IRS Identity Protection PIN (IP PIN) program provides an additional layer of security for individual taxpayers. This six-digit code must accompany any tax return filed under your Social Security number; without it, the IRS automatically rejects the submission, even if the criminal has your correct personal details. IP PINs are available to any taxpayer through their secure IRS online account and are refreshed annually. While the current IP PIN program applies to individual Social Security numbers rather than business Employer Identification Numbers, business owners and employees should enroll personally, since individual identity theft directly enables fraudulent business filings.

Implement Multi-Factor Authentication Across All Systems

Multi-factor authentication (MFA) requires users to confirm their identity through at least two separate methods before accessing an account. For tax-related platforms, this means enabling MFA on your IRS online account via ID.me, your tax preparation software, payroll systems, and any banking platforms connected to your business accounts. Authentication apps like Google Authenticator or Microsoft Authenticator provide stronger protection than SMS-based codes, which can be intercepted through SIM-swapping attacks. The core benefit of MFA is that a compromised password alone is no longer sufficient for an attacker to gain access, which neutralizes one of the most common outcomes of phishing attacks.

Verify Tax Professional Security Standards

Your tax preparer handles some of the most sensitive data your business generates, which makes their cybersecurity practices your concern as much as theirs. IRS Publication 4557 requires professional tax preparers to maintain a Written Information Security Plan (WISP) that covers encryption, access controls, employee training, and incident response. Before sharing any documents, ask your preparer directly whether they use encrypted portals for document exchange, how they restrict internal access to client data, and what their procedure is if they experience a breach.

To verify credentials before engaging any new tax professional, use the IRS Directory of Federal Tax Return Preparers with Credentials and Select Qualifications, available at IRS.gov. Confirm that any paid preparer signs your completed return and includes their PTIN. A refusal to do either is a serious red flag that should end the relationship immediately.

Advanced Security Protocols for Business Data Protection

Beyond the foundational steps above, businesses that handle employee payroll data or work with multiple clients carry additional responsibility for protecting sensitive financial information throughout the preparation process.

Secure Document Transmission and Storage

Standard email attachments are not an appropriate method for transmitting tax documents. Most email systems do not encrypt attachments end-to-end, meaning a file containing W-2s or bank statements can be intercepted in transit. Purpose-built platforms designed for accounting and tax workflows offer significantly better protection. Options like TaxDome, SmartVault, and Tresorit provide AES-256 encryption, role-based access controls, audit trails, and expiring download links, all features that align with IRS Publication 4557 requirements. When physical mailing is unavoidable, use a tracked courier service rather than standard mail.

For document storage, maintain both encrypted cloud backups and a local encrypted external drive. Physical copies should be kept in a locked cabinet or safe. The IRS recommends retaining tax records for a minimum of three years, though certain circumstances require longer retention. Regardless of the timeline, stored documents should be protected with the same level of care as active files.

Employee Access Controls and Monitoring

Not every employee needs access to payroll records, tax filings, or client financial data. Role-based access permissions ensure that staff members can only view the information necessary for their specific responsibilities. During tax season, when temporary staff or outside contractors may be involved, this principle becomes especially important. Require confidentiality agreements for anyone handling sensitive financial data, conduct background checks where appropriate, and review access permissions regularly to confirm that former employees or seasonal workers no longer have system access after their engagement ends.

Comprehensive Backup and Recovery Systems

Ransomware attacks that target businesses during tax season are particularly damaging because the timing creates maximum pressure to pay. A criminal who encrypts your tax files two weeks before a filing deadline knows you may feel you have no choice. Maintaining tested, offline backups eliminates that leverage. Store encrypted backups on external drives that are disconnected from your network when not in use, and verify restoration procedures periodically so you know the backup actually works before you need it. Document your recovery time objectives so your team knows what to expect and how to prioritize during a recovery scenario.

Recognizing and Responding to Tax-Related Cyber Threats

Identifying Sophisticated Phishing Campaigns

The IRS does not initiate contact with taxpayers through email, text messages, or social media. Any unsolicited digital communication claiming to be from the IRS should be treated as suspicious regardless of how official it appears. Legitimate tax agencies do not threaten immediate arrest, demand gift card payments, or request Social Security numbers through digital channels. When you receive a questionable message, navigate directly to the agency’s official website by typing the address manually rather than clicking any link in the message. If a communication appears to come from your tax software provider, call the company’s published support number to verify before taking any action.

W-2 and Payroll Data Protection Strategies

HR and payroll staff should operate under a clear policy: any email request for bulk employee tax data, regardless of who it appears to come from, requires verbal confirmation through a separate, known phone number before any files are transmitted. This single protocol stops the majority of W-2 phishing attacks. Train staff to hover over sender addresses to check for domain spoofing, and establish a habit of composing a new email rather than hitting reply when responding to any sensitive request, which prevents replies from going to a spoofed address. If your organization receives a suspicious request and does not respond to it, forward the original message to [email protected].
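The checks in the policy above can also be run automatically on inbound mail. The following Python sketch is an added example, not part of the original article: it flags bulk tax-data requests, sender domains that nearly match your own, and a Reply-To header that would divert a reply. TRUSTED_DOMAIN, KEYWORDS, the distance threshold and the sample messages are assumptions constructed for illustration.

```python
import email
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"               # assumption: your real mail domain
KEYWORDS = ("w-2", "w2", "1099", "payroll")  # assumption: bulk tax-data terms

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent/malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance; small nonzero values mean near-identical names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(raw_message):
    """Return the reasons a message must be verified by phone before any reply."""
    msg = email.message_from_string(raw_message)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    text = f"{msg['Subject'] or ''} {msg.get_payload()}".lower()
    reasons = []
    if any(k in text for k in KEYWORDS):
        reasons.append("tax-data request: confirm by phone on a known number")
    if 0 < edit_distance(from_dom, TRUSTED_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_dom} imitates {TRUSTED_DOMAIN}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"replies would go to {reply_dom}, not {from_dom}")
    return reasons

# Constructed sample messages (not real traffic).
SPOOFED = (
    'From: "Dana Reyes, CEO" <dana.reyes@examp1e.com>\n'
    "Reply-To: dana.reyes@mailbox.test\n"
    "Subject: Urgent - employee W-2 files\n\n"
    "Send me all W-2 PDFs before noon.\n"
)
INTERNAL = "From: cfo@example.com\nSubject: W-2 batch\n\nPlease send the files.\n"
ROUTINE = "From: hr@example.com\nSubject: Office closed Friday\n\nEnjoy the break.\n"

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("INTERNAL", INTERNAL), ("ROUTINE", ROUTINE)):
        print(name, review(raw))
```

The INTERNAL sample comes from the genuine domain and is still flagged for a callback, which matches the policy that the request type, not the apparent sender, triggers verification.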

Incident Response and Reporting Procedures

When a potential breach is discovered, the priority is containment first and investigation second. Isolate affected systems, engage a security professional to assess the scope, and notify your insurance provider to understand what coverage applies. If Federal Tax Information is involved, IRS guidelines call for notification within 24 hours. Tax professionals should contact their local IRS Stakeholder Liaison, who can coordinate with IRS Criminal Investigation to block fraudulent returns. Additionally, file a report with local law enforcement and submit a complaint to the FBI’s Internet Crime Complaint Center at IC3.gov. State tax agencies and attorneys general in affected states must also be notified, with specific timelines varying by state.

Building Long-Term Tax Security Habits

Ongoing Employee Security Training Programs

A single annual security briefing is not sufficient for the threat environment businesses face in 2026. We recommend a multi-phase approach that begins four to six weeks before peak filing season with a baseline phishing simulation to identify which employees are most vulnerable to tax-themed attacks. Follow that with targeted training sessions covering the specific scam types your team is most likely to encounter, including AI-generated emails, executive impersonation requests, and fake IRS notices. Run additional simulations during peak season with immediate feedback for anyone who clicks a test link. Track click rates and reporting rates over time to measure whether the program is working and adjust content as new attack methods emerge.

Technology Infrastructure for Year-Round Protection

The security measures that protect your business during tax season should remain active throughout the year. Firewalls and endpoint protection software need to be deployed on every device that accesses financial systems, including personal devices used for remote work. Require VPN connections for any remote access to payroll or accounting platforms. Schedule regular vulnerability assessments and ensure that software patches are applied promptly, since many successful attacks exploit known vulnerabilities that vendors have already released fixes for.

Compliance Monitoring and Continuous Improvement

If your business works with a tax preparer or accounting firm, ask to review their Written Information Security Plan at least annually and confirm that they conduct regular risk assessments and employee training. For businesses that handle their own payroll or maintain client financial data, conduct quarterly internal reviews of your own security controls. Evaluate service providers against documented security requirements, and include security expectations in any contracts with third parties who access your financial systems. Tax season cybersecurity is not a one-time project; it is an ongoing process that requires consistent attention to remain effective as threats continue to evolve.

If you would like help assessing your current security posture or implementing any of the protections described here, the team at IT Solutions of South Florida is ready to assist. Reach out to us at itsolutions247.com to schedule a consultation before the April filing deadline arrives.