Hello, and thank you for joining this webinar for National Tax Security Awareness Week. Today, the Internal Revenue Service and the Federal Trade Commission are collaborating to share a wealth of information about Real-life Threats and Steps you can take to Protect Your Business and Your Clients.
My name is Jeffrey Latessa, and I’m a Stakeholder Liaison with the Internal Revenue Service. I’ll be your moderator for today’s webinar, which is slated for approximately 120 minutes. This webinar supports National Tax Security Awareness Week, which is an annual event emphasizing the importance of protecting sensitive financial information from identity theft and tax scams, especially as the holidays and the upcoming tax season approach.
Collectively, with over 80 years of experience, today’s panel of speakers will cover how to identify real-life threats targeting tax professionals, including data breaches, phishing, ransomware, and insider threats; understand the IRS Return Integrity and Compliance Services, or RICS, and other department roles in responding to tax-related cyber threats through the Security Summit, the Coalition Against Scam and Scheme Threats, or CASST, Online Fraud Detection and Prevention, and Stakeholder Liaison; and recognize common entry points for attackers and weak spots in tax practices.
They’ll also discuss how to apply practical steps to prevent, detect, and respond to security incidents, reduce identity theft risks and related fraud losses by learning to spot fraud early and steering clear of sharing personal information with a scammer, find the tools to build a written response plan in case of data breach, and where to report incidents and how to access IRS resources and support.
Now, let me introduce today’s speakers. We’re joined by Cassandra Dreyer, Mark Henderson, and Glenn Gizzi with the Internal Revenue Service, along with Kelle Slaughter with the Federal Trade Commission.
Cassandra has served with the Internal Revenue Service for 22 years. She began her career in Taxpayer Services, formerly known as Wage and Investment, as a customer service representative with accounts management. Cassandra currently serves as a Senior Tax Analyst in Return Integrity and Compliance Services, or RICS, where she focuses on incident and data breach management, the nationwide tax forums, and leads the information sharing working group within the Security Summit. She’s also an active leader in the Coalition Against Scam and Scheme Threats, or CASST, working to strengthen public awareness and collaboration against emerging fraud threats. Cassandra earned her Bachelor of Business Administration from St. Norbert College in 2001 and is based out of the IRS Austin, Texas office.
Mark has been a Security Specialist with the Internal Revenue Service’s Online Fraud Detection and Prevention Team since 2009. Over a 20-year career in Information Security, he’s had the opportunity to speak both domestically at the Anti-Phishing Working Group, the FBI’s National Academy, the Florida Department of Law Enforcement, GFIRST, InfraGard, the United States Secret Service, as well as internationally. He holds an M.S. in Engineering Management from George Washington University with a graduate certificate in Information Security Management. He holds an M.S. in Organizational Informatics, now Applied Analytics, from Saint Louis University. He was an adjunct professor in the Computer Information Systems program within SLU’s School of Professional Studies for several years. Mark has held various security certifications, including the CISSP and various SANS certifications.
Glenn has worked for the Internal Revenue Service for 36 years. He began in Taxpayer Service as a Taxpayer Service Specialist, answering account and tax-related and tax law questions on the IRS’s toll-free phone line until becoming a Revenue Agent in 1994. During his years as an agent, Glenn worked in the Examination Problem Resolution Unit as a caseworker, a cooperating Agent for Criminal Investigations, and was a Taxpayer Advocate at the model lock-in office in Edison. Glenn is also a certified instructor for the IRS and spent 4 years training new incoming Revenue Agents. Glenn’s current assignment is working on the Data Breach team, helping tax practitioners who’ve experienced a data breach.
And last but certainly not least, we have Kelle Slaughter. Kelle is a Senior Investigator for the Federal Trade Commission, or the FTC. During her tenure with the FTC, in addition to her Law Enforcement Investigation role, she served as the Identity Theft Program Manager. Kelle’s career in public service began in the Texas office of the Attorney General Consumer Protection Division, where she served as an investigator for over a decade. Then, she was the Director of Investigations at the Better Business Bureau of North Central Texas for 3 years. During her almost 21-year investigative career, Kelle has conducted hundreds of consumer protection investigations, supported numerous enforcement actions, given countless presentations to consumers, businesses, and law enforcement, and is recognized for her engaging presentation style.
And with that, I’m going to turn it over to Cassandra to begin the presentation. Cassandra, the floor is yours.
Thank you, Jeffrey. Hi, everyone. As stated, my name is Cassandra Dreyer. I’m a Senior Tax Analyst at the IRS. I’ve been with the IRS for just over 22 years, and in that time, I’ve seen just how much our world and the world of cyber threats has changed. My portion of today’s presentation, Tax Pros and Security 3.0, is all about helping you protect what matters most: your clients’ data and your business. We’re going to look at real-life threats and practical steps to prevent and respond to them, and a few tools that can make a huge difference.
So let’s dive in. Tax firms like you hold a treasure trove of sensitive data, social security numbers, addresses, banking details, basically everything in identities you’ve dreamed of. Criminals know that many small- and mid-sized tax firms don’t have the same cybersecurity resources as big corporations, and that’s why they target you. One breach can trigger thousands of dollars in refund fraud, and unfortunately, we’ve seen that story play out too many times. Cyber criminals don’t take tax season off. In fact, for them, it’s always tax season.
Now, here’s the good news. The IRS, state tax agencies, and private sector partners are working together through what we call the Security Summit. This partnership launched back in 2015, and it brings everyone in the tax ecosystem together to fight identity theft and refund fraud. We’re talking about software developers, state revenue agents, and tax professional organizations all sharing information, strategies, and security standards to strengthen defenses across the board.
But why does this matter to you? Because the Security Summit creates resources built specifically for tax pros. Every summer we have a “Protect Your Clients; Protect Yourself” campaign. We also participate in the National Tax Security Awareness Week. And we issue regular security summit alerts that flag emerging scams and offer practical prevention tips. Following these best practices helps you avoid becoming the weak link cyber criminals look for.
Now, let’s talk about another powerful collaboration, CASST, or the Coalition Against Scam and Scheme Threats. CASST is a team effort between the IRS, the state tax agencies, and our tax industry leaders, all working to spot new scams before they can spread. A few recent efforts include a Fuel Tax Credit statement to help prevent false claims, increased reviews of other withholding claims, and more outreach on ghost preparers, those who complete returns for payment but never sign them. CASST’s goal is to protect both taxpayers and tax pros, and that means you play an essential role. When you report scams or suspicious activity, you help the IRS identify patterns and shut down fraudulent networks faster.
Let’s move on to how criminals actually get in. The number one way: phishing and social engineering. You’ve seen them, those emails that look just like they’re from your software provider or maybe even the IRS asking you to click a link or log in to verify your account. It takes only one click on a fake link for malware to sneak in or for credentials to be stolen. A few quick reminders. Always verify the sender’s address and not just the display name. Never click on attachments or links from unknown sources. And if something feels off, it probably is. If you get an email saying your EFIN has been suspended, take a breath, call your stakeholder liaison, and verify it before you panic.
Here’s where things get scary and maybe a little bit more dramatic. Malware is the general term for anything nasty that sneaks into your system. Viruses, Trojans, spyware, you name it. Ransomware, though, takes it a step further. It locks you out of your own data and demands payment to unlock it, usually in the form of cryptocurrency. We’ve seen small firms brought to their knees by ransomware attacks that started from a single phishing email. Remember, paying the ransom doesn’t guarantee your data will be restored or that your clients’ information hasn’t already been stolen. The best defense: keep offline backups, update your software regularly, and use strong security tools with real-time protection.
Let’s talk about your legal responsibilities under the Financial Services Modernization Act of 1999, often called the Safeguards Rule. This rule requires tax professionals to have a Written Information Security Plan, or WISP, that explains how your firm protects your clients’ data. The plan should include regular risk assessments, encryption of client data, multi-factor authentication, and a designated security officer, even if that person is you.
Think of your risk as your business’s security blueprint. Not something to check off once, but something to live by. That’s why the IRS Security Summit came up with the Security Six. Six key protections every tax professional should have in place. Antivirus software, make sure you keep it updated and active. Firewalls, both hardware and software, to block outside threats. Two-factor or multi-factor authentication, a must for any account handling taxpayer data. Backup software. We recommend following the 3-2-1 rule: three copies; two formats; and make sure one is stored offline. Drive encryption. If a laptop is stolen, encrypted drives keep the data safe. And finally, Virtual Private Network, or VPN. Secure your connection, especially when working remotely. If you’re missing any of these items, make it a goal to add them this month.
When we talk about data breaches in the tax professional community, the signs aren’t always dramatic, but they are almost always there if you know what to look for. Some of the earliest indicators show up as unusual account behavior, things like unexpected password resets, login attempts you don’t recognize, or strange activity inside your software or portals. Those are red flags that someone may be probing or already has access.
Another major indicator comes from your clients. If your clients start getting phishing emails that look like they came from your office or they receive fraud alerts they can’t explain, that’s a strong signal that their information may have been exposed. And if the IRS sends them a letter asking them to verify their identity, especially before you filed their return, that’s a critical warning sign. You may also see it through your EFIN activity. If multiple client returns start rejecting, because a return has already been filed or you notice more filings under your EFIN than you actually submitted, that’s often evidence that identity thieves are actively using your credentials.
On the technical side, you may discover unauthorized access to your systems, or your monitoring tools may alert you to suspicious activity. Those alerts, whether from cybersecurity software, antivirus tools, or your IT provider, should never be ignored. Once again, the bottom line is this. If something seems off, it probably is. And recognizing these signs quickly is the single most important step in minimizing the damage and protecting your clients, your business, and your reputation.
So what if, despite your best efforts, a data breach does happen? First, don’t panic, but you do need to act fast. Make sure you isolate your system. Disconnect it from the internet, but make sure you keep the computers on. Contact your IRS stakeholder liaison. They’ll help you report and coordinate with the right IRS teams. Notify law enforcement, local police, and in some cases, the FBI or Secret Service. Tell your clients. Transparency is critical. Encourage them to monitor their accounts and get an IP PIN. Review your insurance and your Written Information Security Plan to see what response steps are covered. Quick action can prevent further harm and shows clients that you’re protecting them even in the worst situations.
When a tax professional reports a data breach, the incident is referred to Return Integrity and Compliance Services, or RICS, and that’s where I work. Once we receive that referral, we’ll contact you, we’ll review the details, and if we confirm that client data was exposed, we’ll ask for a list of the affected taxpayer and business TINs, or EINs. Our analysts then monitor for fraudulent or identity theft returns linked to those TINs, and help to protect both your clients and your reputation. We also will provide access to two practitioner relief programs designed to keep legitimate returns moving even after a data breach.
Speaking of protection, let’s talk about the Identity Protection PIN, or IP PIN. The IP PIN is a 6-digit number issued by the IRS to prevent unauthorized use of a taxpayer’s SSN. Originally for identity theft victims, it’s now available to any taxpayer who verifies their identity at IRS.gov/getanIPPIN. Encourage your clients to enroll. It’s one of the simplest and most effective defenses out there. There are a lot of great tools to help you build your defenses. On IRS.gov, you can find several publications. Publication 4557, Publication 5708, and Publication 5199 are all great resources. And don’t forget about your local stakeholder liaison. They’re your first point of contact for questions, concerns, and reporting incidents.
So before we wrap up, I just want to remind you of three big takeaways I want you to remember from this portion of the presentation. Cybersecurity is everyone’s job. Whether you’re a solo preparer or a large firm, the same threats apply, and so do the defenses. Plan ahead. Have your WISP, test your backups, and know who to call. And finally, stay informed. Sign up for the IRS and CASST Alert and make security part of your business routine.
Thank you for your time, and I’ll return it to you, Jeffrey.
Thanks, Cassandra, and a great job starting us off. Mark, I’ll let you take the floor to discuss Online Fraud Detection and Prevention.
Great. Thanks, Jeff. So good morning, good afternoon, good evening, everyone. My name is Mark Henderson. I’m going to talk to you about what types of scams are out there and how to detect them. Today, I’m going to be talking to you about a few topics. The first topic will be examples of malware campaigns that phishing@IRS.gov observes that target tax professionals. The second topic will discuss spear phishing scams that target tax professionals or that their clients might receive. These spear phishing scams are more commonly known as business email compromise, or BEC; business email spoofing, or BES scams.
The first malware campaign I’m going to show you is the ConnectWise malware campaign. The email is being sent from a compromised email account at mit.edu. The URL highlighted downloads a malicious executable. LinodeObjects.com provides an online storage capability, which is often abused by threat actors to host phishing and malicious content. ConnectWise offers a tool called ScreenConnect that allows for secure remote management. There are multiple vulnerabilities linked to ConnectWise ScreenConnect, and it’s been under active exploitation since 2024. The takeaway here is that text and emails may contain URLs that download malicious files. The malicious file was analyzed using VirusTotal. You can analyze a malicious file on a variety of different platforms, such as Joe Sandbox or Triage. And it shows that multiple antivirus engines identified this file as malicious.
This slide shows another malware campaign, which often references IRS tax forms. The 8879 form is a legitimate form from the IRS. It is the declaration document and signature authorization for an e-filed return filed by an electronic return originator, or ERO. The string 8879 has been observed in various malware campaigns for close to a decade. The email itself or lure may change, but in most cases it will contain a malicious attachment or URL. The sender is likely a compromised email account.
The threat actor is using their email to send malicious emails. This is why it’s important for you to use two-factor or multi-factor authentication to secure your email account. You can avoid becoming a victim of an email account compromise. The subject uses RE, signifying that this is a reply to a message. This is actually the first email that was sent. If an email contains RE, that doesn’t mean that it is an actual reply. Notice the generic greeting, good morning, phishing. Every recipient likely received a similar greeting that was created from their email address. The malicious URL is linked to signed Form 8879.pdf image. The image that appears in the body is 810 kilobytes. The actual file when you download it is 158 megabytes.
This slide shows what you would see in your browser if you clicked on the link in the email from the previous slide. We aren’t recommending clicking on URLs to see where they go. You should check with the original sender to verify any requests. After you click the URL, you would still need to click again to download the file where it says Download Archive. In this case, the malicious URL is hosted on DocSend. As we observed previously, trusted sites can host phishing and or malicious files. Some sites, like DocSend, have a little flag or an ellipsis that allows you to report the phishing or malicious URL, which is what we would suggest doing here. The file that will be downloaded is over 100 megabytes.
The zip file is also password protected, so you would still need to enter the password to open the file. What you can’t see from this screenshot is that the email is being sent using Amazon Simple Email Service, or SES. This is why it’s important to send full email headers to phishing@IRS.gov. Without full email headers, phishing@IRS.gov can’t identify other potential service providers that were used to deliver the actual email.
If you downloaded the file and then unzipped it with the password, you would actually have several files. One of these files is an executable, which if you scanned it using a tool like VirusTotal, as I did previously, the file would not appear to be malicious. The other files are very large, over 100-meg. Most antivirus engines won’t let you scan a file over 10-meg. Someone who opened the original email might have done so because the email appeared to be a reply. They might have clicked on the initial URL because they saw it was hosted on a trusted site. Since the file was password protected, they might have thought someone would only do that to protect files, so they must be legitimate files. The recipient might even scan the file just to be sure and feel that if it’s scanned clean, that signified that the files appeared safe to open. Unfortunately, they would be wrong on all accounts.
New client scams are going to incorporate a variety of these techniques to target tax professionals. This is a new client scam from 2018. The new client scam is the most prevalent spear phishing scam that we see that targets tax professionals. The threat actor wants the tax professional to reply back to them, so that they know that the email account is valid. The threat actor will reply with a malicious attachment or URL to the tax professional. This malicious attachment or URL is usually a commodity Remote Access Trojan or RAT, which will give the threat actor the ability to connect to the tax professional’s computer and browse and download any files of interest like tax documents and/or capture passwords to email accounts, tax software portals, et cetera.
Note that the email address in the From field is a compromised email account. The email begins with a generic and strange double greeting and includes some odd phrasing like “requisites” and “I request a response at your time.” And there are some spelling mistakes. Calendar is misspelled. This is an example of a new client scam from 2021. This individual is apparently receiving inquiries from other people looking for an accountant and wants to know if the tax professional is available to take on more clients. The email has a generic greeting and salutation.
I often reference the Verizon Data Breach Investigations Report, or DBIR. This report is released every year and covers a wide range of attacks that result in data breaches. At the end of my presentation, I’ll provide various websites and have included a link to download the full report or just the executive summary. According to the Verizon DBIR, there’s been a slight increase over the last several years of threat actors using artificial intelligence to craft their phishing emails. From 5% in 2022 to 10% in 2025, which is roughly double over a 3-year period, there’s certainly the potential that spear phishing emails become more prevalent using AI-generated content if that trend continues.
This is a new client scam from 2025. This email does not appear to have spelling or grammatical mistakes. The email does contain seemingly random letters and numbers added throughout the email at the end of each sentence. The sender’s email appears to have been generated programmatically; the email address follows a pattern of repeating letters that are vowels, consonants, spells, and then ends with a 2- or 3-digit string of characters. The email has some odd phrasing and it’s overly verbose. Several em dashes appear in the email. Depending on what you read, the presence of an em dash is sometimes a reliable or unreliable signature of AI-generated content.
Similar to other new client emails discussed previously, there’s no attachment or URL in the original email itself. The threat actor relies on tax professionals replying to the initial email, because the next email they send will contain the malicious attachment or URL. And there’s also a potential that, since they’re replying, it will not be flagged because it will be part of an email thread that already exists.
These are excerpts from the Verizon Data Breach Investigation Report. The FBI has recorded over $50 billion in losses tied to BEC/BES scams. There are certain techniques that are common to BEC/BES scams. Impersonation is common for business email spoofing, where threat actors might impersonate a legitimate domain by creating a similar looking domain, which is known as Typosquatting. Using stolen email accounts, which is known as email account compromise, is associated with business email compromise, or threat actors might use those compromised email accounts to craft more believable spear phishing emails.
BEC/BES scams can be very elaborate with multiple moving pieces, or the techniques can be very simple and straightforward. For example, the BEC/BES fake invoice scam will include a fake invoice with bank account information and a fake W-9, while the BEC/BES gift card scam might just request if someone can purchase Amazon gift cards.
This image represents the quantity of email addresses tied to different types of BEC/BES scams recorded and reported by phishing@IRS.gov. These email addresses are a combination of email addresses created by the threat actor, email addresses compromised by the threat actor, and domains created and used explicitly to send and receive email by the threat actor. If you look at the left side of the graph, you can see that phishing@IRS.gov has had numerous reports of BEC/BES W-2 scams, where a threat actor asked a business for their W-2s, back in 2016. In 2017, the volume dramatically increased. You can observe a characteristic J-shape in the two columns, which often represents exponential growth.
Looking at the right side of the graph, you can see that the BEC/BES tax professional reports starting in 2020 and continuing through 2025 have steadily grown in volume. If you look at calendar year 2023 and then calendar year 2024, you can once again see a similar J-shape again. In early 2024, the IRS issued a press release on the surge of new client scams. This is the press release the IRS issued related to that surge of new client scams, which was observed early in January 2024.
Tax professionals are likely to encounter certain BEC/BES scams over others, but should remain aware of the different variants since their clients might receive these scams and report them to you. BEC/BES scams that are sent to phishing@IRS.gov can be tax related or not. The gift card variant is very common. It’s observed daily. It’s often sent from a compromised email account with a request to purchase prepaid debit cards. The fake invoice variant is a request that includes a fake invoice for goods or services, and that may include a W-9. The W-2 variant is a request that’s typically sent to an HR professional requesting the W-2s for the organization. Businesses that are victims of that scam should notify dataloss@IRS.gov and then copy phishing@IRS.gov.
The tax software preparation impersonation, this is often a request to call back or provide information such as the EFIN summary statement. And the direct deposit variant, or sometimes referred to as payroll diversion, this is a request to change direct deposit information to an account the threat actor controls. Tax professionals might see this in the form of a client requesting a change to their banking account used for their refund. The IRS issued a press release almost a decade ago called the “Last Minute Scam”.
This spear phishing email is a BEC/BES fake invoice scam. While this might not be received by a tax professional, their business clients might receive something similar. The FBI reported that BEC/BES fake invoice scams, on average, resulted in a loss of over $120,000. While not as prevalent as other BEC/BES scams, the losses are often higher. The scam itself also will have a variety of pieces, making some people falsely believe that the request is more legitimate. The original email here came from kyle@viz-centricconsulting.com, which was a fraudulent domain that was created by the threat actor.
The highlighted email address was likely a compromised email account that was used to send the spear phishing email. The highlighted section in the email references an email thread, not included in the slide, that is made to look like the owner of the company had exchanged emails related to the fake invoice; that is known as a reply chain. Included in this spear phishing email is a W-9 and a fake invoice with wire instructions for a bank account that the threat actor controls.
This slide shows an example of a BEC/BES gift card scam. In this case, the sender was a tax professional who had had their email account compromised. Their information has been removed. The reply to email address looks similar to that compromised email address, but it’s with a different email provider. The threat actor would receive responses to their email, to that address.
This is why setting up two-factor authentication or multi-factor authentication is so important. The From email address for the sender is the email address of the compromised email account. The threat actor often sets up a rule to filter any replies into a folder that the email account owner wouldn’t be aware of. For this reason, a victim of an email account compromise might not even realize that their email account is being used until friends, family, or colleagues notify them.
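The header tells in the gift card and Form 8879 examples above (a Reply-To at a different provider than the From account, a "RE:" subject that was never actually a reply, a greeting built from the recipient's mailbox name, and a display name that hides the real sending address) can be checked mechanically before anyone clicks. The following script is an added example, not code from the IRS or the speakers; the three sample messages, all addresses and domains in it are constructed for illustration, and the checks are triage heuristics to prioritise what to forward with full headers to phishing@IRS.gov, not a replacement for that reporting.

```python
"""Header triage for suspected BEC/BES email (constructed example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample messages. Domains ending in .test are reserved and never resolve.
GIFT_CARD_LURE = b"""\
From: "Pat Preparer" <pat.preparer@examplecpa.test>
Reply-To: pat.preparer@freemail-provider.test
To: client@example.test
Subject: Quick favor
Content-Type: text/plain; charset=utf-8

Hello,

Are you free right now? I need a favor and cannot take calls today.
"""

FAKE_REPLY_LURE = b"""\
From: "jane@client.test" <billing@compromised-sender.test>
To: intake@examplefirm.test
Subject: RE: Signed Form 8879
Content-Type: text/plain; charset=utf-8

Good morning intake,

Please see the signed form at the shared link.
"""

LEGIT_REPLY = b"""\
From: "Jane Client" <jane@client.test>
To: pat.preparer@examplecpa.test
Subject: RE: Your question about my W-2
In-Reply-To: <20240101.1@examplecpa.test>
References: <20240101.1@examplecpa.test>
Content-Type: text/plain; charset=utf-8

Hi Pat,

Attached is the form you asked for.
"""

SAMPLES = {"gift_card": GIFT_CARD_LURE, "fake_reply": FAKE_REPLY_LURE, "legit": LEGIT_REPLY}


def _domain(addr: str) -> str:
    """Lower-cased domain of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _first_line(text: str) -> str:
    """First non-blank body line, which is where the greeting lives."""
    for line in text.splitlines():
        if line.strip():
            return line.strip()
    return ""


def triage_headers(raw: bytes) -> List[str]:
    """Return flag strings for one RFC 5322 message; an empty list means nothing fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags: List[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))

    # Replies routed to a different provider than the (possibly compromised) From account.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append(f"reply-to-domain-mismatch: From {from_addr} but Reply-To {reply_addr}")

    # "RE:" in the subject with no threading headers: the first message posing as a reply.
    subject = str(msg.get("Subject", ""))
    threaded = bool(msg.get("In-Reply-To") or msg.get("References"))
    if re.match(r"\s*(re|fwd?)\s*:", subject, re.IGNORECASE) and not threaded:
        flags.append("fake-reply-subject: RE:/FW: with no In-Reply-To or References")

    # Display name that is itself an address different from the real sender.
    if "@" in from_name and from_name.lower() != from_addr.lower():
        flags.append(f"display-name-address-mismatch: shows {from_name!r}, sent from {from_addr}")

    # Greeting derived from the recipient's mailbox name, or naming nobody at all.
    # Noisy where local parts are plain first names; tune for your own address format.
    body = msg.get_body(preferencelist=("plain",))
    greeting = _first_line(body.get_content()) if body is not None else ""
    local_part = to_addr.split("@", 1)[0].lower() if "@" in to_addr else ""
    if local_part and local_part in greeting.lower():
        flags.append(f"greeting-from-local-part: {greeting!r}")
    elif re.fullmatch(r"(hello|hi|dear|good (morning|afternoon|evening))[\s,!.]*", greeting, re.IGNORECASE):
        flags.append(f"generic-greeting: {greeting!r}")

    return flags


def triage_all() -> Dict[str, List[str]]:
    """Run the checks over every constructed sample."""
    return {name: triage_headers(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in triage_all().items():
        print(name, flags or ["no flags"])
```

Run it on a saved `.eml` file by passing the file's bytes to `triage_headers`; the legitimate reply in the samples fires nothing because its "RE:" subject is backed by In-Reply-To and References headers, which is exactly the distinction the fake-reply check relies on.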
These are the links to various resources discussed in my presentation if you’re interested. Kelle, I will hand the mic over to you now.
Thank you, Mark. Hello, everyone, and thank you, again, for joining us for this National Tax Security Awareness Week event. You’ve already heard who I am, so let me just take a moment to tell you a little bit about the Federal Trade Commission. As the nation’s consumer protection agency, the FTC works to stop unfair, deceptive, or fraudulent practices in the marketplace by conducting investigations and bringing enforcement actions against companies and individuals who break the law, like those that fail to keep their promises to you or those that might fail to protect your personal information. And we try to get money back to consumers whenever possible.
We couple this with education and outreach to consumers and businesses, where we get to tell people about their rights and businesses, about their responsibilities. But the FTC can’t do it alone. The FTC works to amplify its messages and reach a broader audience by building partnerships with trusted sources such as other federal agencies like the IRS, your state agencies, and other organizations throughout your communities. Now that you know who we are.
Let’s take a look at what I’ll be sharing with you during our time together. I’ll start by briefly going over data regarding the most reported frauds to the Federal Trade Commission with a more in-depth focus on imposter scams, including how to spot and avoid them. Then, I’ll share the data regarding identity theft and discuss how to spot, avoid, report, and recover from those instances. Lastly, I’ll wrap up by sharing ideas with you on how we can work together.
Let’s begin with what the Federal Trade Commission has learned about fraud based on reported data. You see, people report fraud to the Federal Trade Commission, and that information goes into the Consumer Sentinel Network database. This database also includes reports that people filed with other federal and state agencies, BBBs, and other contributors. We use this data to build our cases and create our consumer education, as well as we make this database available to other law enforcement to aid them in building their own cases.
As you can see here, last year there were 2.6 million fraud reports, which is roughly the same as in 2023. But more people lost a lot more money to fraud in 2024. One in three people who reported fraud last year said they lost money. That’s up from one in four in 2023. The total reported losses last year added up to $12.5 billion, which is $2.5 billion more than 2023. The five most reported frauds last year were very similar to 2023, with imposter scams still at number one.
Imposter scams happen when someone pretends to be somebody they’re not, like a family member or a love interest, the government, a business, or another well-known organization. The scammer’s goal is to convince you to send money or to share personal information. Online shopping scams were number two, which often involved people not getting what they ordered or being billed for something they didn’t order. Business and job opportunities were third, and they usually involve job scams and scams around job employment agencies. While investment scams and internet services round out the list, nearly 80% of people who reported an investment-related scam lost money, with a median of over $9,000. The $5.7 billion total losses in this category were up by $1 billion from the year before.
Now, while all of these categories are very important, in the interest of time, let’s focus on imposter scams, which has actually landed in the top three reported products year-after-year. When it comes down to how imposters are reaching out, email was the number one method reported last year. For years, it’s been the phone. But note that the highest losses overall were to scams that started on social media to the tune of $1.9 billion lost. And the highest reported losses per person were to scams that started on the phone with a median loss of $1,500. Understanding the scams and knowing how to respond to each of these methods of contact is important for your bank account, your reputation, and your peace of mind.
Now, Mark has already explained how scams are started via email. So, let me give you an overview on how impostors might reach out to you by phone and social media. Now, I know you’ve most likely encountered or heard about scammers pretending to be a family member with an emergency or a computer tech or they may even pretend to be from the government. They use convincing stories to steal your money or personal information.
Now, they’re taking a new approach. It’s layered. And here are some clues on how to spot it. The scammers call. And first they say they’re with the company and they’re contacting you about a routine problem, like suspicious charges on your Amazon account or a virus on your computer or an account breach. The story quickly escalates. They lie and say your name is involved in serious crimes. And they claim the court is about to seize the money in your bank account or your retirement savings, which is a lie.
Next, they switch from being the bearer of bad news to acting like the hero. How? By supposedly connecting you to someone with the government to help you fix the problem. But the person they transfer you to doesn’t work for the government and they don’t help. They want to trick you into taking cash out of your bank or your retirement account and giving it to someone.
So, here’s how to know when scammers are trying to deceive you. Scammers will attempt to trigger your emotions and sense of urgency. Scammers might give you an employee ID or a badge number or use the name of a real government employee, so that they can sound official. Scammers send official-looking letters with seals and make up government agency names that sound real, but they’re not. Remember, someone who works for the government won’t tell you to get cash or gold and give it to someone. Yes, gold, it has happened. They won’t tell you to pay with a gift card, wire transfer, payment app, or cryptocurrency immediately in order to avoid execution of threats like deportation or license suspension. They won’t tell you to keep your conversation a secret or lie to someone. Government agents will not tell you to transfer your money from accounts to protect it or for any reason. Only scammers will do that.
Now, someone in this virtual room just thought, well, I don’t answer phone calls, so the scammers can’t get me. But you’re not exactly in the clear. Over the years, we’ve been inundated with those threatening phone calls from imposters pretending to be from such places as the IRS, but imposters switch up their tricks to catch us off guard. So instead of contacting you by phone about a tax debt and making threats to get you to pay up, in more recent trends, scammers may send you a text message about a tax rebate or a tax refund or benefit, which is really enticing. The text messages may look legit, but no matter what the text says, it’s a scammer phishing for your information. And if you click on the link to claim your refund, you’re exposing yourself to identity theft or malware that the scammer could install on your phone. Go to the IRS wheres-my-refund.gov website to verify the legitimacy of money that you believe you may be owed.
Another opportunity that scammers are using to steal your money and possibly your personal information is when you’re searching for jobs online or even when a business owner is looking to fill positions online. You see, job scams sometimes start with ads for jobs that don’t really exist or they say you must pay to get the job. Scammers post these phony job opportunities on the same platforms legitimate employers do: in online ads, on social media, and on well-known job sites. Be aware, scammers will use the names of legitimate businesses to advertise these fake jobs, so it can sometimes be tricky to tell if the job is real or if it’s a scam. But here are some clues to help you know.
Scammers ask you for your personal and financial information, like your Social Security number or your bank account, before you even apply for the job. Scammers send messages about a job you didn’t apply for. Scammers send you a check and ask you to send part of the money back to them or to someone else. You’ll lose that money if you send it. Or scammers say that they can help you get a job, but you have to pay to get it. Well, in real job placement, the employer pays the agency, not the person applying for the job. You can learn a lot more information and get more examples about these types of scams at ftc.gov/job-scams.
But I want to wrap up our discussion on this topic by talking to you about a new FTC rule regarding imposter scams. After years of fighting back against scammers who impersonate government agencies and businesses, the FTC has successfully implemented a trade regulation rule that allows the FTC to file federal court cases seeking to get money back to injured consumers and civil penalties against the rule violators. Now, just to be clear, government and business impersonation of this sort has always violated the FTC Act, but now there’s a rule in place. The FTC can seek consumer redress and civil penalties, powerful tools that hit scammers where it hurts most: in the wallet.
Now, I’m sure business owners listening today are celebrating this development because the rule doesn’t just prohibit false claims of government affiliation. It also makes it illegal to misrepresent an affiliation with, including endorsement or sponsorship by, a business, a provision that addresses those scammers who use your company name to rip off consumers. Now that we have stronger tools to combat impersonation scams, we need your help. If you spot an imposter scam, please report it at ReportFraud.ftc.gov.
Now, reporting fraud is really important in the fight against scams. Scammers don’t just scam one person. So, if you see or experience fraud, a scam, or a bad business practice, help your community and help protect your friends and your family by reporting it to the Federal Trade Commission. Every time you file a report with the FTC, you give us a piece of the puzzle that helps us to build cases to stop scammers and also alert others about current trends. It takes just a few short steps to make a report.
Now, let’s take a look at identity theft. People also report identity theft to the Federal Trade Commission, and from those reports, one of the many things we do is analyze the trends. An interesting picture of identity theft emerges when we look at reports by age. This chart shows that identity theft is universal, but also affects age groups differently. There’s often this focus on older adults as targets of fraud and identity theft. But, here, you can see that folks of all ages are affected, not just older people. Take a look, for example, at the bars at the top of the screen showing the 30 to 39 year olds. Your key takeaway here is that identity theft is universal, so it’s important to share what you learn here with family and friends and colleagues.
Identity crimes are not limited to individuals. Businesses are increasingly targeted by criminals who see value in stealing corporate data and credentials. From fraudulent loans to fake vendor invoices, the impact of business identity theft can be devastating. And unfortunately, many business owners don’t realize how much information about their organization is publicly available or how vulnerable their employees and systems may be until after a crime has occurred.
Well, here’s a tip. Scammers will often use the same tactics to steal your identity as they use to steal your money. They will call, text, and email you to get you to share sensitive information. For example, that job seeker might fall for paying for a job, but they also might share their personal information with the thief during that application process.
Let’s take a look at what to do in order to report and recover from identity theft, because chances are very likely that you or someone you know has or will experience identity theft. The Federal Trade Commission has a website that will help you to both report and recover from identity theft. It is IdentityTheft.gov. IdentityTheft.gov is the government’s one-stop shop and offers customized recovery plans for more than 30 types of identity theft. IdentityTheft.gov is an interactive website available in multiple languages that gives you a plan for resolving your identity theft issues along with step-by-step online guidance for carrying out that plan based on the personal or financial information that was compromised.
Let’s look at a few features of IdentityTheft.gov. It’s really easy to report. Simply follow the prompts. You’ll put in details of how your identity was stolen or misused, and the site will use that information to create the customized tools you need to recover. Let’s say you’ve experienced tax-related identity theft. As you can see here, by the end of six quick steps, you will have created, one, your identity theft report, a very important piece of your recovery. It’s a sworn statement that can be used in place of a police report in most cases to clear your credit records of transactions that resulted from the identity theft. Like fraud reports, the FTC makes identity theft reports available to law enforcement agencies investigating identity theft crimes.
Two, you’ll also have created your IRS Form 14039. IdentityTheft.gov streamlines the reporting process if you experience tax identity theft. Thanks to a joint initiative between the IRS and the FTC, you can use IdentityTheft.gov to report tax identity theft directly to the IRS. In fact, it is the only way to file an IRS Identity Theft Affidavit online. And more importantly, submitting that affidavit to the IRS electronically ensures that it gets to the IRS quickly and securely. Therefore, it speeds up the process for the IRS to start resolving your tax identity theft case.
And lastly, after you have your identity theft report and submit your IRS Identity Theft Affidavit electronically, you also get a recovery plan. Let’s take a look at a tax-related identity theft recovery plan. This recovery plan has step-by-step instructions for carrying out the plan. Each line in orange accordions out to offer detailed advice about how to carry out the step, including links to the credit bureaus and others that you may need to contact. You can create a secure personal account, so that you can return to the website at any time to update your plan, track your recovery progress with a checklist, and get follow-up reminders and customize pre-filled letters that you can send to credit agencies, debt collectors, and businesses to help resolve the identity theft.
As you can see on the right hand side of the screen, the system even reminds you that you submitted your IRS Identity Theft Affidavit, and it gives you the date that it was submitted. Of course, you can get a recovery plan without creating an account, but you get the full benefit of the website when you do create an account. Because identity theft is universal, we also provide the tools that you need in order to report in other languages. To report identity theft in other languages, simply call us at 1-877-438-4338 and select Option 3 to talk with an interpreter who will help you report your experiences. Operators will also provide you with next steps to recover from your identity theft incident.
I want to give you access to some free printed advice and electronic resources that will help you stay in the know. Because sharing what you learned here today can help someone you know, we do not copyright our material. We want you to download our resources from our website and put your logo on them to share with others. Feel free to copy the information into your community newsletters and your email. Our available publications include these brief identity theft guides pictured on the right side of the screen that let people know what to do right away if they experience identity theft and let them know about IdentityTheft.gov.
There are also materials especially designed to help small businesses with protecting personal information, avoiding scams targeting small businesses, and what employers can do to raise awareness with their staff to help them spot and avoid scams. The photos on the screen are just a few of the resources that are available; just go to ftc.gov/bulkorder. You’ll find that we offer our printed materials in multiple languages such as simplified Chinese, Korean, Vietnamese, Spanish, and English. The publications and the shipping are both free. Just allow yourself 3 to 4 weeks to receive the order. If you’re in a hurry, just download it from the website.
You can also stay in the know by using FTC online resources. Please make note of these sites and be sure to share them with your family, your friends, your customers, throughout your community. Because at consumer.ftc.gov, you can learn more about things like getting and checking your credit report. There’s also information about scams and identity theft. Then, you can sign up for our blog to receive up-to-date consumer alerts regarding new trends in our casework at ftc.gov/consumeralerts.
Now, I want to thank you in advance for sharing this information with others. If you have additional questions for the Federal Trade Commission, please reach out to us at FTC at 1-877-FTC-HELP.
I’ll turn you back over to Jeff.
Thank you, Kelle. It was great hearing about fraud and identity theft from the FTC side of things. Now, we have Glenn Gizzi, Senior Tax Analyst in Communication and Liaison, who works on data breaches that have occurred against tax professionals. Glenn is going to discuss what happens in a data breach and how the IRS can help you, the tax professional, and what resources there are. So take it away, Glenn.
Thank you very much, Jeff. As you said, my name is Glenn Gizzi, and I’m a Senior Tax Analyst working on the data breach team, helping tax professionals like yourself. Folks, there are several ways that you can tell if you are the victim of a data breach. Many times you e-file a return and it gets rejected because the Social Security number has already been used, and when you check with your client, they haven’t filed behind your back. So who filed the return? Answer: a fraudster. You then decide to check the number of returns you filed against the number reported under your EFIN, and they don’t match. There are more returns under your EFIN than you filed. Sometimes, hackers will use your EFIN to file returns of taxpayers who are not your clients. In fact, they are taxpayers whose information they have stolen from other sources, such as another tax firm or a doctor’s office, school district, et cetera.
Additionally, your clients start calling you, because they received an identity verification letter from IRS, commonly known as Letter 5071C. They have received this letter, because IRS has begun processing a return that doesn’t seem quite correct to us, because it may have tripped several filters that we have to identify fraudulent returns. In fact, we have over 200 filters to attempt to stop bad returns from going through the filing system.
Continuing, many tax professionals receive emails from their tax software company on Monday morning asking if they filed the returns in the early morning hours of Saturday or Sunday, like at 2 a.m. Hey, I get it. During the filing season, you work long hours, but I don’t think you’re filing returns that late. The tax software companies have great algorithms that catch these potentially fraudulent returns and notify you of them. This way, you can contact the IRS quickly, and we can work to stop the bad returns.
Always keep a watch on your unprocessed returns that are on extension, because hackers look for those returns you may have forgotten about for now and file them for you. And it can be weeks or months before you realize they’ve been filed fraudulently. In October of 2025, we received an increase in data breach incidents for this very reason, so keep a lookout. In that same vein, review returns for bank account information different from what your client gave you, because data thieves will change routing and bank account numbers to redirect refunds elsewhere, and you may not realize it at first. Make sure the information you are about to e-file is correct.
And finally, we still have taxpayers reporting to their tax professionals that they receive tax transcripts that they did not request. This could be a phishing expedition by the hacker to see what information they can steal and exploit.
So, what do you do if you experience a data breach? Well, like Cassandra said before, you contact your local Stakeholder Liaison. By going to IRS.gov and searching Stakeholder Liaison, you will find our landing page, and you can click on the area that your state is listed under and either send us an email or call the phone number listed. Stakeholder liaisons are standing by. We will take the information from you and get the ball rolling on the IRS side of the data breach. Then, you should refer to your WISP, your Written Information Security Plan, and look at next steps such as contacting your insurance company to go over your cyber insurance procedures.
Also, review your PTIN account to see how many returns are filed against your EFIN to see if there are more returns that may or may not be your clients. You will also need the services of your IT department or person or a vendor contractor to come and inspect your hardware and software looking for intrusions and malicious programs that may be in your files. You will need to disconnect from the internet and allow IT to do its work before you can safely connect back to the digital world. You need to make sure your computer is clean before resuming work. Otherwise, the threat actor will continue to steal from you. These are all important steps in reactively protecting your clients currently not affected.
Now, you must remember that communication is the key going forward. You must work not only with the IRS and your insurance company, but also with your clients. You need to keep them informed of what’s going on so they can take steps to protect their Personally Identifiable Information, also known as PII, such as social security numbers, bank accounts, dependents’ PII, and others.
Regulations require that you offer credit monitoring service to all your clients, which means every TIN you have in your system, that includes spouses, dependents, and businesses. Some states require 1-year and others 2 years of credit monitoring. Your insurance company should handle this for you. Now, some tax professionals will call our e-help desk listed on the screen and cancel their EFIN and get a new one before calling Stakeholder Liaison. And that’s okay.
Now, when you’re on with Stakeholder Liaison, we will tell you about our RICS department. Our Return Integrity and Compliance Services can offer you different programs during the filing season to help ensure your remaining clients’ returns are e-filed properly to the IRS and processed. But don’t forget, you must still plug the leak, meaning that before you can continue e-filing returns, the threat actor needs to be removed from your system and blocked from coming back in. And that is accomplished through your IT person, department, or vendor.
Now, onto the WISP that I mentioned before. This really shouldn’t be anything unknown to tax professionals in the audience. WISPs have been around in one form or another since 2007. That’s 18 years ago. Stakeholder Liaison has spoken about them as data security plans in the past, and on June 9, 2023, it became law. Remember, the Federal Trade Commission requires the WISP and can shut down your business and fine you daily for not having one.
Now, the WISP is a blueprint for what to do in the event of a data breach, sort of like a one-stop shopping list of the steps to take, steps that we’ve already mentioned in this presentation. If you are a sole practitioner, you can find a sample WISP in IRS Publication 5708, and additional information on WISP can also be found in Publication 5709.
Now, your WISP should identify the risk factors in your business, such as who handles client information and how it is handled and stored. In a multi-person firm, weak points could be discovered when your WISP is developed. But remember, the plan should include employee management and training, the types of information systems you use and who has access to them, and detecting and managing any system failures. When you fail to plan, you plan for failure.
Now, another part of having a WISP is to designate one or more employees to coordinate it and keep it evergreen, meaning it’s not a one-and-done task. You keep monitoring and revising the plan as needed. Everyone involved in planning and writing the WISP takes ownership of it. They identify and assess risks to customer information in all of the company’s operations and evaluate current safeguards for effectiveness. This means that these safeguards should be regularly monitored and tested, and, if needed, operations changed based on the testing results.
So, after developing the WISP, you should be able to see where your risk factors are and correct them. So then what? Well, as this is an evergreen document, meaning you should be reviewing it on a regular basis, as new employees come in, others leave, and/or new systems are added or old ones removed, you make changes to it and you inform all of your employees. The document should be in an easily readable PDF or Word format and given to all employees. Make sure a copy is kept off-site in the event of collapse of any sort of your office operations. Remember, part of your WISP is the data theft response plan. What happens if data is stolen, held for ransom, or your business suffers a catastrophe, and your physical equipment is destroyed? Having a WISP allows you to be ready.
Now, we’ve talked about some of the things you can do, but what should you tell your client? Well, first thing goes back to what Cassandra said earlier, was that all your clients should have an IP PIN, because having one prevents a fraudster from filing their federal tax return. If a taxpayer has an IP PIN on their account, then the IRS won’t accept an e-filed return into the system without the proper 6-digit number.
Why is this important? Well, for a couple of reasons. First, it ensures the fraudster doesn’t get a tax refund that doesn’t belong to them. And second, once a return is accepted electronically, we cannot accept another original return electronically. That means your client or clients will have to file by paper along with Form 14039 Identity Theft Affidavit. And, unfortunately, the current processing time is up to 500 days for fraudulently filed returns. Yes, you heard me, up to 500 days processing. Let that sink in.
Now, since January 2021, nearly 5 years ago, almost any taxpayer can voluntarily verify their identity and get an IP PIN. IRS uses the vendor ID.me for this verification process. It is the same vendor that Social Security Administration, other federal and state agencies, and large corporations use. IP PINs are changed every January and can be downloaded from the secure account created by your client, the taxpayer, to get the IP PIN. Go to www.IRS.gov/IPPIN for more information. Folks, having an IP PIN is the single easiest way for a taxpayer or your client to protect themselves from fraudsters. I’m not sure why you don’t encourage all of your clients to get one. Lead by example and get one yourself.
Now, let’s jump back to you, the Tax Pro, and see what else you can do to protect your clients’ information. Using multi-factor authentication, or MFA, is a great way to make it harder on fraudsters. Having a second password causes the threat actor to expend more time trying to hack into your system. The harder you make it for the hacker, the more likely they will move on to someone who doesn’t have better protection. So not having it means no extra layer of security.
Also, just like you tell taxpayers to keep their personal and business lives separate, such as on Schedule C, you need to do the same with your email accounts. Don’t open personal email on your work computer, because that personal email you are reading may be enticing you to open a link or a document that could have a virus or malware attached to it. Threat actors will often target individual email accounts, hoping you’ll open it on your business computer, so they can install a key logger program to copy usernames and passwords. They also bank on the fact that if you’re opening personal email on your business computer, then you’re probably doing the same thing with your banking, credit card account, and more as well. Think about that.
Now, I can’t tell you the number of tax professionals that tell us they haven’t updated their anti-anything at all. You should regularly update your antivirus, anti-phishing, anti-malware, et cetera. Remember, data thieves are always working to find faults in programs to exploit them, and the companies are always updating their programs to stop this when vulnerabilities are discovered. And don’t forget to use a Virtual Private Network, known as a VPN, when possible, to connect your laptop to the office when working remotely. It prevents hackers from getting into the connection between your work laptop and your office, to prevent cyberjacking of your clients’ information.
So, we are now at the numbers, and what we need to understand is how this affects everyone. As you can see on the screen, we now have over 546 incidents reported to us that affect over 1,467 tax professionals, which in turn directly affects over 400,000 taxpayers. Better put, the number of data breach victims, the taxpayers, your clients, is the size of a small city like Tulsa or Wichita or Minneapolis, and it only continues to grow. Not unexpectedly, you see large population states listed in the top 10, such as California, Florida, Texas, and New York. But some smaller population states also made the top 10 list of data breach incidents in 2025, such as Ohio and Arizona.
Remember, data thieves look for weak links in security to steal information and sell it on the dark web. IRS looks at these trends and does education in these affected areas, such as the pop-up data breach campaigns that Mark and I did in July, August, and November. To date, every state in the USA has had a reported data breach except one.
Now, our next slide shows us what reasons we’re given on how data breaches occur. Most of the time, the Tax Pro doesn’t know what happened at first, and it’s marked under unknown or to be determined. But when it is determined, inevitably, it turns out it was a phishing email scam, such as the new client scam that Mark mentioned earlier, which so far accounts for about one-sixth of the incidents and is rising. Sometimes it takes weeks or months before a tax professional knows what happened, but when they do, they can contact us and tell us, and we can update the reason on our system. Also, for the Tax Pros, if they wish, you can supply us with the forensic report, if any, from your IT person. The report helps IRS look at trends and target education in those areas.
So, here are some resources that are available to you, the tax professional, regarding data breaches. Click on the links to get more information. You will see at the bottom Publication 4557, which is very important to you because it discusses data security. This page has a link to help any clients suffering through an identity theft, such as a stolen Social Security number, and it is appropriately named www.IdentityTheft.gov, which Kelle mentioned in her Federal Trade Commission presentation. Other links on here are also helpful to both the Tax Pro and the Taxpayer.
Now, let me turn this back to you, Jeff.
Thanks, Glenn. Now, before we close, I want to thank everyone for joining this presentation for National Tax Security Awareness Week on Real-Life Threats and Steps to Protect Your Business and Your Clients. I also want to thank our presenters, Cassandra Dreyer, Mark Henderson, Glenn Gizzi, and Kelle Slaughter for sharing their knowledge and expertise.
A lot of great information was shared, but here are a few takeaways to remember. Protect yourself and your client information. Check emails and attachments before responding or opening them. Regularly check your number of filed returns against your EFIN. Use multi-factor authentication. Promote having an IP PIN to all clients, which helps to prevent refund fraud. Unsolicited contact, words that trigger emotions, urgency to act, and unconventional payment methods are indicators that it may be a scam. Recognizing the indicators is key to avoiding the scammer’s trap. Go to the source to verify before sending money or sharing personal information. And, finally, while there are many resources available, the first step is doing your part, which includes updating your antivirus, spam, phishing, malware, and other precautions regularly.
Again, thank you. We’re planning additional webinars for the upcoming year. To register for future webinars, please visit IRS.gov keyword search Webinars and select “The Webinars for Tax Practitioners or Webinars for Small Businesses.” When appropriate, we will offer certificates and CE credit for upcoming webinars. We also invite you to visit the IRS YouTube page at www.YouTube.com/IRSvideos. There you can view available recorded versions of our webinars and other key video messaging.
We hope you found today’s session to be helpful. Have a great day.