Practice Operations

Phishing Attacks Aimed at Tax Firms

The four phishing scams accountants see most often: fake IRS notices, fake W-9 requests, vendor invoice spoofs, and wire fraud impersonating the owner. Five red flags every staff member should know.

March 5, 2025 · 8 min read

Phishing is the entry point in 90 percent of attacks against accounting firms. These are the four scams accountants see most often, and the five red flags every staff member should know.

Why tax firms get phished more

Accounting firms see disproportionate phishing volume for two reasons. The data is high-value (Social Security numbers, bank accounts, full financial pictures), and the workflow involves frequent legitimate communications with strangers (new clients, vendors, the IRS, state tax agencies, payroll providers). That mix of high value and high external email volume is exactly what phishing operators look for.

The good news: phishing campaigns against accounting firms tend to recycle the same four scams year after year. If your staff can recognize these four patterns, they will catch the vast majority of attempts before any damage is done.

Scam 1: Fake IRS notices

An email purporting to be from the IRS, often with realistic logos and language, claiming a return was rejected, an EFIN issue requires attention, or a Practitioner Priority Service callback is being scheduled. The email asks the recipient to click a link or log in to a portal to "verify" something.

The dead giveaway: the IRS does not initiate contact with tax professionals by email. Period. No "your client's return was rejected" email, no "your e-Services account needs verification" email, no "your EFIN is being reviewed" email. If an IRS email asks you to click or log in, it is a phishing attempt every single time.

Trained staff response: forward the email to [email protected] and to the firm's qualified individual, then delete it.

Scam 2: Fake W-9 requests from "clients"

A new "client" reaches out asking to engage the firm. They send what appears to be a W-9 or other tax document as an attachment, often a PDF or DOCX. The attachment contains malware that installs the moment it is opened.

The variant most commonly seen against tax firms appears in late January and February, riding the volume of legitimate new-client onboarding. The "W-9" looks plausible. The malware is designed to harvest credentials and persist on the workstation.

The defense is procedural: every new-client onboarding goes through the firm's secure portal, never through email. If a prospective client sends an attachment to a generic firm address, the staff response is "please upload through our secure portal at [URL]." If the prospect resists, that resistance is itself a red flag.

Scam 3: Vendor invoice spoofs

An email arrives appearing to be from a vendor your firm actually uses (your tax software vendor, your portal provider, your office supply vendor) attaching an invoice and requesting payment to a "new" bank account.

The spoof is sophisticated. The sender domain is similar to the real one (a single-letter swap, an extra hyphen). The invoice formatting matches the vendor's real templates. The amount is plausible. The only thing that is wrong is the bank account.

The defense: any change to a vendor's payment information triggers a phone call to the vendor at a number from your records, not the number on the email or invoice. Any vendor invoice involving wire instructions gets a phone-call confirmation regardless of source.

Scam 4: Owner-impersonation wire fraud

An email appearing to come from the firm's owner instructs a staff member to wire funds, change a payroll routing, or send sensitive client data. The email is timed for moments when the owner is unreachable (during a flight, during a meeting, in another time zone).

This scam is the most expensive when it succeeds. Wire transfers are typically irreversible after a short window. Firms have lost six-figure amounts to a single email of this type.

The defense: any wire request, any change to a payment routing, and any release of sensitive client data outside normal channels requires verification through a second, out-of-band channel (a phone call, a text, a verification phrase). Train every staff member that no urgency justifies skipping verification. The owner will not be upset that their staff verified a request.

5 red flags every staff member should know

Train every staff member that any one of these flags requires a pause and a verification:

  1. Urgency. The email claims something must be done immediately, in the next hour, before close of business. Legitimate requests rarely arrive that way.
  2. Unusual sender. The email is "from" someone you know, but the address is slightly different from their normal address.
  3. Mismatch between display name and email address. The display name says "Watch Cloud Security," but the underlying address is [email protected] or a misspelled domain.
  4. Unexpected attachments or links. A document you were not expecting, especially one asking to enable macros or to click a link to "verify."
  5. Pressure to bypass normal procedure. "Just this once," "I am traveling," "do not tell anyone," "skip the usual approval." Any attempt to bypass procedure is a red flag regardless of who appears to be asking.
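
Red flags 2 and 3, and the look-alike vendor domains described under Scam 3, can be checked mechanically before a human ever sees the message. The following is an added example (not tooling from this post): it parses a From: header, compares the display name against a constructed directory of known contacts, and flags sender domains within a small edit distance of a constructed list of trusted vendor domains (a single swapped letter or an extra hyphen scores 1).

```python
"""Sender-header triage for display-name mismatch and look-alike domains.
Added example; the contact directory and trusted-domain list are constructed."""
from email.utils import parseaddr

# Constructed directory: display name -> the address that person really uses.
KNOWN_CONTACTS = {
    "Watch Cloud Security": "support@watchcloudsecurity.example",
    "Jane Owner": "jane@example-cpa.example",
}
# Constructed set of domains the firm legitimately pays invoices to.
TRUSTED_DOMAINS = {"watchcloudsecurity.example", "taxsoftware.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches one swapped, dropped
    or inserted character, such as a single-letter swap or an extra hyphen."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_flags(from_header: str) -> list[str]:
    """Return the red flags raised by a From: header (empty list means none)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []
    # Red flag 3: a familiar display name on an address that is not on file.
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr != expected.lower():
        flags.append("display-name mismatch")
    # Red flag 2 / Scam 3: domain is close to, but not equal to, a trusted one.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < edit_distance(domain, trusted) <= 2:
                flags.append(f"look-alike of {trusted}")
                break
    return flags
```

A message that raises any flag goes to the verification step the post describes (a phone call to a number from your records), not to the reply button.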

Print this list. Tape it to every monitor. Reference it in every quarterly training session. Familiarity is what makes red flags work in practice.

Training as a real control

Annual security training is the floor. It is not enough on its own. The firms with the lowest phishing-induced incident rates run a layered program:

  • Annual structured security awareness training for every employee, with documented completion.
  • Quarterly simulated phishing campaigns using realistic scenarios (IRS impersonation, vendor invoice, owner spoof).
  • Immediate 5-minute remediation training for anyone who fails a simulation.
  • Repeat-failure escalation: a one-on-one with the qualified individual or owner.
  • Documented results stored in the WISP evidence folder for IRS or FTC review.

A staff member who has been through this loop three or four times is functionally hardened against the four scams above. The training works because it is concrete, immediate, and tied to the actual threats the firm faces.

What to do this week

If your firm has never run a phishing simulation, schedule one for the next 30 days. Do not announce it; the value is in catching baseline susceptibility. The first round usually surfaces 15 to 30 percent of staff failing. After three rounds with remediation, that number typically drops below 5 percent.

If you want a one-page red-flag handout for every staff member's monitor, plus the quarterly training schedule we use with our managed-security clients, we will send both.
