Tax professionals: Watch out for “new client” email scam

IRS Tax Tip 2024-06, Feb. 13, 2024

Tax professionals should watch out for a “new client” scam – an email scheme where cybercriminals pose as potential clients. This scam peaks during the busy tax filing season.

How the new client scam works

The scammer emails a tax professional to ask for help with their taxes. This phishing email has a malicious link or attachment that the scammer claims is their tax information. When the tax professional clicks the link or opens the attachment, the scammer gets access to the preparer's email address, password and possibly other information. Some scammers may also load malware onto the tax pro's computer to gain to gain access to their system – and their clients’ data. Scammers may also use that tax professional’s hacked email account to target clients.

Where to report phishing emails and other scams

People should report unsolicited email that claims to be from the IRS to phishing@irs.gov. For those experiencing any money loss due to an IRS-related scam incident, report it to:

People can also forward the email to their internet service provider's abuse department.

Data breaches: What to do if a tax professional is victimized

If reported quickly, the IRS can block fraudulent returns in clients' names and take other steps to protect the tax professional and their clients.

For tax professionals who are victims, the IRS recommends immediately reporting data theft to the local IRS Stakeholder Liaison representative immediately. Liaisons notify IRS Criminal Investigation and others within the agency on the tax professional's behalf.

Tax professionals should also report fraud incidents to the local offices of the Federal Bureau of Investigation and Secret Service and to their local police.

To report data breaches to the state in which they prepare state returns, tax professionals can contact these organization:

  • Federation of Tax Administrators – Tax professionals can use this special "report a data breach" web page to get state guidance on reporting scam victims.
  • State attorneys general – Most states require that the state attorney general receive notification of data breaches.

Create a written security plan

A key component to responding to a data breach is to have an effective action plan and know who to contact. Under Federal Trade Commission rules, tax professionals must have a Written Information Security Plan PDF. As part of the Security Summit effort, the group's Tax Professional team developed a special document that allows practitioners to quickly develop one.

Subscribe to IRS Tax Tips