AI in Tax & Security

The IRS 2026 tax-pro security push: preparer scams and the WISP your firm needs

The IRS 2026 tax-pro security push: preparer scams and the WISP your firm needs

On July 7, 2026, the IRS and its Security Summit partners launched the 2026 “Protect Your Clients; Protect Yourself” campaign (IR-2026-81), a five-week series on protecting client data from tax-related identity theft. For a firm, two things matter in it. First, the specific scams now aimed at preparers: IRS impersonation by email, text, and phone; “new client” spear-phishing; and phishing for a preparer’s EFIN, PTIN, and CAF numbers. Second, the standing reminder that every paid preparer is required to keep a Written Information Security Plan (WISP). Here is what the series covers and what your firm should check now.

What is the IRS 2026 “Protect Your Clients; Protect Yourself” series?

It is the Security Summit’s annual summer campaign for tax professionals, now in its 11th year. The Security Summit is the partnership between the IRS, state tax agencies, and the tax industry that works to combat tax-related identity theft. The 2026 series runs for five weeks and focuses on scams aimed at tax pros, core security safeguards, and the steps to take if a data theft occurs. It runs alongside the 2026 IRS Nationwide Tax Forums, which continue in New Orleans (Aug. 4–6), New York City (Aug. 18–20), Orlando (Sept. 1–3), and San Diego (Sept. 15–17). The IRS notes that registration deadlines for several forums are approaching and that they can sell out.

Which scams are targeting tax preparers right now?

Week one of the campaign flags the schemes aimed directly at practitioners. Identity thieves keep adapting, so the IRS urges firms to review the basics, train staff, and verify unusual requests before responding. The scams to watch:

IRS impersonation. Fraudsters use email, text, direct messages, spoofed caller ID, and computer-generated calls to push preparers toward malicious links, malware attachments, or handing over sensitive information.

“New client” spear-phishing. A scammer poses as a prospective client and sends a malicious link or attachment disguised as a tax document. A firm eager for new work is exactly the target.

EFIN, PTIN, and CAF phishing. Attackers specifically hunt for the identifiers a preparer uses: the Electronic Filing Identification Number, Preparer Tax Identification Number, and Centralized Authorization File number. Those numbers let a thief file fraudulent returns under the firm’s credentials.

Misleading social-media tax advice. Viral “tax hacks” push taxpayers toward false return positions or credits they do not qualify for, which lands on the preparer as refund delays, audits, or penalties.

What is a WISP, and does my firm need one?

A Written Information Security Plan is a documented plan for how your firm keeps client and business data safe. It is not optional. Paid tax preparers are required to maintain one, and the IRS points firms to Publication 5708 as a template to build it from. Week three of the campaign is built around that publication. If your firm has never written a WISP, or has one that has not been reviewed in the last year, that is the single highest-value item to fix from this series. The plan should also fold in the Federal Trade Commission’s data-breach response requirements so the firm already knows its obligations before an incident, not during one.

What should a firm do if client data is breached?

Report it fast, because speed is what lets the IRS block fraudulent returns filed in your clients’ names. Three steps:

Contact your IRS Stakeholder Liaison. The liaison alerts the right IRS offices and walks the firm through the process. Early reporting is what makes protective action possible.

Report to the state. Notify the appropriate state tax agency through the Federation of Tax Administrators’ “Report a Data Breach” page, which routes to the states.

Follow your FTC breach-response obligations. The FTC’s data-breach response guide should already be part of the firm’s WISP, so the notification and remediation steps are defined in advance.

What should firms do now?

Treat the five-week series as a checklist rather than a newsletter. Concretely: review or write the firm’s WISP against Publication 5708; turn on multi-factor authentication everywhere client data lives; adopt the “Security Six” basic protections the IRS lists; consider IRS Identity Protection PINs for clients and set up Tax Pro Accounts; and brief every staff member on the “new client” and credential-phishing scams above, since one clicked attachment is all it takes. If forum attendance fits, register before the sessions sell out.

There is also a structural angle worth naming: every third party that touches client data widens the surface a breach can hit. Firms weighing how to add preparation capacity without shipping client files out to outside preparers can read our guide on scaling prep capacity without adding headcount, which covers keeping more of that work, and the data behind it, inside the firm.

Source: IRS news release IR-2026-81, “IRS, Security Summit launch summer series to help tax pros protect clients from identity theft” (July 7, 2026), irs.gov/newsroom; IRS Publication 5708, “Creating a Written Information Security Plan for your Tax & Accounting Practice.” Confirmed via direct IRS.gov fetch, July 7, 2026.

Get hands-on with AI-powered tax automation today.