Email Security for Tax Preparation Services
Tax preparers handle SSNs and bank account details under a seasonal client surge. Here is the realistic email defense for solo and small tax prep services.
Tax preparation services face one of the most concentrated email-fraud risks of any small professional service. The combination of seasonal time pressure, sensitive client data, large refund flows, and complex software ecosystems makes the tax preparation firm a structural target. This post is the realistic email security guide for solo and small tax preparation services.
The Threat Surface
Three patterns produce most of the email-fraud loss at tax preparation firms.
Pattern one: refund redirect. Either the client receives an email purporting to be from the preparer asking them to confirm "updated" bank details for the refund deposit, or the preparer receives an email purporting to be from the client changing the deposit account on the return. If the change makes it onto the return before it is filed, the refund goes to the attacker. Loss is the refund amount. Volume is high during the late-March through early-May window, when refunds are in flight.
Pattern two: credential phishing against tax-prep software. A preparer at the firm receives a phishing email that links to a copy of the tax-prep software's login page (Lacerte, Drake, ProConnect, ATX, UltraTax, ProSeries). The preparer enters credentials. Depending on the product, the attacker now has the firm's client data and the ability to e-file under the firm's credentials. The attack is typically followed by fraudulent return filing at scale, sometimes hundreds of returns within a weekend.
Pattern three: vendor wire fraud. Routine vendor invoices (e-filing software, professional liability insurance, IRS PTIN renewals, contractor payments) arrive with "updated" remittance details and are processed by the office manager during the busy season without verification of the change.
The Compliance Context
Tax preparers face overlapping compliance obligations:
FTC Safeguards Rule under GLBA. Tax preparers are financial institutions under GLBA. The amended Safeguards Rule (compliance required since June 2023) requires:
- A written information security program (WISP).
- Designated qualified individual responsible for the program.
- Risk assessment, periodically updated.
- Specific technical controls including access controls, encryption (in transit and at rest), MFA for any individual accessing any information system (required outright, not merely recommended, unless the qualified individual approves equivalent controls in writing), and change management.
- Service provider oversight.
- Incident response plan.
- Notice to the FTC within 30 days of discovering a breach involving the unencrypted information of 500 or more consumers (in effect since May 2024).
IRS Publication 4557, Safeguarding Taxpayer Data. The operational guidance most tax preparers follow; it maps the Safeguards Rule to practice-level steps. IRS Publication 5708 provides a WISP template sized for a small practice.
IRS Publication 4524, Security Awareness for Taxpayers. Written for clients rather than preparers; useful to hand out at engagement.
State licensing regulations. Vary by state. California, New York, Oregon, Maryland, and others have specific tax preparer licensing requirements that may include data-security obligations.
State data-breach notification laws. Apply to client personal information.
For solo and small tax preparation services, the practical reading is that the FTC Safeguards Rule applies and IRS Publication 4557 provides the operational reference. One caveat on scope: a firm holding information on fewer than 5,000 consumers is exempt from the written risk assessment, the written incident response plan, the annual report, and the continuous-monitoring or penetration-testing requirement. MFA, encryption, access controls, the written security program, and service-provider oversight apply regardless of size. The compliance scope is meaningful even at small scale.
What Email Risks Actually Look Like
For a typical small tax preparation service, the realistic threats:
Client refund redirect. A client awaiting a refund gets an email purporting to be from the tax preparer asking them to confirm "updated" bank information for the deposit, or the preparer gets an email purporting to be from the client asking for the deposit account on the return to be changed. Either way, if the change lands on the return, the refund goes to the attacker.
Tax-prep software credential phishing. Phishing pages mimicking Lacerte, Drake, ProConnect, ATX, UltraTax, or ProSeries logins. The phishing email cites a routine reason (security update, password reset, e-filing window). The preparer enters credentials. The attacker has access.
Estimated tax payment redirect. A client preparing to make an estimated tax payment receives an email purporting to be from the preparer with updated payment instructions. The payment goes to the attacker rather than the IRS. The client has lost the money and is still liable for the payment, with penalties accruing. The tell: clients pay the IRS directly (IRS Direct Pay, EFTPS, or a check payable to the United States Treasury); a preparer never supplies a bank account for an estimated payment.
W-2 harvesting against the firm itself. During tax season, an HR or admin function at the firm receives an email purporting to be from the firm owner asking for all employee W-2 forms.
Client-targeted phishing using tax-context data. A breach at an adjacent service feeds attacker datasets used to target the firm’s clients. The phishing email mentions tax season, specific deductions, or tax filing details.
Vendor wire fraud against the firm's AP function. Routine vendor invoices with changed remittance details, processed during the busy season without verification of the change.
What Standard Defenses Do and Do Not Do
A typical small tax preparation service has Microsoft 365 or Google Workspace, possibly Defender for Office 365, possibly nothing more. What each layer does:
Native filtering. Catches mass-volume mechanical phishing.
Defender for Office 365 or Workspace's advanced protection features. Adds URL rewriting, attachment sandboxing, and impersonation detection. Impersonation detection compares sender domains and display names against ones the firm already corresponds with; it catches crude lookalikes, not mail sent from a genuinely compromised client mailbox.
Tax-prep software MFA. Lacerte, Drake, ProConnect, ATX, UltraTax, and ProSeries all support MFA in 2026, and the Safeguards Rule requires it. If the firm has not enabled it, do so before season starts.
Inbox-layer filtering. Reduces the volume of unsolicited mail and mass impersonation attempts.
The honest summary: technical email defenses catch the mass-volume cases. The targeted attacks (refund redirect, tax-software credential phishing) require procedural defenses, out-of-band verification and phishing-resistant (hardware-key) MFA.
The Defense Stack
For a tax preparation service in 2026, the realistic defense stack:
Hardware-key MFA on the firm's primary email and tax-prep software. YubiKey or similar on the principals' email accounts and the tax-prep software accounts. App-based MFA on all secondary accounts. Password-only access in 2026 is not reasonable for a tax preparer, and it does not meet the Safeguards Rule's MFA requirement.
Out-of-band verification protocols. Documented and enforced for client banking changes, vendor wire changes, and W-2 / 1099 requests. The verification is by phone to a number the firm already had on file, never to a number supplied in the email requesting the change.
Standardized refund-deposit protocol. When the firm prepares a return, the refund deposit information is captured at engagement and confirmed verbally. Any subsequent change request is treated as suspect and verified by phone before action.
Client communication protocol established at engagement. When the client engagement starts, the firm's communication patterns are explained. Clients are told (in writing and verbally) the firm's protocol: any email purporting to update banking or payment information, from the firm or from anyone claiming to act for it, is treated as suspect and should be verified by phone.
Encrypted document delivery. Tax returns, W-2 forms, 1099s, and client tax documents are transmitted via a secure-portal system, not by direct email. Most tax-prep platforms have integrated encrypted delivery. A password-protected PDF attached to an email is not a substitute: the password usually travels in the next email.
Pre-season hardening. December and January are the only practical windows for strengthening defenses. Hardening during March or April is too late.
Annual training plus pre-season refresher. Generic annual training is required. A short specific refresher on tax-season-specific patterns is more valuable than another video module.
Cyber insurance with tax-preparer-specific coverage. A cyber rider that covers wire fraud, breach response, FTC Safeguards Rule obligations, and the regulatory and reputational costs of a fraudulent-return-filing incident.
What Rythm Does and Does Not Do for a Tax Preparation Service
Rythm sits at the inbox layer on top of Gmail or Outlook. What it does for a tax preparation service:
Reduces volume of cold outreach during the busiest season. Software vendors, conference invitations, “tax-software upgrades,” and various adjacent solicitation patterns spike in early Q1. Rythm collapses the mass version of this volume.
Reduces mass-volume lookalike-domain attacks. Mass-volume “we are your tax software vendor” attacks become uneconomical.
Does not stop targeted refund-redirect fraud. When the attack comes from a sender on the firm’s guest list (the actual client) or impersonates one closely, Rythm sees the sender as known. The defense is procedural verification.
Does not replace MFA, encryption, the written security program, or verification protocols. Rythm is a structural filter on the volume side. It does not replace the FTC Safeguards Rule controls or IRS Publication 4557 guidance.
The pattern: Rythm reduces unsolicited mail competing for partner attention during the busy season. Hardware-key MFA, encrypted document delivery, and verification protocols handle the targeted attacks.
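The split between what inbox filtering can see and what only the phone-verification protocol can handle is easier to reason about in code. The following is an added illustration written for this page; it is not code from Rythm, from the page, or from any tax-software vendor. The known-sender list, the firm domain (firm.example), the principal's name, the keyword patterns and the four sample messages are all constructed. It shows two checks: lookalike-domain and display-name impersonation, which a filter can catch, and payment-change language arriving from a genuinely known sender, which a filter cannot reject and must instead route to a phone call.

```python
"""Inbound-mail triage for a small tax practice (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the firm's own domain plus domains it already corresponds with.
KNOWN_DOMAINS = {"firm.example", "acme-widgets.com", "taxvendor.example"}
# Constructed: principals whose names get spoofed in W-2 and wire requests.
KNOWN_PEOPLE = {"pat owner": "firm.example"}

# Any of these, regardless of sender, means "verify by phone on the number on file".
PAYMENT_CHANGE_PATTERNS = [
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|routing|wire|deposit)\b",
    r"\b(direct deposit|refund)\b.{0,40}\b(account|bank)\b",
    r"\bpayment instructions\b",
    r"\b(all|every)\b.{0,40}\bw-?2s?\b|\bw-?2s?\b.{0,40}\b(all|every)\b",
]

# Digit-for-letter swaps seen in lookalike registrations; "rn"/"vv" handled below.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def edit_distance(a, b):
    """Plain Levenshtein distance; domains are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain):
    """Fold the substitutions a lookalike relies on so it collapses onto the real name."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify_sender(domain):
    """Return 'known', 'lookalike' or 'unknown' for a sender domain."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS or any(domain.endswith("." + k) for k in KNOWN_DOMAINS):
        return "known"
    norm = normalize_domain(domain)
    for known in KNOWN_DOMAINS:
        label = known.split(".")[0]               # e.g. "acme-widgets"
        if (norm == normalize_domain(known)       # confusable-glyph copy
                or edit_distance(norm, known) <= 2  # typo-squat
                or norm.startswith(label + ".")):   # real name used as a decoy subdomain
            return "lookalike"
    return "unknown"


def triage(raw_message):
    """Decide what happens to one message: quarantine, hold for a phone call, or deliver."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    sender = classify_sender(domain)
    # A known principal's name on an unknown domain is impersonation, not "unknown".
    if KNOWN_PEOPLE.get(display_name.lower()) not in (None, domain):
        sender = "lookalike"
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    payment_change = any(re.search(p, text, re.I | re.S) for p in PAYMENT_CHANGE_PATTERNS)
    if sender == "lookalike":
        action = "quarantine"
    elif payment_change:
        # The filter cannot distinguish the real client from a compromised client
        # mailbox, so the only safe action is the firm's out-of-band protocol.
        action = "hold: verify by phone using the number on file"
    elif sender == "unknown":
        action = "unsolicited: low priority"
    else:
        action = "deliver"
    return {"domain": domain, "sender": sender, "payment_change": payment_change, "action": action}


# Constructed sample messages covering the four outcomes.
SAMPLE_MESSAGES = {
    "client_refund_change": "From: Dana Client <dana@acme-widgets.com>\n"
        "Subject: Re: 2025 return - new bank for refund\n\n"
        "Hi, please use my new account for the direct deposit, routing 0000 acct 1234.\n",
    "lookalike_vendor": "From: Vendor Support <support@taxvend0r.example>\n"
        "Subject: Action required: MFA reset before e-file window\n\n"
        "Your session expired. Sign in at the link to restore e-filing.\n",
    "w2_request": "From: Pat Owner <pat.owner@webmail-host.example>\n"
        "Subject: W-2s\n\nPlease send me all employee W-2s as PDF today.\n",
    "normal_client": "From: Dana Client <dana@acme-widgets.com>\n"
        "Subject: 1099 uploaded to portal\n\nUploaded the 1099-INT to the portal this morning.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(name, triage(raw))
```

The point of the first sample is the one the section makes: the refund-change request from the real client domain is classified as known and passes every sender check, so the hold comes from the content rule and the resolution is a phone call, not a filter verdict.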
A Specific Honest Note
Tax preparation services face concentrated risk during a short busy season. The targeted versions of these attacks defeat most technical defenses; what stops them is hardware-key MFA and out-of-band verification. Pre-season hardening (December and January) is the only practical preparation window.
What Rythm does is reduce the volume of unsolicited mail competing for preparer attention, which is one of several controls that meaningfully reduce risk during the high-pressure season. The combination of Safeguards Rule compliance, hardware-key MFA, verification protocols, structural inbox filtering, encrypted document delivery, and cyber insurance covers the realistic threat surface.
For the related guides, see tax season phishing: why CPAs and their clients get hit every April, CPA firm email security, and healthcare practice email security. For the broader frame, see vendor impersonation: the quiet phishing vector nobody talks about and business email compromise survival guide for small businesses. Rythm is $1.65 per month, cancel anytime.