Tax preparers secure their account access through a multi-layered approach combining federal compliance requirements, multi-factor authentication, strict access controls, and continuous monitoring. The IRS mandates that all professional tax preparers create and maintain a written information security plan (WISP) covering nine core elements—from designating a security coordinator to implementing incident response procedures—making account security not just a best practice but a legal requirement. A tax preparer who fails to implement these protections risks breach liability, credential compromise, and potential IRS sanctions, as criminals specifically target Electronic Filing Identification Numbers (EFINs) to file fraudulent returns at scale.
The stakes are high because tax preparer accounts hold the crown jewels of identity theft. When a criminal gains access to an EFIN, they can file fraudulent tax returns claiming false refunds, exposing both the tax firm and its clients to massive financial and reputational damage. Unlike typical data breaches that expose customer information, a compromised tax preparer account enables active fraud in real time during filing season, when the IRS processes millions of returns daily. Securing these accounts requires moving beyond simple passwords to implement verification layers, restrict access to only those who need it, and maintain constant vigilance for unauthorized activity.
Table of Contents
- Understanding Your Legal Obligation to Protect Tax Preparer Data
- Implementing Multi-Factor Authentication for Tax Preparer Accounts
- Protecting Your EFIN and PTIN Through Access Control
- Training Staff to Recognize Sophisticated Phishing Threats
- Encrypting Data and Protecting Backups from Ransomware
- Installing Firewalls and Antivirus Protection
- Creating Tested Incident Response Plans and Looking Forward
- Conclusion
Understanding Your Legal Obligation to Protect Tax Preparer Data
Federal law does not make account security optional for tax professionals. The irs explicitly requires all professional tax preparers to create and maintain a written information security plan, as outlined in Publication 4557 “Safeguarding Taxpayer Data.” This is not a recommendation—it is a legal mandate. When applying for or renewing a Preparer Tax Identification Number (PTIN), you must acknowledge Publication 4557, cementing the government’s expectation that you understand and implement these safeguards. The WISP must address nine specific core elements: designation of a qualified security coordinator, risk assessment procedures, safeguard design and implementation, monitoring and testing, personnel training, service provider oversight, incident response protocols, regular program evaluation, and accountability mechanisms. A tax firm that can demonstrate a documented, functional WISP in case of a breach shows regulators they exercised due diligence.
A firm without one faces far greater liability, potential license suspension, and civil penalties. The burden is on the preparer to prove they took security seriously, not on regulators to prove negligence. This legal framework exists because tax preparers hold Personally Identifiable Information (PII) at industrial scale. A single compromised account could expose thousands of clients’ Social Security numbers, addresses, and financial details. The IRS has progressively tightened expectations, moving from vague guidance to specific control requirements, reflecting the rising cost and frequency of tax preparer breaches over the past decade.

Implementing Multi-Factor Authentication for Tax Preparer Accounts
Multi-factor authentication (MFA) is no longer optional guidance—Publication 4557 now strongly recommends it for accessing sensitive tax preparer information, and the IRS has signaled through its Tax Security 2.0 initiative that MFA is the baseline expectation. MFA requires you to provide at least two different forms of verification before granting access to your account. This might be a password plus a code sent to your phone, a password plus a security key, or a password plus biometric verification. The logic is simple: if a criminal steals your password, they still cannot log in without the second factor. A critical limitation of many MFA implementations, however, is user frustration leading to workarounds. Employees who find MFA tedious might disable it on less-critical accounts, reuse the same second factor across multiple systems, or write down backup codes in insecure locations.
Tax firms implementing MFA must pair it with training that explains the why, not just the how, and with policies that enforce MFA on all accounts accessing client data—no exceptions for convenience. The 54% reduction in breach costs among organizations with tested incident response plans suggests that firms taking these steps seriously see measurable payoff. The most secure form of MFA for tax preparer accounts is hardware security keys—physical devices that authenticate you without transmitting anything over the internet. They cannot be phished, intercepted, or intercepted by malware on your computer. The tradeoff is that they cost $20-50 per key, require staff training, and create a single point of failure if you lose the key (though most support backup keys). Authenticator apps like Google Authenticator or Authy are stronger than SMS texts, which can be intercepted or redirected through SIM swapping attacks, but weaker than hardware keys. When securing your EFIN or PTIN accounts—the highest-value targets—hardware keys or security keys should be your first choice.
Protecting Your EFIN and PTIN Through Access Control
Your Electronic Filing Identification Number (EFIN) is the single highest-value target for tax identity thieves. An EFIN allows criminals to file fraudulent returns at scale, sometimes filing hundreds of returns in a single day if they have access. For this reason, EFIN access must be restricted to only the minimum necessary personnel and protected with the strongest available controls—primarily MFA. Access should follow the principle of least privilege: an employee who processes W-2s does not need EFIN access, and an employee who submits returns monthly does not need daily access to the EFIN account. Implement role-based access controls that grant permissions based on job function, then audit them quarterly to remove staff who have changed roles. The IRS and industry best practice recommend monitoring your EFIN and PTIN accounts weekly for unauthorized activity.
This means logging into the IRS systems and reviewing submission history, checking for filed returns you did not authorize, and reviewing any alerts or warnings. A weekly check takes 15 minutes but can catch a compromise in days rather than months. A significant operational challenge is the tension between security and speed during peak tax season. When your firm is filing hundreds of returns daily, you might be tempted to give more staff EFIN access to accelerate processing. This is precisely when most breaches occur—when processes are rushed and security oversight is thinnest. Instead, invest in workflow improvements that maintain security: automation tools that allow non-privileged staff to prepare returns and then submit them through a single, monitored EFIN account, or batch processing that concentrates EFIN access in a single secure workstation rather than distributing it widely.

Training Staff to Recognize Sophisticated Phishing Threats
The phishing emails and IRS-impersonation attacks targeting tax preparers have evolved beyond the obvious red flags of poor grammar and generic greetings. Criminals now use artificial intelligence to produce IRS notices, emails, and letters that are nearly indistinguishable from legitimate ones, complete with proper formatting, official-looking signatures, and contextually accurate language. An employee who has never seen a real IRS letter might accept an AI-generated fake without question, especially during the high-stress environment of filing season. For this reason, mandatory training for all employees with access to client data must go beyond a generic security awareness video. Begin training four to six weeks before peak filing season with baseline phishing simulations—send fake phishing emails to staff and measure who clicks, who submits credentials, and who reports the email. Use the results to identify vulnerable individuals and provide targeted training.
Follow up with a second round of simulations mid-season and again before year-end. The goal is to build a muscle memory of skepticism: an employee should question any unexpected request for credentials, EFIN access, or client data, even if it appears to come from a supervisor. The limitation of training alone is that it assumes a human factor of perfect vigilance. Even well-trained staff will occasionally miss a sophisticated phishing email, especially during 60-hour weeks in April. For this reason, technical controls are equally important: implement email filtering that flags external emails claiming to be from the IRS, disable email attachments from unknown senders, and use email authentication protocols (SPF, DKIM, DMARC) to prevent criminals from spoofing your firm’s domain. Training and controls together create redundancy—if one fails, the other catches the threat.
Encrypting Data and Protecting Backups from Ransomware
The IRS explicitly requires drive encryption and encrypted backups as part of your information security plan. This means client data files on your computers should be encrypted at rest, and any backups you create should be encrypted before they leave your network. However, a critical limitation of standard encryption is that ransomware can still encrypt your files and then demand payment for the decryption key—the encrypted backups do not help you recover if the attacker encrypts your production data and you restore from encrypted backups that the attacker has also compromised. For this reason, tax firms should implement write-once-read-many (WORM) backup technology, which creates backups that cannot be overwritten or deleted—not even by an administrator on the system. Once a WORM backup is written, it is immutable until an expiration date you set (usually 30 to 90 days out). If ransomware encrypts your production systems, you can restore from a WORM backup that the attacker could not touch.
Equally important: store backup copies offline or air-gapped from your production network, meaning they are physically disconnected or on a network segment that cannot be reached by internet-connected systems. Test restoration from these backups monthly to confirm they are actually usable—many firms discover during a crisis that their backups are corrupted or incomplete. The operational overhead of WORM backups and offline storage is non-trivial. You need physical infrastructure to house the backups, staff time to manage them, and procedures to retrieve and restore from them in an emergency. Many smaller tax firms outsource this to a managed backup provider that handles the technical complexity. The tradeoff is cost—good backup solutions add $50-200 per month depending on data volume—but the alternative is catastrophic: a ransomware attack with no working backup could cost a tax firm tens of thousands of dollars in downtime, lost client data, and recovery costs. The 73% faster containment time for organizations with tested incident response plans shows that firms making these investments see real benefits.

Installing Firewalls and Antivirus Protection
Your network perimeter must be defended with both hardware and software firewalls. A hardware firewall sits between your office network and the internet, inspecting all incoming and outgoing traffic and blocking unwanted connections. A software firewall runs on each individual computer and provides an additional layer of protection specific to that machine. Neither one alone is sufficient; together they create a layered defense that blocks a significant portion of automated attacks.
Antivirus software should be part of your comprehensive security strategy, though it is important to understand its limitations. Antivirus is primarily effective against known threats—software signatures in the database. Newer, zero-day exploits (unknown vulnerabilities) often slip past traditional antivirus until the vendor updates its signatures. For this reason, antivirus should be paired with endpoint detection and response (EDR) tools that use behavioral analysis and machine learning to catch suspicious activity even if the specific malware is unknown. Many tax firms combine both a major antivirus vendor (Norton, McAfee, Windows Defender) with an EDR solution for defense-in-depth.
Creating Tested Incident Response Plans and Looking Forward
An incident response plan is a documented procedure describing who does what when a security breach is suspected. It includes notification chains, isolation procedures, forensic investigation steps, and communication protocols with the IRS and affected clients. Organizations with tested incident response plans reduce breach costs by 54% and containment time by 73% compared to firms that respond ad-hoc. This is not theoretical—the data is clear that having a plan, testing it annually, and updating it based on what you learn delivers measurable outcomes.
The future of tax preparer security will likely involve mandatory integration with IRS systems and the broader adoption of zero-trust architecture, where every device, user, and connection is verified regardless of network location. The IRS has already begun rolling out enhanced authentication for Tax Pro accounts and is signaling toward tighter coupling between EFIN systems and preparer security postures. Tax firms that implement these protections today—MFA, WISP documentation, employee training, encryption, backups, and incident response testing—will adapt more smoothly to future requirements. Those that continue operating with minimal security will face increasing regulatory pressure and liability.
Conclusion
Securing your tax preparer account access is not a one-time effort but a continuous program involving legal compliance, technical controls, personnel training, and regular testing. Federal law requires you to maintain a written information security plan; publication 4557 and the IRS’s Tax Security 2.0 checklist define the baseline expectations. The specific controls—multi-factor authentication, least-privilege access, phishing training, data encryption, firewalls, and antivirus protection—are all required components that must work together to protect your EFIN, PTIN, and client data from criminals who are increasingly sophisticated and motivated.
Begin by conducting a risk assessment to identify which systems and data require the strongest protections, designate a security coordinator to oversee the program, and allocate budget for both tools and training. Document your security practices in writing so you can demonstrate compliance to regulators if needed. The cost of implementing these controls is far lower than the cost of responding to a breach—financial penalties, client lawsuits, reputational damage, and the operational disruption of recovery. Your account security is your firm’s security, and your firm’s security is your clients’ protection.
