I run a cybersecurity company, so tax season is peak phishing season for me and my clients. My biggest proactive move? I set up a dedicated email address just for tax correspondence with my CPA and the IRS--nothing else touches it. That way, when some "urgent IRS notice" hits my main inbox in March, I know instantly it's fake because the IRS doesn't even have that address. I learned this after helping a client recover from a W-2 scam in 2019. Attacker spoofed their payroll department right before filing deadline, requested "updated tax forms" from 40 employees, and harvested SSNs before anyone caught it. Cost them $28K in credit monitoring alone. The whole breach happened because tax emails and everyday noise lived in the same inbox--nobody could tell signal from threat. The dedicated email takes two minutes to set up and costs nothing. I check it twice a week during January through April, my CPA has the address on file, and I've enabled MFA with a hardware key so even a compromised password won't grant access. Four tax seasons running, zero successful phishing attempts.
The one proactive measure I take every tax season to protect myself from tax scams is filing my return as early as possible. Because I run an electronic filing platform, I see fraud patterns and scam tactics emerge every tax season before most people are even aware they exist. And the victims are almost always people who waited too long to file. Filing early is the simplest way to stay ahead of the threat because a scammer cannot file a fraudulent return in my name if I have already filed first. This practice has safeguarded my information by removing the window of opportunity that scammers rely on. My refund goes where it is supposed to go, and I never have to deal with the exhausting process of proving my identity to the Internal Revenue Service after someone has already done damage. Acting early means there is nothing left for a scammer to exploit.
I run full OSINT sweeps on my own digital footprint every January using tools like public search engines and people-finder sites, treating myself as the target to spot leaked tax-related data early. As CEO of McAfee Institute, where we train over 4,000 organizations in cyber investigations, including techniques from our C|OSINT certification, this mirrors how pros hunt threats proactively. Last tax season, it uncovered a dark web forum listing my email from a breached vendor--scammers were prepping phishing for fake refunds. Documenting sources per our evidence protocols let me alert affected parties and secure accounts before strikes hit, preventing any data loss. This practice has blocked three similar exposures in two years, aligning with IC3 data showing quick personal monitoring stops 60% of identity scams cold.
One proactive thing I do every tax season is lock down domain + email impersonation: I enable strict SPF + DKIM and enforce a **DMARC "reject"** policy on our company domains (and I push clients to do the same). As an IT/cybersecurity consultant (and founder of Sundance Networks), I've seen tax-season scams succeed mostly through "looks legit" emails, so I focus on stopping spoofed mail at the gate. A real example: a contractor client got hit with a payroll/W-2 request that appeared to come from the owner (classic "CEO fraud" timing in late Jan/Feb). After moving them from DMARC=none to **DMARC=reject** and tightening SPF to only Microsoft 365 senders, the same spoof attempts started failing authentication and never reached inboxes--no W-2s sent, no direct-deposit changes processed. How it safeguards my info: it prevents attackers from using my own domain to socially engineer my bookkeeper/CPA, and it cuts down on inbound "IRS/QuickBooks" lookalikes that rely on header trickery. Bonus: I pair it with a simple rule--any tax/payment change must be verified by a phone call to a known number, never the one in the email.
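The move from DMARC=none to DMARC=reject with SPF tightened to Microsoft 365 can be checked mechanically. This is an added example, not Sundance Networks' tooling: it audits two constructed TXT records (a "before" and an "after") rather than performing live DNS lookups, and the domain names are placeholders.

```python
"""Audit SPF and DMARC TXT records for the weak-vs-hardened settings discussed above.
Added example; records and domains below are constructed, not live DNS data."""
import re

# Constructed records: "before" (DMARC p=none, permissive SPF with a legacy sender)
# and "after" (DMARC p=reject, SPF limited to Microsoft 365 with a hard fail).
RECORDS = {
    "before.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.legacy-host.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@before.example",
    },
    "after.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@after.example",
    },
}
M365_SPF_INCLUDE = "spf.protection.outlook.com"  # the only sender the hardened SPF should allow
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)


def parse_tags(record: str) -> dict:
    """Split DMARC 'k=v; k=v' syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit_spf(spf: str) -> list:
    """Return findings for an SPF record; an empty list means hardened."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    mechanisms, findings = terms[1:], []
    last = mechanisms[-1] if mechanisms else ""
    if last != "-all":
        findings.append(f"terminal mechanism is '{last}', expected '-all' (hard fail)")
    includes = [m.split(":", 1)[1] for m in mechanisms if m.lower().startswith("include:")]
    extra = [i for i in includes if i.lower() != M365_SPF_INCLUDE]
    if extra:
        findings.append(f"senders beyond Microsoft 365 are authorised: {', '.join(extra)}")
    lookups = sum(1 for m in mechanisms if _LOOKUP_TERM.match(m))  # RFC 7208 cap is 10
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


def audit_dmarc(dmarc: str) -> list:
    """Return findings for a DMARC record; an empty list means enforcing."""
    tags = parse_tags(dmarc)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings, policy = [], tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is still delivered; only p=reject blocks it")
    if tags.get("sp", policy) != "reject":
        findings.append("subdomain policy is weaker than reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: only part of the failing mail is enforced")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who spoofs the domain")
    return findings


def audit_domain(name: str) -> dict:
    rec = RECORDS[name]
    return {"spf": audit_spf(rec["spf"]), "dmarc": audit_dmarc(rec["dmarc"])}


if __name__ == "__main__":
    for domain in RECORDS:
        result = audit_domain(domain)
        print(domain, "->", "hardened" if not any(result.values()) else result)
```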
One proactive measure I take during tax season is something I call my "24-hour rule." If I get any message about taxes—especially one claiming to be from the Internal Revenue Service—I don't act on it immediately. I step away and give it a full day before I do anything. That pause has made a huge difference. Tax scams are designed to create urgency. They use phrases like "final notice" or "immediate action required" because they want you to react emotionally, not logically. By forcing myself to wait, I take that power away. Here's why this simple habit works so well for me: It stops panic in its tracks. No rushed clicks, no hurried replies. It forces me to verify independently. I don't use links or phone numbers in the message—I go directly to official websites and log in myself. It exposes fake deadlines. Real tax authorities don't evaporate in 24 hours. Scammers often push harder when you don't respond right away. It gives me clarity. After a day, most scam messages feel obvious. It's not a complicated system—but that's the point. That built-in pause has helped me avoid reacting emotionally and has significantly reduced the risk of handing over sensitive financial information during tax season.
I have observed that a lot of individuals waste their money because they believe a random phone call during tax season. It is regrettable that these criminals make people fall for it out of fear. Based on my experience in the domain, my best principle is to verify everything in the official government portal. I do not pay any attention to any letter or notice stating that I have to pay something to someone; I just log into my secure account and check my balance directly. I once received a very realistic letter concerning a tax debt that did not exist. Rather than worrying, I would have checked my online portal and found my account had no balance, and this would have confirmed the letter was a fake. This single habit has helped my firm avoid fraudsters stealing personal information or identity. You can only imagine how stressful such international taxes are, and having only one source of truth is the best defense we could have.
In my line of work, I treat my personal data like a witness in a high-profile trial: I protect it aggressively, and I assume everyone trying to get close to it has bad intentions. The single most effective proactive measure I take—and one I urge every client to adopt—is obtaining an Identity Protection PIN (IP PIN) directly from the IRS. Think of your Social Security Number as your username; unfortunately, in the age of data breaches, that username is often public knowledge. The IP PIN is the password. It is a six-digit code known only to you and the IRS. Even if a cyber-criminal has your full name, address, and Social Security Number, they cannot file a fraudulent tax return in your name without this code. The IRS system will automatically reject the filing as if it were inadmissible evidence. It effectively freezes the scammer out of the system before they can even claim a refund. Furthermore, this practice has safeguarded my peace of mind regarding the phone scams that plague us all. I know—as a matter of law and procedure—that the IRS operates via the United States Postal Service, not via threatening voicemails. The IRS does not demand immediate payment in gift cards, nor do they threaten to arrest you within the hour. That is not due process; that is extortion. By locking down my return with an IP PIN, I have removed the "fear factor." If someone calls claiming there is a problem with my taxes, I know it is a scam because I hold the only key to the filing. I hang up with the confidence of a man who knows the case against him has no merit.
As a cybersecurity expert who's spoken at Nasdaq, West Point, and the Harvard Club, one proactive measure I take during tax season is filing our business taxes early after a full third-party cybersecurity risk assessment. This caught unsecured network entry points last year that could have let tax scammers impersonate us, similar to the IRS-flagged 1 million identity theft cases. We've never failed to find vulnerabilities in 16 years--patching them shrinks the scam window and blocks phishing before it hits tax portals. It safeguards our info by mapping a crisis plan, ensuring Titan stays ahead of nonstop cybercriminals.
CEO at Digital Web Solutions
Answered 2 months ago
We conduct a pre-filing data inventory to reduce what we share. Before any document leaves our environment, we remove unnecessary identifiers and replace full account numbers with partials when allowed. We also require encrypted transfer links that expire quickly and revoke access after confirmation. This proactive approach assumes something may leak and plans for minimal damage. This strategy proved effective when a vendor's mailbox was reported compromised. Since our shared files were time-limited and contained redacted details, there was no complete profile for criminals to misuse. We could also clearly show what was sent and when it expired. This clarity reduced risk and simplified incident response, reminding us that privacy is a design choice and not a hope.
I run a "tax-season lockdown" on my business credit files and only thaw them when I'm about to apply for something (I use Experian credit freeze + TransUnion freeze + Equifax freeze). I learned to do this from the transportation side--running a limo fleet and over-the-road freight taught me how fast identities get targeted when you've got lots of transactions, payroll docs, and vendor W-9s moving around. The practical rule: during January-April, nobody can open a new account in my name or my business name because the bureaus won't release my file. If a scammer gets a SSN/EIN from a fake "1099 follow-up" email or a compromised inbox, they still can't turn it into a new credit line. This has already saved me once when a "business card application" inquiry popped up right after we were collecting owner info for multiple furnished rentals across Detroit and Chicago. With the freeze on, it was automatically blocked, and I didn't have to chase down banks or wonder which document leak it came from.
To prevent being defrauded by homework tax, I only ever respond to legitimate mail from the Internal Revenue Service (IRS). They are the government agency responsible for the collection of taxes. My company Dancing Numbers deals with large amounts of information daily and knows that the IRS will only send out original correspondence via official mail. We had a partner firm nearly lose $4,500 to a fraudulent wire request that appeared to be completely legitimate. After receiving a high-pressure telephone call from someone claiming to represent the IRS, we waited for a hard copy of the correspondence, and in reviewing the documents we were able to point out three small logical errors in the fraudulent request. Think of your tax data as a vault to which you have the only key; tax fraudsters will do everything possible to get you to unlock the vault, using fear and/or false titles on their screens to get you to release your private data. Using only legitimate paper mail keeps your key securely in your pocket. By following this practice, we lowered the number of security breaches within our organization by 92%, since we removed the element of panic when dealing with the IRS.
Relying on human vigilance to detect modern phishing is a fundamental engineering failure. With the commoditization of Large Language Models (LLMs), the era of spotting scams via typos or awkward syntax is over; AI generates perfect, context-aware lures that bypass biological detection. Instead of training myself to be a better detective, I architect a system that renders the quality of the phish irrelevant through Channel Isolation. I treat my tax communications like a secure, isolated microservice. I provision a unique, dedicated email alias, something cryptographically random, used exclusively for government portals and my filing software. This address is never exposed to the public web, never used for newsletters, and never entered into third-party forms. It is a "dark" endpoint known only to the necessary authorities. The security mechanism here is routing, not content analysis. If a "URGENT: IRS Notification" arrives in my general inbox, I don't need to inspect the headers or hover over links. It is malicious by default because it hit the wrong endpoint. This binary validation removes cognitive load and eliminates the risk of a sophisticated deepfake fooling me. In architecting secure SaaS infrastructure, we operate on Zero Trust principles: never trust the user to spot the threat; build a topology where the threat cannot reach them. I apply that same architectural rigor to my personal compliance.
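The routing rule described here and in the first answer above (a dedicated alias known only to the CPA and the IRS, so tax-themed mail at the general inbox is malicious by default) can be expressed as a small triage filter. This is an added example, not either contributor's tooling: the alias, inbox, sender domains and sample messages are all constructed, and the keyword list is an assumption standing in for whatever the reader's own tax correspondence looks like.

```python
"""Channel-isolation triage for a dedicated tax alias (added example, not the
contributors' code).  Rule: tax-themed mail reaching the general inbox is a phish
by routing alone; mail reaching the alias from outside a short allow-list is escalated."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed identities for the example.
TAX_ALIAS = "k7q2xw9rt4@example.net"                # the 'dark' endpoint, never published
GENERAL_INBOX = "owner@example.net"                  # public-facing address
TAX_SENDER_DOMAINS = {"irs.gov", "cpa-firm.example"}  # the only parties given the alias
_TAX_WORDS = re.compile(r"\b(irs|tax|refund|w-2|1099|k-1|ein)\b")  # assumed lure vocabulary


def envelope_recipient(msg) -> str:
    """Prefer the delivery header over To:, which the sender controls."""
    for hdr in ("Delivered-To", "X-Original-To", "To"):
        if msg.get(hdr):
            return parseaddr(msg[hdr])[1].lower()
    return ""


def looks_tax_themed(msg) -> bool:
    body = msg.get_payload() if not msg.is_multipart() else ""
    return bool(_TAX_WORDS.search((msg.get("Subject", "") + " " + body).lower()))


def triage(raw: str) -> str:
    """Classify one raw RFC 822 message by where it landed and who sent it."""
    msg = message_from_string(raw)
    rcpt = envelope_recipient(msg)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if rcpt == TAX_ALIAS:
        # Right endpoint: only the CPA and the IRS know it, so anyone else is a signal.
        return "legit" if sender_domain in TAX_SENDER_DOMAINS else "escalate-unknown-sender"
    if looks_tax_themed(msg):
        return "phish-wrong-endpoint"  # tax content at an address the IRS/CPA were never given
    return "other"


# Constructed sample messages exercising each branch.
SAMPLES = {
    "lure_to_general": ("From: IRS Notices <notices@irs-gov-secure.example>\n"
                        "Delivered-To: owner@example.net\n"
                        "Subject: URGENT: IRS Notification - action required\n\n"
                        "Your refund is on hold. Confirm your details within 24 hours.\n"),
    "cpa_to_alias": ("From: Jane Doe <jane@cpa-firm.example>\n"
                     "Delivered-To: k7q2xw9rt4@example.net\n"
                     "Subject: Draft 1040 ready for review\n\nPlease review in the portal.\n"),
    "stranger_to_alias": ("From: Support <help@vendor.example>\n"
                          "Delivered-To: k7q2xw9rt4@example.net\n"
                          "Subject: Tax export\n\nDownload your tax export here.\n"),
    "newsletter_to_general": ("From: News <news@shop.example>\n"
                              "Delivered-To: owner@example.net\n"
                              "Subject: Spring sale\n\nDeals inside.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:24s} -> {triage(raw)}")
```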
As President of Alliance InfoSystems, I've managed the 400% surge in cybercrime where scammers use tax season urgency to deploy malware via "fake invoices." We rely on concrete data from Symantec showing that 1 in 131 emails contains malware to justify a "zero-trust" attachment protocol for all incoming external files. I recommend implementing **Microsoft Outlook's Advanced Threat Protection** to sandbox attachments, which recently stopped a Dridex banking trojan from infecting a client's network. This technical layer prevents malicious JavaScript from executing even if an employee is pressured by an "Urgent Notice" subject line. We complement this with simulated phishing attacks to ensure our team knows the IRS will never use generic greetings like "Dear Customer." This practice has successfully transformed our staff into a human firewall, safeguarding sensitive credentials for Google Drive and Microsoft 365 from being harvested during the tax rush.
I treat my physical mail the same way I'd secure a site perimeter--full containment and eyes-on. During tax season I use an off-site locked mailbox service instead of a street-side box, so W-2s, 1099s, and notices from the IRS never sit exposed where someone can walk up and grab them. I learned this from seven years in corporate security: control the access point, you control the breach. The moment tax docs hit that box, I scan them into an encrypted cloud vault and shred the originals that same day. I've seen too many dumpster-dive thefts on job sites to trust recycling bins or "later this week" piles. One year I caught a vendor phishing email asking me to "confirm my EIN for updated 1099 filing"--because I'd already uploaded everything and knew the IRS timeline, I recognized it instantly as fake and reported it. The lockbox costs me $15/month, but it's paid for itself. No stolen mail, no second-guessing whether something arrived, and I can grant my CPA temporary retrieval access without handing over keys to my house or office.
Every year, around tax time, I make sure to complete domain verification before reviewing any financial requests for our organization. A couple of years ago, we got an email that appeared to be a legitimate tax notification with actual information about our company; however, the sender's domain was off by just one letter. As a result, we now require all tax-related correspondence to come through verifiable channels only. No exceptions. That single policy has saved us from several potential instances of fraud. Scammers use urgency and authority to create emotional responses. By taking the time to confirm the source, you can avoid responding emotionally to fake demands.
I place an IRS IP PIN on my file every year and treat it like a second factor for my tax identity. In real estate/private investments and family-office work, I'm constantly protecting high-value data flows, and this is the cleanest "identity lock" the IRS offers. I started doing it after seeing identity-driven fraud attempts creep into routine workflows--vendor ACH-change emails, spoofed "K-1 resend" requests, etc.--the same playbook scammers use for tax filings. The IP PIN forces any return filed under my SSN to include that code, so a thief can't successfully e-file even if they have my W-2/1099 data. It's directly prevented damage: one year a CPA we oversee for a portfolio entity flagged a rejected filing that "should've gone through," and the rejection was the missing IP PIN. That early signal let us tighten access to tax docs and rotate credentials before anything turned into a refund theft or a longer identity mess.
Criminals ramp up activity during tax season because they know personal data is moving quickly and deadlines create pressure. A proactive measure acts as a barrier, stopping fraud attempts before they ever reach your bank account or IRS record. I use multi-factor authentication (MFA) as my primary security protection method for all my tax accounts, but I especially use it to protect my IRS Online Account, which I use to access my IP PIN, transcripts, and return status. MFA adds a second layer of identity verification beyond a password. Even if someone obtains your login credentials through a data breach or phishing attack, they must still complete another verification step to gain access to your account. The additional security measure makes it much harder for criminals to hijack your tax records or attempt a fraudulent filing using your identity. For example, when I set up my IRS Online Account last year, I linked both my mobile number and an authenticator app. A few weeks later the system flagged an attempted login from an unfamiliar location. Because MFA was enabled, the access request was blocked automatically and I received an alert immediately. That simple setup prevented unauthorized entry into an account that contains sensitive tax and financial data. For stronger account security, choose an authenticator app rather than SMS verification, which is more exposed to SIM-swap vulnerabilities.
I've guided thousands of beginners to secure their first Bitcoin buys on Coinbase since 2023, so platform security is my expertise. During tax season, my proactive measure is enabling app-based 2FA (like Google Authenticator) on Coinbase and confirming no SMS fallback. This blocked a phishing attempt last year mimicking Coinbase "tax export" support--attackers couldn't access my account or transaction history despite stealing my password, keeping all info safe. Start with $25 buys only after 2FA setup; it builds habits that protect beyond crypto.
Attorney and Chief Executive Officer at Cummings & Cummings Law
Answered 2 months ago
I am a tax attorney, CPA, and chief executive officer of the law firm Cummings & Cummings Law (https://www.cummings.law) with offices in Dallas, Texas and Naples, Florida. I also teach business and tax law at Florida Gulf Coast University in Estero, Florida. I require all tax documents through a secure client portal that uses two-factor authentication and end-to-end encryption. I refuse to accept W-2s, 1099s, K-1s, driver's licenses, or bank statements by email or text. I also prohibit staff from downloading client data to local devices. Clients who insist on email create a record that criminals can exploit through mailbox compromise. One breached inbox can expose Social Security numbers, EINs, prior-year returns, and routing numbers in a single thread. That data supports fraudulent refunds, business identity theft, and unauthorized payroll filings. A single fraudulent Form 941 can freeze an operating account for weeks. We are working through one of these right now. I also pull IRS account transcripts before filing any return. I confirm wage and income data, prior-year AGI, and filing history. If the IRS transcript reflects a return already filed, I stop. That practice has prevented duplicate filings and refund diversion. In one case, a client's Form 1040 had been filed with a direct deposit to a prepaid debit card. We detected it before submitting our return and initiated Form 14039 immediately. Tax scams do not end with the refund. That's an important point. Criminals use stolen data to open merchant accounts, obtain SBA loans, and file fraudulent sales tax registrations. That exposure triggers audits and bank compliance reviews. A secure intake system and transcript verification create a control point. Without those controls, a firm can transmit a client's identity to a criminal with one click. My profile and credentials can be viewed on my Featured profile and on my website above.
Should you have any follow up questions or wish to schedule a Zoom conference to discuss, please email me at chad@cummings.law.
As founder of Midwest Pain and Wellness, handling HIPAA-protected patient data alongside financial records, I proactively deploy Acronis endpoint protection across all practice devices during tax season. This scans for malware and phishing mimicking IRS demands for W-9s or EIN details, blocking threats before they reach inboxes. Last year, it quarantined a ransomware variant targeting our billing server after a fake tax refund email, averting a potential $50K data recovery cost and keeping our opioid-free treatment records secure. Our Microsoft-certified partnership ensures layered defenses, with zero successful breaches in five years.