Tax season creates a surge of activity for small and medium-sized businesses, including gathering W-2s and 1099s, coordinating with accountants, processing payroll updates, and meeting filing deadlines. This period is busy, stressful, and often requires sharing sensitive financial and employee data under tight deadlines.
Cybercriminals know this. They plan for tax season the same way you do.
Every year, the IRS publishes its “Dirty Dozen” list of the most dangerous tax-related scams, and the pattern is consistent: attacks spike between January and April, targeting individuals and businesses that are rushing to meet deadlines and are more likely to click before they think. The FBI’s 2024 Internet Crime Report found that cybercrime losses hit a record $16.6 billion, a 33% increase over 2023, with phishing and business email compromise (BEC) among the top contributors.
Fortunately, most of these threats can be avoided with proper defenses. Below are key risks to watch for this season and recommended actions.
1. IRS Impersonation Phishing and Smishing
This is the most common tax-season attack and remains effective because it continually evolves. Cybercriminals send phishing emails and smishing texts impersonating the IRS, claiming your business owes back taxes, has a pending refund, or is under audit. These messages create urgency, prompting recipients to act without verifying.
In 2024, the Federal Trade Commission (FTC) reported $789 million in losses to government impersonator scams, including IRS impostor attacks. The IRS states it does not initiate contact by email, text, or social media to request personal or financial information. If you receive such a message, do not click any links. Forward suspicious emails to phishing@irs.gov and delete them.
What to Watch For
- Emails or texts claiming to be from the IRS demanding immediate payment
- Messages threatening legal action or license suspension
- Links to websites that are not official .gov addresses
- Requests for Social Security Numbers, EINs, or banking details via email
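One way a mail filter or help-desk script could apply the "not an official .gov address" check from the list above, shown as an added example that is not part of the original article. It reads the host a browser would actually connect to, so lookalikes that merely contain "irs.gov" are still flagged. The sample message, its reserved .example hosts, and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Rough URL matcher for plain-text message bodies.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def link_host(url):
    """Return the lowercase host a browser would connect to, or ""."""
    try:
        # .hostname drops any "user@" prefix and the port, so
        # "https://irs.gov@other.example/" resolves to "other.example".
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def is_official_gov(host):
    """True only when the final DNS label is "gov" (e.g. www.irs.gov)."""
    # Non-ASCII hosts are rejected to avoid look-alike characters.
    return host.isascii() and host.endswith(".gov")


def suspicious_links(body):
    """List (url, host) for every link whose host is not under .gov."""
    flagged = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:!?")  # drop sentence punctuation
        host = link_host(url)
        if not is_official_gov(host):
            flagged.append((url, host))
    return flagged


# Constructed sample message; the .example hosts are reserved test names.
SAMPLE = """\
IRS NOTICE: your business refund is pending. Verify within 24 hours:
https://www.irs.gov.refund-status.example/claim
Or sign in at https://irs.gov@tax-portal.example.net/login
Official guidance: https://www.irs.gov/payments.
"""

if __name__ == "__main__":
    for url, host in suspicious_links(SAMPLE):
        print(f"not a .gov host: {host!r}  <- {url}")
```

A substring test such as `"irs.gov" in url` would pass both flagged links in the sample, which is why the check is made on the parsed host's final label.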
2. Business Email Compromise (BEC) and W-2 Fraud
Business email compromise is among the most financially damaging cyber threats to small businesses, and the risk rises significantly during tax season. In 2024, BEC attacks caused $2.77 billion in losses across 21,442 reported incidents, making it the second-most costly cybercrime category tracked by the FBI’s IC3.
During tax season, BEC attacks often take specific forms that directly target business owners:
- W-2 Phishing: An attacker impersonates a company executive or HR leader and emails the payroll or accounting team to request copies of all employee W-2 forms. These forms contain names, SSNs, addresses, and income data, providing all the information needed to file fraudulent tax returns.
- Payroll Redirect Fraud: An attacker poses as an employee and requests that their direct deposit information be updated to an account the attacker controls, just before a payroll run.
- Vendor Invoice Fraud: A spoofed email from a vendor or accountant requests a change in payment details ahead of a tax-related payment.
What makes BEC so effective is that the emails often look completely legitimate, with the right logo, name, and tone. They exploit trust and the time pressure of tax season to get employees to act quickly and skip the usual verification steps.
3. Spear Phishing Targeting Tax Professionals and Their Clients
If your business uses an external accountant, bookkeeper, or tax preparer, you face an additional security risk. The IRS has warned about the “new client” scam, a spear-phishing scheme in which criminals pose as potential clients to access a tax professional’s computer system and the sensitive data of all their clients.
The IRS reports that the new client scam accounted for about two-thirds of the 400 BEC and email spoofing complaints received at phishing@irs.gov during one filing season. If an attacker gains access to a tax professional’s system, they can obtain your business’s financial records, EIN, and filing history.
A breach at your accountant’s office can compromise your own data. Discuss security measures with all third-party financial service providers.
4. Ransomware Attacks Timed to Deadline Pressure
Ransomware, which encrypts files and demands payment for their release, is a year-round threat. However, tax season increases vulnerability, as attackers know businesses face significant pressure to restore access to accounting or payroll systems before filing deadlines.
The FBI’s 2024 IC3 report noted a 9% year-over-year increase in ransomware complaints, identifying ransomware as “the most pervasive threat to critical infrastructure.” For small businesses, the impact often includes recovery costs, employee downtime, data exposure, and reputational harm. Many do not fully recover.
- Key defense: Regular, tested, off-site backups are your single most effective safeguard against ransomware.
If your data is backed up and recoverable, attackers lose their leverage. KT Connections helps clients implement this safeguard as part of their cybersecurity posture from the outset.
5. Tax Identity Theft: Business Edition
Most people think of identity theft as an individual problem, but businesses are increasingly targeted as well. In 2024, the IRS Criminal Investigation unit uncovered $9.1 billion in tax fraud and financial crimes, with nearly 2 million tax returns flagged for identity theft and fraud totaling $16.5 billion in fraudulent filings.
For a small business, this may result in someone filing a fraudulent return under your Employer Identification Number (EIN) before you do, claiming refunds or credits your business did not earn. Resolving the fraud with the IRS can take months and delay your legitimate filings.
These attacks often begin before tax season, as your EIN and business data may be obtained through phishing, vendor data breaches, or public business filings. Tax season is when fraud is most often committed.
6. Social Engineering and Deepfake Scams
This threat category is evolving rapidly and requires attention. In addition to traditional phishing emails, attackers now use AI-generated audio and deepfake video to impersonate executives, IRS officials, and financial advisors during phone calls and virtual meetings. The IRS has specifically warned about deepfake video calls using realistic computer-generated images of government officials to demand payment for fabricated tax debt.
For business owners, the most immediate risk is a call that appears to come from a CFO, accountant, or trusted vendor, requesting a wire transfer or password reset. The urgency is fabricated, the voice is artificial, and funds sent are rarely recovered.
The most effective defense is to establish a protocol for in-person or verbal verification of all financial transactions or sensitive data requests, regardless of how familiar the requester appears.
What Small Businesses Should Do Right Now
These threats are real and affect businesses of all sizes and industries. Below are immediate steps every SMB should take before and during tax season:
- Train Your Team: Ensure employees handling payroll, accounting, or tax documents can recognize phishing attempts, especially W-2 requests and payment redirect emails. A brief discussion before tax season can prevent significant losses.
- Enable Multi-Factor Authentication (MFA): Require MFA on all email accounts, accounting software, payroll systems, and cloud storage. This is the most effective way to prevent credential theft from leading to a breach.
- Verify Before You Act: Any request involving financial data, employee records, or payment changes should be verbally confirmed using a known phone number, not one provided in the request.
- Back Up Your Data: Maintain secure, off-site backups and test them regularly. This is your primary recovery option if ransomware strikes.
- Monitor Your EIN: File business taxes as early as possible to reduce the risk of fraudulent filings under your EIN.
- Engage a Cybersecurity Partner: Ongoing monitoring, threat detection, and a proactive security posture are the most effective long-term defenses against these threats.
KT Connections Can Help You Stay a Step Ahead
Regardless of the season, your business data requires continuous protection. At KT Connections, our cybersecurity services focus on proactive defense, including managed firewalls, endpoint protection, threat monitoring, and security assessments to identify vulnerabilities before attackers do.
We support small and medium-sized businesses in Rapid City and Cheyenne by building security postures that withstand real-world pressures, including those experienced during tax season.
If you are unsure where your security gaps are, start with our free cybersecurity resources. These practical tools and guides are designed for business owners who want to strengthen security and better understand their current risks and vulnerabilities.
Visit ktconnections.com/free-cybersecurity-resources to access these resources, or call (888) 891-4201 to speak with a team member about a security assessment for your business.
Common Questions from Business Owners
Why Are Small Businesses Targeted More During Tax Season?
Tax season increases cyber risk because businesses process large volumes of sensitive financial data under tight deadlines. The surge in legitimate financial communications from accountants, payroll systems, the IRS, and vendors makes it easier for fraudulent messages to go unnoticed. Attackers intentionally exploit these circumstances.
How Does Business Email Compromise (BEC) Work, and How Can I Prevent It?
BEC attacks occur when criminals impersonate trusted contacts, such as executives, vendors, accountants, or HR representatives, to deceive employees into transferring funds or sharing sensitive data. To prevent BEC, focus on employee training, implement email authentication protocols (SPF, DKIM, DMARC), and require verbal verification for any financial or data requests received by email, regardless of how legitimate they seem.
What Should I Do if I Receive a Suspicious Email Claiming to Be From the IRS?
Do not click any links or open any attachments. The IRS does not initiate contact by email, text, or social media. Forward suspicious messages to phishing@irs.gov and then delete them. If you are unsure about the legitimacy of a communication, contact the IRS directly at 1-800-829-1040 or log in to your IRS.gov account.
What Is the Most Effective Thing a Business Can Do to Protect Against Ransomware?
Maintain regular, tested, off-site backups of all critical business data. If ransomware encrypts your systems, a clean backup removes the attacker’s leverage and enables you to restore operations without paying a ransom. Additionally, use endpoint protection, email filtering, employee awareness training, and continuous system monitoring.
Is Cybersecurity Only a Concern During Tax Season?
No, cybersecurity is not only a concern during tax season. While tax season brings a spike in certain attacks, threats like phishing, ransomware, BEC, and credential theft persist year-round. A proactive, continuous security posture is more effective than a seasonal vigilance approach. A managed cybersecurity provider can help maintain this posture without requiring your team to become security experts.