In 2002, the IRS launched the first IRS Dirty Dozen Tax Scams List. The aim was to raise awareness among taxpayers, financial institutions, and tax professionals about the increasing threat of scams and fraudulent schemes. At that time, the most prevalent scam was “Slavery Reparations.” It typically involved promoters charging fees to file fake tax forms that requested non-existent refunds or credits. These promoters created fake “reparations” for slavery, often claiming a specific tax credit, such as “black investment taxes.” This was just a small part of the landscape of scams in the early 2000s. 

By 2025, the landscape had changed completely, and at a pace faster than regulatory bodies could keep up with. For example, a CPA firm managing its client’s invoices could receive what appears to be a legitimate Accounts Payable request, only for the sender to be revealed as an impersonator using AI for a phishing scam. CPA firms and tax professionals are primary targets of these schemes because they have access to sensitive client financial data.

Financial and tax scams have only become more advanced and sophisticated over the decades. That’s why the IRS keeps updating the Dirty Dozen Tax Scams List to raise awareness about new and evolving scams.  

This blog will outline which scams in the latest IRS Dirty Dozen Tax Scams List impact CPA firms, describe how these scams might appear to CPA firms, and explore how to respond if they encounter them. 

IRS Dirty Dozen Tax Scams – What CPA firms need to know about the List  

Email Phishing and Smishing Scams 

Email phishing and smishing remain among the most common threats to CPA firms because they directly target practitioners’ access to IRS systems, tax software, and confidential client information. The scams often arrive via email or text, designed to appear to come from the IRS, a tax software vendor, a bank, a payroll processor, or even an existing client.

These schemes often take the form of emails or calls from purportedly legitimate sources within a CPA firm, seeking to “verify your account,” “update E-Services credentials,” or “review the attached tax documents.” Once a staff member opens an attachment or clicks a link, malware can install itself, or credentials can be stolen, which might allow unauthorized e-filing or widespread client identity theft.

Against this, CPA firms should institute strict verification processes for any unsolicited email or text. Staff members should never access a link or open an attachment from an unknown or unverified source, and firms should deploy multi-factor authentication (MFA) across all tax software, e-mail platforms, and client portals. Ongoing phishing simulations and cybersecurity training keep teams alert to potential risks, and maintaining a zero-tolerance policy for bypassing security procedures is crucial to preventing compromise.

New Client Scams and Spear-Phishing 

Spear-phishing is a more focused version of phishing, and scammers often pose as “new clients” needing help with their taxes. They craft an effective introductory email, mentioning some personal situation, and then attach supposed tax documents containing malware. 

These scams turn up most often at CPA firms during the busy season, when staff are apt to open new-client files rapidly. Because these messages seem customized and pertinent, someone in your firm is more likely to open the attachment, thereby providing access to firm information, credentials, or client data.

The best defense is to require formal identity verification before opening any files from prospective clients. Firms should adopt a secure workflow in which all documents must be uploaded through encrypted portals rather than email. Additionally, firms can instruct staff to treat all unsolicited new-client emails as suspicious until verified, and to involve IT/security before interacting with files that originate outside the firm’s normal intake process. 

IRS Online Account Help Scams 

Another item in the IRS Dirty Dozen Scams List involves scammers offering to “help” taxpayers to set up their IRS online accounts. CPA firms encounter this when clients forward emails or ads from third parties claiming they can create or “optimize” IRS accounts on the client’s behalf. 

The scammers ask for Social Security numbers, birthdates and photo identification, all the information needed to commit identity theft or file fraudulent returns. If clients follow these instructions, it’s possible that a CPA later discovers that their client’s online IRS account has been hijacked.

To combat these scams, CPA firms must educate clients not to share sensitive information with unverified third parties and clearly instruct them on how to set up their IRS accounts safely.

Firms may offer to guide clients through the legal setup process or provide an official IRS link. Communication during tax season via a newsletter, portal, or engagement letter can reinforce that CPAs will never outsource the IRS account setup to unfamiliar services. 

The Overstated Withholding Scam 

The overstated withholding scam works by fabricating W-2 or 1099 forms that inflate the filer’s income and withholding on a return to create an artificial refund. CPA firms encounter this when clients provide unusually large or suspicious W-2s prepared by some promoter or printed from dubious “refund maximization” websites. Even unintentionally filing such returns exposes the CPA firm to possible scrutiny for failing to validate client information.

The solution is rigorous document validation: employers’ information should be verified, original tax forms requested, and filings compared with prior-year records or payroll transcripts, if necessary. A firm’s internal policies should provide that it will not file any return containing unverifiable or patently incorrect wage or withholding data.

Ghost Tax Return Preparers 

Ghost preparers are those who prepare returns but will not sign them with a valid PTIN. They at times impersonate legitimate CPA firms or steal firm identities to make themselves look legitimate. CPA firms may find their firm’s name on returns they never prepared or may find clients who believe they “worked with your firm online,” when actually they have been dealing with an impersonator. 

To defend against this threat, firms should monitor PTIN filings, immediately report impersonation incidents to the IRS, and educate clients on how to verify that a tax preparer is truly associated with the firm. Encouraging clients to contact the firm directly through its official website before receiving information helps ensure that no fraudulent impersonation occurs. 

Concluding Thoughts 

Although the IRS Dirty Dozen Tax Scams List covers a lot of important information about modern scams, CPA firms need to implement security measures against scams beyond those listed. Scammers often evolve far more quickly than the IRS’s yearly list can keep up with.

For CPA firms, having strong, well-structured background checks enables a higher level of client vetting and reduces exposure to fraudulent activities. Proactively investing in cybersecurity infrastructure, ongoing staff training, and vigilant client communication creates multiple layers of defense. Ultimately, staying informed, remaining skeptical of unsolicited requests, and maintaining rigorous internal controls will empower firms to protect their clients, their reputations, and their businesses from increasingly sophisticated scams.