News & Updates

The IRS and the Security Summit partners continue to see a relentless string of attempts by identity thieves to target tax professionals in hopes of gaining valuable client tax information. With stronger fraud defenses put in place by the IRS and Security Summit partners, identity thieves have shifted their attention to tax pros to get more detailed information to help prepare bogus tax returns.

"We continue to see instances where tax professionals have had their systems compromised, and they didn’t realize it for week or months,” IRS Commissioner Danny Werfel said. “Identity thieves are creative, and they can find ways of quietly penetrating systems. There are important warning signs tax pros should watch out for that can help alert them more quickly to a security issue, and speed is critical to protect clients and their businesses from a security incident.”

The IRS, state tax agencies and the nation's tax industry – working together as the Security Summit – reminded tax professionals that they should contact the IRS immediately when there's an identity theft issue while also contacting cybersecurity experts and insurance companies to assist them with determining the cause and extent of the loss.

This is the third week of an eight-part Protect Your Clients; Protect Yourself summer series, part of an annual education effort by the Security Summit, a group that includes tax professionals, industry partners, state tax agencies and the IRS. The public-private partnership has worked since 2015 to protect the tax system against tax-related identity theft and fraud.

These security tips will be a key focus of the Nationwide Tax Forum, being held this summer in five cities throughout the U.S. In addition to the series of eight news releases, the tax professional security component will be featured at the forums, which are three-day continuing education events. The next forum begins next week in Orlando, Florida, and is already sold out, followed by the week of August 13 in Baltimore, August 20 in Dallas and September 10 in San Diego. The IRS reminds tax pros that registration deadlines are quickly approaching for the Baltimore and Dallas forums, as San Diego has also sold out.

Each year at the tax forums, the IRS hears from tax professionals attending the sessions who realize that they’re victims of a data theft or a security breach, but they hadn’t realized the warnings signs. Here are some things that can help.

Tax pros: Know the warning signs from clients, their systems

Tax pros should be on the lookout for these critical warning signs from their clients:

• Clients receive notice that an IRS Online Account was created without their consent or that:
  • Someone accessed their IRS Online Account without their knowledge.
  • The IRS disabled their Online Account, either their individual or business Online Account.
• Tax pro clients receive a tax transcript they didn't request.
• Balance due or other notices from the IRS are received that are not correct based on the tax return filed.
• Clients reach out to the tax pro about calls or emails the tax pro didn't make.
• Clients receive refunds without filing a tax return.

Tax professionals should also watch for these red flags when their business experiences these situations:

• Slow or unexpected computer or network responsiveness such as:
  • Software is slow or actions take longer to process than usual.
  • Computer cursor moves or changes numbers without touching the mouse or keyboard.
  • Unexpectedly being locked out of a network or computer.
• Client tax returns are being rejected because their Social Security number was already used on another return.
• IRS authentication letters (5071C, 6331C, 4883C, 5747C) are being received even though a tax return hasn't been filed.
• Getting more e-file receipt acknowledgements than the tax pro actually filed.
• The IRS disabled the tax professional’s online account.
• Transcripts are being delivered to the tax pro’s Secure Object Repository (SOR) that they did not order.
• Notification from the IRS that the tax professional’s Centralized Authorized File (CAF) number has been compromised. If they suffer a data compromise, they should take proactive steps to protect their CAF number and consider requesting a new one to protect themself and their clients.
• Notification from the IRS regarding a client that they do not represent.

While these are only a few examples, tax pros should ensure they have the highest security possible and be ready to react quickly to protect themselves and their clients. To help tax pros, the Summit partners created the Written Information Security Plan PDF or WISP. The newly updated 29-page, easy-to-understand document was developed by and for tax and industry professionals to help keep client and business information safe and secure.

Tax pros should report data theft immediately

If a tax pro or their firm are the victim of data theft, they should:

• Report the incident to their local IRS stakeholder liaison. Speed is critical. IRS stakeholder liaisons will ensure all the appropriate IRS offices are alerted. If reported quickly, the IRS can take steps to block fraudulent returns in the clients' names and will assist tax pros through the process.
• Visit the Federation of Tax Administrators to find state contact information. Tax professionals can share information with the appropriate state tax agency by visiting the special Report a Data Breach.
• Tax professionals should be proactive with clients who could have been impacted and suggest appropriate actions, such as obtaining an identity protection PIN or completing a Form 14039, Identity Theft Affidavit PDF, if applicable.

Find more information at Data theft information for tax professionals.

‍

These taxpayers now have until Feb. 3, 2025, to file various federal individual and business tax returns and make tax payments.

The IRS is offering relief to any area designated by the Federal Emergency Management Agency (FEMA). This means that individuals and households that reside or have a business in Anderson, Angelina, Aransas, Austin, Bowie, Brazoria, Brazos, Burleson Calhoun, Cameron, Camp, Cass, Chambers, Cherokee, Colorado, Dewitt, Fayette, Fort Bend, Freestone, Galveston, Goliad, Gregg, Grimes, Hardin, Harris, Harrison, Hidalgo, Houston, Jackson, Jasper, Jefferson, Kenedy, Kleberg, Lavaca, Lee, Leon, Liberty, Madison, Marion, Matagorda, Milam, Montgomery, Morris, Nacogdoches, Newton, Nueces, Orange, Panola, Polk, Refugio, Robertson, Rusk, Sabine, San Augustine, San Jacinto, San Patricio, Shelby, Trinity, Tyler, Upshur, Victoria, Walker, Waller, Washington, Webb, Wharton and Willacy counties qualify for tax relief.

The same relief will be available to any other counties added later to the disaster area. The current list of eligible localities is always available on the Tax relief in disaster situations page on IRS.gov.

Filing and payment relief

The tax relief postpones various tax filing and payment deadlines that occurred from July 5, 2024, through Feb. 3, 2025 (postponement period). As a result, affected individuals and businesses will have until Feb. 3, 2025, to file returns and pay any taxes that were originally due during this period.

This means, for example, that the Feb. 3, 2025, deadline will now apply to:

• Any individual, business or tax-exempt organization that has a valid extension to file their 2023 federal return. The IRS noted, however, that payments on these returns are not eligible for the extra time because they were due last spring before the hurricane occurred.
• Quarterly estimated income tax payments normally due on Sept. 16, 2024, and Jan. 15, 2025.
• Quarterly payroll and excise tax returns normally due on July 31 and Oct. 31, 2024, and Jan. 31, 2025.

In addition, penalties for failing to make payroll and excise tax deposits due on or after July 5, 2024, and before July 22, 2024, will be abated, as long as the deposits are made by July 22, 2024.

The Disaster assistance and emergency relief for individuals and businesses page has details on other returns, payments and tax-related actions qualifying for relief during the postponement period.

The IRS automatically provides filing and penalty relief to any taxpayer with an IRS address of record located in the disaster area. These taxpayers do not need to contact the agency to get this relief.

It is possible an affected taxpayer may not have an IRS address of record located in the disaster area, for example, because they moved to the disaster area after filing their return. In these unique circumstances, the affected taxpayer could receive a late filing or late payment penalty notice from the IRS for the postponement period. The taxpayer should call the number on the notice to have the penalty abated.

In addition, the IRS will work with any taxpayer who lives outside the disaster area but whose records necessary to meet a deadline occurring during the postponement period are located in the affected area. Taxpayers qualifying for relief who live outside the disaster area need to contact the IRS at 866-562-5227. This also includes workers assisting the relief activities who are affiliated with a recognized government or philanthropic organization. Disaster area tax preparers with clients located outside the disaster area can choose to use the bulk requests from practitioners for disaster relief option, described on IRS.gov.

Additional tax relief

Individuals and businesses in a federally declared disaster area who suffered uninsured or unreimbursed disaster-related losses can choose to claim them on either the return for the year the loss occurred (in this instance, the 2024 return normally filed next year), or the return for the prior year (the 2023 return filed this year). Taxpayers have extra time – up to six months after the due date of the taxpayer’s federal income tax return for the disaster year (without regard to any extension of time to file) – to make the election. For individual taxpayers, this means Oct. 15, 2025. Be sure to write the FEMA declaration number – 4798-DR − on any return claiming a loss. See Publication 547, Casualties, Disasters, and Thefts, for details.

Qualified disaster relief payments are generally excluded from gross income. In general, this means that affected taxpayers can exclude from their gross income amounts received from a government agency for reasonable and necessary personal, family, living or funeral expenses, as well as for the repair or rehabilitation of their home, or for the repair or replacement of its contents. See Publication 525, Taxable and Nontaxable Income, for details.

Additional relief may be available to affected taxpayers who participate in a retirement plan or individual retirement arrangement (IRA). For example, a taxpayer may be eligible to take a special disaster distribution that would not be subject to the additional 10% early distribution tax and allows the taxpayer to spread the income over three years. Taxpayers may also be eligible to make a hardship withdrawal. Each plan or IRA has specific rules and guidance for their participants to follow.

The IRS may provide additional disaster relief in the future.

The tax relief is part of a coordinated federal response to the damage caused by these storms and is based on local damage assessments by FEMA. For information on disaster recovery, visit DisasterAssistance.gov.

‍

Identity thieves are taking numerous approaches to steal sensitive information from tax professionals. This includes posing as new clients; using phishing emails to trick people into sharing Central Authorization File information as well elaborate schemes involving calling and texting. Tax professionals need to be on the lookout to avoid falling prey to these attacks, which threaten not just their clients but their businesses.

“As the Security Summit partners have continued to improve our defenses against identity theft, thieves have upped their game by targeting tax professionals to get valuable information needed to file authentic-looking tax returns,” IRS Commissioner Danny Werfel said. “Tax professionals need to watch out for deviously clever scams that can masquerade as new clients as well as communications from the IRS or others in the tax community. We continue to see tax professionals bombarded by these scams, and people shouldn’t let their defenses down.”

The alert comes as part of an annual education effort by the Security Summit partners, a coalition of tax professionals, industry partners, state tax groups and the IRS. Started in 2015, the public-private partnership works to protect the tax system against tax-related identity theft and fraud.

This marks the opening week of a special Security Summit summer news release series called Protect Your Clients; Protect Yourself. The campaign is aimed at increasing awareness among tax professionals on ways to shield themselves and their clients from identity theft and security threats.

Now in its ninth year, the Protect Your Clients; Protect Yourself series will feature news releases each Tuesday for eight weeks. The series coincides with the Nationwide Tax Forum, a three-day seminar starting today in Chicago and continues with sessions the week of July 30 in Orlando, August 13 in Baltimore, August 20 in Dallas and September 10 in San Diego. The IRS reminds tax pros that registration deadlines are quickly approaching for several of the forums, and Chicago and Orlando are already sold out.

The IRS forums will feature several specific sessions to help educate the tax professional community on security-related topics. Tax professionals will hear from experts at the IRS, the tax professional community as well as a special session from the Salve Regina University’s Pell Center from Rhode Island. The entire news release series will be available in Spanish as well.

As part of this effort, the IRS and Security Summit partners are warning against the most recent wave of activity coming from tax scammers. Here are some trending examples that tax professionals should watch out for:

Beware of the “new client” scheme

In this form of so-called spear phishing, fraudsters pretend to be real taxpayers seeking tax pros’ help with their taxes. They use emails to try to get sensitive information or gain access to a practitioner’s client data. In these fake “new client” schemes, the fraudster can send a malicious attachment or include a link to a site that the tax professional thinks they need to access to obtain the supposed new client’s tax information. But in reality, the site is collecting information from the tax pro, such as their email and password, or loading malware onto the tax pro’s computer to gain access to their computer or system.

While not a fresh scam, the IRS continues seeing activity this year. It remains an ongoing threat that can be alluring to a tax professional or a practice’s employees seeking new business. And while this fake outreach can peak around tax season, this sort of scam remains a threat year-round.

Look out for multiple phishing scams involving EFINs, PTINs, CAF numbers

Another scam circulating on a large scale this year involves phishing attempts by scammers trying to obtain various identification numbers used by tax professionals, including their Electronic Filing Identification Number or EFIN; EFIN documents; their Preparer Tax Identification Number or PTIN; and their Centralized Authorized File or CAF number.

Obtaining these digits helps a bad actor obtain information and file a fraudulent return that looks legitimate. Scammers are trying to get these sensitive identification numbers by sending emails or texts that appear to be from the IRS. The scammers tell tax pros they need to confirm this information by entering it into a form that was hosted on what appears to be a real IRS website, but in reality is a fake website designed to mimic the real thing.

For example, a fraudster with a compromised CAF number in hand can use it to obtain tax transcripts and other sensitive taxpayer personally identifiable information (PII) to commit identity theft refund fraud and other crimes. In many cases, the fraudster has not only obtained a practitioner’s CAF number but also has the tax professional’s sensitive personal information.

Watch and listen for phone, text and correspondence schemes

Tax professionals should also be aware of another wave of scams hitting taxpayers with frequency, with identity thieves using phone calls and text messages to get Social Security numbers, birth dates and banking information from victims. Several of these schemes are common right now that can target not just taxpayers, but potentially tax professionals and their clients, including:

• Artificial intelligence or AI scams used for false correspondence, with AI being used to create fake IRS letters that are mailed to victims.
• The so-called Zero Tax program, in which callers promise to wipe out tax debt for people who owe back taxes. The callers request people’s Social Security numbers as part of their pitch, which they use for nefarious purposes. Tax professionals should watch out for clients reporting this scheme.
• Social media scams circulating inaccurate or misleading tax information that can involve creating common tax documents that are false like a Form W-2 or claiming credits to which the taxpayer is not entitled like the Fuel Tax Credit, Sick and Family Leave Credit and household employment credits.
• Scammers reaching out by phone or text message to dupe people into handing over sensitive financial information in exchange for a false promise of IRS money for them.

Ways to avoid and report scams

People that receive scams by email should send the email to phishing@irs.gov. As a reminder, people can forward the message, but IRS cybersecurity experts prefer to see the full email header to help them identify the scheme.

For tax professionals who discover they are victims of a security breach, they should contact their IRS Stakeholder Liaison to report a theft. The local IRS Stakeholder Liaison will ensure the appropriate IRS offices are alerted. If incidents are reported quickly, the IRS can take steps to block fraudulent returns in the clients’ names and will assist tax pros through the process.

Tax professionals can also share information with the appropriate state tax agency by visiting a special Report a Data Breach page with the Federation of Tax Administrators.

Tax professionals should also understand the Federal Trade Commissioner data breach response requirements PDF as part of their overall information and data security plan. The new Written Information Security Plan, or WISP, that tax pros are required to have also notes there’s a new requirement to report an incident to the FTC when 500 or more people are affected within 30 days of the incident.

‍

The law with respect to the schedule or classification of marijuana has not changed. Taxpayers seeking a refund of taxes paid related to Internal Revenue Code Section 280E by filing amended returns are not entitled to a refund or payment.

Although the law has not changed, some taxpayers are filing amended returns. The grounds for filing such claims vary, but these claims are not valid. The IRS is taking steps to address these claims.

Section 280E disallows all deductions or credits for any amount paid or incurred in carrying on any trade or business that consists of illegally trafficking in a Schedule I or II controlled substance within the meaning of the federal Controlled Substances Act.

This applies to businesses that sell marijuana, even if they operate in states that have legalized the sale of marijuana. Section 280E does not, however, prohibit a participant in the marijuana industry from reducing its gross receipts by its properly calculated cost of goods sold to determine its gross income.

On May 21, 2024, the Justice Department published a notice of proposed rulemaking with the Federal Register to initiate a formal rulemaking process to consider rescheduling marijuana under the Controlled Substances Act. Until a final rule is published, marijuana remains a Schedule I controlled substance and is subject to the limitations of Internal Revenue Code Section 280E.

The IRS has an existing set of frequently asked questions and other information related to the cannabis industry on IRS.gov.

‍

These final regulations reflect consideration of more than 44,000 public comments received last fall on the proposed regulations. They require brokers to report certain sale and exchange transactions that take place beginning in calendar year 2025 and will be reported on the soon-to-be released Form 1099-DA. The regulations implement reporting requirements by the Infrastructure Investment and Jobs Act, enacted in 2021.

“We reviewed thousands of public comments and believe this new guidance addresses those concerns while striking a balance between industry implementation challenges and closing the tax gap related to digital assets,” said IRS Commissioner Danny Werfel. “These regulations are an important part of the larger effort on high-income individual tax compliance. We need to make sure digital assets are not used to hide taxable income, and these final regulations will improve detection of noncompliance in the high-risk space of digital assets. Our research and experience demonstrate that third-party reporting improves compliance. In addition, these regulations will provide taxpayers with much needed information, which will reduce burden and simplify the process of reporting their digital asset activity.”

“Our work to address potential non-compliance in digital currency is another reason why it is so critical to fully fund IRS operations,” Werfel added. “These new assets expand the complexity of our tax system, and the technology and personnel necessary for the IRS to keep pace with these changes is resource intensive. Ultimately, this IRS funding helps address emerging issues and creates significantly more savings than costs to the government’s bottom line.”

The final regulations require reporting by brokers who take possession of the digital assets being sold by their customers. These brokers include operators of custodial digital asset trading platforms, certain digital asset hosted wallet providers, digital asset kiosks, and certain processors of digital asset payments (PDAPs). The majority of digital asset transactions today occur using these brokers. By focusing first on this group, the IRS intends these regulations to cover the greatest number of taxpayers while allowing the IRS and U.S. Treasury Department more time to consider the nuances of transactions involving non-custodial and decentralized brokers.

The final regulations do not include reporting requirements for brokers that do not take possession of the digital assets being sold or exchanged. These brokers are commonly called decentralized or non-custodial brokers. The U.S. Treasury Department and the IRS intend to provide rules for these brokers in a different set of final regulations.

In addition to the broker reporting rules, the regulations provide rules for taxpayers to determine their basis, gain, and loss from digital asset transactions. The regulations also provide backup withholding rules.

The IRS is aware of the challenges that implementing new reporting requirements can pose, which is why the agency is also providing transitional and penalty relief from reporting and backup withholding rules on certain transactions to help phase-in implementation.

Real estate professionals are also required to report the fair market value of digital assets paid by buyers and received by sellers in real estate transactions with closing dates on or after January 1, 2026.

The final regulations provide for an optional, aggregate reporting method for certain sales of stablecoins and certain non-fungible tokens (NFTs) applicable only after sales of these stablecoins and NFTs exceed de minimis thresholds. For PDAP transactions, the regulations require reporting on a transactional basis only if the customer’s sales are above a de minimis threshold.

Finally, basis reporting will be required by certain brokers, for transactions occurring on or after January 1, 2026.

Additional guidance to provide transitional relief regarding digital asset transactions includes:

Transitional relief

Notice 2024-56 PDF provides general transitional relief from reporting penalties and backup withholding for any broker who does not timely and accurately file information returns and furnish payee statements for sales and exchanges of digital assets during calendar year 2025, provided that the broker makes a good faith effort to comply with the reporting obligations. Additionally, the notice provides more limited relief from backup withholding for certain sales of digital assets during 2026 for brokers using the IRS’s TIN-matching system in place of certified TINs. Finally, the Notice also provides backup withholding relief for exchanges of digital assets in return for specified NFTs and real property and for certain sales effected by PDAPs.

Delay on information reporting for certain transactions until future guidance is issued

Notice 2024-57 PDF informs brokers that until the U.S. Treasury Department and the IRS issue further guidance, brokers will not have to file information returns or furnish payee statements on digital asset sales and exchanges for the following six types of transactions:

1. Wrapping and unwrapping transactions,
2. Liquidity provider transactions,
3. Staking transactions,
4. Transactions described by digital asset market participants as lending of digital assets,
5. Transactions described by digital asset market participants as short sales of digital assets, and
6. Notional principal contract transactions.

‍