Tax Pros Alert: EFIN Scams Don’t Sleep — Spot, Report & Lock Down Now (Tax Tip 2025-57)

Updated: Aug 18, 2025

A new IRS Tax Tip warns of a phishing scheme where criminals pose as tax software providers and try to trick preparers into faxing their EFIN. Here’s the playbook to stop it, report it, and protect your clients.

How the EFIN scam works

The hook

Scammers impersonate your tax software provider and ask you to fax your EFIN “for verification.” Once obtained, they can steal client data and e-file fraudulent returns for refunds.

Targets & data

They often also phish for PTIN, EFIN, and e-Services usernames/passwords to take over your practice systems.

Bottom line: Never send EFIN or credentials by email or fax based on an unsolicited message.

Source: IRS Tax Tip 2025-57.

If you receive an EFIN phishing email: do this

Do not reply, click links, open attachments, or fax anything.
Preserve the email: forward as an attachment (with full headers) to [email protected].
Notify your software provider named in the email (account security team).
Alert TIGTA (IRS impersonation hotline) and your local IRS Stakeholder Liaison if data theft may have occurred.

Report phishing to IRS Report IRS impersonation (TIGTA) Read Tax Tip 2025-57

Forwarding as an attachment keeps the email headers intact. If you can’t capture headers, include the original email and any malicious URLs.

How to report it — and why it matters

Where	What to send	Why
IRS phishing ([email protected])	Forward the scam email as an attachment with full headers and any URLs	Helps IRS warn providers and block malicious infrastructure
TIGTA (hotline / web)	Details of the impersonation (sender, content, requested data)	Opens an IRS-related impersonation case where appropriate
Your software provider	Copy of the message; affected usernames/emails	Lets them investigate spoofing and protect other customers
IRS Stakeholder Liaison	If client data may be at risk, contact your local Liaison ASAP	IRS can take steps to block fraudulent returns and guide your next steps

The only correct way to share EFIN information

Legitimate EFIN verification requests are handled inside your tax software provider’s secure portal — never by replying to random emails or sending faxes. Always sign in directly to the vendor site (don’t use email links) and verify the request with support before uploading anything.

Security hardening checklist (15 minutes)

Accounts & access

Turn on MFA for tax software, cloud storage, email, and IRS e-Services.
Require unique passwords + a password manager for staff.
Review who has access to EFIN/IRM data; remove stale accounts.

Training & testing

Run a quick phishing drill on “software verification” requests.
Post a one-pager: “We never fax EFINs. All verifications happen in the portal.”

Client protection

Encourage IP PINs for vulnerable clients to prevent fraudulent e-filing.
Have an incident plan: who to call, what to isolate, how to notify.

Pro tip: Bookmark the IRS’s “Identity Theft Information for Tax Professionals” hub and review it each season-opening and quarterly thereafter.

Quick links & resources

Artificial Intelligence Generated Content

Welcome to Ourtaxpartner.com, where the future of content creation meets the present. Embracing the advances of artificial intelligence, we now feature articles crafted by state-of-the-art AI models, ensuring rapid, diverse, and comprehensive insights. While AI begins the content creation process, human oversight guarantees its relevance and quality. Every AI-generated article is transparently marked, blending the best of technology with the trusted human touch that our readers value. Disclaimer for AI-Generated Content on Ourtaxpartner.com : The content marked as "AI-Generated" on Ourtaxpartner.com is produced using advanced artificial intelligence models. While we strive to ensure the accuracy and relevance of this content, it may not always reflect the nuances and judgment of human-authored articles. Ourtaxparter.com / PEAK BCS VENTURES INDIA PPRIVATE LIMITED and its team do not guarantee the completeness, reliability and accuracy of AI-generated content and advise readers to use it as a supplementary resource. We encourage feedback and will continue to refine the integration of AI to better serve our readership.