
10 Reasons Your Small Business IT Isn’t Ready for 2026 Tax Scams (And How to Fix It)

Tax season has always been “phishing season,” but 2026 is shaping up to be a step-change year: more AI-written scams, more look‑alike domains, more “urgent payroll update” requests, and more pressure on small teams to move fast. If you’re a small business in Genesee County, or you run a school or church office handling donations, payroll, and vendor payments, your risk is the same as a larger organization, just with fewer layers of defense.

Use this post like a checklist. Scan the headings and circle the ones that feel uncomfortably familiar. Then treat each fix like a mini project: assign an owner, set a deadline, and verify completion (not just “we should do that”).

“Security isn’t a product you buy once. It’s a habit you practice under pressure, exactly when scammers want you to slip.”


Reason #1: You don’t have a security owner (so gaps stay invisible)

What’s happening: In many small businesses, “IT” is a side job. During tax season, everyone is moving fast, HR is pushing W‑2s, accounting is closing books, leadership is approving payments. When nobody owns security, critical basics (patching, access reviews, phishing drills) get skipped until something breaks.

How to fix it (do this now):

  • Name a security owner (even if it’s part-time). Give them authority to enforce changes.
  • Block 10–15 hours per week during tax season for security work: patching, access audits, backup verification, phishing review.
  • If you can’t staff it, outsource it to a managed provider so it doesn’t die on the vine when things get busy.

This is where a structured approach like managed services becomes practical rather than optional: your goal is consistency under stress. Learn more at: https://www.clearpath360.org/managed-services


Reason #2: You don’t have a written security plan (so you can’t respond fast)

What’s happening: When a tax scam lands, the first 30 minutes matter. If your team is debating what to do, who to call, and what to shut off, you’ll lose time, and time is money.

How to fix it (keep it simple and usable):

  • Create a one-page “Tax Season Incident Card.” Put it in a shared location and print it.
  • Include: who to contact, how to isolate a device, how to reset passwords, where backups live, how to freeze payments, and who talks to staff/customers.
  • Balance detail against speed; the card is for action, not perfection.

Treat this plan as the backbone of the sections that follow. Every control you add should connect back to how you prevent, detect, and recover.


Reason #3: Your financial data is scattered everywhere

What’s happening: Tax documents end up in inboxes, desktops, USB drives, random “2025 taxes FINAL v7” folders, and personal laptops. Scammers love this because scattered data is hard to protect and easy to leak.

How to fix it (make storage boring on purpose):

  • Use one secure system of record for tax and finance files (not email).
  • Create clear folders: Payroll, Banking, Vendor W‑9s, Prior Returns, Donation Statements (for churches), Student/Grant Finance (for schools).
  • Restrict permissions so only the people who need access have it.
  • Set retention rules so old sensitive files don’t live forever.

This is where your documentation discipline pays off: when a “CFO” email asks for “last year’s return,” your team knows exactly where that file lives, and that it never leaves the system of record as an email attachment.


Reason #4: MFA isn’t enabled everywhere it matters (or it’s easy to bypass)

What’s happening: Passwords get stolen constantly. Tax season scams often don’t “hack” you; they log in as you. If MFA is missing on payroll, email, banking, or your accounting platform, one phish can turn into direct deposit fraud or a ransomware incident.

How to fix it (prioritize high-impact accounts first):

  • Turn on MFA for: email, payroll, banking, accounting, cloud storage, and any remote access.
  • Use authenticator apps or, better, phishing-resistant methods such as FIDO2 security keys or passkeys. SMS codes are the weakest option, and even app codes and push prompts can be relayed by a convincing fake login page or approved by mistake, so a prompt nobody requested should be denied and reported.
  • Make it a policy: nobody shares MFA codes, ever. Not with “IT,” not with “payroll support,” not with “the bank.”

If you only do one thing this week, do this. Then keep going, because MFA is strongest when paired with good access control and monitoring.


Reason #5: You still share sensitive documents via regular email

What’s happening: “Can you send me the 941s and the employee list?” sounds normal, until it’s an attacker impersonating your CPA, bookkeeper, or a tax software “support agent.” Email is easy to spoof, easy to mis-send, and hard to claw back.

How to fix it (replace risky habits):

  • Move tax document exchange to a secure portal or encrypted file share.
  • Use a verification step before sending anything sensitive: call a known number, not the one in the email.
  • Set a rule: no SSNs, W‑2s, bank details, or login links sent as email attachments.

If you want a practical place to start, tighten your inbound filtering and impersonation defenses: https://www.clearpath360.org/email-spam-protection


Reason #6: Your patching is reactive (which creates predictable openings)

What’s happening: Tax season attackers don’t need “zero-days” if your systems are behind on updates. Unpatched browsers, PDF readers, Office apps, and firewall firmware create easy entry points, especially when staff are clicking on “urgent IRS forms.”

How to fix it (build a routine, not a scramble):

  • Set patch windows weekly for workstations and monthly for network devices, and patch out of cycle when a vendor flags a bug as actively exploited.
  • Standardize devices where you can; mixed hardware and “mystery laptops” make patching chaos.
  • Track exceptions (the one computer running the “special app”) and isolate it if it can’t be updated.

This is where your IT management should feel like a system: predictable, measurable, and boring. Boring is good, because boring is stable.


Reason #7: Your backups exist… but they aren’t tested (or aren’t recoverable)

What’s happening: Ransomware and account takeovers spike during tax season because criminals know what your files are worth right now. Many businesses discover their backups are incomplete, overwritten, or encrypted alongside production data.

How to fix it (make backups a recovery plan, not a checkbox):

  • Use the 3-2-1 idea: 3 copies of data, 2 different media, 1 offsite copy that is immutable (cannot be changed or deleted even by a compromised admin account).
  • Back up the right things: accounting data, payroll exports, tax docs, email, and cloud drive content.
  • Test restores monthly: pick a file, restore it, and confirm it opens and matches the original. Time how long it takes.
  • Protect backups from admin takeover with separate credentials and MFA.
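A restore drill only proves something if the restored file is checked against what was backed up, not merely that a file came back. The script below is an added example for this post, not ClearPath360’s tooling: it writes a SHA-256 manifest at backup time, restores a random sample, compares hashes and times the run. All paths and file names are constructed; build_demo() fabricates a small backup set in a temp directory with one silently altered file and one missing file so both failure modes show up in the report.

```python
"""Monthly restore drill: restore a sample from the backup set, prove each file is
byte-for-byte what was backed up, and report how long it took.

Added example for this post (not the provider's tooling). build_demo() creates a
constructed backup set in a temp directory so the script runs offline.
"""
import hashlib
import json
import random
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_root):
    """Record a hash for every file at backup time and store it beside the backup.
    Keep a second copy of the manifest elsewhere: a manifest an attacker can rewrite
    along with the data proves nothing."""
    manifest = {
        str(p.relative_to(backup_root)).replace("\\", "/"): sha256_file(p)
        for p in backup_root.rglob("*") if p.is_file() and p.name != MANIFEST
    }
    (backup_root / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def restore_drill(backup_root, restore_to, sample_size=3, seed=None):
    """Restore a random sample and verify each file against the manifest."""
    manifest = json.loads((backup_root / MANIFEST).read_text())
    rng = random.Random(seed)
    sample = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    result = {"ok": [], "corrupt": [], "missing": [], "seconds": 0.0}
    start = time.perf_counter()
    for rel in sample:
        src = backup_root / rel
        if not src.is_file():
            result["missing"].append(rel)  # the backup job silently dropped it
            continue
        dst = restore_to / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        bucket = "ok" if sha256_file(dst) == manifest[rel] else "corrupt"
        result[bucket].append(rel)
    result["seconds"] = round(time.perf_counter() - start, 3)
    return result


def build_demo():
    """Constructed demo set: four finance files, then the two failure modes a drill is
    meant to catch, a silently altered file and a file missing from the set."""
    root = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    backup = root / "backup"
    files = {
        "Payroll/2025-Q4-941.pdf": b"%PDF-1.7 constructed 941 content",
        "Banking/2026-01-statement.csv": b"date,payee,amount\n2026-01-15,Acme,1200.00\n",
        "Prior Returns/2024-return.pdf": b"%PDF-1.7 constructed return",
        "Vendor W-9s/acme.pdf": b"%PDF-1.7 constructed W-9",
    }
    for rel, data in files.items():
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        (backup / rel).write_bytes(data)
    write_manifest(backup)
    # Tamper after the manifest exists, as bit rot or a partial overwrite would.
    (backup / "Banking/2026-01-statement.csv").write_bytes(b"date,payee,amount\n2026-01-15,Acme,12000.00\n")
    (backup / "Vendor W-9s/acme.pdf").unlink()
    return backup, root / "restore"


if __name__ == "__main__":
    backup, restore_to = build_demo()
    print(json.dumps(restore_drill(backup, restore_to, sample_size=4, seed=1), indent=1))
```

Run it against a real backup by pointing restore_drill() at the backup root and a scratch restore directory; anything in the corrupt or missing lists is a finding for the owner from Reason #1, and the seconds figure is the number to compare against the downtime you can tolerate.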

If you need a straight path here, start with a formal backup and recovery service: https://www.clearpath360.org/data-backup-and-recovery

“Backups don’t prove you’re safe. Restores prove you can survive.”

As you move toward access control and monitoring, keep your recovery goal in mind: reduce downtime, reduce data loss, and keep payroll and operations moving.


Reason #8: Remote access is too open (and nobody is watching the logs)

What’s happening: Remote work is normal, especially for owners, bookkeepers, and volunteers supporting churches and school offices after hours. But “quick access” often becomes “permanent access,” and permanent access becomes an attacker’s favorite door.

How to fix it (tighten the edges):

  • Inventory all remote access paths: VPN, RDP, remote support tools, cloud admin portals.
  • Require MFA for remote access, no exceptions.
  • Use least privilege: bookkeepers don’t need global admin; volunteers don’t need payroll.
  • Review sign-in logs weekly during tax season and look for: impossible travel, late-night logins, new devices, repeated failures.
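The weekly log review above is easier to keep doing if it is a script rather than a scroll through a portal. The following is an added example for this post (not ClearPath360’s tooling) that reads a JSON-lines sign-in export and flags the four patterns listed: impossible travel (great-circle distance divided by elapsed time), after-hours logins, first-seen devices, and bursts of failures, with a note when a success follows the burst. The field names, the sample events, the known-device baseline and the US Eastern time zone are assumptions; map them to whatever your identity provider exports.

```python
"""Weekly sign-in review for the four patterns listed above.

Added example for this post (not the provider's tooling). Runs offline over a
constructed sample export; swap SAMPLE_LOG for your own JSON-lines export.
"""
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=-5))   # assumption: US Eastern, standard time during filing season
MAX_PLAUSIBLE_KMH = 900                    # faster than an airliner between two sign-ins = impossible travel
MIN_DISTANCE_KM = 50                       # ignore IP-geolocation jitter inside the same city
AFTER_HOURS = (22, 6)                      # flag successful logins from 22:00 up to 06:00 local
FAIL_THRESHOLD = 5                         # this many failures ...
FAIL_WINDOW = timedelta(minutes=10)        # ... inside this window = password guessing

# Constructed sample (NOT real logs). One JSON object per line, a trimmed-down
# version of what Entra ID or Google Workspace sign-in exports contain.
SAMPLE_LOG = """\
{"ts":"2026-02-10T14:02:11Z","user":"bookkeeper@example.org","ip":"198.51.100.7","lat":43.01,"lon":-83.69,"device":"LAPTOP-BK01","result":"success"}
{"ts":"2026-02-10T14:41:02Z","user":"bookkeeper@example.org","ip":"203.0.113.44","lat":52.52,"lon":13.40,"device":"android-generic","result":"success"}
{"ts":"2026-02-11T07:15:30Z","user":"payroll@example.org","ip":"198.51.100.7","lat":43.01,"lon":-83.69,"device":"DESKTOP-PR02","result":"success"}
{"ts":"2026-02-11T13:00:00Z","user":"pastor@example.org","ip":"192.0.2.9","lat":43.01,"lon":-83.69,"device":"iPhone-pastor","result":"failure"}
{"ts":"2026-02-11T13:01:10Z","user":"pastor@example.org","ip":"192.0.2.9","lat":43.01,"lon":-83.69,"device":"iPhone-pastor","result":"failure"}
{"ts":"2026-02-11T13:02:20Z","user":"pastor@example.org","ip":"192.0.2.9","lat":43.01,"lon":-83.69,"device":"iPhone-pastor","result":"failure"}
{"ts":"2026-02-11T13:03:30Z","user":"pastor@example.org","ip":"192.0.2.9","lat":43.01,"lon":-83.69,"device":"iPhone-pastor","result":"failure"}
{"ts":"2026-02-11T13:04:40Z","user":"pastor@example.org","ip":"192.0.2.9","lat":43.01,"lon":-83.69,"device":"iPhone-pastor","result":"failure"}
{"ts":"2026-02-11T13:05:50Z","user":"pastor@example.org","ip":"192.0.2.9","lat":43.01,"lon":-83.69,"device":"iPhone-pastor","result":"success"}
{"ts":"2026-02-12T15:30:00Z","user":"office@example.org","ip":"198.51.100.7","lat":43.01,"lon":-83.69,"device":"DESKTOP-OF01","result":"success"}
"""

# Constructed baseline of devices seen in earlier weeks; build yours from last month's export.
KNOWN_DEVICES = {
    "bookkeeper@example.org": {"LAPTOP-BK01"},
    "payroll@example.org": {"DESKTOP-PR02"},
    "pastor@example.org": {"iPhone-pastor"},
    "office@example.org": {"DESKTOP-OF01"},
}


def parse(log_text):
    """Parse JSON lines, convert timestamps to local time, sort chronologically."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).astimezone(LOCAL_TZ)
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def review(events, known_devices):
    """Return (user, finding_type, detail) tuples for the four patterns."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        seen = set(known_devices.get(user, ()))
        fail_times = [e["ts"] for e in evs if e["result"] != "success"]
        ok_events = [e for e in evs if e["result"] == "success"]

        # Repeated failures: FAIL_THRESHOLD or more inside FAIL_WINDOW. A success shortly
        # after the burst is the worst case: the guessing probably worked.
        for i, t in enumerate(fail_times):
            burst = [u for u in fail_times[i:] if u - t <= FAIL_WINDOW]
            if len(burst) >= FAIL_THRESHOLD:
                followed = any(timedelta(0) <= e["ts"] - burst[-1] <= FAIL_WINDOW for e in ok_events)
                findings.append((user, "repeated_failures",
                                 f"{len(burst)} failures from {t:%Y-%m-%d %H:%M} local"
                                 + (", followed by a success" if followed else "")))
                break

        prev = None
        for e in ok_events:
            if e["ts"].hour >= AFTER_HOURS[0] or e["ts"].hour < AFTER_HOURS[1]:
                findings.append((user, "after_hours_login", f"{e['ts']:%Y-%m-%d %H:%M} local from {e['ip']}"))
            if e["device"] not in seen:
                findings.append((user, "new_device", f"{e['device']} first seen {e['ts']:%Y-%m-%d} from {e['ip']}"))
                seen.add(e["device"])
            if prev is not None:
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                    findings.append((user, "impossible_travel",
                                     f"{km:,.0f} km in {hours * 60:.0f} min ({prev['ip']} -> {e['ip']})"))
            prev = e
    return findings


if __name__ == "__main__":
    for user, kind, detail in review(parse(SAMPLE_LOG), KNOWN_DEVICES):
        print(f"{kind:20} {user:26} {detail}")
```

Run weekly against the export and hand the output to the security owner from Reason #1. A hit on the sample data means, for instance, that the bookkeeper logged in from two continents 39 minutes apart on an unfamiliar device, the payroll account signed in at 02:15, and the pastor’s account saw five failures in five minutes followed by a success, which is the one to call about first.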

This is where professional monitoring matters: detection is what turns an incident into a near-miss instead of a headline. Explore options here: https://www.clearpath360.org/network-security


Reason #9: Your team isn’t trained for AI-driven phishing and “behavioral” scams

What’s happening: 2026 scams aren’t always sloppy. They’re well-written, personalized, and timed perfectly, because AI makes it cheap to tailor messages. Add urgency (“we need this before the deadline”) and authority (“the IRS,” “your bank,” “your pastor,” “the superintendent”), and good people make rushed decisions.

How to fix it (coach behavior, don’t just warn):

  • Run 10-minute micro-trainings weekly through April: one scenario, one rule, one practice rep.
  • Teach staff to slow down on money movement: direct deposit changes, new payees, wire requests, gift card requests.
  • Use scripts your team can follow:
    • “I can’t act on email-only requests for payroll changes.”
    • “I’m going to call you back using the number we already have on file.”
    • “Please submit that through our portal.”

Add a simple “Tax Season Verification Rule”:

  • Any request involving W‑2s, employee lists, ACH changes, bank info, or vendor payment changes requires a second channel verification (phone call or in-person) plus manager approval.

This is where you build a security culture that holds up under pressure. Scams win when your team feels rushed and alone; make people feel supported and empowered to pause.


Reason #10: You’re focused on filing… but not on monitoring (so fraud can linger)

What’s happening: Many businesses treat tax work as a sprint: file, exhale, move on. Scammers count on that. If an attacker gained access during tax season, the damage may show up later: new payees, account rule changes, altered payroll settings, or vendor invoice fraud.

How to fix it (extend your attention span by 30 days):

  • Monitor bank activity daily during filing windows (set alerts for new payees, large transfers, ACH changes).
  • Check payroll audit logs weekly for new accounts, changed routing numbers, admin role changes.
  • Review mailbox forwarding settings and inbox rules (a common persistence tactic: resetting the password does not remove a rule that keeps copying mail to the attacker).
  • Keep IRS/state notices visible: don’t let them sit unopened in a shared mailbox.
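Forwarding rules are worth scripting because a password reset does not remove them. The checker below is an added example for this post (not ClearPath360’s tooling). It reads admin audit records shaped like Exchange Online’s (an Operation plus Name/Value cmdlet parameters) and flags rules or mailbox settings that forward or redirect outside your domains, delete the forwarded copy, have blank or punctuation-only names, or bury finance-related mail in folders nobody opens. The records and the example.org / example.net domains are constructed; set INTERNAL_DOMAINS to your own.

```python
"""Review mailbox forwarding and inbox rules for post-compromise persistence.

Added example for this post (not the provider's tooling). Offline, over a
constructed sample; in practice feed it the records exported from your mail
platform's admin audit log.
"""
import re

INTERNAL_DOMAINS = {"example.org"}   # assumption: the mail domains your organisation owns

# Folders attackers route replies into so the mailbox owner never sees them.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items", "Junk Email", "Archive", "Conversation History"}
FINANCE_WORDS = ("invoice", "payment", "wire", "ach", "payroll", "w-2", "w2", "direct deposit", "routing", "irs")
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress")

# Constructed sample (NOT real records), shaped like Exchange Online admin audit
# events: who did it, which cmdlet, and the cmdlet's parameters as Name/Value pairs.
SAMPLE_AUDIT = [
    {"CreationTime": "2026-02-10T14:44:01", "UserId": "bookkeeper@example.org", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": ".."},
                    {"Name": "ForwardTo", "Value": "mail-archive@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-02-11T09:12:30", "UserId": "payroll@example.org", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;W-2"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-02-11T23:05:12", "UserId": "admin@example.org", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "owner@example.org"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:finance-backup@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2026-02-12T08:00:00", "UserId": "office@example.org", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2026-02-12T08:30:00", "UserId": "pastor@example.org", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Copy to office"},
                    {"Name": "RedirectTo", "Value": "office@example.org"}]},
]


def params(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def domain_of(address):
    address = address.strip().lower().removeprefix("smtp:")
    return address.rsplit("@", 1)[1] if "@" in address else ""


def is_external(value):
    """Values may be ';'-separated lists; any address outside our domains counts."""
    return any(domain_of(a) and domain_of(a) not in INTERNAL_DOMAINS for a in value.split(";"))


def assess(record):
    """Return the reasons this record deserves a human look (empty list = looks benign)."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
        return []
    p = params(record)
    reasons = []
    for key in FORWARDING_PARAMS:
        if key in p and is_external(p[key]):
            reasons.append(f"{key} sends mail outside the organisation: {p[key]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True hides the forwarded copy from the owner")
    if "Name" in p and not p["Name"].strip(" ._-"):
        reasons.append(f"rule name {p['Name']!r} is blank or punctuation only")
    text = " ".join(p.get(k, "") for k in ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")).lower()
    hits = sorted(w for w in FINANCE_WORDS if re.search(rf"\b{re.escape(w)}\b", text))
    buried = p.get("MoveToFolder") in HIDING_FOLDERS or p.get("MarkAsRead", "").lower() == "true"
    if hits and buried:
        reasons.append(f"finance keywords {hits} moved to {p.get('MoveToFolder', '?')} / marked read")
    return reasons


def review_audit(records):
    """Map each actor to the reasons their rule or mailbox changes were flagged."""
    flagged = {}
    for r in records:
        reasons = assess(r)
        if reasons:
            flagged.setdefault(r["UserId"], []).extend(f"{r['CreationTime']} {r['Operation']}: {x}" for x in reasons)
    return flagged


if __name__ == "__main__":
    for user, reasons in review_audit(SAMPLE_AUDIT).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

In Exchange Online the live records come from Search-UnifiedAuditLog, and the rules currently in force on a mailbox can be listed with Get-InboxRule; other platforms export comparable admin-activity logs. Whatever the source, treat a flagged rule on a payroll or finance mailbox as an incident, not a cleanup item: remove the rule, reset the credential, revoke sessions, and then look for what was read or sent while it was active.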

As you move from prevention to detection, think in cycles: the goal isn’t “never get targeted.” The goal is “spot it fast, contain it, recover cleanly.”


Bonus: Don’t ignore the physical side (tax season scams can be paired with onsite risk)

Most businesses think “tax scam” equals “email.” But in 2026, blended threats are common: social engineering plus in-person distraction, tailgating, and opportunistic theft, especially in public-facing environments like schools and churches.

Start with front-door habits:

  • Require sign-in and visible badges for visitors and vendors.
  • Keep sensitive printing secure (no payroll docs sitting on a copier).
  • Use cameras strategically at entrances, office hallways, and front counters. This helps deter theft, supports investigations, and strengthens overall safety culture.

If you’re in Genesee County and you care about community safety, this is also where modern surveillance supports broader public safety initiatives. ClearPath360’s Intelligent Sentry theme is about combining cybersecurity thinking (detect, verify, respond) with physical security tools like intelligent cameras and real-time monitoring.

Use this space to evaluate whether your cameras are simply recording or actually helping you detect and respond.


A practical “2026 Tax Scam Readiness” checklist (copy this into your notes)

Do these in order; each step creates momentum for the next:

  1. Assign a security owner and block weekly time.
  2. Write a one-page incident plan for tax season.
  3. Centralize finance/tax documents and lock down permissions.
  4. Enable MFA on email, payroll, banking, accounting, cloud storage.
  5. Stop emailing sensitive attachments; use a secure portal.
  6. Patch weekly; track exceptions and isolate legacy devices.
  7. Implement tested backups with monthly restore drills.
  8. Lock down remote access; review logs weekly.
  9. Train staff weekly with verification scripts and micro-drills.
  10. Monitor for 30 days after filing (bank alerts, payroll logs, email rules).

If you want help turning this checklist into a real, repeatable program (managed IT, cybersecurity, and surveillance working together), start here: https://www.clearpath360.org/services or reach out directly: https://www.clearpath360.org/contact
