The latest Treasury Inspector General for Tax Administration’s Report revealed huge discrepancies in how the Internal Revenue Service is handling telephone calls. And this resulted in potentially massive fraud-related refunds that, thankfully, were caught during an audit process.
The IRS has a thorough guidance tool to process and authenticate incoming callers to aid in identifying the appropriate individuals. There was training conducted multiple times on this process throughout 2024; however, despite this training, the process remained unfollowed. The largest area of discrepancy was the Business Specialty Tax services. BST assists the IRS with processing calls related to payroll reports among other things.
Concern was raised in both June 2024 and August 2024 with no response. Despite the concerns with evidence being presented, high-level IRS executives proceeded with no change or path to correction. In fact, the year and a half from January 2023 through July 2024, an estimated $55.6 million in fraudulent refunds related to Form 941 were issued. The final numbers connected to this timeframe are still under review.
Following this timeframe, in October 2024, it was determined that $93 million in fraudulent refunds were issued; however, nearly $90 million of that was caught during an audit process. As reported, it is believed $2.7 million in fraudulent refunds were actually processed and paid.
To this moment, no corrective action has been taken and the IRS continues to struggle and remains vulnerable to telephonic threats.
Vishing is Not an Obscure Risk
Businesses have faced increased threat from vishing. If you recall, the MGM Resorts International breach from 2023 began from a vishing attack. The Clorox breach from 2023 that resulted in approximately $400 million is loss began as a vishing attack. Cisco fell victim to a breach in July 2025 that began as vishing. Google also recently experienced a breach from a vishing attack.
The attacks continue to increase in both breadth and nature.
What Can A Financial Services Firm Do to Mitigate Vishing Attacks?
Accounting firms, tax professionals, and all others in financial services, face an increasing risk for vishing, smishing, phishing attacks. With an increase in AI-based tools available as well, voice authentication is no longer a viable solution.
Firms must find a solution to mitigate this risk. Authenticating with voice is no longer viable. Authenticating with key information such as address, phone number, etc is no longer viable as many of these are publicly available.
It is best to find a means to confirm information that is not publicly available. One of the largest cybersecurity insurance companies suggests that each client should have a passphrase that they leverage to authenticate.
So what do you do to authenticate a caller? What steps are you planning to improve this process?
If you do not fully understand an issues or if you need assistance working through a resolution, the team here at Financial Guardians is available for Individual Support Calls to assist with any individual or specific matters.
Financial Guardians is a proud member of InCite, the recently launched online community exclusively for tax professionals, bookkeepers, and accountants. InCite members receive a 30% discount.
Financial Guardians has partnered with the California Society of Tax Consultants to provide a 30% access discount as well as many other offers. More info can be found at www.cstcsociety.org
