An independent cybersecurity review across the largest tax preparers in the United States — national retail tax chains, online DIY platforms, and professional tax-software vendors including H&R Block, Intuit, and Jackson Hewitt — reveals a surprisingly wide range of results. These organizations handle sensitive customer and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each preparer’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 76% to 30% — 7 of 17 (41%) scored below 60%.
Cybersecurity Scores of Tax Preparers
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Tax Preparer | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | FreeTaxUSA | freetaxusa.com | 76% | Strong |
| 2 | TaxSlayer | taxslayer.com | 73% | Strong |
| 3 | H&R Block | hrblock.com | 70% | Strong |
| 3 | Liberty Tax | libertytax.com | 70% | Strong |
| 3 | ezTaxReturn | eztaxreturn.com | 70% | Strong |
| 3 | Intuit | intuit.com | 70% | Strong |
| 7 | Sprintax | sprintax.com | 64% | Above Average |
| 8 | TaxAct | taxact.com | 61% | Above Average |
| 9 | Credit Karma Tax | creditkarma.com | 60% | Above Average |
| 9 | Cash App Taxes | cash.app | 60% | Above Average |
| 11 | Drake Software | drakesoftware.com | 55% | Average |
| 12 | Wolters Kluwer | wolterskluwer.com | 54% | Below Average |
| 12 | Ace Cash Express | acecashexpress.com | 54% | Below Average |
| 14 | Jackson Hewitt | jacksonhewitt.com | 50% | Below Average |
| 15 | ATAX | atax.com | 44% | Weak |
| 16 | Thomson Reuters Tax | tax.thomsonreuters.com | 35% | Weak |
| 17 | OLT Pro | oltpro.com | 30% | Weak |
What the Results Reveal
- Scores range from 76% (FreeTaxUSA) down to 30% (OLT Pro) — 6 brands reach a strong (70%+) posture.
- Online-first brands lead: FreeTaxUSA (76%) and TaxSlayer (73%) outscore several legacy retail chains.
- OLT Pro (30%) and Thomson Reuters Tax (35%) sit at the bottom — well below H&R Block (70%), Intuit (70%), and Liberty Tax (70%).
- Without an enforced DMARC policy, criminals can spoof a preparer’s domain to phish taxpayers about refunds, stimulus payments, or “account verification.”
Why This Matters for Tax Preparers
Paid and DIY tax preparers are bound by IRS e-file and Publication 4557 safeguards, FTC Safeguards Rule requirements, and state consumer-protection oversight. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against refund fraud, preparer impersonation, and W-2 phishing during filing season.
Check any preparer’s posture at audit.emailmenow.com/?industry=cpa-firms.
See also — state audits
- Texas Accounting Firms
- California Accounting Firms
- Florida Accounting Firms
- Illinois Accounting Firms
- New York Accounting Firms
- Pennsylvania Accounting Firms
- Ohio Accounting Firms
- Georgia Accounting Firms
- Michigan Accounting Firms
Recommendations
- Enforce DMARC (
p=reject), strict SPF (-all), and DKIM signing. - Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
Protect your organization. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=cpa-firms.
Contact EmailMeNow IT Consulting for help with tax-season email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.