Solo CPAs Need a Prospect Scam Checklist

A TaxPros Reddit thread showed the uncomfortable part of modern firm ops: the riskiest file in the office may arrive before someone is even a client.

Key Takeaways

  • The Reddit scan flagged solo CPA scam screening as a recurring firm-ops pain point.

  • The safest rule from the scan: no attachments from prospects until identity and referral source are checked.

  • Solo practitioners need a repeatable intake control, not a gut-feel inbox review.

  • Screening should happen before opening PDFs, collecting sensitive records, or setting up portal access.

  • A short checklist can protect the firm without making legitimate prospects feel interrogated.

Why This Reddit Thread Matters

The thread was simple: a solo CPA was contacted multiple times and suspected a scam.

That is enough to pay attention.

Solo practitioners do not have an IT department watching every attachment. They do not have a security team reviewing strange outreach. They often have one inbox, one calendar, one portal, and a stack of urgent work that makes "quickly open this file" feel normal.

That is the risk.

The Ledger scan pulled out the practical control: no attachments from prospects until identity and referral source are checked.

It sounds almost too basic. That is why it works.

The Prospect Stage Is the Soft Spot

Most firms treat security like a client-records problem. Secure portals. Strong passwords. Document retention. Engagement letters. All good.

But scams do not have to wait until someone becomes a client.

The prospect stage is softer. The firm wants to be responsive. The CPA wants to help. A stranger with a tax problem feels like a lead, not a threat. So the normal gates get skipped.

That is when a suspicious PDF, payroll file, tax notice, or prior-year return can become the first real interaction with the firm.

The fix is not paranoia. The fix is sequencing.

Verify first. Open later.

A Simple Solo CPA Scam Screening Checklist

The checklist does not need to be fancy. It needs to be used every time.

Before opening files from a new prospect, confirm:

  • Name and contact information match across email, phone, and any referral source.

  • The prospect can explain how they found the firm.

  • The requested service fits the firm's normal client profile.

  • The email domain, file-sharing link, and message tone do not feel mismatched.

  • The prospect is willing to use the firm's standard intake process.

  • No sensitive documents are exchanged before the firm chooses the channel.

  • Attachments are not opened until the prospect clears the basic identity check.

That last point matters most. The inbox should not be the intake portal.
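For a firm that wants "verify first, open later" enforced rather than remembered, the sketch below triages a raw message using headers, link hosts, and attachment names only, and never decodes the attachment itself. It is an added example, not something from the Reddit thread or the scan; the verified-sender list, the addresses, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: addresses already cleared by the firm's identity/referral check.
VERIFIED_SENDERS = {"known.client@example.org"}

# Constructed sample message (not real mail); the "PDF" part is a placeholder.
SAMPLE = """\
From: "Pat Prospect" <pat@mail.example.com>
Reply-To: pat.tax@other.example.net
Subject: Need help with a tax notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached notice. Copy at https://files.example.io/n/123
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="notice.pdf"

(constructed placeholder, not a real PDF)
--b1--
"""

def domain_of(header_value):
    """Lowercased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message, verified=VERIFIED_SENDERS):
    """Classify a message from metadata only; attachment payloads stay untouched."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    flags = []
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != domain_of(msg.get("From")):
        flags.append("reply-to domain differs from sender domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hosts = sorted({h for u in re.findall(r"https?://\S+", text)
                    if (h := urlparse(u).hostname)})
    names = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    if sender in verified:
        action = "ALLOW"
    else:
        action = "HOLD: do not open attachments" if names else "VERIFY first"
    return {"sender": sender, "attachments": names, "link_hosts": hosts,
            "flags": flags, "action": action}
```

The flags and link hosts are there for a person to review against the checklist; only the verified-sender check changes the action.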

What Legitimate Prospects Should Hear

This does not have to sound hostile.

The script can be plain:

"Before we review documents, we verify new client identity and send our secure intake link. That keeps your information and our firm protected."

Normal clients will understand. Some will appreciate it. The ones who push hard for you to open an attachment immediately are giving you useful information.

That is the point of the control.

Why This Is a Business Process, Not Just Security

A good intake gate also improves the practice.

It filters bad-fit clients. It slows down panic-driven requests. It creates a standard path for referrals, document collection, and engagement review. It also keeps the CPA from making one-off judgment calls while trying to clear the inbox between client deadlines.

For solo firms, consistency is the whole advantage.

You do not need a giant security program to make the obvious scam harder. You need one rule that survives a busy Tuesday: no files from unknown prospects until the basics check out.

What CPAs Should Do Now

Write the rule down and put it where intake actually happens.

Add it to the website contact flow, the email template, the admin checklist, and the portal invitation process. If the firm uses a scheduler, add a line before the booking confirmation that documents will be requested through the firm's secure process after initial review.

Then follow it when the lead looks valuable.

That is where controls usually break.

FAQ

Why are solo CPAs a target for prospect scams?

The scan flagged solo CPA scam risk as directly relevant because small practices often handle prospect screening, document intake, and client communication without a larger support team.

Should a CPA open a PDF from a new prospect?

The safer rule from the scan is no attachments from prospects until identity and referral source are checked.

What should happen before document review?

Verify the prospect's identity, referral source, service fit, and willingness to use the firm's standard secure intake process.

How can firms avoid scaring off real prospects?

Use a neutral process explanation. Tell prospects the firm verifies identity and uses secure intake before reviewing documents. That sounds professional because it is.

Source: Ledger Lowdown Reddit growth scan of r/TaxPros on 2026-05-26, using the thread at https://www.reddit.com/r/TaxPros/comments/1tmnyx4/solo_cpa_someone_tried_to_contact_me_3_times_scam/.