Accounting firms hold the keys to the kingdom
If you were a cybercriminal looking for the highest-value target with the weakest defenses, accounting firms would be near the top of your list. A single mid-size accounting firm has access to hundreds or thousands of clients' Social Security numbers, bank account details, tax returns, financial statements, payroll records, and investment portfolios. Compromising one firm gives an attacker the personal and financial data of every client that firm serves.
Unlike a retailer that stores credit card numbers or a healthcare provider that holds medical records, accounting firms hold virtually every type of sensitive data in one place. Tax returns alone contain Social Security numbers, income details, employer information, bank routing numbers for direct deposit refunds, and dependent information. Combined with the financial statements and bank access that firms maintain for bookkeeping and advisory clients, the data an attacker can harvest from a single accounting firm breach is staggering.
And unlike large enterprises with dedicated security teams, most accounting firms — especially those with fewer than 50 employees — rely on a single IT consultant or manage their technology in-house with no formal security program.
Tax season is open season for attackers
Tax season creates a perfect storm for cyberattacks against accounting firms. The volume of sensitive data in transit spikes dramatically. Staff are under pressure, working long hours, and more likely to click on something they normally would not. Clients are sending sensitive documents via email — sometimes unencrypted — and expecting fast responses.
IRS impersonation attacks
Phishing emails impersonating the IRS are among the most common attacks targeting accounting firms during tax season. These emails claim to be about rejected e-file submissions, IRS account updates, new compliance requirements, or EIN verification. The emails link to convincing replicas of IRS portals that harvest the preparer's IRS e-Services credentials.
With stolen IRS e-Services credentials, an attacker can access client tax information, file fraudulent returns, redirect refunds, and obtain transcripts containing the personal data of every client whose return was processed through that account. The IRS has issued repeated warnings about these attacks, but they remain effective year after year because the emails are well-crafted and the time pressure of tax season reduces scrutiny.
Client impersonation
Attackers also impersonate clients during tax season. An email arrives that appears to be from a known client, attaching what claims to be their tax documents for the current year. The attachment contains malware — often a remote access trojan that gives the attacker persistent access to the firm's systems. Because firms are expecting exactly this type of communication during tax season, these emails blend seamlessly into normal workflow.
Wire fraud during tax season
Tax season also sees a spike in wire fraud targeting accounting firms. Attackers who have gained access to a firm's email system monitor communications and wait for an opportunity to insert themselves into a financial transaction. When a client requests a wire transfer or discusses payment details, the attacker sends a follow-up email from the compromised account directing the funds to an account they control, and typically adds an inbox rule that moves or deletes the client's replies so the account's real owner never sees the exchange.
The attacks accounting firms face year-round
Tax season gets the headlines, but accounting firms face persistent threats throughout the year.
Business email compromise
Accounting firm employees are high-value targets for business email compromise because they routinely handle financial transactions and have access to clients' banking information. An attacker who compromises an accountant's email can send payment instructions, share fraudulent invoices, or redirect client funds — all from a legitimate email address that clients trust.
The trust relationship between accountants and clients makes these attacks particularly effective. Clients are accustomed to receiving financial instructions from their accountant. When an email arrives asking them to wire funds to a specific account or update payment details for a vendor, they often comply without additional verification because the request is consistent with the accountant's normal role.
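A compromised mailbox is usually found by looking at what the attacker left behind rather than at the fraudulent email itself. The script below is an added example, not part of the original article: it audits an export of a mailbox's inbox rules and flags the patterns that follow a business email compromise, such as forwarding to an outside address, hiding messages that mention invoices or wire transfers, and rules with blank or punctuation-only names. The firm domain `example-cpa.com`, the simplified JSON shape, and the rule export itself are all constructed for the example; a real export (for instance from Exchange Online's `Get-InboxRule`) uses different field names and would need a small mapping step.

```python
"""Flag inbox rules typical of a business email compromise.

Added example, not code from the original article. The rule export below is
a constructed sample in a simplified JSON shape; real exports from mail
platforms use different field names.
"""
import json
from typing import Dict, List, Tuple

FIRM_DOMAIN = "example-cpa.com"  # assumed firm domain for the example
FINANCE_WORDS = ("invoice", "wire", "payment", "ach", "routing", "bank", "w-2", "1099")
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "deleted items", "archive", "junk")

# Constructed sample export: one benign rule and two attacker-style rules.
SAMPLE_RULES = json.dumps([
    {"name": "Team updates", "subject_contains": ["newsletter"],
     "move_to": "Newsletters", "forward_to": [], "delete": False, "mark_read": False},
    {"name": ".", "subject_contains": ["invoice", "wire"],
     "move_to": "RSS Feeds", "forward_to": [], "delete": False, "mark_read": True},
    {"name": "Backup", "subject_contains": [],
     "move_to": "", "forward_to": ["j.smith.accts@gmail.com"], "delete": False, "mark_read": False},
])


def is_external(address: str) -> bool:
    """True when the address is outside the firm's own domain."""
    return address.lower().rsplit("@", 1)[-1] != FIRM_DOMAIN


def suspicious_reasons(rule: Dict) -> List[str]:
    """Return the reasons a single rule looks attacker-planted (empty if none)."""
    reasons: List[str] = []

    # 1. Auto-forwarding to an outside mailbox gives the attacker a live copy of mail.
    for dest in rule.get("forward_to", []):
        if is_external(dest):
            reasons.append(f"forwards to external address {dest}")

    # 2. Finance-related mail routed to a folder nobody reads, or deleted outright,
    #    hides the client's replies from the mailbox owner.
    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    finance_match = any(word in s for s in subjects for word in FINANCE_WORDS)
    folder = rule.get("move_to", "").lower()
    if finance_match and (rule.get("delete") or folder in HIDING_FOLDERS):
        reasons.append("hides mail mentioning " + ", ".join(subjects))

    # 3. Mark-as-read plus move is the common combination for silencing notifications.
    if rule.get("mark_read") and folder:
        reasons.append("marks messages read and moves them out of the inbox")

    # 4. Attackers often give rules a blank or single-character name to avoid attention.
    if rule.get("name", "").strip() in ("", ".", ",", ".."):
        reasons.append("rule name is blank or punctuation only")

    return reasons


def audit_rules(export_json: str) -> List[Tuple[str, List[str]]]:
    """Audit a JSON rule export; return (rule name, reasons) for every flagged rule."""
    flagged = []
    for rule in json.loads(export_json):
        reasons = suspicious_reasons(rule)
        if reasons:
            flagged.append((rule.get("name", "<unnamed>"), reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run this against every mailbox, not only the one that sent the fraudulent message: the same attacker often holds several accounts at the firm, and the rules are the cheapest indicator to collect.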
Ransomware
Accounting firms are attractive ransomware targets because the data they hold is essential to their operations and their clients' operations. A firm that cannot access its clients' financial records, tax filings, and bookkeeping data cannot function. This creates enormous pressure to pay the ransom quickly — especially during tax season, when deadlines are immovable.
Ransomware operators increasingly combine encryption with data theft. They exfiltrate the firm's data before deploying ransomware, then threaten to publish client records if the ransom is not paid. For an accounting firm, the publication of client financial data would be catastrophic — not just for the firm's reputation, but for the clients whose data would be exposed.
Credential theft through compromised portals
Many accounting firms use client portals for document exchange, and staff access various tax, payroll, and banking platforms daily. Phishing attacks targeting these portal credentials are constant. A compromised portal login gives the attacker access to every document clients have uploaded — tax returns, bank statements, identification documents, and more.
What IRS WISP requirements mean for your firm
Every tax preparer is required to maintain a Written Information Security Plan (WISP). The obligation comes from the FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act, which treats tax preparers as financial institutions; the IRS reinforces it through Publication 4557, the WISP template in Publication 5708, and a required acknowledgement of data security responsibilities at PTIN renewal. This is not optional. It applies to every firm that handles federal tax returns, regardless of size: a sole practitioner working from a home office has the same legal obligation as a large national firm.
A WISP must document how your firm protects client data, including:
- Risk assessment: Identifying what data you hold and where it is stored
- Employee training: Documenting that staff are trained on security practices and phishing recognition
- Access controls: Defining who has access to what data and how access is granted and revoked
- Incident response: Describing what the firm will do if a breach occurs
- Physical security: Addressing how paper records and physical devices are protected
- Technology controls: Documenting encryption, MFA, password policies, and backup procedures
Many firms have a WISP on file because their professional association provided a template. But a template that has not been customized to the firm's actual practices, reviewed annually, or supported by the controls it describes is a liability, not a protection. If a breach occurs and the firm's WISP describes controls that were never actually implemented, it creates legal exposure rather than reducing it.
What accounting firms should have in place
The security program for an accounting firm does not need to be complex, but it does need to be real. Here are the essential components.
Email security
Publish SPF, DKIM, and DMARC records for your domain so that receiving mail servers can reject messages that forge your firm's address. SPF lists the servers allowed to send for the domain, DKIM signs outgoing mail so that forgery and tampering can be detected, and DMARC tells receivers what to do when a message fails both checks and where to send reports. These are DNS changes your IT provider can make quickly, but roll DMARC out in stages: start at p=none to collect reports, confirm that every legitimate sender (payroll platform, client portal, marketing tool) is covered, then move to p=quarantine and finally p=reject. Without an enforcing policy, anyone can send email that appears to come from your firm to your clients, requesting wire transfers, sharing fake invoices, or distributing malware. DMARC protects only your exact domain; a lookalike domain registered by an attacker is not stopped by it and still has to be caught by staff and by client verification procedures.
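The weaknesses to look for are easy to spot once the records are in front of you. The script below is an added example, not part of the original article or of any product it mentions: it parses SPF and DMARC TXT records and reports the settings that leave a domain spoofable (no record, `p=none`, `pct` below 100, `+all` or a missing terminal `-all`, more than ten DNS-lookup terms). The records it checks are constructed inline so it runs offline; `example.com` and the `_spf.google.com` include are placeholders, and in practice you would fetch the live records with `dig TXT example.com` and `dig TXT _dmarc.example.com` (or dnspython) and feed them in.

```python
"""Assess SPF and DMARC records for the gaps an attacker looks for.

Added example, not code from the original article. The records below are
constructed; fetch your own with dig TXT <domain> and dig TXT _dmarc.<domain>.
"""
import re
from typing import Dict, List, Optional

# Terms that cost a DNS lookup under the SPF limit of 10 (RFC 7208 section 4.6.4).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|(a|mx)(:|/|$)|ptr|exists:|redirect=)")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return findings for a DMARC record; an empty list means enforcing and reporting."""
    if not record:
        return ["DMARC: no record; receivers will not act on SPF/DKIM failures"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: missing required p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct}; policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will not receive aggregate reports")
    return findings


def assess_spf(record: Optional[str]) -> List[str]:
    """Return findings for an SPF record; an empty list means a strict, valid record."""
    if not record:
        return ["SPF: no record; any host may send as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings: List[str] = []
    mechanisms = [t.lower() for t in terms[1:]]
    tail = mechanisms[-1] if mechanisms else ""
    if tail in ("+all", "all"):
        findings.append("SPF: +all authorizes every sender; equivalent to no SPF")
    elif tail == "~all":
        findings.append("SPF: ~all softfail; acceptable once DMARC enforces, weak on its own")
    elif tail != "-all":
        findings.append("SPF: no terminal -all; unlisted senders are treated as neutral")
    lookups = sum(1 for m in mechanisms if LOOKUP_TERM.match(m))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10; record permerrors")
    return findings


# Constructed records: a typical weak setup beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.google.com ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.google.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: {assess_spf(spf) + assess_dmarc(dmarc) or ['no findings']}")
```

The check deliberately treats `~all` as a finding only when read in isolation: with DMARC at `p=reject`, a softfail SPF result combined with a DKIM failure is already enough for the receiver to discard the message.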
Multi-factor authentication everywhere
MFA should be enforced on email, client portals, tax preparation software, banking access, and any cloud services that store client data. It is the single most effective control against credential theft: a password captured by phishing is useless on its own. Prefer phishing-resistant methods such as FIDO2 security keys or passkeys wherever the service supports them. SMS codes and push approvals still stop most attacks, but adversary-in-the-middle phishing kits can relay a one-time code in real time and repeated push prompts can wear a tired employee into approving one, so treat those methods as a floor rather than the goal.
Phishing training with simulated attacks
Monthly or quarterly phishing simulations train staff to recognize suspicious emails in the context of their daily work. Track results over time — click rates should decrease as staff become more experienced. During tax season, increase the frequency and use tax-themed simulations that mirror real attacks.
Vulnerability scanning
Regular scanning of your firm's public-facing infrastructure identifies weaknesses before attackers do. This includes checking for exposed services, missing security headers, outdated software, and email security misconfigurations. Scan results also provide documentation for your WISP and for cyber insurance applications.
Documented security policies
Written policies covering acceptable use, data handling, access control, and incident response are required by the WISP and expected by cyber insurers. These policies should be reviewed annually, updated when practices change, and formally acknowledged by all employees.
Breach monitoring
Monitor for your firm's email addresses and domain appearing in known data breaches. Staff reuse passwords across services more often than they admit, so a credential leaked by a third-party breach is frequently valid against your email or client portal as well. If employee credentials appear in a breach, you need to know immediately so you can force password resets and revoke active sessions before those credentials are used against you.
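The companion check to breach monitoring is testing whether a password staff choose is already in a public breach corpus, without sending the password, or even its full hash, to anyone. The code below is an added example, not part of the original article: it implements the k-anonymity range lookup that the Pwned Passwords API uses, sending only the first five hex characters of the SHA-1 hash and matching the suffix locally against the returned range. The range response is constructed inline (the counts are made up) so it runs offline; a real client would fetch `https://api.pwnedpasswords.com/range/<prefix>` over HTTPS and pass the body in.

```python
"""k-anonymity breached-password check (Pwned Passwords range protocol).

Added example, not code from the original article. The range response is
constructed and its counts are invented; only the SHA-1 of "password" is real.
"""
import hashlib
from typing import Callable, Dict, Tuple

# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the prefix
# sent over the wire is 5BAA6 and the suffix we match locally is the rest.
# The other two lines and all counts are constructed for the example.
CONSTRUCTED_RANGE_5BAA6 = """\
00000000000000000000000000000000000:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7
"""


def hash_split(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines of a range response into a dictionary."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS request; knows only the constructed 5BAA6 range."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Number of times the password appears in the corpus, 0 if absent.

    fetch(prefix) must return the raw range body for that 5-character prefix;
    pass a real HTTPS client to query the live API.
    """
    prefix, suffix = hash_split(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Ledger-Tax-2024!-not-in-sample"):
        print(candidate, "->", breach_count(candidate))
```

Wire this into the password-change flow for email and portal accounts so a breached value is rejected at the moment it is chosen, and run it over the addresses that turn up in breach notifications to decide which resets are urgent.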
The cost of inaction
An accounting firm breach does not just affect the firm — it affects every client the firm serves. The notification requirements, credit monitoring obligations, regulatory scrutiny, professional liability exposure, and reputational damage can be existential for a small to mid-size firm. Multiple firms have closed permanently after significant breaches because clients left and the legal and remediation costs exceeded what the firm could absorb.
The controls described above are not expensive or difficult to implement. They require attention and consistency more than budget. The firms that get breached are rarely the ones that cannot afford security — they are the ones that never got around to it.
See what an attacker sees
The first step is understanding what your firm's internet-facing infrastructure actually looks like from the outside. A security scan of your domain reveals email authentication gaps, exposed services, and known vulnerabilities in minutes.
Run a free security assessment of your firm's domain and get a clear picture of your current exposure.