Tax season creates a perfect storm for cybercriminals.

Why Accounting Firms Are Targeted
The FBI IC3 categorizes professional services — a category dominated by accounting, legal, and consulting — among the highest-loss industries in Arizona's cybercrime data. Accounting firms are attractive for reasons that compound each other:
• Client data density: A 10-person CPA firm may hold the complete financial picture of 300+ individuals and businesses. That's Social Security numbers, bank account details, income data, and business financial statements — a complete identity theft package per client.
• Tax refund fraud: Stolen tax data enables fraudulent return filing before the legitimate taxpayer files. The IRS estimates billions in fraudulent refunds annually. Accounting firm breaches are a primary source of the data that enables this.
• Business financial intelligence: Business clients' financial data is valuable for targeted fraud, corporate espionage, and competitive intelligence. A compromised accounting firm is a window into its clients' financial health.
• Wire transfer exposure: Accounting firms handle payroll processing, estimated tax payments, and client disbursements — creating direct access to financial flows that BEC attacks target.
• Deadline pressure creates human vulnerability: Phishing attacks timed to tax season deadlines succeed at higher rates because staff are busy, stressed, and processing high email volume.
The Tax Season Attack Window
Sophisticated attackers who target accounting firms don't necessarily strike in April. They compromise firms in January or February — gaining access and doing reconnaissance — and then act in March and April when the most complete client data has been assembled.
A compromised accounting firm in late January gives an attacker access to:
• Prior year complete returns as they're collected from clients
• In-progress current year returns with updated financial data
• Bank account and routing numbers used for direct deposit
• Business financial statements and payroll records
• Client communication channels for social engineering attacks
By the time the breach is discovered — often weeks later — the attacker has had a full season of data access.
The Regulatory Dimension
Accounting professionals in Arizona have regulatory obligations around data security that go beyond basic business prudence.
IRS Publication 4557 and the Written Information Security Plan
The IRS requires all tax preparers — regardless of size — to have a Written Information Security Plan (WISP). This is not optional and is not limited to large firms. A sole practitioner with a home office and 50 clients has the same WISP requirement as a 50-person CPA firm.
The WISP must address how the firm protects taxpayer data, including physical, administrative, and technical safeguards. IRS audits of tax preparers increasingly include WISP review. Firms without a current WISP are out of compliance.
FTC Safeguards Rule
The FTC Safeguards Rule applies to financial institutions — a category that includes accounting firms and tax preparers that handle consumer financial data. The updated Safeguards Rule (effective 2023 for most small businesses) requires:
• A written information security program with a designated coordinator
• Risk assessment of systems containing customer financial information
• Access controls and multi-factor authentication on systems with covered data
• Encryption of customer financial data in transit and at rest
• Monitoring and testing of the security program
• Incident response plan
Non-compliance with the Safeguards Rule creates FTC enforcement exposure. The rule has teeth.
AICPA Standards
The AICPA's cybersecurity risk management framework and the SOC for Cybersecurity attestation service reflect the profession's own standards for security practice. While not mandatory, CPA firms serving business clients are increasingly asked to demonstrate security posture as part of vendor due diligence.
What Protection Looks Like for a Phoenix Accounting Firm
The good news: the controls that satisfy IRS, FTC, and insurance requirements are not exotic. They are the standard managed IT security stack, applied to an environment with specific attention to accounting-sector data handling.
• MFA on all email, accounting software, tax preparation platforms, and client portals — enforced, not optional.
• Encrypted client portal for document exchange — not email attachments for tax documents containing SSNs and financial data.
• EDR on all endpoints, including any home office devices used for client work during tax season.
• Off-site, immutable backup of all client files and tax data — tested quarterly, verified before tax season begins.
• Written Information Security Plan (WISP) — documented, current, available for IRS review.
• Security awareness training with tax season phishing scenarios — conducted in January before the attack window opens.
• BEC verification protocol for any wire transfers or payment direction changes.
• Access controls ensuring staff see only the client files they need.
The Tax Season Preparation Checklist
Every accounting firm should run through this before January each year:
☐ MFA verified as enforced on all systems containing client tax data
☐ Backup restoration test completed — verified clean, off-network backup exists
☐ Staff security awareness training completed, including phishing simulation
☐ WISP reviewed and updated for current year
☐ Client portal active and configured for secure document exchange
☐ EDR active on all devices used for client work, including remote staff devices
☐ BEC payment verification protocol communicated to all staff
☐ IT provider emergency contact confirmed — 24/7 coverage during tax season
AEGITz serves Phoenix-area accounting firms and CPA practices with managed IT and security designed around IRS, FTC, and AICPA requirements. Download our free Accounting Firm Security & Compliance Guide or schedule a discovery call at aegitz.com.