The IRS tracks tax-related identity theft and phishing campaigns against accounting professionals as a major threat category every single year. The reason isn't surprising: CPA firms are a concentrated source of Social Security numbers, EINs, financial statements, and bank account data for dozens or hundreds of clients — all in one place, all accessible through a handful of employee accounts.
For an attacker, a successful intrusion into a mid-size CPA firm during tax season isn't just one victim. It's access to that firm's entire client base.
What Makes Tax Season Specifically High-Risk
- Staff are overloaded — suspicious emails get less scrutiny when everyone is buried under returns
- Deadline pressure creates urgency that attackers exploit in phishing and BEC campaigns
- Temporary staff and seasonal contractors are onboarded quickly, often without proper security training
- Client portal access, tax software credential use, and document sharing activity all spike, creating noise that hides malicious activity
- The volume of legitimate wire-adjacent communications (estimated payments, refund routing) creates cover for BEC fraud
The Specific Attacks Targeting Accounting Firms Right Now
The IRS and its Security Summit partners issue annual warnings about campaigns specifically targeting tax professionals. These include spear-phishing emails impersonating software vendors like Drake, ProSeries, or UltraTax asking for credential re-entry. They include fake client portal login pages. They include BEC campaigns that impersonate a CPA's own email to redirect client refunds or estimated payments.
The FTC Safeguards Rule — which applies to tax preparers under the definition of "financial institutions" — requires CPA firms to maintain a written Information Security Program with a designated coordinator, risk assessment, employee training, and incident response procedures. Most small-to-mid CPA firms are out of compliance and don't know it. A breach without a program in place isn't just a client data problem — it's a regulatory one.
What an Incident Response Plan Actually Needs to Cover
An IR plan isn't a generic document you download from the internet. For a CPA firm, it needs to address your specific systems, data types, and obligations.
- Decision authority chain — who makes the call to take systems offline, notify clients, and engage external help at 11pm on April 14th?
- Contact list — your cyber insurance carrier, an IR firm (with an existing retainer if possible), your attorney, and your state CPA society's breach guidance line
- Data inventory — you cannot assess the scope of a breach without knowing what data you hold and where it lives across tax software, cloud storage, and email
- Notification obligations — which states do your clients reside in? Each has its own breach notification timeline and threshold. Some are 30 days. Some are 72 hours.
- IRS reporting requirements — tax professionals who experience a data theft must report to the IRS within 24 hours using a specific process
- Client communication templates — pre-written, attorney-reviewed notification letters you can send without having to draft them in the middle of a crisis
The Minimum Security Baseline Before Next Tax Season
- MFA on every account — tax software, email, client portals, cloud storage
- Separate credentials for tax software vs. general business systems
- Offline or immutable backups of client files — not just a second copy on the same network
- Annual phishing simulation and staff training — especially for seasonal employees
- Written IR plan reviewed and tested at least once before peak season begins
The accounting firms that get through a breach without losing clients are the ones that respond quickly, communicate transparently, and demonstrate that they had controls in place. The ones that don't are the ones that had no plan, no backups, and no idea who to call — and their clients find out about it on the news.
Need help validating your environment? Book a consultation and Black Tower Cyber can review your exposure, identity controls, and incident readiness before attackers find the gap first.