
Why CPA Firms Are Primary Targets Every Filing Season
Tax season creates a concentrated risk window that cybercriminals plan around. Between January and mid-April, CPA firms handle enormous volumes of sensitive client data: Social Security numbers, bank routing details, prior-year returns, payroll records, and financial statements, all moving through email, cloud portals, and tax software at high velocity. Attackers time their campaigns to match that window.
This tax season cybersecurity preparation guide for CPA firms covers what you need in place before filing season opens: the IRS and FTC compliance requirements your firm must satisfy, the technical controls that reduce exposure, and the staff procedures that prevent the human-error incidents that account for the majority of breaches in professional services. Whether you run a solo practice or a mid-size regional firm, the controls here apply to your environment.
The IRS Security Summit, a public-private partnership between the IRS, state revenue agencies, and the tax industry, has documented year-over-year surges in phishing campaigns, Business Email Compromise (BEC), and credential-stuffing attacks targeting tax professionals during filing season. Firms that complete their cybersecurity preparation before January 1 consistently suffer fewer incidents and recover faster when one does occur.
The guidance below draws on IRS Publication 4557, the FTC Safeguards Rule, NIST SP 800-171 Rev. 3, and the Verizon 2024 Data Breach Investigations Report (DBIR). For a broader overview of cybersecurity for tax professionals, see our pillar guide covering the full regulatory and technical picture for accounting practices.
The Threat Environment CPA Firms Face
Sources cited in this section: IBM Cost of a Data Breach Report 2024; Verizon DBIR 2024.
What Makes Tax Season a High-Risk Window for CPA Firms
Filing season compresses risk into a narrow timeframe. Several factors combine to make January through mid-April the most dangerous months of the year for accounting firms:
- Data density: Returns in progress contain SSNs, adjusted gross income, employer identification numbers, and banking details. A single compromised workstation during filing season can expose hundreds of client records simultaneously.
- Seasonal staff: Temporary employees hired for the filing rush typically receive minimal security orientation and may work from personal devices, broadening the attack surface without corresponding security controls.
- Deadline pressure: Staff operating under time constraints are statistically more likely to click phishing links, skip verification steps, or approve wire transfers without proper dual-authorization controls.
- Remote and hybrid work exposure: Many preparers access tax software and client portals from home networks. BEC and RDP attacks on tax practices have grown as remote access became standard. Exposed Remote Desktop Protocol (RDP) ports remain a persistent entry point attackers actively probe during filing season.
- Spear-phishing campaigns: Threat actors send targeted emails impersonating the IRS, tax software vendors (Drake, UltraTax, ProSeries), payroll processors, or existing clients, often timed to arrive in January when practitioners are newly returned from holiday breaks and least guarded.
Understanding what cyber threat intelligence is helps firms contextualize these threats and prioritize defensive spending before the rush begins. The goal of pre-season preparation is to harden systems and procedures before attackers launch their filing-season campaigns, not after the first incident report arrives.
Security Capabilities CPA Firms Need Before Filing Season
Multi-Factor Authentication (MFA)
Enforce MFA on all tax software, email, cloud portals, and remote access systems. Credential theft accounts for a large share of breaches targeting professional services firms, and MFA blocks the majority of credential-based attacks.
Endpoint Detection & Response (EDR)
Deploy EDR on all workstations and laptops, including seasonal employee devices. Real-time behavioral telemetry enables early detection of ransomware staging and data exfiltration attempts before they reach full execution.
Email Threat Protection
Implement email filtering with anti-phishing controls, DMARC enforcement (p=reject), DKIM, and SPF to reduce spoofed IRS and vendor emails reaching staff inboxes. Email remains the primary initial access vector for tax-season attacks.
Written Information Security Plan (WISP)
A WISP is required by IRS Publication 4557 and the FTC Safeguards Rule. It documents your security program, incident response procedures, vendor oversight, and data disposal practices, and must be reviewed before each filing season.
Encrypted Backup & Recovery
Maintain offline, encrypted backups of all client files and firm data. Ransomware operators specifically target accounting firms, knowing that filing-season time pressure increases the likelihood firms will pay a ransom rather than restore from backup.
Security Awareness Training
Conduct phishing simulations and role-specific training for all staff, including temporary preparers, before January. Document training completion dates to satisfy IRS Publication 4557 and FTC Safeguards Rule evidence requirements.
IRS and FTC Compliance Requirements for CPA Firms
Tax preparation firms operating in the United States are subject to specific federal security mandates. Non-compliance creates regulatory exposure in addition to operational risk. Below are the key requirements your firm must satisfy before filing season.
IRS Publication 4557: Safeguarding Taxpayer Data
Tax safeguard compliance under IRS Publication 4557 requires all tax preparers to implement a written data security plan, use strong authentication on all systems holding taxpayer data, encrypt data in transit and at rest, train staff on data security practices, and properly dispose of client records. These are not voluntary guidelines; they are IRS requirements for anyone who prepares federal returns professionally. Publication 4557 also requires firms to report data theft to the IRS promptly using Form 14242 and to notify affected clients so they can protect themselves against fraudulent returns filed in their names.
FTC Safeguards Rule (Gramm-Leach-Bliley Act)
The FTC Safeguards Rule classifies tax preparers as financial institutions under the Gramm-Leach-Bliley Act (GLBA) and mandates a documented information security program. Since the 2023 amendments took full effect, firms with more than 5,000 customer records must report certain security events to the FTC. The rule also requires designating a qualified individual to oversee your information security program, a governance requirement many small firms overlook until an audit or incident surfaces the gap.
Written Information Security Plan (WISP)
Both the IRS and FTC require a WISP. The IRS provides a sample template through Publication 5708. Review our guide to the IRS Publication 5708 WISP template to understand what sections your plan must include and how to adapt it for your firm's size and client profile. Sole proprietors and single-preparer practices are not exempt; see our WISP template for sole proprietors for a scaled implementation. Your WISP should be reviewed and updated before each filing season to reflect current systems, staff, and vendor relationships.
Tax Season Cybersecurity Preparation: Step-by-Step
Complete a Security Gap Assessment (October-November)
Inventory all systems, software, and data stores that handle client information. Map current controls against IRS Publication 4557 and the FTC Safeguards Rule requirements. Document gaps, assign remediation owners, and set deadlines before January 1.
Update and Test Your WISP (November)
Review your Written Information Security Plan for accuracy. Update vendor contacts, incident response roles, notification procedures, and any system changes made during the year. Run a tabletop exercise simulating a phishing-initiated breach or ransomware incident so staff know their roles before a real event.
Enforce MFA on All Systems (November-December)
Audit authentication settings for tax software, email, client portals, remote access, and cloud storage. Disable any accounts or access paths that do not require MFA. Refer to CISA guidance on password managers and unique passwords for credential hygiene steps that complement MFA enforcement.
Train All Staff Before Opening Day (December-January 1)
Deliver phishing simulation and security awareness training to every employee who will handle client data during filing season, including new hires and seasonal preparers. Document completion dates and store evidence in a location accessible during regulatory inquiries.
Verify Backups and Test Restoration (December)
Confirm that all client data is backed up, that backups are encrypted, and that at least one copy is stored offline or air-gapped. Perform a test restoration to verify backup integrity before high-volume filing begins. Ransomware recovery depends on this test having been done in advance.
Harden Remote Access (December-January)
Restrict RDP access to VPN-only connections and enforce network-level authentication on all RDP sessions. Remove or disable external-facing RDP where it is not operationally required. Document remote work policies for seasonal staff and confirm they are using firm-approved devices.
Establish a Filing-Season Incident Response Contact List (January)
Compile IRS data theft reporting contacts, your state attorney general's breach notification contacts, your cyber insurance carrier's claims line, and a qualified incident response retainer. A breach during filing season requires a response measured in hours, so assemble this list before you need it.
Technical Controls That Reduce Filing-Season Exposure
Compliance documentation matters, but technical controls do the actual blocking and detecting. The following controls address the most common attack vectors targeting CPA firms during tax season.
Email Security Configuration
The majority of tax-season attacks begin with a phishing email. Configure your email environment with DMARC in enforcement mode (p=reject), DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework). These three protocols together prevent attackers from spoofing your firm's domain and reduce the number of spoofed IRS or vendor emails reaching staff inboxes. Also ask whether your tax preparation software is secure for personal information at the settings your firm currently uses; many installations leave email encryption options disabled by default.
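The following checker evaluates a domain's published SPF and DMARC records against the posture described above and in the MFA/email capability list (DMARC p=reject applied to all mail, SPF ending in a hard fail). It is an added example, not code from the original article; the two records and the example-cpa.test domain are constructed, and no DNS lookup is performed, so it runs offline on the sample strings or on records you paste in.

```python
import re

# Constructed sample records for a hypothetical firm domain (not real DNS data).
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; sp=quarantine; pct=50; rua=mailto:dmarc@example-cpa.test"
# SPF terms that cost a DNS lookup; RFC 7208 caps an evaluation at 10 of them.
LOOKUP_TERM = re.compile(r"[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    pairs = (p.strip().partition("=") for p in record.split(";") if p.strip())
    return {k.strip().lower(): v.strip() for k, _, v in pairs}


def dmarc_findings(record: str) -> list:
    """Gaps relative to p=reject, sp=reject, pct=100 with aggregate reporting."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected (guide requires p=reject)")
    sub = tags.get("sp", policy).lower()  # sp inherits p when absent
    if sub != "reject":
        findings.append(f"sp={sub}: spoofed subdomains are still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


def spf_findings(record: str) -> list:
    """Check the terminating 'all' qualifier and the DNS-lookup budget."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    match = re.fullmatch(r"([+\-~?]?)all", terms[-1].lower())
    if match is None:
        findings.append("no terminating 'all' mechanism; unlisted senders get a neutral result")
    elif match.group(1) in ("", "+"):
        findings.append("+all authorizes every sender; SPF gives no protection")
    elif match.group(1) in ("~", "?"):
        findings.append(f"{terms[-1]} is a soft/neutral fail; use -all for a hard fail")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)")
    return findings
```

Run `spf_findings(SAMPLE_SPF)` and `dmarc_findings(SAMPLE_DMARC)` to see the sample domain's gaps; an empty list means the record meets the target posture.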
Endpoint Security for Seasonal Environments
Every device that touches client data, including laptops brought in by seasonal preparers, must have EDR installed and policy-enforced before that device accesses firm systems. Antivirus-only coverage is insufficient for filing season; behavioral detection from EDR is essential for identifying novel ransomware variants before they encrypt client files and trigger a breach notification obligation.
Secure Client File Transfer
Do not accept W-2s, 1099s, or identification documents via unencrypted email. Configure a secure client portal with MFA-protected access, encrypted file transfer, and automatic session timeouts. Review the security settings of your tax client portal before the season opens; many firms discover their portal is operating at vendor defaults rather than firm-appropriate security settings.
Credential Hygiene at Scale
Require unique, complex passwords for every system that handles taxpayer data. Prohibit password reuse between tax software, email, and client portals. Use a business-grade password manager to enforce and audit this policy across staff accounts. CISA's guidance on using a password manager and unique passwords provides a vendor-neutral framework for firms implementing credential controls for the first time or formalizing an informal policy.
Phishing Campaigns Peak During Filing Season
The IRS Security Summit consistently warns that impersonation emails targeting tax professionals spike between January and April. Attackers send emails that appear to come from the IRS e-Services team, major tax software vendors, or existing clients, often referencing real firm details gathered from public sources. Never click links in unsolicited IRS or tax-software emails; navigate directly to the vendor's official site. Verify unexpected wire transfer requests or data access requests by phone before acting, using a number you already have on file, not one provided in the email.
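A triage check for the inbound side of this, added here as an example and not part of the original article: it reads the receiving server's Authentication-Results header, flags display names that claim the IRS or a known client while sending from an unrelated domain, and catches the Reply-To mismatch and urgency language typical of BEC. The sample message, the known-sender table and every domain other than irs.gov are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed table: brands that show up in display names during filing season and
# the only domains that legitimately send as them (irs.gov is real; the client is made up).
KNOWN_SENDERS = {"irs": {"irs.gov"}, "acme client": {"acme-client.test"}}
# Constructed sample of a spoofed IRS e-Services notice, shown as it would arrive
# after the receiving mail server added its own Authentication-Results header.
SAMPLE_EMAIL = """\
From: "IRS e-Services" <notices@irs-eservices-update.test>
Reply-To: helpdesk@relay-mailer.test
To: preparer@example-cpa.test
Subject: Action required: e-Services account hold
Authentication-Results: mx.example-cpa.test; spf=pass smtp.mailfrom=irs-eservices-update.test;
 dkim=none; dmarc=fail header.from=irs-eservices-update.test
Content-Type: text/plain

Your e-Services account will be suspended within 24 hours unless you verify
your identity using the link below.
"""
URGENCY = re.compile(r"\b(within \d+ hours|suspend\w*|wire transfer|routing number|new bank)\b")


def auth_verdicts(msg) -> dict:
    """Pull the spf/dkim/dmarc outcomes from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def triage(raw: str) -> list:
    """Return the reasons a message should be held for verification (empty if none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    flags = []
    verdicts = auth_verdicts(msg)
    if verdicts.get("dmarc") != "pass":
        flags.append(f"dmarc={verdicts.get('dmarc', 'missing')}: From domain not authenticated")
    for brand, domains in KNOWN_SENDERS.items():
        if re.search(rf"\b{re.escape(brand)}\b", display, re.I) and from_domain not in domains:
            flags.append(f"display name claims '{brand}' but From domain is {from_domain}")
    if re.search(r"\birs\b", display, re.I) or from_domain.endswith("irs.gov"):
        # The IRS does not initiate account contact by email; confirm via e-Services or phone.
        flags.append("claims to be the IRS: confirm through e-Services or phone, never via the email")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain (BEC pattern)")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace").lower()
    if URGENCY.search(body):
        flags.append("urgency or payment-change language: verify by phone on a number already on file")
    return flags
```

`triage(SAMPLE_EMAIL)` returns five hold reasons for the spoofed notice; a client message that passes DMARC with no Reply-To mismatch and no urgency wording returns an empty list.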
Incident Response Preparation Before Filing Season Opens
Every CPA firm needs a documented incident response plan before filing season, not during it. When a breach occurs in February, you have days, not weeks, to contain it, notify affected clients, and report to the IRS and applicable state agencies. Firms without a plan make containment decisions under time pressure, which consistently results in delayed notification, wider data exposure, and larger regulatory exposure.
Your incident response plan should address at minimum:
- Clear decision authority: Who has authority to initiate containment, who communicates externally, and who contacts the IRS and state agencies.
- IRS reporting: Tax professionals must report data theft to the IRS promptly, the IRS recommends within 24 hours of discovery, using the IRS stakeholder liaison contacts listed on IRS.gov and Form 14242.
- State breach notification: Most states require notification to affected residents within 30-72 hours of a confirmed breach. Maintain a record of clients' states of residence to quickly identify applicable notification laws.
- Cyber insurance coordination: Contact your carrier's claims line before taking significant remediation steps. Many policies require pre-authorization for forensic work to be covered under the policy.
- Client communication template: Draft a notification letter before filing season. Customizing incident communications under pressure leads to legally ambiguous wording that can complicate later regulatory interactions.
If your firm lacks internal security resources, a managed detection and response (MDR) retainer gives you access to a 24/7 Security Operations Center (SOC) that monitors for indicators of compromise throughout filing season and manages initial response when an alert fires, without requiring your staff to act as first responders.
Get a Pre-Season Cybersecurity Assessment for Your CPA Firm
Our team reviews your current controls against IRS Publication 4557, the FTC Safeguards Rule, and NIST SP 800-171, then delivers a prioritized remediation plan before filing season opens.
Frequently Asked Questions
Yes. IRS Publication 4557 requires all tax preparers, including sole proprietors, to maintain a written data security plan. The FTC Safeguards Rule independently mandates a documented information security program for tax preparers classified as financial institutions under the Gramm-Leach-Bliley Act. Both requirements apply regardless of firm size, and neither provides an exemption for small practices.
Most preparation should be complete before January 1. Gap assessments and WISP updates should happen in October and November. MFA enforcement, staff training, and backup verification should be complete by December 31. Remote access hardening and incident response plan reviews should wrap up before the first client file is opened in the new year, so your team is not making security configuration decisions while simultaneously processing returns.
Phishing and spear-phishing emails impersonating the IRS, tax software vendors, or clients are the most common initial access vector. Business Email Compromise (BEC), where attackers hijack or spoof firm email to redirect payments or obtain client data, is a growing threat. Ransomware, credential stuffing against tax software portals, and Remote Desktop Protocol (RDP) exploitation are also frequently documented in IRS Security Summit advisories and industry threat reports.
Yes. The FTC Safeguards Rule applies to all financial institutions covered under GLBA, which includes tax preparers regardless of firm size. Firms with 5,000 or fewer customer records have a different threshold for mandatory FTC event notification than larger firms, but all covered firms must implement a written information security program, designate a responsible individual, and meet the 16 specific safeguards in the amended rule.
The IRS directs tax professionals who experience a data theft to immediately contact the IRS stakeholder liaison for their state (contacts are listed on IRS.gov), submit Form 14242 or follow the specific steps in IRS Publication 5293, and notify their tax software provider. You must also notify affected clients so they can file Form 14039 (Identity Theft Affidavit) to protect their accounts, and report to the FTC if your firm meets the reporting threshold under the Safeguards Rule.
IRS Publication 4557 directs tax preparers to use MFA on all systems that access taxpayer data, and most major tax software vendors now require or strongly encourage it. The FTC Safeguards Rule requires covered firms to implement MFA for information systems accessed remotely and may require it for local systems depending on the findings of your security risk assessment. Treat MFA as a baseline control, not an optional enhancement.
Do not click any links or open attachments. Forward the email to phishing@irs.gov and alert your IT or security contact. Navigate directly to IRS.gov or your tax software vendor's official site, never through a link in an unsolicited email. The IRS does not initiate contact with tax preparers or taxpayers by email about account issues, refund holds, or return problems; legitimate IRS outreach arrives by USPS or through your e-Services account.
At minimum, annually, but the better practice is to review your WISP before each filing season and update it after any security incident, significant infrastructure change, staff turnover in a key security role, or new regulatory guidance. Both the IRS and FTC expect your WISP to reflect current operations. A plan that still references legacy systems or outdated contact information provides little compliance value and can complicate incident response when the contacts or procedures no longer match reality.



