Tax Day 2018: Cybersecurity Lessons from This Tax Season
It's April 15, which means tax season is officially over for most businesses and individuals. Accounting firms can finally exhale, and small business owners can stop worrying about extensions and documentation.
Before everyone forgets the stress of tax season, let's talk about what we learned this year from a cybersecurity perspective. Because tax season is prime time for cyber attacks, and 2018 had some notable incidents.
What Happened This Tax Season
IRS Impersonation Scams Hit Record Levels
The IRS reported record numbers of phone scams, phishing emails, and fake IRS agent contacts this season. Scammers pretended to be IRS agents demanding immediate payment for back taxes, threatening arrest or deportation if victims didn't pay immediately via wire transfer or prepaid cards.
These scams worked because they created panic. People who think the IRS is after them make irrational decisions.
Accounting Firm Breaches
We saw multiple accounting firms get hit with ransomware or business email compromise (BEC) attacks during tax season. In one case we know about locally, an accounting firm had their files encrypted two weeks before the April deadline, causing massive disruption for dozens of clients.
The attackers knew exactly when to strike to create maximum pressure to pay the ransom.
Tax Preparation Software Vulnerabilities
Security researchers found vulnerabilities in several popular tax preparation software packages this season. While vendors patched most of them quickly, it's a reminder that even widely-used professional software has security gaps.
Lessons for Accounting Firms
Backup Timing Matters
Having backups is good. Having recent backups is better. Having backups that complete before your busiest work hours is best.
We saw firms whose backup windows started running into morning hours because their data had grown. That meant backups were still running when staff arrived, slowing systems down during peak work time.
Review your backup schedules now, during the slow season, and make sure they'll complete overnight even with next year's data growth.
Temp Staff Are Security Risks
Many accounting firms bring on seasonal staff for tax season. These temps need access to sensitive systems and client data, but they're also temporary employees who might not have strong security hygiene.
Make sure seasonal staff get the same security training as permanent employees. Review their access after tax season and disable accounts promptly when they leave.
Email Is Your Biggest Risk
The majority of tax season attacks we saw started with phishing emails. Fake client emails with malware attachments. Fake vendor invoices. Fake IRS notices. Fake urgent messages from senior partners.
Invest in better email filtering. Train staff to recognize phishing. Implement processes for verifying unusual requests (like wire transfers or tax filing changes) through a second channel.
Lessons for Small Businesses
Organize Your Tax Documents Earlier
Many security incidents happen when businesses are scrambling at the last minute to gather tax documents, downloading files from old email accounts, accessing systems they haven't touched in months, or accepting files from questionable sources because they're desperate.
Start organizing next year's tax documents in May, not March. You'll be more careful and less vulnerable to scams or malware when you're not under time pressure.
Verify Tax-Related Requests
If you get an email that appears to be from the IRS, your accountant, or your payroll company asking for sensitive information or urgent action, verify it through a different channel before responding.
Call the person using a phone number you already have (not one provided in the email). The few minutes spent verifying are worth it.
Don't Mix Personal and Business Taxes on the Same Computer
We saw cases this season where someone used their work computer to prepare personal taxes, clicked something they shouldn't have, and brought malware into their business network.
Keep personal financial activities on personal devices, separate from your business systems.
What the IRS Actually Does (and Doesn't Do)
Since IRS impersonation scams were so prevalent this season, it's worth reviewing what the IRS actually does:
The IRS will:
- Send written notices through postal mail
- Provide multiple opportunities to question or appeal amounts owed
- Contact you through official channels with proper identification
The IRS will NOT:
- Call you demanding immediate payment without first sending written notice
- Threaten to have you arrested or deported
- Demand payment via wire transfer, prepaid debit cards, or gift cards
- Ask for credit card information over the phone
- Email you asking for personal or financial information
If someone claiming to be the IRS does any of the things on the second list, it's a scam. Hang up, delete the email, and report it.
Tech Lessons for Next Year
Multi-Factor Authentication on Financial Systems
If you don't have MFA enabled on your accounting software, tax software, bank accounts, and payroll systems, this summer is the time to set it up. Don't wait until next February when you're busy.
Encrypted File Transfers
Stop emailing tax documents as attachments. Use encrypted file sharing services (there are plenty of affordable options) or secure client portals. Email is not a secure way to send sensitive financial information.
Document Retention Policies
How long do you keep tax documents? Where are they stored? Who has access? When do you securely delete old files?
Having clear policies reduces your data exposure. You can't lose data you don't have.
Post-Season Security Audit
Now that tax season is over, take some time to review what worked and what didn't from a security perspective:
- Did anyone encounter suspicious emails or scams?
- Were there near-misses that should be addressed?
- Did security controls cause unnecessary friction for legitimate work?
- What would you change for next year?
Document these lessons now while they're fresh. In November when you're planning for next tax season, you'll be glad you did.
The Bottom Line
Tax season is stressful enough without adding cyber attacks to the mix. The patterns are predictable: attackers create urgency, impersonate trusted entities, and exploit people's fear of the IRS.
The defenses are also predictable: good backups, email security, staff training, verification processes, and MFA on sensitive systems.
Use the slow season to shore up your defenses. Next tax season will come faster than you think, and the attackers will be ready. Make sure you're ready too.
Congratulations on surviving another tax season. Now go update your security.