Tax Season 2022: Protecting Your Accounting Firm from Targeted Attacks

Tax season is peak season for accountants and for the attackers who target them. Between January and April, accounting firms handle the most concentrated collection of sensitive financial data imaginable: Social Security numbers, bank account information, income details, investment records, and business financials, all flowing through email, portals, and shared drives.

The IRS reported a 400% increase in phishing attacks targeting tax professionals since 2020. Here's how to protect your firm during the highest-risk period of the year.

Tax Season Threats

IRS Impersonation

Attackers send emails claiming to be from the IRS, e-Services, or the IRS Tax Professional Account system. These emails request login credentials, threaten account suspension, or claim urgent action is needed. The IRS does not initiate contact by email. Ever.

Client Impersonation

"Hi, I need to update my bank account for my refund direct deposit." Attackers impersonate clients via email, requesting changes to refund routing. Always verify banking changes through a separate communication channel.

W-2 and 1099 Theft

Attackers send emails impersonating company executives and requesting employee W-2 data. We've written about this before, but it intensifies during tax season when such requests seem routine.

Tax Software Exploitation

Attackers target tax preparation software credentials to file fraudulent returns using stolen client data. If your Drake, Lacerte, ProSeries, or UltraTax credentials are compromised, every client's data is at risk.

Tax Season Security Checklist

Access Controls

  • MFA on all tax software, IRS e-Services, state tax portals, and email
  • Individual accounts for every staff member (no shared logins to tax software)
  • Disable accounts for seasonal staff immediately after tax season

Data Protection

  • Encrypt all devices containing client tax data
  • Use secure client portals for document exchange (not email attachments)
  • Implement the IRS "Security Six" protections required for tax preparers
  • Enable audit logging in your tax software to track who accessed what

Verification Procedures

  • Verify all banking changes by phone (not email)
  • Confirm client identity before releasing sensitive documents
  • Flag and investigate returns with unusual characteristics (new bank accounts, changed addresses)
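
One way to automate the last check in the list above, as an added example that is not part of the original post: it compares this year's returns with last year's records and flags new bank accounts and changed addresses, and goes one step beyond the checklist by also flagging a refund account that appears on more than one client's return. The record layout, field names and sample data are constructed for illustration and do not reflect any tax software's export format.

```python
from collections import defaultdict

# Constructed sample data; field names are hypothetical, not a real export format.
PRIOR_YEAR = {
    "C001": {"address": "12 Elm St., Dayton, OH 45402", "routing": "000000001", "account": "1111"},
    "C002": {"address": "98 Oak Ave, Dayton, OH 45403", "routing": "000000002", "account": "2222"},
    "C003": {"address": "5 Pine Rd, Troy, OH 45373", "routing": "000000003", "account": "3333"},
}
CURRENT_YEAR = [
    {"client_id": "C001", "address": "12 elm st, dayton oh 45402", "routing": "000000009", "account": "9999"},
    {"client_id": "C002", "address": "98 Oak Ave, Dayton, OH 45403", "routing": "000000002", "account": "2222"},
    {"client_id": "C003", "address": "PO Box 77, Reno, NV 89501", "routing": "000000009", "account": "9999"},
    {"client_id": "C004", "address": "3 Lake Dr, Troy, OH 45373", "routing": "000000004", "account": "4444"},
]

def normalize(address):
    """Ignore case, punctuation and spacing so reformatting is not a 'change'."""
    return " ".join(address.lower().replace(",", " ").replace(".", " ").split())

def flag_returns(current, prior):
    """Return {client_id: [reasons]} for returns to verify by phone before filing."""
    flags = defaultdict(list)
    clients_by_account = defaultdict(list)
    for ret in current:
        cid = ret["client_id"]
        bank = (ret["routing"], ret["account"])
        clients_by_account[bank].append(cid)
        old = prior.get(cid)
        if old is None:
            # New client: nothing to compare against, so say so instead of passing silently.
            flags[cid].append("no prior-year record to compare")
            continue
        if bank != (old["routing"], old["account"]):
            flags[cid].append("new bank account")
        if normalize(ret["address"]) != normalize(old["address"]):
            flags[cid].append("changed address")
    # Beyond the checklist: one refund account on several clients' returns.
    for cids in clients_by_account.values():
        if len(cids) > 1:
            for cid in cids:
                others = ", ".join(c for c in cids if c != cid)
                flags[cid].append("refund account also used by " + others)
    return dict(flags)

if __name__ == "__main__":
    for cid, reasons in sorted(flag_returns(CURRENT_YEAR, PRIOR_YEAR).items()):
        print(cid, "->", "; ".join(reasons))
```
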

IRS Requirements

The IRS requires tax professionals to:

  • Create a Written Information Security Plan (WISP)
  • Report data breaches to the IRS within specific timeframes
  • Implement the "Security Six" minimum protections
  • Use the Publication 4557 security checklist

Tax season is stressful enough without a data breach. Invest the time now to secure your firm before the filing rush begins.