Cybersecurity During Tax Season 2023
Tax season means long hours, tight deadlines, and stressed staff. It also means accounting firms become prime targets for cybercriminals.
Attackers know tax season timing. They know firms are busy, distracted, and handling sensitive financial data. Here's how to stay secure during busiest time of year.
Why Tax Season Attracts Attackers
High-Value Data
Tax returns contain everything attackers want: names, addresses, Social Security numbers, income information, bank accounts.
This data enables identity theft, tax fraud, and financial fraud.
Time Pressure
Staff rushing to meet April 15 deadline are more likely to click phishing emails without scrutiny.
Attackers exploit this pressure.
Distraction
During tax season, staff focus on completing returns. Security awareness decreases when everyone is overwhelmed.
Seasonal Staff
Many firms hire temporary staff for tax season. New people, limited security training, temporary access. This creates vulnerabilities.
Common Tax Season Attacks
W-2 Phishing
Phishing emails pretending to be from executives requesting W-2 information for all employees.
These target HR and accounting staff during tax season when such requests seem plausible.
Fake Client Emails
Emails appearing to come from clients with attached "tax documents" that are actually malware.
Or emails with links to fake tax document portals harvesting credentials.
IRS Impersonation
Phishing emails claiming to be from IRS requesting information or payment.
Real IRS doesn't initiate contact via email, but stressed staff might not remember this.
Tax Software Exploits
Attackers look for vulnerabilities in tax preparation software to access client data.
Business Email Compromise
Compromised email accounts used to request wire transfers or client data.
During tax season, such requests may seem normal and urgent.
Security Measures for Tax Season
Enhanced Email Filtering
Ensure email filtering is configured to catch tax-themed phishing attempts.
Many security vendors offer enhanced protection during tax season.
Security Awareness Refreshers
Before tax season, remind staff about:
- Phishing recognition
- Verifying unusual requests
- Not clicking links in unsolicited emails
- Reporting suspicious emails
Brief refresher training in January prevents problems in March.
Multi-Factor Authentication
MFA on all accounts, especially email and tax software.
Compromised passwords alone won't provide access.
Verify Requests
Any unusual request via email (wire transfers, W-2 data, client information) gets verified through different channel.
Call using known phone number, not number in email.
Software Updates
Ensure tax preparation software and all other software is fully updated before tax season starts.
Don't delay critical security updates even during busy season.
Access Controls
Review who has access to what. Ensure access is appropriate for roles.
Seasonal staff should have limited access to only what they need.
Secure Client Data Handling
Client Portals
Use secure client portals for document exchange, not email attachments.
Encrypted portals protect tax documents in transit and storage.
Encryption
Encrypt sensitive files. If laptop is lost or stolen during tax season, encrypted data remains protected.
Secure Disposal
Shred paper tax documents. Securely delete electronic files when retention period expires.
Limit Data Retention
Don't keep client tax data longer than necessary. Less data means less risk.
Backup and Recovery
Extra Backups
During tax season, backup frequency should increase. Losing data mid-season is catastrophic.
Test Restores
Before tax season, test that backups actually restore successfully. Don't discover backup problems during crisis.
Ransomware Protection
Immutable backups that ransomware can't encrypt. If attacked during tax season, you can recover without paying ransom.
For Seasonal Staff
Security Training
Temporary staff need security training before accessing client data. Brief but covering essentials:
- Password requirements
- Phishing recognition
- Data handling rules
- Who to contact with questions
Limited Access
Seasonal staff get minimum necessary access. Don't grant full access just because it's easier.
Account Management
Create accounts for seasonal staff. Disable when season ends. Don't share accounts.
Background Checks
Seasonal staff handling sensitive financial data should have background checks.
Remote Work Security
Many tax season staff work remotely. This creates additional security considerations:
VPN for Remote Access
Remote staff should connect via VPN, not directly accessing systems over internet.
Secured Home Wi-Fi
Remind staff to use password-protected home Wi-Fi, not open networks.
Physical Security
Lock screens when away. Don't leave tax documents visible during video calls. Secure home office spaces.
Incident Response Planning
Have Plan Before You Need It
Don't wait until security incident during tax season to figure out response.
Plan should cover:
- Who to contact
- How to contain incident
- Client notification procedures
- Legal and regulatory requirements
- Recovery procedures
Contact Information Ready
IT support, security vendors, cyber insurance, legal counsel. Have contact information readily available.
Communication Templates
Pre-draft client notification templates. If breach occurs, you can act quickly.
Post-Tax Season Security Review
After April 15:
Review Access
Remove access for departed seasonal staff. Review access for remaining staff.
Analyze Incidents
Review any security incidents that occurred. What can be improved for next year?
Update Training
Incorporate lessons learned into security training for next tax season.
Test Backups
Verify backups from tax season are complete and restorable.
Compliance Considerations
IRS Security Requirements
Tax preparers must comply with IRS security requirements outlined in Publication 4557.
This includes written security plan, encryption, secure data transmission, employee training.
State Requirements
Many states have additional data security requirements for tax preparers.
Client Notification
If data breach occurs, notification requirements vary by state and type of data compromised.
Cyber Insurance
Accounting firms should have cyber insurance covering:
- Data breach response costs
- Client notification expenses
- Legal fees
- Regulatory fines
- Business interruption
Review coverage before tax season. Understand what's covered and what's not.
Client Communication
Security Practices
Inform clients about your security practices. This builds confidence.
What Clients Should Do
Educate clients about:
- How you'll communicate (and won't communicate)
- Using secure portals for document exchange
- Not emailing sensitive documents
- Verifying requests that seem unusual
Our Recommendations
For accounting firms heading into tax season:
- Update all software and systems before crunch time
- Refresh security awareness training in January
- Enable MFA on all accounts
- Use secure client portals for document exchange
- Increase backup frequency during tax season
- Have incident response plan ready
- Review and limit access for seasonal staff
Don't let tax season pressure create security lapses. Attackers count on this.
We Can Help
At Robell Technologies, we help Arizona accounting firms maintain security during tax season and year-round:
- Security assessments and planning
- Client portal implementation
- MFA deployment
- Backup and disaster recovery
- Security awareness training
- Incident response support
Twelve years serving Arizona professional practices means understanding both technology and operational realities of tax season.
If you need help securing your firm for tax season, contact us. Better to prepare now than respond to incident in March.
Stay secure during tax season. Your clients' financial information depends on it.