
Phishing and Business Email Compromise for CPA Firms: The Tax-Season Prevention Playbook

Consumers reported losing more than $12.5 billion to fraud in 2024, a 25% increase from the prior year (FTC, 2025). For CPA firms, that surge is not abstract. Your accounting practice sits at the center of tax returns, payroll reports, bank account details, and other sensitive financial data that fraudsters actively target.

During tax season, accounting firms rely heavily on email to exchange tax documents, coordinate with clients, and communicate with the IRS and state agencies. That mix of high-value data, constant email traffic, and tight deadlines makes phishing for CPA firms especially attractive to scammers, hackers, and cybercriminals.

Urgency is the leverage point. One convincing message can lead to unauthorized access, diverted payments, identity theft, or a data breach that disrupts operations and damages client trust at the worst possible time. This playbook focuses on quick wins: practical email security controls, clear processes, and staff habits you can implement immediately, even without a dedicated cybersecurity team.

Key takeaways

  • The biggest improvements come from simple process controls paired with strong email and account protection.
  • Business email compromise is often more dangerous than classic phishing because it targets payments and trust, not just credentials.
  • Training works best when combined with technical safeguards and clear reporting workflows for suspicious emails.

The CPA firm anti-phishing playbook

During tax season, you gain more protection by tightening a few specific controls than by drafting a long cybersecurity strategy that you cannot execute quickly. Most phishing attacks and business email compromise incidents succeed through email accounts, stolen login credentials, and rushed approval processes, not through advanced technical exploits. Social engineering attacks target how your team works under pressure.

In 2024, email compromise accounted for nearly 46% of Kroll’s digital forensics and incident response engagements, many of which were tied to financial fraud.

Each step below is a practical, quick win you can implement immediately. These controls map to settings available in the cloud email platforms CPA firms commonly use and support the IRS's baseline data security expectations for tax professionals.

The 6 most effective prevention steps

  1. Enforce multi-factor authentication on every email account and admin login. MFA means a stolen password alone does not grant access to email, portals, or client information. Prefer app-based or phishing-resistant methods (security keys or passkeys) over SMS codes, and teach staff to deny prompts they did not initiate: adversary-in-the-middle phishing pages and repeated push prompts can defeat code- and push-based MFA.
  2. Lock down mailbox rules and forwarding. Block automatic forwarding to external addresses at the tenant level, not just per user, and review inbox rules regularly. An attacker who gets into a mailbox typically adds rules that forward, redirect, or delete messages about invoices and payments so the real owner never sees the replies; that is what makes business email compromise silent.
  3. Use role-based access and eliminate shared credentials. Individual accounts tied to roles limit damage if login credentials are stolen and improve accountability across your accounting practice.
  4. Require callback verification for bank account or payment changes. Always confirm requests using a phone number already on file or a secure portal, never a number or link supplied in the email itself, and never by replying to the message.
  5. Standardize how staff report suspicious emails. Provide a simple, non-punitive way to report phishing emails and suspicious links so issues surface quickly.
  6. Run short, recurring phishing training. Brief sessions focused on current tax-season scams are more effective than once-a-year training and reinforce safer habits.

A simple “if you clicked” response checklist

When someone clicks a suspicious message, speed and clarity matter more than blame.

  • Report the phishing attempt immediately to begin containment.
  • Reset the password and revoke the account's active sessions and app tokens, since a new password does not end a session the attacker already holds; then review recent sign-ins for unfamiliar locations, devices, or times.
  • Check inbox rules and forwarding settings for unauthorized changes.
  • Notify the internal owner and assess exposure at a high level.
  • Determine whether client data or sensitive information could be part of a data breach.

Phishing vs BEC for accounting firms (Why it matters)

Not all cyber threats affect CPA firms equally. Understanding the difference between phishing attacks and business email compromise helps you apply the right mix of controls.

Phishing

Phishing attacks use fraudulent messages to trick staff into clicking malicious links, opening infected attachments, or entering login credentials into fake websites. In accounting firms, these messages often reference tax returns, portals, or document sharing. Successful phishing can introduce malware, ransomware, or credential theft, exposing client data and backups to further compromise.

Business email compromise

Business email compromise, or BEC, relies on impersonating partners, clients, or service providers to divert payments or change bank details. Because messages appear legitimate, staff may move money quickly. For CPA firms, BEC is often more dangerous than classic phishing because it causes immediate financial loss and erodes client trust.

CPA firms are prime targets because clients, banks, and vendors already trust your instructions, and tax season compresses decision-making. Effective defenses combine email security controls with process checks to prevent phishing scams and BEC schemes from becoming costly incidents.

The most common CPA-firm scenarios

The IRS reported nearly 200 tax professional data incidents potentially affecting up to 180,000 clients, many of which were tied to email-based impersonation and credential theft.

The following high-level scenarios frequently occur during tax season and often lead to phishing scams or BEC attempts. Recognizing these patterns helps your team pause before responding.

  • “Client” requesting portal reset or document upload. A scammer may impersonate a new client to harvest credentials or to deliver malicious links. Validate requests using known contact details rather than email alone. These tactics connect directly to tax-related identity theft. TIGTA reported that the IRS flagged nearly 1.9 million tax returns for additional review, totaling about $16.5 billion, using identity theft filters.
  • “Partner” requesting urgent wire or payment change. Messages push urgency around refunds or vendor payments. Follow callback verification and approval workflows before acting.
  • “IRS or state agency” urgency messages near deadlines. Spoofed emails reference penalties or missing filings. Confirm notices through official IRS channels and route them through a single, documented process.

Encouraging staff to share sanitized examples of real phishing campaigns helps patterns become familiar without exposing attacker scripts.
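When a staff member forwards one of these "partner" or "client" messages to the reporting mailbox, a short automated first pass can tell the reviewer whether it carries the impersonation signs the scenarios above describe: a trusted name on an address the firm does not own, a lookalike domain, a Reply-To that diverts the conversation, a failed or missing DMARC result, and payment-change language wrapped in urgency. The script below is an added example written for this page, not the firm's or Tech Advisors' tooling; the firm domain, the staff directory, and both sample messages are constructed assumptions.

```python
# Added example: first-pass triage of a reported "partner" or "client" message.
# Assumptions (not from the article): the firm domain, the staff directory and
# both sample messages below are constructed for the example.
from __future__ import annotations

import re
from email import message_from_string, policy
from email.utils import parseaddr

FIRM_DOMAIN = "examplecpa.com"                  # assumption: the firm's mail domain
KNOWN_STAFF = {"michael chen", "priya patel"}   # assumption: partner/staff display names
MONEY_WORDS = ("wire", "bank account", "routing", "payment", "invoice", "refund")
URGENCY_WORDS = ("urgent", "today", "asap", "immediately", "right away")
IMPERSONATION = {"display-name-impersonation", "lookalike-domain", "reply-to-mismatch"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains (examp1ecpa.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Return the sender address, finding tags and the action the playbook implies."""
    msg = message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_dom = _domain(sender)
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    auth = str(msg.get("Authentication-Results", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    findings: list[str] = []
    # A trusted name on an address the firm does not own
    if sender_dom != FIRM_DOMAIN and any(n in display.lower() for n in KNOWN_STAFF):
        findings.append("display-name-impersonation")
    # A domain one or two edits away from ours (typo-squat / digit-for-letter swap)
    if sender_dom != FIRM_DOMAIN and edit_distance(sender_dom, FIRM_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # Replies quietly routed to a third address
    if reply_to and _domain(reply_to) != sender_dom:
        findings.append("reply-to-mismatch")
    # Our gateway could not tie the From domain to an authenticated sender
    m = re.search(r"dmarc=(\w+)", auth)
    if m is None or m.group(1).lower() != "pass":
        findings.append("dmarc-not-pass")
    # Money movement plus pressure: the BEC pattern itself
    if any(w in text for w in MONEY_WORDS) and any(w in text for w in URGENCY_WORDS):
        findings.append("urgent-payment-request")

    if "urgent-payment-request" in findings or IMPERSONATION & set(findings):
        action = "hold: verify by callback to a number already on file before acting"
    elif findings:
        action = "review: weak authentication but no impersonation signs"
    else:
        action = "no impersonation signs found"
    return {"sender": sender, "findings": findings, "action": action}


# Constructed sample messages (not real mail).
SUSPECT_EMAIL = """\
From: "Michael Chen, Partner" <michael.chen@examp1ecpa.com>
Reply-To: michael.chen.cpa@mail-example.net
To: ar@examplecpa.com
Subject: URGENT: updated wire instructions for client refund
Authentication-Results: mx.examplecpa.com; spf=pass smtp.mailfrom=examp1ecpa.com; dkim=none; dmarc=none header.from=examp1ecpa.com
Date: Wed, 12 Mar 2025 14:02:11 -0400

Please update the bank account on file for the Harper refund before 3pm today.
I am in client meetings, so reply here rather than calling.
"""

BENIGN_EMAIL = """\
From: Michael Chen <michael.chen@examplecpa.com>
To: ar@examplecpa.com
Subject: Lunch Thursday?
Authentication-Results: mx.examplecpa.com; spf=pass smtp.mailfrom=examplecpa.com; dkim=pass header.d=examplecpa.com; dmarc=pass header.from=examplecpa.com

Are you free Thursday? Conference room B at noon.
"""

if __name__ == "__main__":
    for raw in (SUSPECT_EMAIL, BENIGN_EMAIL):
        result = triage(raw)
        print(result["sender"], result["findings"], result["action"])
```

The point of the "hold" action is that the script never decides the request is genuine: anything that asks for money movement, or shows any impersonation sign, goes to callback verification on a number the firm already has, which is the process control the playbook relies on. The benign message from the real partner's address with a DMARC pass produces no findings, so staff learn to associate the hold with the request type rather than with the colleague's name.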

Process controls that stop the damage

Strong information security in a CPA firm depends as much on process as on tools. Even when phishing attempts succeed, well-designed workflows limit vulnerabilities and prevent a single mistake from becoming a major loss.

Use documented approval workflows and two-person verification for money movement and other sensitive actions. Outgoing payments, client refunds, and bank account changes should require review, callback verification, and sign-off before funds move or financial records are released.

In fiscal year 2024 and the start of fiscal year 2025, the DOJ reported more than $735.3 million returned to victims of fraud, including business email compromise and imposter schemes.

Apply the same discipline to seasonal onboarding and offboarding. Temporary staff should receive only the access they need, with clear end dates. Automation in email and practice management systems can disable accounts on those dates, adjust permissions, and flag suspicious behavior. Combined with firewalls, antivirus software, and reliable backups, these controls strengthen data security without slowing daily work.

How Tech Advisors helps CPA firms reduce phishing risk

Many CPA firms choose to work with a specialist service provider rather than manage their own phishing defenses.

Tech Advisors helps accounting firms implement and maintain layered security solutions that reduce phishing and BEC risk during tax season and beyond.

This includes hardening email accounts with multi-factor authentication, tightening access controls, monitoring for suspicious activity across cloud platforms, and reviewing what the firm exposes on social media that an impersonator could reuse.

Tech Advisors also delivers brief, recurring security awareness training and phishing simulations tailored to CPA workflows, while helping firms establish clear reporting and response policies. The focus is execution: making sure protections work under real deadline pressure, not just on paper.

Final thoughts: Phishing succeeds when habits fail, not when tools do

Most damage from phishing emails and business email compromise is preventable when CPA firms consistently apply a focused set of controls. Simple, repeatable habits across email security, approvals, and access management are more valuable than complex solutions that staff cannot follow during tax season. Start with the playbook, then systematize it across your firm so protections become part of daily operations.

If you want help validating and strengthening your defenses, request a phishing resilience review for your CPA firm. A structured review can surface quick wins and give your accounting practice a clear path to safer, more predictable busy seasons.

FAQs

Why is phishing for CPA firms so effective during tax season?

Phishing targeting CPA firms is most effective during tax season because of the urgency, heavy email volume, and payment activity, which lowers scrutiny. Attackers impersonate clients, partners, or the IRS to steal credentials or push fraudulent payment changes. The fastest way to reduce risk is to enforce MFA on all email accounts and slow sensitive requests with verification steps.

How can CPA firms stop business email compromise without hiring more IT staff?

CPA firms can sharply reduce business email compromise by pairing strong email security with simple process controls. MFA, blocked external auto-forwarding, and mandatory callback verification for payment changes defeat most attempts. A co-managed IT partner can implement and monitor these controls without increasing internal headcount.

What is the first thing a CPA firm should do after a phishing attack or suspected data breach?

The first step is to immediately secure the affected email account and report the incident internally. Reset credentials, review inbox rules and sign-in activity, and assess whether client data or financial records were exposed. Fast action limits financial loss, identity theft risk, and damage to client trust.
