This is a composite case based on actual phishing incidents at small tax firms during the February to April peak. Names changed, numbers anonymized, but the timeline and decisions are taken from real engagements. It is the kind of attack that lands during the worst possible 6 weeks of a firm's year.
The setup
A 6-person tax firm with 525 active clients, mid-March in tax season. Microsoft 365 with MFA enabled on email. Lacerte for tax software with shared cloud workspace. SmartVault for client portal. WISP existed and was current.
The owner had spent the prior fall investing in MFA and an EDR rollout. The remaining gap was email security beyond the default Microsoft filter.
The phish
Wednesday morning, March 13. A staff preparer receives an email that appears to come from a long-time client. The subject is "Updated W-2, please use this version." The body says the client found an error and is attaching the corrected version. The attachment is a OneDrive link.
The link goes to a real OneDrive page that asks the preparer to "verify your Microsoft 365 credentials to view the document." She enters her email and password. The MFA prompt comes up on her phone. She approves it because she initiated the action.
The attacker now has her credentials and an authenticated session.
Hour 1 to 6: the attacker moves
Within 4 hours, the attacker logs into the preparer's email from an IP in Eastern Europe. They set up an inbox rule that auto-forwards every email containing the words "wire," "ACH," "bank," or "payment" to an external address, then deletes the local copy. Then they wait.
By the next morning, they have intercepted 3 client emails about wire transfers. They reply from the preparer's account with updated wire instructions to a mule bank account.
Hour 24 to 48: discovery
Thursday afternoon. A long-time client calls the firm because the wire instructions look unfamiliar. The owner pulls the email thread, sees that the wire response did not match what the firm sent, and immediately checks the preparer's email inbox.
She finds the auto-forward rule. She finds the wire-instruction replies that nobody at the firm remembers sending. She knows what happened.
First decisions in the next hour:
- Force a password reset on the compromised account, then revoke all active sessions.
- Disable the auto-forward rule and check every other inbox for similar rules. Two more inboxes have related rules added the night before.
- Notify the breach coach and the cyber insurance carrier.
- Call the client whose wire was intercepted and confirm the wire was not sent.
Hour 48 to 96: assessment
The forensic team is engaged. They confirm:
- 3 inboxes were compromised over a 36-hour window.
- An estimated 80 to 120 emails were exposed to the attacker.
- No client data was downloaded in bulk; the attacker was after wire fraud, not record theft.
- No malware was installed on workstations because the EDR caught and blocked the one attempt.
This is meaningfully different from a ransomware case. The breach is real, the cost is real, but the scope is contained. Notification obligations apply for the affected clients (about 40 individuals whose financial information was visible in those emails), but not for the full client list.
The financial cost
- Forensic investigation: $9,500
- Breach coach legal: $6,000
- Notification of 40 affected clients: $720
- Credit monitoring offer: $480 in year one
- Lost productivity during peak season (4 staff members for 3 days each): about 9 days of preparation capacity
- Insurance covered most of the above, beyond the deductible.
Out of pocket: $5,000 plus the productivity hit. No clients left over the incident because the firm was transparent and acted fast.
The fix that prevented the next attempt
Within 30 days, three changes went in:
- Email security tool added on top of Microsoft Defender. The tool scans inbound links, sandboxes attachments, and flags lookalike domains. Cost: $5 per user per month.
- Inbox rule monitoring enabled. Any new auto-forward rule triggers an alert. The IT person reviews each one within 24 hours.
- Wire fraud verification protocol. Before any wire instructions go out or are accepted, a phone call to a known number confirms the change. The protocol is in the WISP and on every wire-related email signature.
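Detection logic for both the rule the attacker created in hour 1 to 6 and the inbox rule monitoring added in the fix, as an added example that is not the firm's tooling: it assumes rule records shaped like Microsoft Graph messageRule objects (the field names are an assumption), a placeholder tenant domain, and constructed sample rules.

```python
# Added example, not the firm's tooling: flag inbox rules of the kind the
# attacker created. Records mimic Microsoft Graph `messageRule` objects
# (assumption: Graph field names); every sample value below is constructed.
INTERNAL_DOMAIN = "taxfirm.example"  # placeholder tenant domain
FINANCE_WORDS = {"wire", "ach", "bank", "payment", "routing"}
FORWARD_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
TEXT_KEYS = ("bodyOrSubjectContains", "subjectContains", "bodyContains")


def assess_rule(rule):
    """Return findings for one rule; an empty list means nothing suspicious."""
    actions, cond = rule.get("actions", {}), rule.get("conditions", {})
    targets = [r["emailAddress"]["address"].lower()
               for key in FORWARD_KEYS for r in actions.get(key, [])]
    findings = []
    external = [t for t in targets if not t.endswith("@" + INTERNAL_DOMAIN)]
    if external:
        findings.append("forwards outside the tenant: " + ", ".join(external))
    # Deleting the local copy after forwarding is how the attacker hid the trail.
    if targets and (actions.get("delete") or actions.get("permanentDelete")):
        findings.append("deletes the message after forwarding")
    words = {w.lower() for key in TEXT_KEYS for w in cond.get(key, [])}
    hits = sorted(words & FINANCE_WORDS)
    if targets and hits:
        findings.append("keyed on finance terms: " + ", ".join(hits))
    return findings


def scan(rules_by_mailbox):
    """Map mailbox -> ['rule name: findings', ...], suspicious rules only."""
    report = {}
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            hits = assess_rule(rule)
            if hits:
                name = rule.get("displayName") or "(unnamed)"
                report.setdefault(mailbox, []).append(name + ": " + "; ".join(hits))
    return report


# Constructed sample: one attacker-style rule and one ordinary internal rule.
SAMPLE = {
    "preparer@taxfirm.example": [{"displayName": ".",
        "conditions": {"bodyOrSubjectContains": ["wire", "ACH", "bank", "payment"]},
        "actions": {"forwardTo": [{"emailAddress": {"address": "x@mail.example.net"}}],
                    "delete": True}}],
    "owner@taxfirm.example": [{"displayName": "File newsletters",
                               "conditions": {"senderContains": ["newsletter"]},
                               "actions": {"moveToFolder": "placeholder-folder-id"}}],
}
```

Running `scan(SAMPLE)` reports only the preparer's mailbox; a rule that forwards to an address inside the tenant without deleting or filtering on finance terms produces no finding.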
30 days later, the attackers tried again with a similar lure. The email security tool flagged the link before the preparer clicked. The attempt was blocked.
What this case proves
MFA alone is not enough when the attacker can social-engineer the user into approving the prompt. The full defense stack for a small tax firm has three layers:
- Identity layer: MFA, ideally with phishing-resistant methods (FIDO2 keys for high-risk users).
- Email layer: A security tool above the platform default, with inbox rule monitoring.
- Procedure layer: Out-of-band verification for wire transfers and credential changes.
The combined cost for a 6-person firm is roughly $80 per month. The cost of skipping any one of those layers, in this case, was $5,000 plus 9 lost preparation days during the most expensive 6 weeks of the year.