Protecting Client Data in Tax Season

Why January through April is the highest-risk window of the year for accounting firms, the four attack vectors that spike during tax season, and the controls that close each before the next filing window opens.

February 10, 2023

Tax season is the four highest-risk months of the year for accounting firms. Here are the four attacks that spike from January through April, and the controls that close each.

Why tax season concentrates risk

From January through April, every accounting firm runs hotter, faster, and more distracted than the rest of the year. Volume is up. Hours are up. Seasonal staff are added. New client engagements arrive weekly. Client documents flow in by every channel imaginable. Vendors push out updates and new features mid-season.

Attackers know this. The same window that makes firms profitable also makes them vulnerable. Phishing campaigns aimed at tax professionals consistently spike in February. Ransomware against accounting firms peaks in late March. Insurance carriers report the highest claims volume from this profession in the first calendar quarter.

The four vectors below account for most of the season-specific risk. Each is well-understood, each is closeable, and each compounds if ignored.

Vector 1: IRS-impersonation phishing

Phishing emails purporting to be from the IRS spike during tax season. Common variants include fake e-Services notifications, fake "your client's return was rejected" messages, fake practitioner priority service callbacks, and fake EFIN-related warnings.

The defense is a combination of technical controls and trained eyes:

  • Enforce MFA on every email account. Phishing campaigns aim at credential capture; MFA blocks the next step.
  • Deploy advanced email filtering with impersonation protection that flags messages claiming to be from the IRS, your tax software vendor, or major financial institutions.
  • Train every employee that the IRS does not initiate contact with practitioners by email. If an "IRS" email asks you to click a link or log in to a portal, it is a phishing attempt 100 percent of the time.
  • Run a tax-season-specific phishing simulation in late January using one of the IRS-impersonation templates. The first round always catches people. The second round catches fewer.
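As an added example (not code from the original post or from any mail-filter product), the display-name and Reply-To checks behind "impersonation protection", run over two constructed messages; the brand keywords, allowed domains and sample messages are assumptions:

```python
"""Flag IRS/vendor brand impersonation in inbound mail headers.
Added example (not the post's or any filter vendor's code); keywords,
allowed domains and sample messages are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

# Each brand maps to a keyword regex and the set of domains allowed to use it.
# The post's rule for the IRS is that it never initiates practitioner contact
# by email, so its allowed set is empty and every match is flagged.
BRANDS = {
    "IRS": (re.compile(r"\b(irs|internal revenue|e-services|efin)\b", re.I), set()),
    "tax software vendor": (re.compile(r"\bexampletax\b", re.I), {"exampletax.example"}),
}

def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def impersonation_flags(raw_message):
    """Return a list of reasons this message looks like brand impersonation."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    from_domain = _domain(sender)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    # Brand names usually appear in the display name or subject, not the address.
    visible = f"{display} {msg.get('Subject', '')}"
    flags = []
    for brand, (pattern, allowed) in BRANDS.items():
        if pattern.search(visible) and from_domain not in allowed:
            flags.append(f"{brand} named in header but sent from {from_domain!r}")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain!r} differs from From {from_domain!r}")
    return flags

# Constructed samples: one IRS-impersonation lure, one ordinary client email.
PHISH = (
    'From: "IRS e-Services" <notices@irs-practitioner-alerts.example>\n'
    "Reply-To: verify@accounts-review.example\n"
    "Subject: Action required: your client's return was rejected\n\n"
    "Log in to the portal to restore your EFIN status.\n"
)
LEGIT = (
    "From: Jane Doe <jane@clientco.example>\n"
    "Subject: Q1 estimated payments question\n\n"
    "Hi, quick question about the first quarter estimate.\n"
)
```

`impersonation_flags(PHISH)` returns two flags (IRS branding from a non-IRS domain, mismatched Reply-To) and `impersonation_flags(LEGIT)` returns an empty list.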

Vector 2: Vendor compromise

Your tax software vendor, your practice management vendor, your portal vendor, your e-signature vendor: any one of them is a single point of failure. When one of them gets breached, every firm that uses them is affected.

Several major tax software and practice management platforms have been breached in the last three years. The pattern is consistent. The vendor pushes a security advisory, the firm logs in, the firm's MFA tokens may already be compromised, and any data the vendor was holding may have been exfiltrated weeks earlier.

The defenses are pre-season:

  • Confirm every critical vendor maintains a current SOC 2 Type II report and ask to see it during the off-season.
  • Have a written breach notification clause in every vendor contract requiring notification within 24 hours.
  • Maintain an export of all client data so that if a vendor goes offline mid-season, you can move to a backup workflow within hours.
  • Sign up for the vendor's security advisory mailing list. Most major vendors publish these but do not opt firms in by default.

Vector 3: Seasonal staff access

Most firms add seasonal preparers, reviewers, or admin staff for the season. Each one is a new account in the tax software, a new email address, a new portal login, and a new device that may or may not meet the firm's security baseline.

Seasonal-staff incidents are the most common internal cause of breach. The pattern is usually the same: an account with broad access, no MFA and a weak password, used on a personal laptop, that exists for 90 days and is then forgotten for the next six months, until the contractor's personal email is phished and the credentials end up in a credential-stuffing attack against your tax software.

The defense is a tight onboarding and offboarding cycle:

  • Onboarding includes a signed confidentiality agreement, verified MFA setup, training completion before access is granted, and written documentation of what each role can access.
  • Role-based access. Seasonal staff get the minimum they need (one client folder at a time, no admin rights, no permanent credentials).
  • Same-day offboarding when the engagement ends. Every system, every account, no exceptions.
  • Where possible, seasonal staff use firm-issued devices, not personal laptops. The cost of a refurbished laptop is less than one-tenth the cost of a breach.

Vector 4: Client portal abuse

Client portals are the front door for client interactions during tax season. Attackers target them because the velocity of legitimate uploads makes anomalies harder to spot.

Common attacks include credential reuse (a client's password leaks from another site and the attacker logs in to your portal as that client), social engineering of staff to grant access ("hi, I am Jane Smith's son and she said you would send her returns to my email"), and malicious uploads (a document with embedded malware sent to the firm under the guise of a tax document).

The defenses:

  • Require MFA for clients on the portal. Most modern portals support this. Most firms have it disabled to reduce client friction. The friction is worth it.
  • Train staff that no client request involving a change of contact information, account number, or payment routing is processed by phone or email alone. Verify in person or through a known channel.
  • Scan all uploads with a secondary anti-malware engine before opening them. Most modern portals do this; confirm it is enabled.
  • Set up alerts for unusual portal activity (logins from unexpected locations, unusual download volume, late-night activity).
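As an added example (not code from the original post or from any portal vendor), the three alert conditions in the last bullet implemented over a constructed portal audit log; the log layout, thresholds and sample events are assumptions:

```python
"""Alert on unusual client-portal activity from an exported audit log.
Added example (not the post's or any portal vendor's code); log layout,
thresholds and sample events are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

LATE_START, LATE_END = 23, 5               # local hours treated as late night
DOWNLOAD_LIMIT, WINDOW = 20, timedelta(minutes=60)

# Constructed sample log: (timestamp, client_id, event, country). A client's
# usual country is taken from the first login seen for them.
EVENTS = [
    ("2023-02-14T09:12:00", "c-1001", "login", "US"),
    ("2023-02-14T09:15:00", "c-1001", "download", "US"),
    ("2023-02-14T09:16:00", "c-1001", "upload", "US"),
    ("2023-02-14T21:40:00", "c-1002", "login", "US"),
    ("2023-02-15T02:10:00", "c-1002", "login", "RO"),   # new country, late night
] + [("2023-02-15T02:%02d:00" % m, "c-1002", "download", "RO") for m in range(11, 36)]

def portal_alerts(events):
    """Return {client_id: [alert, ...]}, at most one alert per kind per client."""
    alerts = {}                            # (client, kind) -> first message
    home = {}                              # client -> first-seen login country
    recent = defaultdict(list)             # client -> download times in window

    def flag(client, kind, message):
        alerts.setdefault((client, kind), message)

    for ts, client, event, country in sorted(events):
        t = datetime.fromisoformat(ts)
        if event == "login":
            home.setdefault(client, country)
            if country != home[client]:
                flag(client, "location", f"login from {country}, usual country {home[client]}")
            if t.hour >= LATE_START or t.hour < LATE_END:
                flag(client, "late-night", f"login at {t:%H:%M} local time")
        elif event == "download":
            # Sliding window: keep only downloads within WINDOW of this one.
            recent[client] = [d for d in recent[client] if t - d <= WINDOW] + [t]
            if len(recent[client]) > DOWNLOAD_LIMIT:
                flag(client, "volume", f"{len(recent[client])} downloads within {WINDOW.seconds // 60} min")

    grouped = defaultdict(list)
    for (client, _kind), message in sorted(alerts.items()):
        grouped[client].append(message)
    return dict(grouped)
```

`portal_alerts(EVENTS)` raises no alerts for c-1001 and three for c-1002: the new-country login, the 02:10 login, and the 21st download inside one hour.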

The before-January-1 controls

Most of these defenses cannot be installed mid-season. They are pre-season work. By December 1 of every year, a firm running a defensible tax-season operation has confirmed:

  1. MFA enforced on every system. No exceptions for owner accounts or staff who "are too busy."
  2. Email security is upgraded to include impersonation protection.
  3. Tax-season phishing simulation is scheduled for late January.
  4. Every critical vendor's SOC 2 is on file and current.
  5. Seasonal staff onboarding template is finalized, including confidentiality agreement, MFA setup, role-based access plan, and offboarding procedure.
  6. Client portal MFA is enforced.
  7. Backup restore test passed within the last 90 days.
  8. Incident response plan is current, with the IRS Stakeholder Liaison contact and cyber insurance contact updated.

A firm that gets through that list before the first 1099 arrives has done more than 90 percent of small accounting firms in the country. It is also the firm whose name does not appear in next year's breach notification database.
