Ransomware Against Tax Firms: How It Happens and What It Costs
Ransomware is the most common existential threat to a small accounting firm. Here is how attackers actually get in, what they ask for, and the controls that block 90 percent of these attacks.
Why tax firms are targets
Ransomware operators target accounting firms for three reasons. The data is highly sensitive (Social Security numbers, financial records, payroll, client business records), the firms have insurance and the means to pay, and the operational pressure of tax season makes them more likely to settle quickly to restore operations.
Most ransomware attacks against accounting firms in the last three years have followed the same pattern. An attacker gains access through a phishing email or a vulnerable remote-access tool, spends a week or two mapping the network and exfiltrating data, then deploys the encryption payload at a strategically painful moment (often a Friday evening in March).
Understanding the playbook is the first step to closing it.
How attackers actually get in
There are four common entry points. The first three account for over 90 percent of accounting-firm incidents.
Phishing
A staff member clicks a link or opens an attachment in a phishing email. Their credentials are captured, or malware is installed on their workstation. From that single foothold, the attacker pivots through the network using the same credentials and tools the staff member uses every day.
Phishing is the entry point in roughly 60 percent of ransomware attacks against small accounting firms. It is also the cheapest to address through training and email filtering.
Remote Desktop Protocol (RDP) abuse
RDP exposed to the internet has been a leading attack vector for years. Attackers brute-force or buy stolen credentials, log in as a legitimate user, and have full desktop access from there.
If your firm allows remote work and the IT setup amounts to "log in to the office computer," ask whether the remote-access mechanism is RDP exposed to the internet. If it is, replace it with a managed VPN that requires MFA or a zero-trust remote-access tool, and leave RDP reachable only from inside that tunnel. RDP on the public internet is not defensible in 2026.
Vendor compromise
Your tax software, your practice management system, your portal, or any other vendor in your stack gets breached. The attacker uses the trusted relationship between you and the vendor to deliver malware or pivot into your environment.
Multiple major accounting-software platforms have been breached in this manner in the last 36 months. Vendor compromise is harder to defend against, but not impossible. Vendor due diligence (a current SOC 2 Type II report), breach-notification clauses in contracts, least-privilege access for every vendor integration, and offline backups reduce the likelihood and limit the blast radius.
Credential stuffing
A staff member reuses a password from a personal account that gets breached on another website. The leaked credentials show up in a credential dump, and attackers test them against business systems. If MFA is not enforced, they get in.
This is why MFA on every business system is the single most important control. Reused passwords are statistically inevitable; MFA makes a leaked password useless on its own. Where the system supports it, prefer phishing-resistant MFA (FIDO2 security keys or passkeys) over SMS codes or push approvals, which attackers can intercept or wear down with repeated prompts.
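The two credential attacks described above, RDP brute force (one account, many failures from one source) and credential stuffing (many accounts, one or two failures each from one source), leave different footprints in failed-logon records, and the distinction matters because the response differs: lock one account and block the source, versus reset every account the source tried and hunt for the one that succeeded. The following Python is an added example, not code from the original article. It runs over a few constructed, simplified log lines modelled on Windows Security Event IDs 4625 (failed logon) and 4624 (successful logon), with logon type 10 marking RDP sessions. The line format, sample addresses and thresholds are assumptions chosen for this example.

```python
"""Flag RDP brute force and credential stuffing in failed-logon records.

Added example, not from the original article. The log lines below are
constructed and simplified, modelled on Windows Security Event IDs 4625
(failed logon) and 4624 (successful logon); logon_type=10 is
RemoteInteractive, i.e. an RDP session. Thresholds are assumptions for
this example, not vendor-recommended values.
"""
from collections import defaultdict
from dataclasses import dataclass, field

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624

# Illustrative thresholds (assumptions).
BRUTE_FORCE_MIN_FAILURES = 5           # one account hit repeatedly from one source
STUFFING_MIN_ACCOUNTS = 4              # many distinct accounts from one source
STUFFING_MAX_FAILURES_PER_ACCOUNT = 2  # each account tried only once or twice

# Constructed sample: 203.0.113.10 hammers one RDP account; 198.51.100.7
# tries four accounts once each and then gets in as epatel; 192.168.1.25
# is an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2026-03-13T22:01:05Z 4625 user=jsmith src=203.0.113.10 logon_type=10
2026-03-13T22:01:07Z 4625 user=jsmith src=203.0.113.10 logon_type=10
2026-03-13T22:01:09Z 4625 user=jsmith src=203.0.113.10 logon_type=10
2026-03-13T22:01:11Z 4625 user=jsmith src=203.0.113.10 logon_type=10
2026-03-13T22:01:13Z 4625 user=jsmith src=203.0.113.10 logon_type=10
2026-03-13T22:01:15Z 4625 user=jsmith src=203.0.113.10 logon_type=10
2026-03-13T22:02:00Z 4625 user=alee src=198.51.100.7 logon_type=3
2026-03-13T22:02:01Z 4625 user=bchen src=198.51.100.7 logon_type=3
2026-03-13T22:02:02Z 4625 user=dkim src=198.51.100.7 logon_type=3
2026-03-13T22:02:03Z 4625 user=mgarcia src=198.51.100.7 logon_type=3
2026-03-13T22:02:04Z 4624 user=epatel src=198.51.100.7 logon_type=3
2026-03-13T22:05:30Z 4625 user=rwong src=192.168.1.25 logon_type=2
2026-03-13T22:05:41Z 4624 user=rwong src=192.168.1.25 logon_type=2
"""


@dataclass
class Event:
    ts: str
    event_id: int
    user: str
    src: str
    logon_type: int


@dataclass
class Alert:
    kind: str        # "brute_force" or "credential_stuffing"
    src: str
    accounts: list   # accounts with failed logons from this source
    rdp: bool        # at least one failure came over RDP (logon type 10)
    succeeded: list = field(default_factory=list)  # accounts that then logged in from the same source


def parse_events(text):
    """Parse '<ts> <event_id> key=value ...' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(ts, int(event_id), fields["user"], fields["src"],
                            int(fields["logon_type"])))
    return events


def detect(events):
    """Group failures by source address and apply the two patterns."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    first_failure = {}                                # src -> earliest failure timestamp
    rdp_sources = set()
    successes = defaultdict(list)                     # src -> [(ts, user)]
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id == FAILED_LOGON:
            failures[e.src][e.user] += 1
            first_failure.setdefault(e.src, e.ts)
            if e.logon_type == RDP_LOGON_TYPE:
                rdp_sources.add(e.src)
        elif e.event_id == SUCCESSFUL_LOGON:
            successes[e.src].append((e.ts, e.user))

    alerts = []
    for src, per_user in failures.items():
        # A success from the same source after its failures began is the account to triage first.
        later = sorted({u for ts, u in successes[src] if ts > first_failure[src]})
        hammered = sorted(u for u, n in per_user.items() if n >= BRUTE_FORCE_MIN_FAILURES)
        if hammered:
            alerts.append(Alert("brute_force", src, hammered, src in rdp_sources, later))
        if (len(per_user) >= STUFFING_MIN_ACCOUNTS
                and max(per_user.values()) <= STUFFING_MAX_FAILURES_PER_ACCOUNT):
            alerts.append(Alert("credential_stuffing", src, sorted(per_user),
                                src in rdp_sources, later))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a.kind:20s} src={a.src} rdp={a.rdp} "
              f"accounts={a.accounts} succeeded={a.succeeded}")
```

On the sample, the first source produces a brute-force alert against jsmith over RDP, and the second a credential-stuffing alert naming the four accounts tried plus epatel as the account that then logged in; the lone mistyped password from the internal address produces nothing. In a real deployment the same grouping belongs in the SIEM or EDR query over the actual 4625/4624 events, and the "succeeded" list is what the on-call person acts on first.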
What attackers actually ask for
For a small accounting firm (roughly 1 to 50 employees), ransom demands typically land in the $50,000 to $500,000 range, with the median around $150,000. Larger firms see correspondingly larger demands, scaling roughly with revenue.
The demand is rarely the full picture. Modern ransomware operators run a "double extortion" model: they encrypt the firm's data and they exfiltrate a copy. Even if the firm restores from backup, the attackers threaten to publish the stolen client data unless paid.
A firm that pays once is also more likely to be hit again. Threat intelligence shows that paid victims are re-targeted at roughly twice the rate of victims who refused to pay or who recovered without paying.
What cyber insurance actually covers
Cyber insurance is essential, and it is also routinely misunderstood. The typical policy for a small accounting firm covers:
- Breach response services (forensics, legal, notification)
- Business interruption losses (revenue lost during downtime)
- Cyber extortion (the ransom itself, in some cases)
- Regulatory defense costs
- Third-party liability (claims from affected clients)
What insurance often does not cover, or covers only with exclusions:
- Pre-existing conditions (vulnerabilities the carrier deems should have been remediated before the policy started)
- Failure to maintain stated security controls (if the application said you have MFA and you do not, the claim can be denied)
- War-exclusion clauses (some attacks attributed to nation-state actors are excluded)
- Acts by senior leadership (an owner negligently disabling controls)
The firms that get the best claim outcomes share three traits: their stated security controls match what they actually run, they engage a breach coach immediately on discovery, and they document everything from minute zero. The firms that get denied or limited coverage typically misrepresented their controls on the application.
The 5 controls that block 90 percent
If a small accounting firm only has the budget and attention to do five things, these five close the realistic ransomware exposure.
- Enforce MFA on every system, including email, tax software, practice management, portal, and remote access. No exceptions.
- Replace any internet-exposed RDP with a managed VPN that requires MFA or a zero-trust remote-access tool. Internet-exposed RDP has been one of the most common ransomware entry points for years.
- Deploy business-grade endpoint detection and response on every device, with 24/7 monitoring through a security operations center. Consumer antivirus is built to catch known malware files, not the hands-on-keyboard activity (credential theft, lateral movement, backup deletion) that precedes the encryption payload.
- Maintain offline, immutable backups and test them quarterly by actually restoring data, not by checking that the backup job reported success. At least one copy must be unreachable with the domain administrator credentials the attacker will be holding, because deleting or encrypting backups is a standard step before the payload runs. The first time you discover your backups are corrupted should not be the day after the encryption hits.
- Run quarterly phishing training and simulations. People are the entry point in 60 percent of attacks. Training compounds.
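The backup control above is only as good as the restore test behind it: a job that reports success can still leave restored files silently corrupted or missing, and a manifest of file hashes taken at backup time is what lets a quarterly test prove otherwise. The following Python is an added example, not code from the original article. It writes a SHA-256 manifest for a constructed backup set, then verifies a restore against that manifest and reports corrupted, missing and unexpected files. The manifest format, directory layout and file names are assumptions for this example; in practice the restore under test should come from the offline or immutable copy, not from the live file share.

```python
"""Verify a restored backup set against a hash manifest taken at backup time.

Added example, not from the original article. The manifest format
('<sha256>  <relative path>' per line), the directory layout and the
file names are assumptions for this example.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backup files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(root):
    """Record every file under root as '<sha256>  <relative path>', one per line."""
    root = Path(root)
    lines = [f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
             for p in sorted(root.rglob("*")) if p.is_file()]
    return "\n".join(lines) + "\n"


def verify_restore(manifest_text, restored_root):
    """Compare a restore against the manifest.

    Returns a dict with 'ok', 'corrupted' (hash mismatch), 'missing'
    (in manifest but not restored) and 'unexpected' (restored but not
    in manifest). Only corruption or loss makes the result not ok.
    """
    expected = {}
    for line in manifest_text.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    root = Path(restored_root)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    corrupted = sorted(rel for rel in expected
                       if rel in present and sha256_file(root / rel) != expected[rel])
    missing = sorted(set(expected) - present)
    unexpected = sorted(present - set(expected))
    return {"ok": not (corrupted or missing), "corrupted": corrupted,
            "missing": missing, "unexpected": unexpected}


def demo():
    """Build a constructed backup set, snapshot it, then simulate a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "clients").mkdir(parents=True)
        # Constructed sample files standing in for client data and the firm's security plan.
        (backup / "clients" / "acme-2025.qbb").write_bytes(b"constructed client file\n" * 100)
        (backup / "clients" / "smith-1040.pdf").write_bytes(b"constructed return\n" * 50)
        (backup / "wisp.docx").write_bytes(b"constructed policy document\n")
        manifest = write_manifest(backup)

        # A clean restore verifies against the manifest.
        clean = verify_restore(manifest, backup)

        # Simulate silent corruption of one file and loss of another, as a
        # failed restore or a tampered backup would show.
        (backup / "clients" / "acme-2025.qbb").write_bytes(b"\x00" * 10)
        (backup / "wisp.docx").unlink()
        damaged = verify_restore(manifest, backup)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

The manifest has to be stored with the offline copy and, ideally, a second copy kept somewhere the backup credentials cannot write, otherwise an attacker who can alter the backup can alter the manifest to match. The quarterly test is then: restore to scratch storage, run the verification, and keep the report with the firm's security documentation.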
The cost of all five for a 10-person firm runs roughly $500 to $1,200 per month under a managed services arrangement. The cost of one ransomware incident starts in the low six figures and can run into the millions.
If you get hit anyway
Even firms with strong controls occasionally get hit. The response window is the first 24 hours, and the right moves are:
- Isolate affected systems from the network (pull the cable, disable Wi-Fi). Do not power them off unless your incident responders tell you to; memory holds evidence of the attacker's tools and activity, and a shutdown destroys it.
- Call your cyber insurance carrier's incident hotline. They will assign a breach coach and pay for forensics.
- Do not negotiate with the attackers directly. The breach coach engages a specialist negotiator if appropriate.
- Notify the IRS Stakeholder Liaison and any state-level breach reporting agencies on the timeline required. Tax preparers also fall under the FTC Safeguards Rule, which since May 2024 requires notice to the FTC within 30 days of discovering a breach that affects 500 or more consumers.
- Document every decision and every action with timestamps. The documentation is what makes the insurance claim work.
The difference between a ransomware attack that ends a firm and one that ends a bad week is rarely about the size of the attacker or the sophistication of the attack. It is almost always about whether the controls were in place beforehand and whether the response plan was rehearsed.