Accounting and tax firms are a near-ideal phishing target, and not by accident. You hold the exact data criminals want — Social Security numbers, bank details, and complete financial profiles for every client. You receive a constant stream of documents and new-client enquiries, so a malicious attachment looks like business as usual. And from January to April your team is moving too fast to second-guess every message. Attackers understand this rhythm and aim their campaigns straight at it.
The good news: the scams are predictable. Here are the five that do the most damage, how each works, and the control that shuts it down.
The Five Scams That Hit Firms Hardest
The fake new-client email
How it works
A 'prospective client' opens a friendly thread, then sends a document with their 'tax info' — actually malware or a credential-harvesting link. In season, preparers want the business and open it.
How to stop it
Treat unsolicited attachments and links as hostile by default; open documents in a sandboxed/preview mode; require MFA so a stolen password isn't enough.
EFIN / CAF / e-Services credential theft
How it works
A phish mimics IRS e-Services or your tax software login. Once the attacker has your EFIN or e-Services credentials, they can file fraudulent returns under your firm or pull client transcripts.
How to stop it
MFA on e-Services and tax software, unique passwords in a manager, and monitoring for logins from unexpected locations.
Client-impersonation wire fraud
How it works
An attacker compromises or spoofs a client mailbox and emails new banking instructions for a refund or payment. The money leaves before anyone notices.
How to stop it
Out-of-band verification of every banking change via a known phone number — built into the workflow, not left to memory.
W-2 and refund-fraud harvesting
How it works
Phishing aims to steal the bulk PII a firm holds — names, SSNs, wage data — which is then used to file fraudulent refund claims at scale.
How to stop it
Encryption, least-privilege access to client files, and account-compromise monitoring so a breached mailbox is caught fast.
Ransomware via the email door
How it works
A clicked link or macro-laden attachment drops ransomware that encrypts the firm's files mid-season — the worst possible timing for a deadline-driven business.
How to stop it
EDR on every device, tested offsite backups, and email filtering with active response.
The Pattern Behind All Five
Notice that the same handful of controls appears again and again: multi-factor authentication, ongoing phishing training, out-of-band verification of money movements, EDR with monitoring, and tested backups. That's not a coincidence — a small set of well-operated controls covers the overwhelming majority of email-borne attacks. The deeper mechanics of business email compromise are in our $50 billion SMB threat guide, and the human side in why your employees are your best defence.
MFA in particular does the heaviest lifting — even a perfectly crafted phish fails if the stolen password alone can't get in. If you haven't rolled it out everywhere yet, start with our plain-English MFA guide.
What to Do If You've Been Hit
If a credential or mailbox is compromised, speed matters. Reset the affected credentials, revoke sessions, and check for forwarding rules an attacker may have set. For a firm, an EFIN or e-Services compromise also means notifying the IRS — there's a specific reporting path covered in the tax-firm data-breach response guide, and the general first-24-hours steps are in our incident-response guide.
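The forwarding-rule check above, and the hide-and-forward rules used in the client-impersonation wire fraud described earlier, can be audited with a small script. This is an added example and not code from the original post: it parses a constructed mailbox-rule export whose field names are loosely modelled on Exchange Online inbox-rule properties (an assumption; adapt them to your tenant's export), with a made-up firm domain, and flags rules that forward mail outside the firm, hide messages about money or credentials, or carry a near-empty name.

```python
import json

# The firm's own mail domains; anything else is treated as external (constructed for this example).
FIRM_DOMAINS = {"examplecpa.test"}
# Folders attackers typically use to park mail where nobody looks.
HIDE_FOLDERS = {"RSS Subscriptions", "Deleted Items", "Junk Email", "Conversation History"}
# Subject words a BEC rule tends to key on so replies about payments or logins never reach the owner.
WATCH_WORDS = ("wire", "bank", "refund", "invoice", "payment", "password", "mfa")

# Constructed sample export; field names are assumed to resemble an Exchange Online inbox-rule dump.
SAMPLE_RULES = json.dumps([
    {"Mailbox": "jane@examplecpa.test", "Name": "Client folder", "ForwardTo": [], "RedirectTo": [],
     "MoveToFolder": "Clients", "DeleteMessage": False, "MarkAsRead": False, "SubjectContainsWords": []},
    {"Mailbox": "jane@examplecpa.test", "Name": ".", "ForwardTo": ["attacker@mail.example"], "RedirectTo": [],
     "MoveToFolder": "RSS Subscriptions", "DeleteMessage": False, "MarkAsRead": True,
     "SubjectContainsWords": ["wire", "bank"]},
    {"Mailbox": "bob@examplecpa.test", "Name": "Archive", "ForwardTo": ["bob@examplecpa.test"], "RedirectTo": [],
     "MoveToFolder": "Archive", "DeleteMessage": False, "MarkAsRead": False, "SubjectContainsWords": []},
])

def external_targets(rule):
    """Return forward/redirect addresses whose domain is not one of the firm's own."""
    targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
    return [t for t in targets if t.rsplit("@", 1)[-1].lower() not in FIRM_DOMAINS]

def rule_findings(rule):
    """Return the reasons one rule looks like attacker persistence, or [] if it looks benign."""
    reasons = []
    ext = external_targets(rule)
    if ext:
        reasons.append("forwards/redirects externally to " + ", ".join(ext))
    hides = bool(rule.get("DeleteMessage") or rule.get("MarkAsRead") or rule.get("MoveToFolder") in HIDE_FOLDERS)
    if hides:
        reasons.append("hides matching mail (delete, mark read, or move to an unwatched folder)")
    words = [w for w in rule.get("SubjectContainsWords", []) if w.lower() in WATCH_WORDS]
    if words:
        reasons.append("keys on financial/security subjects: " + ", ".join(words))
    tiny_name = len(rule.get("Name", "").strip()) <= 1
    if tiny_name:
        reasons.append("near-empty rule name")
    # Hiding alone is common in legitimate rules; only report hide rules that also target money/credential mail.
    suspicious = bool(ext) or (hides and bool(words)) or tiny_name
    return reasons if suspicious else []

def audit_rules(export_json):
    """Parse a rule export and map (mailbox, rule name) to its findings for every suspicious rule."""
    findings = {}
    for rule in json.loads(export_json):
        reasons = rule_findings(rule)
        if reasons:
            findings[(rule["Mailbox"], rule["Name"])] = reasons
    return findings

if __name__ == "__main__":
    for (mailbox, name), reasons in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

Run it against a real export after a suspected compromise; an internal-only archive rule like Bob's passes, while Jane's unnamed rule that forwards wire/bank mail off-domain and buries it in RSS Subscriptions is reported with every reason it tripped.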
The Bottom Line
Tax-season phishing isn't random — it's a seasonal, repeatable campaign aimed at firms because of what they hold and how busy they are. The defences are equally repeatable. Put MFA everywhere, train continuously, verify money movements out of band, and have someone watching the alerts during the weeks you can least afford a breach.
See how we operate those controls for firms on the cybersecurity for accounting & tax firms page.
Lock down the firm with the free IRS Pub 4557 + FTC checklist.
The Security Six plus all nine FTC Safeguards WISP elements in one fillable checklist — MFA, encryption, training, and the rest — with PTIN-renewal-ready attestation language.
Is Your Firm Ready for Next Filing Season?
A free 30-minute assessment shows whether your email security, MFA coverage, and training would hold up against the scams above — before season starts.