Accountants and CPAs occupy a unique position in the business world. They're entrusted with highly sensitive financial information—tax returns, bank statements, payroll records, business financials—for individuals and organizations alike. This access makes accounting firms attractive targets for cybercriminals, yet many smaller practices have limited resources to dedicate to security.

Why Accounting Firms Are Targeted

The value proposition for attackers is straightforward:

  • Concentrated sensitive data: A single accounting firm may hold financial records for hundreds of clients
  • Tax season pressure: Tight deadlines create environments where mistakes are more likely and downtime is especially costly
  • Trust relationships: Communications from accountants carry inherent credibility with clients
  • Payment flows: Accountants often coordinate financial transactions, making them useful for redirect fraud
  • Regulatory data: Tax information, Social Security numbers, and other government-related data has lasting value for identity theft

We explored why small businesses generally face elevated risk in our article on why cybercriminals target SMBs.

Current Threats Facing Accounting Firms

Business Email Compromise

Perhaps the most financially damaging threat to accounting practices is business email compromise (BEC). These attacks exploit the trust between accountants and their clients:

  • Attackers may impersonate clients requesting wire transfers or payment changes
  • Alternatively, they may compromise an accountant's email to request payments from clients
  • "Thread hijacking"—inserting fraudulent messages into existing email conversations—has become increasingly common

We discussed email-based attacks in our piece on email security for SMBs.

Phishing and Spear Phishing

Generic phishing remains a concern, but targeted spear phishing presents particular risks:

  • Emails crafted to look like IRS communications or tax software notifications
  • Messages appearing to come from specific clients, referencing real projects
  • Fake portal login pages designed to harvest credentials

AI tools have made these attacks more convincing, enabling personalized messages at scale. We covered AI-enhanced threats in our article on AI-powered cyber threats.

Ransomware

Ransomware attacks on accounting firms carry particular weight because of timing:

  • An attack during tax season can prevent a firm from meeting filing deadlines
  • Client data may be exfiltrated and threatened with publication ("double extortion")
  • Recovery can take weeks, even with good backups

The pressure to pay—or at least to restore operations quickly—can be intense. We discussed ransomware fundamentals in our piece on understanding ransomware.

Credential Theft and Account Takeover

Accounting professionals use numerous online systems:

  • Tax preparation software
  • Client portals
  • Banking and payment platforms
  • Practice management systems

Credentials stolen from one breach may be tried against these systems. Without multi-factor authentication, a single compromised password can provide extensive access.

We covered password security in our article on what businesses get wrong about passwords.

Insider Risk and Human Error

Not all breaches come from external attackers. Common internal issues include:

  • Emails sent to wrong recipients, exposing client information
  • Documents left accessible on improperly secured systems
  • Former employees retaining access after departure
  • Staff using personal devices or unsecured networks

We explored the human dimension of security in our article on why security awareness matters.

Regulatory Considerations

Accounting firms face specific compliance obligations that intersect with cybersecurity:

FTC Safeguards Rule

In the United States, the FTC Safeguards Rule requires financial institutions—including tax preparers and many accounting firms—to maintain comprehensive information security programs. Requirements include:

  • Designated security coordinators
  • Written information security programs
  • Risk assessments
  • Access controls and authentication
  • Encryption requirements
  • Incident response planning

IRS Requirements

Tax professionals handling federal tax information must follow IRS guidelines for protecting taxpayer data, including those outlined in IRS Publication 4557.

State Breach Notification Laws

All 50 U.S. states have breach notification requirements. A security incident affecting client data may trigger legal obligations to notify affected individuals and potentially regulators.

Professional Standards

AICPA and state CPA boards have standards related to confidentiality and data protection. Security failures can carry professional consequences beyond legal exposure.

Particular Vulnerabilities in Accounting Practices

Several characteristics of accounting work create security challenges:

Seasonal Staffing

Many firms bring on temporary staff during tax season. These employees need access to sensitive systems quickly, sometimes before thorough vetting or training can occur.

Client Document Exchange

Receiving documents from clients—via email attachments, file sharing services, or physical media—creates potential entry points for malware. The volume of documents during busy periods makes careful inspection of each one impractical.

Remote and Hybrid Work

Many accounting professionals work remotely at least part of the time. Home networks and personal devices may lack the security controls of office environments.

We discussed remote work security considerations in our piece on remote work security since 2020.

Software Dependencies

Accounting firms rely heavily on third-party software for tax preparation, practice management, and other functions. A vulnerability in these tools can affect many firms simultaneously.

We explored vendor risk in our article on third-party vendor risk.

Security Considerations for Accounting Firms

While specific security measures depend on each firm's situation, areas commonly requiring attention include:

Authentication

Multi-factor authentication on all systems—especially email, tax software, and client portals—significantly reduces the risk of credential-based attacks.

Email Security

Advanced email filtering, domain authentication (SPF, DKIM, and DMARC, which together let receiving mail servers reject messages that spoof the firm's domain), and staff training on recognizing suspicious messages help address the primary attack vector.
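A check a firm or its IT provider could run against its own published DNS records, added here as an example that is not from the original article: it parses SPF and DMARC TXT records and flags the weak settings that leave a domain spoofable (SPF softfail or neutral, DMARC `p=none`, no aggregate reporting). The domains and records below are constructed placeholders, and the DNS lookup itself is left out so the check runs offline.

```python
import re

# Constructed sample TXT records for two hypothetical firm domains.
SAMPLE_TXT_RECORDS = {
    "example-cpa.test": ["v=spf1 include:_spf.mailhost.test ~all"],
    "_dmarc.example-cpa.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-cpa.test"],
    "hardened-cpa.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.hardened-cpa.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened-cpa.test"],
}


def parse_spf(txt):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+') or None."""
    if not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term.lower())
        if m:
            return m.group(1) or "+"  # bare 'all' means '+all'
    return None  # no 'all' term: unlisted senders get a neutral result


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if the record is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_domain(domain, records):
    """List weak spots in a domain's SPF/DMARC posture; empty list means none found."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (invalid, receivers treat as permanent error)")
    elif parse_spf(spf[0]) in ("+", "?", None):
        findings.append("SPF does not fail unauthorized senders")
    elif parse_spf(spf[0]) == "~":
        findings.append("SPF softfail (~all): move to -all once all senders are listed")
    dmarc = [d for d in map(parse_dmarc, records.get("_dmarc." + domain, [])) if d]
    if not dmarc:
        findings.append("no DMARC record: receivers cannot reject spoofed mail")
    else:
        if dmarc[0].get("p", "none").lower() == "none":
            findings.append("DMARC p=none: spoofed mail is only reported, not blocked")
        if "rua" not in dmarc[0]:
            findings.append("no rua address: no aggregate reports on spoofing attempts")
    return findings
```

In practice the two record lists would come from a TXT lookup of the firm's domain and its `_dmarc` subdomain.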

Backup and Recovery

Regular, tested backups stored separately from primary systems provide recovery options if ransomware strikes. Backups need protection from being encrypted along with production data.

We discussed backup considerations in our article on backup recovery assumptions.

Secure Client Communication

Moving sensitive document exchange from email attachments to secure portals reduces both interception risk and phishing opportunities.

Endpoint Protection

All devices accessing firm systems—including laptops, phones, and home computers—need appropriate security software and configuration.

Staff Training

Given that many incidents begin with human error or manipulation, ongoing security awareness training tailored to accounting-specific scenarios has value.

Questions for Your Practice

Rather than prescribing specific solutions, here are questions that can help accounting firms assess their situation:

  • What would happen to your practice if you couldn't access your systems during tax season?
  • How would you know if a client's email had been compromised and someone was impersonating them?
  • Do you have documented procedures for verifying unusual payment requests?
  • What access do former employees still have to your systems?
  • How are client documents protected after you receive them?
  • Does your firm meet the requirements of applicable regulations like the FTC Safeguards Rule?

Every firm's situation is different. What matters is understanding your specific risks and making thoughtful decisions about how to address them.

This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Accounting firms should consult with qualified cybersecurity and legal professionals to assess their specific situation and regulatory obligations.