Tax Season IT Security Checklist for Accounting Firms
Posted: April 1, 2026 to Cybersecurity.
Tax season is the most dangerous time of year for accounting firm cybersecurity. Between January and April, CPA firms handle a concentrated volume of Social Security numbers, W-2 forms, bank account details, investment records, and business financial statements that represent the most valuable data cybercriminals can steal. The IRS reported a 75% increase in phishing attacks targeting tax professionals during the 2025 filing season compared to the rest of the year. The Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (IDTTRF-ISAC) documented over 14,000 reported incidents of tax professional data theft in 2025, many of which resulted in fraudulent returns filed using stolen client information.
The consequences extend beyond client harm. Accounting firms that suffer a data breach face IRS investigation, potential loss of their Electronic Filing Identification Number (EFIN), state board disciplinary action, malpractice liability, and reputational damage that can destroy a practice built over decades. The IRS has revoked EFINs from firms that failed to maintain adequate data security, effectively ending those firms' ability to operate during the most critical period of their business year.
This guide provides a comprehensive IT security checklist for accounting firms organized around three phases: pre-season preparation, active tax season operations, and post-season procedures. It also covers the IRS and FTC regulatory requirements that every tax professional must meet, the most common scams targeting firms during filing season, and the client data protection practices that separate secure firms from vulnerable ones. Organizations that invest in professional cybersecurity services before tax season significantly reduce their exposure to these threats.
Why Tax Season Is Prime Time for Cyberattacks
Cybercriminals target accounting firms during tax season for three reasons that compound to create a uniquely dangerous threat environment. First, the data is concentrated. During the rest of the year, a CPA firm may handle financial records intermittently. Between January and April 15, every client's complete financial picture passes through the firm's systems within a compressed window. A single breach during this period can expose hundreds or thousands of clients' tax data simultaneously.
Second, the urgency of tax season creates security vulnerabilities. Staff work extended hours, temporary employees are brought on to handle volume, and the pressure to meet filing deadlines means that phishing emails and suspicious requests get less scrutiny. An accountant rushing to file 30 returns before a deadline is more likely to click a malicious link disguised as an IRS notice than the same accountant would be in July. Attackers understand this psychology and time their campaigns accordingly.
Third, the value of tax data to criminals is immediate and specific. A stolen Social Security number has limited use in isolation, but a complete tax return containing SSN, employer, income, bank routing numbers, and dependent information allows criminals to file fraudulent tax returns and redirect refunds within days. The IRS paid an estimated $5.5 billion in fraudulent refunds in 2024, much of it enabled by data stolen from tax professionals rather than individual taxpayers. Criminal organizations have industrialized this process, with specialized groups handling data theft, return preparation, and refund laundering as separate operations.
The attack surface has expanded as accounting firms adopt cloud-based tax preparation software, client portals, remote work arrangements, and digital document collection tools. Each of these technologies improves efficiency but introduces new entry points that must be secured. A firm using five different cloud platforms for tax preparation, document storage, client communication, payroll, and practice management has five sets of credentials, five vendor security postures, and five potential breach vectors to manage.
IRS Requirements: Publication 4557, WISP, and the FTC Safeguards Rule
Accounting firm cybersecurity is not optional. Federal regulations require specific security measures, and the IRS actively enforces compliance through EFIN revocation, civil penalties, and referrals to state licensing boards. Understanding these requirements is the foundation for any tax season security program.
IRS Publication 4557: Safeguarding Taxpayer Data
IRS Publication 4557, "Safeguarding Taxpayer Data: A Guide for Your Business," provides the IRS's official guidance on the security measures tax professionals must implement. While Publication 4557 is framed as a guide, the IRS treats its recommendations as minimum expectations during compliance reviews. The publication covers physical security for offices and equipment, data security for electronic records, employee management including background checks and access controls, computer system security including firewalls, encryption, and authentication, and data disposal requirements for both electronic and paper records.
Publication 4557 explicitly references the FTC Safeguards Rule and states that all tax professionals are "financial institutions" subject to its requirements. This classification surprises many small practices that do not think of themselves as financial institutions, but the legal reality is clear: if you prepare tax returns for compensation, you are subject to the same data security regulations as banks and mortgage brokers.
Written Information Security Plan (WISP)
The IRS requires every tax professional to maintain a Written Information Security Plan. The WISP must be a formal, documented plan that describes how the firm protects client data, not a general policy statement or a checklist kept in a drawer. The WISP must include designation of an employee to coordinate the security program, identification of risks to client information across all areas of the firm's operations, assessment of current safeguards and their effectiveness, design and implementation of a safeguards program addressing identified risks, selection of appropriate service providers and requiring them to maintain safeguards, and regular evaluation and adjustment of the plan based on testing, monitoring, and changes in operations.
The IRS collaborated with the Security Summit partnership to create a WISP template specifically for tax professionals, available on IRS.gov. Firms that do not have a WISP or whose WISP is outdated face EFIN revocation, fines, and state-level disciplinary action. The IRS has increased enforcement of WISP requirements significantly since 2023, and firms should expect that any IRS compliance review will include a request for the current WISP.
FTC Safeguards Rule
The Federal Trade Commission's Safeguards Rule, updated in June 2023 with requirements phased in through 2024, applies to all "financial institutions" under FTC jurisdiction, which explicitly includes tax preparation firms. The updated Safeguards Rule is substantially more prescriptive than its predecessor. It requires a qualified individual responsible for the information security program, a written risk assessment identifying reasonably foreseeable risks, access controls limiting who can access client information, encryption of client information both at rest and in transit, multi-factor authentication for anyone accessing client information, regular testing through penetration testing or continuous monitoring, an incident response plan, and annual reporting to the firm's governing body or owner.
For accounting firms, the practical impact is significant. The encryption requirement means client tax documents cannot be stored unencrypted on laptops, USB drives, or local servers. The MFA requirement applies to tax preparation software, email, client portals, and any system containing client information. The incident response plan must be documented and tested, not created after a breach occurs. Firms that work with managed IT service providers can satisfy many of these requirements through professionally configured and monitored systems.
Pre-Season IT Security Checklist: 10 Essential Steps
Every accounting firm should complete these ten items before the first client document arrives for the upcoming tax season. Starting this checklist in November or December gives sufficient time to address issues without the pressure of active filing deadlines.
1. Update All Software and Operating Systems
Apply all pending security patches to operating systems, tax preparation software, office productivity suites, PDF readers, web browsers, and firmware on routers and firewalls. Unpatched software is the entry point for a significant percentage of accounting firm breaches. The IRS specifically calls out outdated software as a common finding in firms that experience data theft. Configure automatic updates where possible and verify that updates have been applied across every workstation and server, including machines used by remote staff. Do not skip tax preparation software updates. Vendors release security patches throughout the year, and running outdated versions can expose client data through known vulnerabilities.
2. Review and Restrict User Access
Audit every user account with access to tax preparation software, client document storage, email, and network resources. Remove or disable accounts for employees who have left the firm. Verify that each current employee's access level matches their role. Apply the principle of least privilege: staff who only prepare individual returns should not have access to business client files, payroll databases, or firm financial records. Review and update password policies to require minimum 14-character passwords, prohibit reuse of previous passwords, and mandate password manager usage for staff managing multiple client accounts.
3. Enable Multi-Factor Authentication Everywhere
MFA must be active on every system that accesses client data. This includes tax preparation software (Drake, Lacerte, ProConnect, UltraTax), email accounts (Office 365, Google Workspace), cloud storage (SharePoint, Dropbox, Google Drive), remote access tools (VPN, remote desktop), client portals, and firm accounting software. MFA is not optional under the FTC Safeguards Rule. SMS-based MFA provides a baseline, but authenticator apps (Microsoft Authenticator, Google Authenticator) or hardware security keys (YubiKey) are significantly more resistant to phishing attacks. Firms that experienced breaches despite having MFA almost always had SMS-based MFA that was defeated through SIM-swapping attacks.
4. Test Backup and Recovery Systems
Verify that backups are running, that they include all systems containing client data, and that restoration actually works. Too many firms discover their backups are incomplete or corrupted only after a ransomware attack destroys production data. Test a full restoration of your tax preparation software database, client document folders, and email archives to a separate system. Confirm that the restored data is complete and functional. Document the recovery time. If full restoration takes longer than 24 hours, consider whether your backup infrastructure is adequate for a firm that cannot afford multi-day downtime during filing season. The 3-2-1 backup rule remains the standard: three copies of data, on two different media types, with one copy stored offsite or in the cloud.
5. Review Temporary and Seasonal Staff Policies
Many accounting firms hire temporary staff to handle tax season volume. These employees need access to client data to do their jobs, but they present elevated risk. They may be less familiar with security policies, less invested in the firm's reputation, and more likely to take shortcuts under pressure. Before temporary staff arrive, prepare limited-access user accounts that restrict access to only the data and systems required for their role. Require background checks for anyone who will access client tax information. Schedule security orientation during onboarding, before they touch any system. Ensure all temporary staff sign confidentiality agreements that specifically address electronic data. Plan for immediate account deactivation on the last day of their engagement.
6. Conduct Phishing Awareness Training
Run a phishing simulation and training session for all staff, including partners. Tax season phishing campaigns are sophisticated and specifically target accounting professionals. Common lures include fake IRS notices about e-file rejections, spoofed emails from tax software vendors about urgent updates, fraudulent client emails with malicious attachments disguised as W-2s or 1099s, and fake bank notifications about direct deposit changes. Training should cover how to identify phishing emails, the firm's procedure for reporting suspicious messages, and real examples of tax-season phishing attempts. The Petronella free phishing security test provides a quick assessment of your firm's vulnerability to email-based attacks. Firms that conduct regular security awareness training reduce successful phishing clicks by 60-80% compared to untrained organizations.
7. Verify Encryption on All Devices and Communications
Confirm that full-disk encryption is enabled on every workstation, laptop, and mobile device that accesses client data. Windows devices should use BitLocker; Mac devices should use FileVault. Verify that encryption is active, not just installed. Check that email encryption is configured for messages containing client information. Confirm that your client portal uses TLS 1.2 or higher. Verify that your tax preparation software encrypts data both at rest and in transit. For firms with staff working from home, verify that home Wi-Fi networks use WPA3 encryption and that client work is conducted through VPN connections rather than direct internet access.
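One way to check items 1 and 7 on a Windows workstation is the script below. It is an added example, not code from the original post or from Petronella Technology Group; it assumes a Windows 10/11 machine, an elevated PowerShell 5.1 or later session, and the built-in BitLocker module, and the 45-day "stale hotfix" threshold and the file name are this example's own choices.

```powershell
# Added example (not from the original post): pre-season workstation check for
# checklist item 1 (pending security updates) and item 7 (full-disk encryption
# active, legacy TLS disabled). Assumes Windows 10/11, an elevated PowerShell
# 5.1+ session and the built-in BitLocker module.
# Hypothetical file name: Test-PreSeasonWorkstation.ps1
#Requires -RunAsAdministrator

$findings = New-Object System.Collections.Generic.List[string]

# --- Item 7: BitLocker must be ON for every fixed and removable volume, not merely
# installed. ProtectionStatus is Off when protectors are suspended (for example
# after a firmware update), so check it as well as VolumeStatus.
foreach ($v in Get-BitLockerVolume) {
    if ($v.VolumeType -eq 'Unknown') { continue }
    if ($v.VolumeStatus -ne 'FullyEncrypted' -or $v.ProtectionStatus -ne 'On') {
        $findings.Add(("BitLocker {0}: status={1} protection={2} ({3}% encrypted)" -f
            $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus, $v.EncryptionPercentage))
    }
}

# --- Item 7: TLS 1.2 or higher. On Windows the Schannel registry decides which
# protocol versions the OS negotiates as a client; Enabled = 0 under a legacy
# protocol key disables it explicitly. A missing key means the OS default applies,
# which this check reports rather than assumes.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = Join-Path $schannel "$proto\Client"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled) {
        $findings.Add("Schannel: $proto client not explicitly disabled (no registry value; OS default applies)")
    } elseif ($enabled -ne 0) {
        $findings.Add("Schannel: $proto client is enabled")
    }
}

# --- Item 1: security updates still pending. The Windows Update Agent COM API
# reflects whichever update source (Windows Update, WSUS, Intune) the machine uses.
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
    foreach ($u in $pending) {
        $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        $findings.Add("Update pending [$sev]: $($u.Title)")
    }
} catch {
    $findings.Add("Update check failed: $($_.Exception.Message)")
}

# --- Item 1: a machine whose newest hotfix is older than 45 days (threshold chosen
# for this example) is probably not receiving updates at all.
$lastHotfix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastHotfix -and $lastHotfix.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings.Add("Last hotfix $($lastHotfix.HotFixID) installed $($lastHotfix.InstalledOn.ToShortDateString())")
}

# --- Report. A non-zero exit code lets an RMM or deployment tool flag the machine.
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): PASS - encryption active, legacy TLS disabled, no pending updates"
    exit 0
}
Write-Output "$($env:COMPUTERNAME): $($findings.Count) finding(s)"
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Run it on every workstation, including remote staff machines, and treat any finding as a blocker before the first client document arrives; Mac devices need the equivalent FileVault check separately.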
8. Test Your Incident Response Plan
Review your incident response plan and conduct a tabletop exercise with key staff. Walk through a realistic scenario: a staff member clicks a phishing link that compromises their email credentials, and the attacker begins downloading client W-2 forms. Who is responsible for what? How quickly can affected systems be isolated? Who contacts the IRS? Who notifies clients? What is the firm's communication plan? If your firm does not have a documented incident response plan, creating one is a regulatory requirement under the FTC Safeguards Rule. The plan should include contact information for your IT provider, insurance carrier, legal counsel, and law enforcement. During tax season, the window between initial compromise and significant data theft can be measured in hours, not days.
9. Review Client Portal Security
Evaluate the security configuration of any client-facing portal used for document uploads, tax return delivery, and client communication. Verify that the portal requires client authentication before access, that file upload functionality scans for malware, that access logs are enabled and monitored, that document retention policies automatically remove files after a defined period, and that the portal vendor's SOC 2 report is current. Client portals are a double-edged sword: they eliminate the security risk of email attachments but introduce a new system that must be properly configured and maintained. A misconfigured portal can expose client data more broadly than email ever would.
10. Review Cyber Insurance Coverage
Contact your insurance broker before tax season to verify that your cyber insurance policy is current, that coverage limits are appropriate for the volume of client data you handle, and that you meet all policy conditions. Many cyber insurance policies require specific controls such as MFA, endpoint protection, and employee training as conditions of coverage. If you have implemented new systems or changed your technology environment since the last renewal, notify your carrier to ensure those changes do not create coverage gaps. Cyber insurance does not prevent breaches, but it provides the financial resources to respond effectively, including forensic investigation, client notification, credit monitoring, and legal defense.
During Tax Season: Ongoing Security Practices
The pre-season checklist establishes the foundation. Maintaining security during the active filing period requires daily vigilance across four critical areas.
Monitor for Phishing and Social Engineering
Phishing volume targeting accounting firms peaks between February and April. Designate a staff member or your IT provider as the point of contact for reporting suspicious emails. Establish a simple forwarding rule: any email that seems unusual gets forwarded to a dedicated review address before any links are clicked or attachments opened. Brief staff weekly on current phishing campaigns. The IRS publishes alerts about active scams through its Tax Tip series, and the AICPA distributes threat intelligence relevant to accounting firms. During peak season, even a single compromised email account can result in thousands of client records being exfiltrated within hours.
Enforce Clean Desk and Screen Policies
Tax documents left on desks, visible on screens, or accessible in unlocked offices create physical security risks that no amount of digital security can mitigate. Require all paper documents to be locked in cabinets when not actively in use. Configure workstation screen locks to activate after two minutes of inactivity. Ensure that client information is not visible to other clients in waiting areas. For firms with open office layouts, position monitors so they face away from high-traffic areas. Shred paper documents immediately after scanning rather than accumulating them in recycling bins. Physical security failures are among the most common findings in IRS compliance reviews of accounting firms.
Secure Remote Access
Remote work during tax season is standard practice for many firms, but it introduces risks that must be actively managed. All remote access to firm systems should route through a VPN or zero-trust network access solution. Remote workers should not store client data on personal devices. Confirm that home Wi-Fi networks used for tax preparation work are secured with current encryption standards and not shared with IoT devices that could serve as entry points. Prohibit the use of public Wi-Fi for any activity involving client data, including checking firm email. Remote desktop connections should use MFA at the gateway level, and idle sessions should disconnect automatically after a defined timeout.
Secure Client Document Uploads
Tax season generates a massive volume of incoming documents from clients: W-2s, 1099s, mortgage interest statements, investment summaries, and identification documents. Every incoming file is a potential malware delivery mechanism. Configure your client portal and email systems to scan all uploaded files for malware before they reach your network. Instruct clients to use the firm's secure portal rather than email for document submission. If clients insist on emailing documents, ensure those emails are processed through advanced threat protection that detonates attachments in a sandbox before delivery. Never open client-submitted files on a machine connected to your tax preparation system without scanning them first.
Petronella Technology Group provides IT security and compliance services for accounting firms, including WISP development, FTC Safeguards Rule compliance, phishing training, and 24/7 network monitoring. Schedule a pre-season security assessment or call 919-348-4912.
Post-Season Security Procedures
When the filing deadline passes, the security work is not finished. Post-season procedures are critical for reducing year-round risk and preparing for the next cycle. Many firms neglect these steps because post-deadline fatigue is real, but the data accumulated during tax season remains on your systems long after April 15.
Revoke Temporary Staff Access Immediately
On the last day of each temporary employee's engagement, disable their user accounts across all systems: email, tax preparation software, VPN, client portal, and any cloud services. Do not wait until the end of the week. Do not simply change their passwords. Disable the accounts entirely and verify that no shared accounts were used that retain their access. Recover any firm-owned devices, remove any personal devices from the firm's mobile device management system, and confirm that no client data was transferred to personal storage during the engagement. Former temporary employees with active credentials represent one of the most preventable and most common causes of post-season data breaches at accounting firms.
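The account lifecycle described in item 2, item 5 and this section can be enforced in Active Directory with the script below. It is an added example, not code from the original post or from Petronella Technology Group; it assumes the RSAT ActiveDirectory module, an account permitted to modify users, and a hypothetical "Seasonal-Staff" security group that every temporary account joins at onboarding. Email, tax software, VPN and portal accounts still need their own sweep.

```powershell
# Added example (not from the original post): seasonal-staff account lifecycle in
# Active Directory for checklist items 2 and 5 and post-season revocation.
# Assumes the RSAT ActiveDirectory module and a hypothetical "Seasonal-Staff" group.
# Hypothetical file name: Invoke-SeasonalAccessSweep.ps1
#Requires -Modules ActiveDirectory
param(
    [string]$SeasonalGroup = 'Seasonal-Staff',
    [int]$StaleDays = 30,
    [switch]$Enforce    # without -Enforce the sweep only reports (Disable runs with -WhatIf)
)
Import-Module ActiveDirectory

# Onboarding helper (item 5): pin the account to its last day so it disables
# itself even if nobody remembers. Call it when the account is created, e.g.
#   Set-SeasonalAccountExpiration -SamAccountName jdoe -LastDay '2026-04-17'
function Set-SeasonalAccountExpiration {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$LastDay
    )
    # AD treats the expiration date as the first moment the account is invalid,
    # so pass midnight after the last working day.
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $LastDay.Date.AddDays(1)
    Add-ADGroupMember -Identity $SeasonalGroup -Members $SamAccountName
}

# Post-season sweep (item 2 and revocation): every still-enabled member of the
# seasonal group is a finding, as is any enabled user with no logon in $StaleDays.
function Get-AccessFindings {
    $findings = @()
    $seasonal = Get-ADGroupMember -Identity $SeasonalGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, AccountExpirationDate
    foreach ($u in $seasonal) {
        if ($u.Enabled) {
            $findings += [pscustomobject]@{
                User      = $u.SamAccountName
                Reason    = 'Seasonal account still enabled'
                LastLogon = $u.LastLogonDate
                Expires   = $u.AccountExpirationDate
            }
        }
    }
    # -AccountInactive relies on lastLogonTimestamp, which replicates with up to
    # 14 days of lag, so StaleDays values below about 14 are not meaningful.
    $inactive = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($StaleDays)) -UsersOnly |
        Where-Object Enabled
    foreach ($u in $inactive) {
        $findings += [pscustomobject]@{
            User      = $u.SamAccountName
            Reason    = "No logon in $StaleDays days"
            LastLogon = $u.LastLogonDate
            Expires   = $u.AccountExpirationDate
        }
    }
    $findings | Sort-Object User, Reason
}

# Seasonal accounts still enabled are disabled outright (not just given a new
# password, as the checklist says). Stale accounts of permanent staff are only
# reported, since an absent partner is a different risk from a departed temp.
$findings = Get-AccessFindings
$findings | Format-Table User, Reason, LastLogon, Expires -AutoSize
foreach ($f in ($findings | Where-Object Reason -like 'Seasonal*')) {
    Disable-ADAccount -Identity $f.User -WhatIf:(-not $Enforce)
    if ($Enforce) {
        Set-ADUser -Identity $f.User -Description "Disabled post-season $(Get-Date -Format yyyy-MM-dd)"
    }
}
```

Run it without -Enforce first and keep the printed report; it doubles as evidence of the access review for the WISP change log.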
Archive Client Data Securely
Move completed tax year data to encrypted archive storage with restricted access controls. Active tax preparation systems should not retain previous-year client data beyond what is needed for current-year preparation. Archived data should be encrypted at rest using AES-256, stored in a location with access limited to authorized personnel, backed up to a separate secure location, and subject to your firm's retention policy, which should specify how long different data types are retained and when they are securely destroyed. The IRS recommends that tax professionals retain copies of client returns and supporting documents for a minimum of three years, but individual state requirements and professional standards may require longer retention. Whatever the retention period, the data must remain encrypted and access-controlled throughout.
Conduct a Post-Season Security Review
Schedule a security review within 30 days of the filing deadline. This review should assess what security incidents or near-misses occurred during tax season, whether any policy violations were identified, whether phishing attempts were reported and handled effectively, whether any systems or applications presented security concerns, and what changes to staffing, technology, or client volume will affect the next tax season. Document the findings and use them to update your WISP and security procedures for the next cycle. This review is not just good practice; it satisfies the FTC Safeguards Rule requirement for regular evaluation and adjustment of your security program.
Update Your WISP
The Written Information Security Plan is a living document that must reflect your firm's current operations, technology environment, and risk profile. After each tax season, update the WISP to reflect any changes in technology systems or vendors, lessons learned from incidents or near-misses, new regulatory guidance from the IRS or FTC, changes in staffing or office locations, and results of the post-season security review. An outdated WISP is nearly as problematic as no WISP at all. IRS compliance reviewers look for evidence that the plan is actively maintained, not simply created once and filed away. Date all revisions and maintain a change log showing when and why the plan was updated.
Common Tax Season Scams Targeting Accounting Firms
Understanding the specific scams that target accounting firms during tax season helps staff recognize threats before they cause damage. These are not hypothetical scenarios; each is documented in IRS alerts and FBI reports from recent filing seasons.
IRS Impersonation Phishing
Attackers send emails that appear to originate from the IRS, claiming that the firm's e-file application has been suspended, that a specific return has been rejected, or that the firm is under audit. The emails contain links to convincing fake IRS portals that harvest the firm's e-Services credentials. With those credentials, criminals can access the firm's e-file history, client data submitted through IRS systems, and the firm's EFIN. The IRS has repeatedly stated that it does not initiate contact with tax professionals via email to request login credentials. Any email claiming to be from the IRS that includes a link to log in should be treated as fraudulent without exception.
W-2 Theft via Business Email Compromise
This scam targets the relationship between accounting firms and their business clients. An attacker compromises the email account of a business client's HR director or controller, then sends an email to the accounting firm requesting copies of all employee W-2 forms, often with a plausible pretext like a year-end reconciliation. The firm, believing the request is legitimate because it comes from the client's actual email account, sends W-2 data for the entire company. The attacker then uses the Social Security numbers and income data to file hundreds of fraudulent returns. Verification procedures must require out-of-band confirmation (phone call to a known number) for any bulk request for employee tax data, regardless of the apparent source.
Fake Client Documents Containing Malware
Attackers send emails posing as prospective clients seeking tax preparation services. The emails include attachments purporting to be prior-year returns, W-2s, or other tax documents. The attachments contain malware that, when opened, installs a remote access trojan (RAT) that gives the attacker full access to the preparer's workstation and, through it, access to the firm's tax preparation software and client database. These attacks are particularly effective during the early weeks of tax season when firms are actively soliciting new clients and expecting document submissions from unfamiliar individuals. All client-submitted documents should be opened in a sandboxed environment or scanned by advanced threat protection before being processed on production systems.
Ransomware Timed to Filing Deadlines
Ransomware operators deliberately time attacks on accounting firms to coincide with critical filing deadlines, maximizing the pressure to pay. An attack that encrypts a firm's tax preparation database two weeks before April 15 creates an agonizing choice: pay the ransom and hope for decryption, or miss filing deadlines for hundreds of clients while rebuilding from backups. Criminal groups track filing deadlines and specifically target accounting firms during the weeks when downtime is most costly. The defense is a combination of prevention (patched systems, trained staff, endpoint protection) and resilience (tested backups that can restore operations within hours, not days). Firms that rely solely on prevention eventually face a successful attack. Firms that combine prevention with proven recovery capability survive it.
Client Data Protection: Secure Practices for Accounting Firms
Protecting client data is both a regulatory obligation and a competitive advantage. Clients increasingly evaluate their tax professional's security practices before sharing sensitive financial information. Firms that can demonstrate strong data protection win and retain clients that weaker firms lose.
Secure Portals Versus Email
Email is the most common method clients use to send tax documents to their accountants, and it is the least secure. Standard email transmits in plain text across multiple servers, any of which could be compromised. A single email containing a W-2 and a bank statement provides everything a criminal needs to file a fraudulent return and redirect the refund. Secure client portals eliminate this risk by encrypting documents in transit and at rest, requiring authentication before access, providing an audit trail of every upload and download, and allowing the firm to control document retention and deletion. The cost of a professional client portal ranges from $50 to $300 per month for most accounting firms, a fraction of the cost of a single breach. Firms should adopt a policy that no client tax documents are accepted via unencrypted email and should provide clients with clear, simple instructions for using the portal.
Encryption Standards for Client Data
All client data, whether stored on firm servers, in cloud applications, or on mobile devices, must be encrypted both at rest and in transit. The FTC Safeguards Rule mandates this requirement, and the IRS treats it as a minimum expectation. At rest, use AES-256 encryption for all storage volumes containing client data, including database files for tax preparation software, local and cloud file storage, backup media and archive storage, and email archives and attachments. In transit, verify that TLS 1.2 or higher is used for all connections to cloud services, client portals, email servers, and remote access systems. For email, configure opportunistic TLS at minimum and require TLS for messages sent to or received from known client domains.
Data Retention and Destruction Policies
Retaining client data longer than necessary increases risk without providing value. Establish a clear data retention policy that specifies retention periods aligned with IRS requirements (minimum three years for tax returns), state professional standards (which may require seven years or longer), and the firm's malpractice insurance requirements. When the retention period expires, destroy data securely. Electronic data must be wiped using methods that prevent recovery, not simply deleted. Paper documents must be cross-cut shredded. Backup media containing expired data must be destroyed or securely overwritten. Document the destruction process, including what was destroyed, when, by whom, and the method used. This documentation demonstrates compliance with both IRS and FTC requirements.
Building a Year-Round Security Culture
Tax season security cannot be treated as a seasonal effort. The firms that are most prepared in January are those that maintain security practices throughout the year. This means quarterly phishing simulations and training refreshers, monthly review of access logs and user accounts, prompt application of security patches year-round rather than scrambling in December, regular testing of backup and recovery procedures, annual WISP review and update, and ongoing monitoring for indicators of compromise through managed security services.
A firm that practices security only during tax season is like a firm that practices fire safety only during fire season. The risks exist year-round, and the habits that protect during peak season must be maintained during the off-season to remain effective.
The regulatory landscape for accounting firm cybersecurity will continue to tighten. The IRS has signaled its intent to increase enforcement of WISP requirements and expand the scope of Publication 4557 guidance. The FTC continues to bring enforcement actions against financial institutions, including tax preparers, that fail to meet Safeguards Rule requirements. State boards of accountancy are adding cybersecurity competence to their continuing education requirements. Firms that build comprehensive security programs now will absorb these changes with minimal disruption. Those that wait will face the compounding costs of remediation under regulatory pressure.
Petronella Technology Group works with accounting firms and CPA practices to build IRS-compliant security programs, develop Written Information Security Plans, and implement the technical controls required by the FTC Safeguards Rule. Request a security assessment or call 919-348-4912 to discuss your firm's needs.
Accounting firm cybersecurity during tax season is not a technology problem that can be solved with a single product or tool. It is an operational discipline that requires policy, training, technology, and vigilance working together across the entire firm. The IRS, FTC, and state licensing boards are making this discipline mandatory through regulation and enforcement. The criminals targeting your firm are growing more sophisticated every year, timing their attacks to the moments when your defenses are most likely to fail.
The checklist in this guide provides a structured approach to securing your firm's operations before, during, and after tax season. Each item addresses a specific regulatory requirement, a documented threat, or both. Completing every item on this checklist does not promise that your firm will never be attacked. It does promise that your firm will be significantly harder to breach, faster to detect and respond to incidents, and fully positioned to demonstrate compliance when the IRS or FTC asks for evidence of your security program.
Contact Petronella Technology Group to discuss how your accounting firm can build a security program that protects client data, satisfies IRS and FTC requirements, and supports your practice through every tax season. Call 919-348-4912 to start the conversation.