
Tax Season Phishing: Why CPAs and Their Clients Get Hit Every April

Tax season is high season for email fraud against CPAs and their clients. Here is how the attacks work and the realistic defenses for small firms.

Tax season is the busiest and highest-risk season of the year for small accounting firms and their clients. The combination of large wire flows, time pressure, and concentrated personal financial data makes April a structural target for email fraud. This post is the realistic guide for CPAs and small accounting firms heading into the season.

Why Tax Season Is Different

Three structural reasons explain why fraud volume spikes in March and April.

Wire and refund traffic peaks. Estimated quarterly tax payments, full-year reconciliations, refund deposits, and adjusted-return refunds all concentrate in this window. The dollar volume is large. The pressure to move money quickly is high. The verification window for any individual transaction is narrow.

The IRS communicates by mail and email throughout the season. Real notices about refunds, audits, or filings arrive by both channels. Attackers mimic the IRS’s actual communication patterns, which makes the fake notice less obviously fake. “IRS Notice CP2000” is a real category of correspondence; attackers know the format.

CPA firms hold concentrated personal data. A small firm with 200 client returns has 200 households’ worth of Social Security numbers, bank accounts, employer information, and dependents. A successful credential-phishing attack against the firm’s email or tax-prep software unlocks that data. The attacker can then file fraudulent returns claiming refunds, sometimes hundreds of them, sometimes within a single weekend before the firm notices.

The combination produces a target-rich environment for both opportunistic and sophisticated attacks.

The Four Dominant Attack Patterns

Pattern one: client impersonation for refund or payment redirection. A CPA receives an email purporting to be from a client, asking to update bank information for an upcoming refund deposit or to redirect a tax-payment instruction. The email arrives during the busiest stretch of the season. The CPA processes the change without verifying. The refund or payment goes to the attacker’s account.

The defense is procedural. Any banking change request from a client should be verified by phone using a number the CPA has in their CRM or contact list, not a number from the email. The verification adds five minutes per change and prevents most successful attacks of this type.

Pattern two: CEO impersonation requesting W-2 forms. Less common at small firms but devastating when it happens. The HR or admin function receives an email purportedly from the firm’s owner asking for employees’ W-2 forms (sometimes all of them) to be sent by reply email. The recipient complies. The W-2 forms are then used for tax-refund fraud against the employees.

This pattern is well-documented. The IRS issued public warnings about it in 2016 and 2017, and it has continued every year since. The defense is procedural: any request for sensitive HR data is verified by phone, and ideally the firm has a policy that W-2 forms are never sent by reply email under any circumstance.

Pattern three: credential phishing against the firm’s email or tax-prep software. A CPA at the firm receives a phishing email mimicking Microsoft 365 login, Google Workspace login, or the login page of the firm’s tax-prep software (Lacerte, Drake, ProConnect, ATX, UltraTax). The email cites a routine reason for needing to log in. The CPA enters credentials. The attacker now has access.

What follows depends on what the attacker captured. Email-only access lets them read the firm’s correspondence and pivot to other targets. Tax-prep software access lets them download client returns and file fraudulent ones. SSO compromise gives both.

The defense is technical. Hardware-key MFA on the primary email and tax-prep accounts is the highest-impact single control. App-based MFA on all secondary accounts. Password-only access in 2026 is no longer reasonable for a CPA firm. We covered the broader frame in our post on what BEC is.

Pattern four: vendor impersonation against the firm’s AP function. During tax season, the firm’s office manager or AP function is processing routine vendor invoices (e-filing software, professional liability insurance, IRS authorization forms, contractor payments) under deadline pressure. A fraudulent vendor-update email arrives during this window and is processed quickly. The wire goes to the attacker.

The defense is procedural and identical to the year-round vendor fraud defense. Any vendor wire change is verified by phone to a number the AP function already has on file. We covered this in detail in our post on vendor impersonation, the quiet phishing vector nobody talks about.
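The procedural defense for patterns one, two and four comes down to one rule: when a message asks to change banking details or to send W-2 / 1099 data, the phone number used to verify it comes from the firm’s own contact list, never from the email. The triage helper below is an added example, not Rythm’s code or anything from the original post; the contact list, sample emails and the 0.85 lookalike threshold are constructed assumptions.

```python
"""Triage helper for tax-season email requests (added example, not Rythm code).

Flags messages that ask to change banking details or send W-2/1099 data and
checks the sender domain against the firm's own contact list so that any
verification call uses the number on file, never one in the message.
The contact records, sample emails and threshold below are constructed.
"""
import re
from difflib import SequenceMatcher

# Constructed CRM contact list: domain -> (name, phone number on file).
CONTACTS = {
    "acmeplumbing.com": ("Acme Plumbing", "+1-555-010-0001"),
    "drakesoftware.com": ("Drake Software", "+1-555-010-0002"),
}

# Wording that should trigger out-of-band verification before anyone acts.
SENSITIVE = re.compile(
    r"\b(wire|routing|account number|bank(ing)? (change|update|details)|"
    r"w-?2|1099|refund deposit)\b", re.IGNORECASE)

LOOKALIKE_THRESHOLD = 0.85   # assumed cut-off for "near-miss of a known domain"

def sender_domain(from_addr: str) -> str:
    return from_addr.rsplit("@", 1)[-1].lower().strip(">")

def closest_known_domain(domain: str):
    """Return (known_domain, similarity ratio) for the nearest contact-list domain."""
    best = max(CONTACTS, key=lambda d: SequenceMatcher(None, d, domain).ratio())
    return best, SequenceMatcher(None, best, domain).ratio()

def triage(from_addr: str, subject: str, body: str) -> dict:
    domain = sender_domain(from_addr)
    sensitive = bool(SENSITIVE.search(subject + " " + body))
    lookalike = None
    if domain not in CONTACTS:
        known, score = closest_known_domain(domain)
        if score >= LOOKALIKE_THRESHOLD:
            lookalike = known          # e.g. "drakesoftvvare.com" vs "drakesoftware.com"
    if not sensitive:
        action = "routine"
    elif domain in CONTACTS or lookalike:
        action = "verify_by_phone"     # call the real contact on file, not the sender
    else:
        action = "hold_no_contact_on_file"
    # The number comes from the CRM record for the party the email claims to be.
    phone = CONTACTS[lookalike or domain][1] if action == "verify_by_phone" else None
    return {"domain": domain, "sensitive_request": sensitive,
            "lookalike_of": lookalike, "action": action, "phone_on_file": phone}
```

A "hold_no_contact_on_file" result means the request names a party the firm has no record of, so there is no trusted number to call and the change should not be processed from the email alone.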

What IRS Publication 4557 Actually Requires

Tax preparers are subject to the FTC Safeguards Rule under the Gramm-Leach-Bliley Act, which requires a written information security plan. IRS Publication 4557 (“Safeguarding Taxpayer Data”) provides operational guidance most small firms follow.

The realistic interpretation for a small firm:

Written information security plan. A document describing the firm’s security posture, the controls in place, and the assigned responsibility for them. Templates are available; the document does not need to be long, but it does need to exist and be periodically updated.

Risk assessment. A documented assessment of the firm’s specific risks (the kind of phishing patterns described above, the size and value of client data held, the platforms the firm uses) and the mitigations in place.

Encryption of taxpayer data in transmission and at rest. Tax-prep software handles encryption at rest in most cases. Encryption in transmission means encrypted email when sending tax data, or use of a secure-portal system. Direct unencrypted email of returns, W-2 forms, or 1099s is not reasonable.

Access controls and authentication. MFA is increasingly framed as required, not just recommended. The IRS has tightened guidance on this in recent years, and the FTC’s expectations are similar.

Incident response and breach notification. A plan for what happens if data is exposed, who is notified, and what timelines apply. State breach-notification laws apply on top of any federal requirements.

Training. Periodic security awareness training for all firm personnel. Annual is the minimum; more frequent is better for a small firm.

The Publication 4557 document itself is operational guidance, not a regulation; the underlying regulation is the FTC Safeguards Rule. The operational guidance is the most practical reference.

What the Realistic Defense Looks Like

For a small CPA firm, the realistic 2026 defense stack:

HIPAA-eligible / GLB-compliant email provider. Google Workspace Business or Microsoft 365 Business with an appropriate plan. Both providers handle the underlying encryption and have signed BAAs available for healthcare-adjacent data, but the GLB-relevant question is operational practice, not provider tier.

Hardware-key MFA on partner-tier accounts. YubiKey or similar on the partners’ and senior staff’s primary email and tax-prep accounts. App-based MFA on all secondary accounts.

Out-of-band verification protocols. Documented and enforced for client banking changes, vendor wire changes, and W-2 / 1099 requests. The verification is a phone call to a number the firm already has on file.

Structural inbox filtering. A filter that reduces the volume of unsolicited mail reaching the inbox is high-impact for small firms. Less noise means more attention for the messages that matter, including the suspicious ones. We covered the broader concept in our post on what an email paywall is.

Annual training, plus pre-tax-season refresher. A short refresher in January or February on the season-specific patterns above is high-value. Generic annual training in November is necessary but not sufficient.

Cyber insurance with social-engineering coverage. A policy that covers wire fraud, credential phishing, and the recovery costs of a breach. Verify the sub-limit, the protocol-compliance requirements, and the breach-response service.

Tax-prep software MFA. This is sometimes overlooked. Lacerte, Drake, ProConnect, ATX, and UltraTax all support MFA in 2026. If your firm has not enabled it, do so before season starts.

What Rythm Does and Does Not Do for a CPA Firm

Rythm sits at the inbox layer on top of Gmail or Outlook. What it does for a CPA firm during tax season:

Reduces the volume of cold outreach during the busiest season. Software vendors, conference invitations, “tax-software upgrades,” and various adjacent solicitation patterns spike in early Q1. Rythm collapses the mass version of this volume by asking unknown senders for a small cover charge.

Reduces lookalike-domain mass attacks. The mass-volume version of “we are your tax software vendor and you need to update payment” attacks becomes uneconomical when each recipient costs four cents. A targeted attacker who pays anyway leaves a payment trail and the email arrives marked PAID. The legitimate tax-software vendor would already be on the firm’s guest list, so a paid email impersonating that vendor is itself a visible red flag.

Does not replace MFA, encryption, or out-of-band verification. A targeted credential-phishing attack against a specific CPA does not depend on volume; it depends on the specific message reaching the specific target. Rythm does not stop that. MFA and verification protocols do.

Does not replace the GLB / Publication 4557 compliance program. Rythm reduces inbox volume; it does not make a firm compliant. The written information security plan, the risk assessment, the encryption practice, and the training program are still required.

For small CPA firms, Rythm is one structural control among several. The combined defense is meaningful. No single layer is sufficient.

A Specific Honest Note

Tax season is when CPA firms get hit. Most of the controls that matter (MFA, verification protocols, training, cyber insurance) are work that happens before season starts. The work cannot be done in March; it has to be done in December.

We have a vertical-specific post on CPA firm email security with the broader frame. For the operational playbook, see the business email compromise survival guide for small businesses. For the structural inbox filter that complements the procedural defenses, see Rythm at $1.65 per month, cancel anytime.
