Tax Season 2025 – Why CPAs Should Be Vigilant About Cyberattacks

As tax season 2025 approaches, the bustling months ahead bring not just opportunities for CPAs but also heightened vulnerabilities to cyber threats. In today’s digital age, where sensitive financial data is exchanged across networks, the stakes are higher than ever.

Cybercriminals are constantly evolving their tactics, and CPAs must remain vigilant to protect both their firms and their clients. To shed light on this critical issue, we had the opportunity to speak with Randy Johnston, Executive Vice President of K2 Enterprises, who shared invaluable insights on how CPAs can navigate the looming challenges and safeguard their practices.

About Randy Johnston:


Randy is a nationally recognized educator, consultant, and writer with over 30 years of experience in strategic technology planning, accounting software selection, paperless systems, systems and network integration, business continuity and disaster recovery planning, business development and management, process engineering, and outsourced managed services.

Accounting Today listed Randy as one of its Top 100 Most Influential People from 2004-2023. In 2011, CPA Practice Advisor acknowledged Randy in the Accounting Hall of Fame and as a Top 25 Thought Leader from 2011-2024. For the past 29 years, Randy has been a featured speaker at the AICPA Technology Conference. Who’s Who in Business & Industry has acknowledged Randy as a leading business and computing professional. Connect with Randy on LinkedIn.

What specific cyber threats do CPAs face during tax season?

When you get busy producing tax returns, it is difficult to think clearly when so much is happening. That is when bad actors strike with phishing attempts, direct brute force attacks, or other nefarious approaches to break into your applications and computer infrastructure.

Worse, you can have a client that provides those documents that you have been waiting for, and when they arrive, they are infected with a virus from their business or home. These types of infected files are common and include PDFs, Excel spreadsheets, and Word documents. No file attachment or link in an email should be presumed to be safe.

Additionally, bad actors with greater skill can intercept email traffic to and from your firm and make requests in the same style and tone as clients. It’s no wonder that the IRS’s 5293/4557 Written Information Security Policy (WISP) suggests security training at least once per year. We recommend four times per year for tax professionals: immediately before tax season, after the 4/15 deadline, during the summer before starting extensions and again after the 10/15 deadline.

If schedules allowed, we’d prefer security training six times per year. In the meantime, using security testing tools like those from KnowBe4, DUO, or Microsoft will provide insights as to who is vulnerable to bad actor attacks. Unfortunately, the most common role that is fooled is partner. Admin, Staff, Seniors, and Managers are generally more acutely aware of the need to protect your firm than the partners and owners may be.

How can CPAs educate clients on data security?

My skin crawls when I hear stories of clients sending confidential information via email. Personally Identifiable Information (PII) should never be sent in the body of an email or as an attachment that isn’t encrypted. Further, receiving files from minimally protected cloud storage such as Dropbox can be an issue for your firm, too. So, what can you do as a professional?

First, have a pre-composed email message from your firm that all partners and team members have agreed to that states your firm’s position. State simple facts like “our firm is concerned about the security and privacy of your information” and if we saw you acting unsafely in a car or at the Country Club, we would offer assistance. Second, make a secure portal available.

As part of your message, you can state that your firm has a policy of not accepting files as email attachments or from links. It is probably wise to more broadly state that this is generally unsafe computing behavior for anything confidential. Third, suggest that your client may want to protect their own business and family more since identity theft is so common.

Using routine safety measures like running anti-virus, using password management software that allows frequent changes of complex passwords, and other techniques can be low cost and potentially save time. Obviously, you’ll want to take the same steps at your firm.

What proactive steps can CPAs/firms take to prevent data breaches?

There are several things you can do as a firm to improve your security profile and prevent breaches: 

  1. Update your software and firmware frequently (apply patches). Replace any hardware and operating systems that are out of date or at end of life.
  2. Install and maintain a firewall at your office and make sure it is updated frequently. We recommend daily updates to protect against the latest attacks. If your firewall can run security services, buy and implement those. Restrict the firewall to only allow certain geolocations (US, Canada) to have access. For example, how many clients do you work with in Uzbekistan?
  3. Consider additional security options, particularly if you have Microsoft 365. To comply with the 5293/4557 WISP regulations, your minimal acceptable licensing is for Microsoft 365 Business Premium. Since you have this platform, implement:
    • Data Loss Prevention (DLP)
    • Advanced Threat Protection (ATP)
    • Mobile Device Management (MDM) on all phones, tablets, and computers
    • Enable Entra P1 to improve sign-on security
    • Consider using Single Sign-On (SSO) to access your tax software, QuickBooks Online and other applications
  4. If your IT provider has EDR (Enhanced Detection and Response) and MDR (Managed Detection and Response) available, consider implementing that.
  5. Use multi-factor authentication (DUO, Microsoft Authenticator). This is likely required by your cyber insurance policy anyway.
  6. Back up continuously. Many backup platforms run a backup every 15 minutes, minimizing the amount of data that can be lost. Follow the Department of Homeland Security (DHS) 3-2-1 approach where you have at least three backups, on two different media, with at least one off-site and not connected to the internet (air gap). Make sure you back up data out of the cloud to your own backups. For example, Microsoft does not guarantee that data in their cloud will be backed up properly.

How can they stay updated on cybersecurity best practices?

Cybersecurity is a moving target. For most accounting professionals, the best thing you can do is to find a trustworthy Managed Services Provider (MSP), or a Managed Security Services Provider (MSSP). These IT professionals’ job is to recommend and follow industry best practices on cybersecurity. Do all providers do this? No! But is their knowledge better than yours? Most likely!

Further, with the right contract, you transfer some of the liability of doing cybersecurity right to the provider. Otherwise, there are resources, such as Krebs on Security, that are very accurate and reliable. However, these sources often cover advanced topics assuming you know the fundamentals.

Managed Security Services: Is it worth using?

As a simple response, yes! As accountants, aren’t you most concerned about doing accounting right? Security professionals are most concerned about doing security right. We have observed a few providers trying to sell security services to the accounting profession.

Public practice accounting professionals have more regulatory obligations (GLB, FERPA, GDPR, PIPEDA, and more) that need to be met. Industry professionals may have other regulatory needs, too. Security professionals understand how to protect for these regulations.

Final Words

Tax season is not just a time to demonstrate financial acumen; it’s also an opportunity to showcase a firm’s commitment to security and trust.

Randy’s expert advice has shed light on the pressing need for CPAs to be proactive, informed, and prepared against cyber threats. His valuable insights on cybersecurity practices, client education, and the role of Managed Security Services provide a clear roadmap for navigating the challenges of 2025.

We sincerely thank Randy for sharing his expertise and helping us understand how CPAs can turn potential vulnerabilities into strengths, ensuring trust and integrity remain at the heart of the profession.


About Julie Watson

Julie is a dynamic professional with over 16 years of rich experience as a VDI and Application Hosting expert. At Ace Cloud Hosting, she humanizes disruptive and emerging remote working trends to help leaders discover new and better possibilities for digital transformation and innovation by using cloud solutions with an enterprise-class security approach. Beyond work, Julie is a passionate surfer. On the weekend, you will find her hanging out with her family or surfing around the North Shore of Oahu.
