Tax season is here. And so are the hackers.
If you run a CPA firm, tax preparation business, or financial services practice, you need to understand something critical: you're not just handling numbers: you're sitting on a goldmine of sensitive data that cybercriminals are actively hunting. Social Security numbers, bank account details, employer identification numbers, income records: everything a bad actor needs to commit fraud, file false returns, or sell on the dark web.
The numbers don't lie. U.S. victims lost $16.6 billion to cybercrime in 2024, a 33% increase from the previous year. The IRS received over 250 reports of data breach incidents from tax professionals in 2024 alone, impacting more than 200,000 clients. And your firm? It faces an average of 900 cyberattack attempts during tax season.
This isn't fear-mongering. It's the reality of operating a financial practice in 2026.
You're a Financial Institution, Whether You Knew It or Not
Here's something that catches many CPAs off guard: under the FTC Safeguards Rule, your firm is classified as a financial institution. Not just the big banks. Not just investment firms. Your accounting practice.
This classification carries significant weight. The Safeguards Rule mandates that you implement and maintain a comprehensive information security program to protect client data. Non-compliance isn't just risky: it's expensive. Penalties can reach $46,517 per violation per day. Beyond fines, non-compliance can void your professional liability insurance and result in the IRS revoking your PTIN credentials.
The message from regulators is clear: if you handle financial data, you must protect it like a bank would.

The WISP Requirement: Your Compliance Foundation
At the heart of FTC Safeguards Rule compliance sits the Written Information Security Plan (WISP). This isn't optional paperwork: it's a legal requirement under both the FTC Safeguards Rule and IRS Publication 4557.
Your WISP must document:
- Risk assessment procedures identifying internal and external threats to client data
- Access controls specifying who can access what information and under what circumstances
- Employee training protocols ensuring your team understands security policies
- Incident response plans detailing exactly what happens when (not if) a breach occurs
- Vendor management policies addressing third-party access to your systems
- Data retention and disposal procedures for securely handling client information throughout its lifecycle
A WISP isn't a document you draft once and file away. It requires regular review, updates as threats evolve, and documented evidence that you're actually following the policies you've established.
If you don't have a WISP, or if yours hasn't been reviewed in the past year, you're exposed.
AI-Driven Threats: The 2026 Attack Landscape
The threat landscape has fundamentally shifted. Cybercriminals now leverage artificial intelligence to craft attacks that are nearly impossible to distinguish from legitimate communications.
AI-powered phishing has moved beyond the obvious "Nigerian prince" emails of years past. Today's attacks include:
- Personalized spear phishing that references your actual clients, recent filings, and specific tax deadlines
- Deepfake audio impersonation where attackers clone the voices of clients or partners to authorize fraudulent transactions
- Business email compromise using AI that mimics the writing style of people you trust
- Fake tax software portals designed to harvest credentials from unsuspecting staff
These attacks don't look suspicious. They look like Tuesday.

During tax season, your staff works under pressure. Deadlines loom. Clients demand immediate responses. This creates the perfect environment for a well-crafted phishing email disguised as an IRS notification or client inquiry to slip through. A single click on a malicious link can compromise thousands of files and trigger the FTC Safeguards Rule violations that put your practice at risk.
Primary Attack Vectors Targeting Tax Professionals
Understanding how attackers get in helps you build better defenses. Here's where CPA firms are most vulnerable in 2026:
Cloud Platform Vulnerabilities
Most tax practices now rely on cloud-based software: QuickBooks Online, CCH, UltraTax, Xero, and similar platforms. These tools improve efficiency but introduce new risks. Misconfigured settings, outdated plugins, and weak access controls provide attackers easy access to client data.
Third-party breaches doubled in just one year, according to the 2025 Verizon Data Breach Investigations Report. Your security is only as strong as your weakest vendor connection.
Ransomware Targeting Tax Season
Ransomware operators specifically time attacks to hit CPA firms during filing season. They know you're more likely to pay when you can't access critical tax files with April deadlines approaching. The pressure to restore operations quickly often overrides better judgment.
Unsecured Remote Access
Staff working from home on personal laptops, connecting through public Wi-Fi, or accessing firm systems without proper encryption create openings that attackers actively exploit. Without robust remote access policies, your network perimeter extends to every coffee shop and home office where your employees work.
Unpatched Software
Hackers continuously scan for systems running outdated software. Known vulnerabilities in common applications provide easy entry points. If your firm delays updates during busy season to avoid disruption, you're trading short-term convenience for significant risk.

Protecting Your Practice: Actionable Steps for 2026
Talk is cheap. Here's what actually moves the needle on protecting your firm:
Deploy Multi-Factor Authentication Everywhere
MFA should be mandatory for every system that touches client data. Email, tax software, cloud storage, client portals: everything. This single control stops the majority of credential-based attacks. No exceptions for partners. No exceptions for convenience.
Implement Secure Client Portals
Stop emailing tax documents. Email was never designed to be secure, and sending sensitive financial information through standard email creates liability every time you hit send. Invest in encrypted client portals that provide secure document exchange with audit trails.
Establish Rigorous Employee Training
Your staff are your first line of defense, or your biggest vulnerability. Implement:
- Monthly phishing simulations with immediate remedial training for failures
- Tax-season specific scenarios including IRS impersonation and deepfake awareness
- Quarterly security awareness training across all departments
- Clear protocols for verifying unusual requests, even from known contacts
Every staff member trained becomes a human firewall against the threats targeting your practice.
Audit Your Cloud Configurations
Don't assume your cloud platforms are secure by default. Regularly review access permissions, remove inactive users, enable logging, and verify that security settings match your WISP requirements. Pay special attention to integrations with third-party applications.
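The review above (inactive accounts, missing MFA, and over-privileged third-party integrations) is easy to do by hand once and hard to keep doing every quarter. The script below is an added example, not code from the article or from any tax platform vendor: it assumes you can export a user and integration list from your platform or identity provider in roughly the JSON shape shown (the field names, the 90-day inactivity window and the sample accounts are all constructed for the demo), and it produces the findings you would attach to your WISP as evidence of the review.

```python
"""Quarterly access review over a constructed user/integration export.

Added example. The export format below is an assumption standing in for
whatever your cloud tax platform or identity provider lets you download;
field names, accounts and dates are constructed, not real.
"""
from datetime import date, timedelta

# Constructed sample export (no real accounts). Dates are ISO-8601.
SAMPLE_EXPORT = {
    "as_of": "2026-02-15",
    "users": [
        {"email": "partner@example-cpa.test", "role": "admin", "mfa": True, "last_login": "2026-02-14"},
        {"email": "seasonal2024@example-cpa.test", "role": "preparer", "mfa": False, "last_login": "2024-04-20"},
        {"email": "intern@example-cpa.test", "role": "preparer", "mfa": True, "last_login": None},
        {"email": "bookkeeper@example-cpa.test", "role": "admin", "mfa": False, "last_login": "2026-02-10"},
    ],
    "integrations": [
        {"name": "doc-sync-app", "scopes": ["read:documents"], "last_used": "2026-02-01"},
        {"name": "old-reporting-plugin", "scopes": ["read:all", "write:all"], "last_used": "2025-01-05"},
    ],
}

INACTIVE_AFTER_DAYS = 90  # assumption; use whatever window your WISP specifies


def _parse(d):
    return date.fromisoformat(d) if d else None


def inactive_users(export, max_days=INACTIVE_AFTER_DAYS):
    """Accounts with no sign-in inside max_days; never-used accounts count too."""
    cutoff = _parse(export["as_of"]) - timedelta(days=max_days)
    return [u["email"] for u in export["users"]
            if _parse(u["last_login"]) is None or _parse(u["last_login"]) < cutoff]


def users_without_mfa(export):
    """Every account that can reach client data without a second factor."""
    return [u["email"] for u in export["users"] if not u["mfa"]]


def admins_without_mfa(export):
    """The subset that matters most: privileged accounts lacking MFA."""
    return [u["email"] for u in export["users"] if u["role"] == "admin" and not u["mfa"]]


def risky_integrations(export, max_days=INACTIVE_AFTER_DAYS):
    """Third-party apps holding write or wildcard scopes, or unused for max_days."""
    cutoff = _parse(export["as_of"]) - timedelta(days=max_days)
    findings = []
    for app in export["integrations"]:
        broad = any(s.endswith(":all") or s.startswith("write") for s in app["scopes"])
        stale = _parse(app["last_used"]) < cutoff
        if broad or stale:
            findings.append({"name": app["name"], "broad_scopes": broad, "stale": stale})
    return findings


def access_review(export):
    """Findings grouped the way you would record them as WISP review evidence."""
    return {
        "inactive_users": inactive_users(export),
        "users_without_mfa": users_without_mfa(export),
        "admins_without_mfa": admins_without_mfa(export),
        "risky_integrations": risky_integrations(export),
    }


if __name__ == "__main__":
    for finding, items in access_review(SAMPLE_EXPORT).items():
        print(f"{finding}: {items}")
```

Each empty list is a control you can show is working; each populated one is an action item (disable the account, enforce MFA, revoke or narrow the integration) with a date attached, which is exactly the documented follow-through the Safeguards Rule expects.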
Maintain Real-Time Backups and Incident Response Plans
Without tested backups and a documented incident response plan, a breach can mean days of downtime or permanent data loss. Your plan should detail:
- Immediate containment steps
- Client notification protocols
- Regulatory reporting requirements
- Post-incident review frameworks
Test your backups. Practice your response plan. The middle of an incident is the wrong time to discover your recovery procedures don't work.
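"Test your backups" means more than confirming the backup job finished: restore to a clean location and prove every file came back byte-for-byte. The script below is an added example (not the article's tooling, and not tied to any backup product): it backs up a constructed client-file folder to a tar.gz, records a SHA-256 manifest at backup time, restores the archive elsewhere, and reports any file that is missing or altered. The end-to-end drill also deliberately corrupts a second restore so you can see what a failed test looks like.

```python
"""Backup restore drill with a SHA-256 manifest.

Added example, not code from the original article. The folder layout and
file contents are constructed for the demo; point make_backup() at a real
client-file directory to use it for a quarterly restore test.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src, archive):
    """Write a tar.gz of src and return the manifest captured at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(str(Path(src) / rel), arcname=rel)
    return manifest


def restore_backup(archive, dest):
    # Use the 'data' extraction filter where available (Python 3.12+ and
    # security backports) so a crafted archive cannot write outside dest.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(str(dest), **kwargs)


def verify_restore(manifest, dest):
    """Return the relative paths that are missing or whose contents changed."""
    restored = build_manifest(dest)
    return [rel for rel, digest in manifest.items() if restored.get(rel) != digest]


def run_restore_test():
    """End-to-end drill: a clean restore verifies; a corrupted one does not."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "clientfiles"
        (src / "clients" / "acme").mkdir(parents=True)
        (src / "clients" / "acme" / "2025-return.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (src / "clients" / "acme" / "w2.txt").write_text("constructed W-2 placeholder\n")
        (src / "wisp.md").write_text("# WISP v3 (constructed)\n")

        archive = work / "backup.tar.gz"
        manifest = make_backup(src, archive)

        good = work / "restore-good"
        restore_backup(archive, good)
        clean_result = verify_restore(manifest, good)

        # Simulate silent corruption and a lost file in a second restore.
        bad = work / "restore-bad"
        restore_backup(archive, bad)
        (bad / "clients" / "acme" / "2025-return.pdf").write_bytes(b"truncated")
        (bad / "wisp.md").unlink()
        corrupted_result = verify_restore(manifest, bad)
    return clean_result, corrupted_result


if __name__ == "__main__":
    clean, corrupted = run_restore_test()
    print("clean restore problems:", clean)
    print("corrupted restore problems:", corrupted)
```

Keep the manifest with the backup but also somewhere the backup job cannot overwrite; a ransomware event that encrypts the archive and the manifest together leaves you nothing to verify against. Record the date and outcome of each drill in your incident response documentation.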
Consider Continuous Monitoring
AI-powered threat detection tools can flag anomalies in real time across your tax, payroll, and document management systems. Without 24/7 monitoring, minor issues can evolve into major breaches before anyone notices.
The Stakes Are Too High to Wait
Every control you implement reduces your attack surface. Every staff member you train strengthens your defenses. Every policy you document moves you closer to compliance.
The threats targeting CPA firms in 2026 are sophisticated, relentless, and specifically timed to exploit tax season pressures. But they're not unstoppable. Firms that take security seriously, treating it as a core business function rather than an IT afterthought, successfully protect their clients and their reputations.
The attackers are already preparing for 2026 tax season. The question is: are you?
Need a WISP review or FTC Safeguards Rule compliance check? B&R Computers works with tax professionals and financial businesses to build security programs that meet regulatory requirements and actually stop attacks. Reach out for a straightforward conversation about where your practice stands.