Tax Season Is Cyberattack Season. Your CPA Firm Is the Target.
In early February 2026, Microsoft’s threat intelligence team tracked a single phishing campaign that sent emails to more than 29,000 users across 10,000 organizations — almost exclusively targeting accountants and tax preparers in the United States.
The emails impersonated the IRS. They claimed that potentially irregular tax returns had been filed under the recipient’s Electronic Filing Identification Number. Each email was customized with the recipient’s name and organization.
This wasn’t a mass blast hoping someone would click. It was a targeted, AI-assisted campaign built to hit CPA firms at their most vulnerable moment: peak filing season, maximum workload, minimum time to think.
The IRS Just Confirmed It
Phishing and impersonation scams topped the IRS’s 2026 Dirty Dozen list — the agency’s annual ranking of the most dangerous tax-related threats. This isn’t the first year phishing has led the list. The IRS keeps warning about it because it keeps working.
What’s changed in 2026 is the sophistication. Attackers now use AI to generate personalized emails that reference real client names, mimic firm branding, and pass basic spam filters. The result is phishing that looks indistinguishable from legitimate IRS or client correspondence.
Why Tax Season Creates a Perfect Attack Window
The math works for attackers. During January through April:
- Data density is highest. W-2s, K-1s, Social Security numbers, bank accounts, payroll data, and business financials all flow through your systems simultaneously.
- Pressure is highest. Deadlines are non-negotiable. Ransomware that locks your systems on April 12th creates immediate, overwhelming pressure to pay.
- Vigilance is lowest. When your team is processing hundreds of returns under deadline, one suspicious email is easy to miss. Attackers count on this.
According to CPA Practice Advisor, 15% of U.S. accounting firms have already experienced a breach — despite 99% saying online security was important. The gap between awareness and preparedness is where attackers live.
What the Attacks Look Like Right Now
Microsoft’s February 2026 report documented several active campaigns:
- IRS impersonation emails claiming irregular filings, directing recipients to fake portals that harvest credentials.
- Client-spoofed phishing using real client names and firm logos scraped from websites — asking for updated banking information or W-2 verification.
- QR code attacks embedded in fake W-2 documents — bypassing email link scanners by hiding the malicious URL inside a QR code.
- Payroll fraud targeting — emails to HR and payroll staff requesting direct deposit changes or bulk W-2 data exports.
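A mail-triage sketch for the campaign traits listed above, added here as an example and not taken from Microsoft's report or the IRS. The patterns, flag names, and sample messages are constructed assumptions; the From header can be forged, so this kind of check sits alongside SPF/DKIM/DMARC enforcement and does not replace it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Patterns are assumptions chosen to mirror the campaign types listed above.
EFIN = re.compile(r"\bEFIN\b|electronic filing identification", re.I)
PAYROLL = re.compile(r"direct deposit|w-?2 (data )?export|banking information", re.I)
IRS_NAME = re.compile(r"\bIRS\b|internal revenue", re.I)

def domain(header):  # lowercased domain of an address header, or '' if absent
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return sorted reasons a raw RFC 5322 message needs manual review."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    text, has_attachment = msg.get("Subject", ""), False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text += "\n" + part.get_payload()
        elif ctype.startswith("image/") or ctype == "application/pdf":
            has_attachment = True
    flags = set()
    is_irs = from_dom == "irs.gov" or from_dom.endswith(".irs.gov")
    if IRS_NAME.search(parseaddr(msg.get("From", ""))[0]) and not is_irs:
        flags.add("irs-name-on-non-irs-domain")
    if reply_dom and reply_dom != from_dom:
        flags.add("reply-to-mismatch")
    if EFIN.search(text):
        flags.add("efin-lure")
    if PAYROLL.search(text):
        flags.add("payroll-or-banking-request")
    if has_attachment and not re.search(r"https?://", text, re.I):
        flags.add("attachment-no-links-inspect-for-qr")
    return sorted(flags)

# Constructed sample messages (not taken from any real campaign).
IRS_LURE = ('From: "IRS e-Services" <notice@irs-review.example>\n'
            "Reply-To: help@mailbox.example\n"
            "Subject: Irregular returns filed under your EFIN\n\n"
            "Please review the filings listed for your firm.\n")
QR_W2 = ("From: HR <hr@firm.example>\nSubject: Your W-2\n"
         'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b"\n\n'
         "--b\nContent-Type: text/plain\n\nScan the attached form.\n"
         "--b\nContent-Type: image/png\nContent-Transfer-Encoding: base64\n\n"
         "iVBORw0KGgo=\n--b--\n")
if __name__ == "__main__":
    for name, raw in (("IRS_LURE", IRS_LURE), ("QR_W2", QR_W2)):
        print(name, triage(raw))
```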
Five Things to Do Before April 15th
// CPA FIRM TAX SEASON SECURITY CHECKLIST
- Enable MFA on all staff accounts — especially email, tax software, and client portals. SMS is acceptable; authenticator app is better.
- Brief your team on current phishing tactics before peak season — show them real examples of IRS impersonation and client-spoofed emails
- Verify any request for wire transfers, direct deposit changes, or W-2 data exports by phone — not by replying to the email
- Check that your WISP (Written Information Security Plan) is current — the IRS and FTC Safeguards Rule require it
- Test your backup restore process — ransomware just before tax deadlines is a known tactic
The FTC Safeguards Rule Applies to You
CPA firms are classified as financial institutions under the FTC Safeguards Rule. This means you have legal obligations around data security that go beyond good practice — including written security plans, employee training, and vendor oversight. The FTC has begun enforcement actions against smaller financial services providers.
Tax season is the worst time to find out you’re not compliant.
Originally reported by Microsoft Security Blog / IRS Security Summit in March 2026.