Don’t Let Cybercriminals Add to Your Busy Season Stress
February 03, 2025
By Deborah K. Rood, CPA, CNA Risk Control Consulting Director
As the busy season ramps up, the risk of cyberattacks increases. Cybercriminals know that heightened workloads, tight deadlines and the influx of client communications create opportunities for exploitation. Whether through phishing emails, intercepted networks or fraudulent disbursement requests, the stakes for CPAs and their clients are high.
Fortunately, data security protocols, when created, implemented and followed consistently, can help reduce the risk of a cyber incident. Let's review those protocols.
Train all staff to identify phishing emails
Many cyber incidents begin with a phishing email, an operation initiated by a bad actor, where the recipient is duped into revealing personal or confidential information that is then used for illicit purposes. Phishing emails contain many common characteristics, including:
- Urgency: Improper requests frequently occur on Friday afternoons or near filing deadlines.
- Slight differences in important information: The bad actor may use an email address that closely resembles the real one but has a different domain extension or one altered character. A text message may be sent from one type of device when the purported sender uses a different device, or a phone number may be one digit off.
- Request for action: Many phishing emails contain links or attachments that install malware, giving the bad actor a way to spy on your computer, when the link is clicked or the attachment is opened. Alternatively, the bad actor may pose as a client requesting that you make an unauthorized disbursement.
- Poor spelling and grammar: Phishing emails often contain spelling and grammatical errors, even if such mistakes are not as prevalent as in years past.
Train firm members how to spot and respond to potential phishing emails. After completion of training, consider testing all firm members by sending simulated phishing emails to demonstrate whether they are applying knowledge learned.
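The "slight differences" characteristic above is one a mail filter or help-desk script can check mechanically: compare each sender address against the client addresses the firm already has on file and flag near-misses. The following is an added example written for this article, not CNA's code or any product's; the client addresses, the homoglyph table and the sample From: headers are constructed values.

```python
import re

# Constructed roster of client addresses the firm has on file (hypothetical values).
KNOWN_SENDERS = [
    "controller@acme-client.com",
    "cfo@northwind-llc.com",
]

# Characters commonly swapped for look-alikes in spoofed addresses (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DISTANCE_THRESHOLD = 2  # edits allowed before a domain no longer counts as "close"; tune per roster


def extract_address(header_value):
    """Return the bare, lower-cased address from 'Display Name <addr>' or a bare address."""
    m = re.search(r"<([^>]+)>", header_value)
    return (m.group(1) if m else header_value).strip().lower()


def fold_homoglyphs(s):
    """Map visually similar characters to one canonical form so twins compare equal."""
    return s.replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Classic edit distance; short enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value, known=KNOWN_SENDERS):
    """Return (verdict, closest_known_address).

    'known'     - exact match with an address on file
    'lookalike' - not on file, but within a few edits or homoglyphs of one
    'unknown'   - no resemblance to anything on file (still needs verification)
    """
    addr = extract_address(header_value)
    if addr in known:
        return "known", addr
    local, _, domain = addr.rpartition("@")
    base = fold_homoglyphs(domain.split(".")[0])
    for k in known:
        klocal, _, kdomain = k.rpartition("@")
        kbase = fold_homoglyphs(kdomain.split(".")[0])
        if domain == kdomain:
            # Genuine client domain but a mailbox not on file: a look-alike
            # only when the local part is a homoglyph twin of a known mailbox.
            if fold_homoglyphs(local) == fold_homoglyphs(klocal):
                return "lookalike", k
            continue
        # Domain label within a couple of edits (acme-client.co, acme-cilent.com)
        # or the real domain used as a leading label (acme-client.com.evil.net).
        if levenshtein(base, kbase) <= DISTANCE_THRESHOLD or domain.startswith(kdomain + "."):
            return "lookalike", k
    return "unknown", None


if __name__ == "__main__":
    # Constructed From: headers as they might appear in a mail log.
    samples = [
        "Acme Controller <controller@acme-client.com>",
        "controller@acme-client.co",
        "contr0ller@acme-client.com",
        "CFO <cfo@northwind-llc.com.evil.net>",
        "ap@acme-client.com",
        "someone@example.org",
    ]
    for s in samples:
        print(f"{s:50} -> {classify_sender(s)}")
```

A "lookalike" verdict is the cue to apply the verification steps described later in this article rather than to reply; an "unknown" sender from a legitimate client domain is not proof of fraud, only of a mailbox the firm has not yet recorded.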
Use caution when working remotely on a wireless network
Bad actors may infiltrate the wireless network that firm members use when working remotely. Mitigate this risk by using a virtual private network (VPN). VPNs create a secure tunnel between the remote user and the CPA firm across the internet. Data traveling within the tunnel is encrypted and, if intercepted, is generally indecipherable.
Encrypt emails containing confidential information
To further reduce the risk of an email being intercepted, use encrypted email for confidential information sent outside the firm's network. Email encryption helps protect data confidentiality by transforming emails sent and received into an unreadable format for unauthorized users. However, if the bad actor has access to the CPA's or client's email account and password from a prior phishing scheme, they will be able to view the encrypted emails.
Client portal usage
Use of a client portal is more effective than email encryption and is one of the most secure ways for CPAs and clients to share information. Portal recipients receive an email when an item is awaiting review. The recipient can then click on a link, enter their login information, and access the content.
Practice good information technology hygiene
Use antivirus and anti-malware solutions. Install updates and security patches to software on a timely basis, as they are often deployed to address known security issues. Follow the National Institute of Standards and Technology's guidance on passwords (see NIST Special Publication 800-63B).
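The password guidance in NIST SP 800-63B is concrete enough to turn into a check: a minimum of 8 characters, acceptance of long passphrases, comparison against a blocklist of breached, common and context-specific values, and no composition or periodic-rotation rules. The following is an added illustration written for this article, not CNA's code or a NIST reference implementation; the blocklist and context words are small constructed stand-ins for the real lists a firm would maintain.

```python
import re

# Constructed stand-in for a breached/common password corpus (hypothetical values).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "taxseason2025"}

# Context-specific words an attacker would try first against a CPA firm (constructed).
CONTEXT_WORDS = {"cpa", "tax", "audit", "1040"}

MIN_LEN = 8    # SP 800-63B: memorized secrets are at least 8 characters
MAX_LEN = 64   # SP 800-63B asks verifiers to permit at least 64; this verifier caps there


def has_repetition_or_sequence(pw, run=4):
    """True for runs such as 'aaaa', 'abcd', '1234' or '4321' of length `run`."""
    low = pw.lower()
    if re.search(r"(.)\1{%d,}" % (run - 1), low):
        return True
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, username=""):
    """Return the list of reasons a password fails; an empty list means acceptable.

    Deliberately no composition quotas (uppercase/digit/symbol) and no expiry:
    SP 800-63B advises against both.
    """
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than the {MAX_LEN} characters this verifier accepts")
    if low in BREACHED:
        reasons.append("appears in the breached/common password list")
    if username and username.lower() in low:
        reasons.append("contains the username")
    if any(word in low for word in CONTEXT_WORDS):
        reasons.append("contains a context-specific word")
    if has_repetition_or_sequence(pw):
        reasons.append("contains repeated or sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "Taxseason2025", "abcd1234xyz", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'acceptable'}")
```

In production the BREACHED set would be replaced by a real breached-password service or a locally hashed corpus, and the check would run at password creation and change time, which is the point at which SP 800-63B places the blocklist comparison.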
Vet vendors
CPAs use third parties for many services such as seasonal help, tax preparation software, cloud storage, portals, or payroll platforms for employees and clients. Do your homework before using a third party, ensuring that its data security practices are, at a minimum, as comprehensive as yours. Consider including language in your third-party service agreements requiring the provider to maintain cyber insurance and to agree to defend and indemnify you for any breach caused by them.
Insure properly
Consult your agent or broker to understand how the CPA firm's various insurance policies respond to a data security event. Discuss ransomware, which has become a trending cybersecurity threat. Inquire as to how coverage would apply if a payment was improperly disbursed on behalf of the client or firm.
Additional tips for cash disbursements
To help avoid becoming the next victim of a fraudulent act, CPAs providing services that require the distribution of client funds should consider, among others, the following:
- Establish disbursement parameters with the client. Transaction types, disbursement limits, and bank accounts to be used should be documented before services commence.
- Use multiple methods of communication if a change from the established disbursement parameters is requested. For example, if an outside-the-norm disbursement was received via email, confirm the request via a phone call to a phone number known to be valid and from a CPA firm employee who will recognize the client's voice. Video calls where you can physically see and confirm the identity of the person authorizing the urgent distribution are likewise effective. Document who made and received the call and the number used.
- Require advance notice for changes to disbursement parameters. As the engagement progresses, changes may be required. Ensure sufficient time is provided for the CPA firm to confirm and implement the changes.
- Establish written protocols for unusual or out-of-the-ordinary transactions. These protocols should provide that the client examine and verify the transaction before it is processed. If the authorization is oral, document the client's approval as described above.
- Use the firm's client database to confirm information. Do not use the email reply function or a phone number listed in the email to respond to clients. Instead, use telephone numbers and email addresses from the CPA firm's database. Include the information used in documentation of the client's approval.
- Use security questions. Predetermine a method for verifying the client's identity before services commence. For example, agree to security questions that require a subjective response. Use the security questions if communication is suspect or any doubt as to validity exists.
In summary, verify twice (or more) and distribute once. Always take the cautious approach. You are not only helping to protect the client's money but also limiting the firm's liability.
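The six disbursement tips above describe one control: compare every request against the parameters documented at the start of the engagement, and route anything outside them to out-of-band confirmation using contact details from the firm's own database, with that confirmation recorded. The following is an added example written for this article, not CNA's code or any practice-management product's; the client identifier, limits, account masks and phone numbers are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DisbursementParameters:
    """Terms documented with the client before services commence (constructed values)."""
    client_id: str
    allowed_types: frozenset
    per_transaction_limit: float
    approved_accounts: frozenset   # masked identifiers of payee accounts agreed up front
    phone_on_file: str             # from the firm's own client database, never from a request
    change_notice_days: int = 3    # advance notice required for changes to parameters


@dataclass
class DisbursementRequest:
    """A request as received; everything inside the message is untrusted input."""
    client_id: str
    txn_type: str
    amount: float
    payee_account: str
    channel: str                   # "email", "portal" or "phone"
    callback_phone: str = ""       # a number quoted in the message itself, if any
    days_notice: int = 0           # notice given for any change to the parameters
    verification_record: str = ""  # who called whom, on which number, when, and the outcome


def evaluate_request(req, params):
    """Return (decision, notes) where decision is 'approve', 'verify' or 'reject'."""
    if req.client_id != params.client_id:
        return "reject", ["request does not belong to this engagement"]

    deviations = []
    if req.txn_type not in params.allowed_types:
        deviations.append(f"transaction type '{req.txn_type}' not among agreed types")
    if req.amount > params.per_transaction_limit:
        deviations.append(f"amount {req.amount:,.2f} exceeds agreed limit {params.per_transaction_limit:,.2f}")
    if req.payee_account not in params.approved_accounts:
        deviations.append(f"payee account {req.payee_account} not among approved accounts")
    if deviations and req.days_notice < params.change_notice_days:
        deviations.append(f"change requested with {req.days_notice} day(s) notice; {params.change_notice_days} required")

    if not deviations:
        return "approve", []

    notes = list(deviations)
    # A callback number supplied in the message is never dialled; the mismatch is noted for the file.
    if req.callback_phone and req.callback_phone != params.phone_on_file:
        notes.append(f"callback number in message ({req.callback_phone}) differs from number on file; ignored")
    if req.verification_record:
        return "approve", notes + [f"deviation confirmed out-of-band: {req.verification_record}"]
    return "verify", notes + [f"confirm by a second channel using the number on file: {params.phone_on_file}"]


if __name__ == "__main__":
    params = DisbursementParameters(
        client_id="ACME-001",
        allowed_types=frozenset({"vendor_payment", "payroll"}),
        per_transaction_limit=25000.0,
        approved_accounts=frozenset({"****1234", "****9876"}),
        phone_on_file="+1-555-0100",
    )
    # Constructed Friday-afternoon email asking for a wire to a new account.
    urgent = DisbursementRequest("ACME-001", "wire", 60000.0, "****5555", "email",
                                 callback_phone="+1-555-0199")
    decision, notes = evaluate_request(urgent, params)
    print(decision)
    for n in notes:
        print(" -", n)
```

The decision table is intentionally small: in-parameter requests flow through, and every deviation, however plausible its wording, produces the same instruction to call the number on file and to record who made and received the call before anything is released.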
Final Thought
Cybersecurity is a critical issue that demands year-round attention, but the stakes are particularly high during the busy season. Bad actors are continuously evolving their schemes, targeting CPAs through phishing emails, text messages and even voicemails. By implementing robust cybersecurity measures, training staff and fostering a culture of caution and verification, CPAs can help protect themselves and their clients. Remember – when in doubt, proceed with caution. Don’t take the bait.
Deborah K. Rood, CPA, is a risk control consulting director at CNA.
Disclaimer
This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.
The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the date of the article. The information, examples and suggestions presented in this material have been developed from sources believed to be reliable. This article should not be viewed as a substitute for the guidance and recommendations of a retained professional and should not be construed as legal or other professional advice. CNA accepts no responsibility for the accuracy or completeness of this material and recommends the consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situation. This material is for illustrative purposes and is not intended to constitute a contract. Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect thereto.
To the extent this article contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situation, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy. Please remember that only the relevant insurance policy can provide actual terms, coverages, amounts, conditions, and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice.
“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claim activities. Copyright © 2025 CNA. All rights reserved.