Fortify your firm: Data security and lasting trust

Data security is constantly evolving and presenting new challenges, especially for tax professionals and accountants who handle their clients’ sensitive personal and financial data. Protecting your firm and maintaining client trust requires a proactive approach by focusing on the latest threats and implementing robust best practices.

The current threat landscape

Security breaches are a pervasive problem. According to BreachSense, more than 4,100 publicly disclosed data breaches occurred in 2024; that’s about 11 breaches per day, counting only those that were made public.

Looking closer at the causes of data breaches reveals some startling trends. About 60% involve the human element and 81% involve malicious actors. A growing driver of risk is AI-powered cybercrime, with ransomware, malware, and phishing frequently tied to data theft.

This combination highlights a crucial point: In any security system, the human is often the weakest link, and attackers know to target this vulnerability.

Here are several threats to watch out for.

Phishing in all its forms

Phishing attacks have advanced far beyond the easily identifiable spam emails. The attacks now leverage new technologies and methods:

  • SMS Phishing (Smishing): Attackers exploit the high usage and lower scrutiny associated with text messages. They can spoof the sender ID to make a text appear to come from a trusted entity, such as a bank, making it harder to detect.
  • Voice Phishing (Vishing) and Video Phishing: With AI, criminals can clone a person’s voice using only 10 to 20 seconds of audio. This sophisticated tactic can be combined with deepfake video, making a direct call or video conference with an impersonator virtually indistinguishable from a real interaction.
  • Spear Phishing: Attackers use open-source intelligence (information gathered from a business’s public advertisements, websites, and contact details) to target professionals specifically. For example, knowing that someone prepares taxes and holds client data makes them a prime target.
  • Business Email Compromise: Once a hacker compromises a business email, they can use it to target others within the firm or the firm’s clients. This has led to massive financial fraud, as seen in a case where the vishing technique was used on a Zoom call to convince a CFO to wire a significant sum of money. The human element remains extremely susceptible to these varied phishing methods.

Remote access

The ability to work remotely is a massive attack vector. Services such as Remote Desktop Protocol, Virtual Private Networks (VPNs), and other remote access methods are reachable from the public internet and are at risk unless they have been securely configured. Automated tools constantly scan the internet for open ports and remote access points, easily identifying potential targets such as a tax firm’s server.

If remote access is necessary, it must be configured as securely as possible. This includes implementing two-factor authentication (2FA) and having a technically savvy person or a third-party firm review the setup. Using a reputable third-party remote desktop service is another way to ensure that strong transport security and 2FA are in place; remote access is a giant attack vector when left unsecured.

Generative AI

Generative AI is a double-edged sword, and while it offers many benefits, Gen AI significantly up-levels the capabilities of malicious actors:

  • Perfect documentation: AI can create flawless phishing documents with correct spelling, grammar, tone, and tenor. This eliminates the visual clues that previously made spam emails easy to spot. Attackers can now type what they want; the AI will “create urgency” or “appear sincere,” making attacks much more difficult to discern.
  • Increased hacker capability: AI empowers less-skilled criminals (often called “script kiddies”) by allowing them to type what they want the code to do, and the model creates the malicious code for them. This massively increases the potential for damage from actors who don’t fully understand the underlying technology.

When using AI tools for business, professionals must be aware of how their data is used and stored. Any data copied and pasted or uploaded into these models can potentially be stored, used to train the model, and possibly become discoverable in a jailbreak scenario. Data stewardship principles often caution against submitting sensitive, personally identifiable information to public models. Less than half of companies have a policy and structure for how they safely and securely use AI, highlighting an organizational security gap.

Simple fixes for big vulnerabilities

Fortunately, many security vulnerabilities can be closed by adopting and adhering to a few fundamental practices:

  1. Use 2FA: This is the single most effective tool and gives the biggest return on effort. Whether it’s SMS codes, an authenticator app, or a physical token, 2FA prevents 99% of opportunistic unauthorized access attempts. It should be enabled on all accounts, especially those containing sensitive client data, like Intuit® accounts.
  2. Patch systems and software: System alerts indicating a new update should be addressed as quickly as possible, ideally overnight or when you leave the office. Neglecting patches is a major cause of large-scale compromises.
  3. Do not reuse passwords: Reusing passwords across sensitive accounts means that if one site is compromised, all other accounts using that same password are now vulnerable. A password manager can help manage unique, complex passwords for different services.
  4. Embrace a culture of security: This extends beyond digital practices to physical security. Simple locks on office doors and file cabinets are often the only things protecting paper copies of client tax returns, which contain the exact same sensitive data as your digital files.

Preparing for the inevitable

A firm must assume that a breach is a possibility and prepare for it accordingly.

Cyber breach insurance

Cyber breach insurance is not a preventative measure, but a recovery tool. Like health insurance, it won’t stop a compromise, but it will help with the aftermath. Furthermore, insurance policies often have requirements—such as using 2FA, patching, and encrypting data—which force the firm to increase its security posture to qualify for coverage.

The S.T.A.L.L. method for phishing

When receiving an unexpected communication, use the S.T.A.L.L. method to review it:

  • Sender: Do you know the sender, and is the email address what you expect?
  • Tone: Is the tone what you expect from this person?
  • Attachment: Is there an attachment? This is a red flag, especially from an unknown sender.
  • Link: Does the link go where you expect, or is the URL misspelled?
  • Login: Is the communication asking you to log in?

If in doubt, use an out-of-band channel—a different method of communication, like a phone call to a known number or a new email to a known address—to verify the sender’s identity.
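As an added illustration that is not part of the original article, the checklist above can be applied mechanically to a message before a human reviews it. The known-sender list, keyword lists, and the two sample messages below are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
# Constructed sample data (hypothetical, not from the article): contacts the firm knows.
KNOWN_SENDERS = {"alice@example.com", "bob@example.com"}
URGENT_WORDS = ("urgent", "immediately", "act now", "wire transfer")
LOGIN_WORDS = ("log in", "login", "sign in", "verify your account", "password")

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)   # (displayed text, real href) pairs

def host_of(url):
    # Hostname of a URL, tolerating displayed text that omits the scheme
    return urlparse(url if "://" in url else "https://" + url).hostname

def stall_flags(msg):
    """Apply the S.T.A.L.L. checklist; returns the checks that raise a red flag."""
    flags = []
    text = (msg.subject + " " + msg.body).lower()
    # S - Sender: is the address one we actually know?
    if msg.sender.lower() not in KNOWN_SENDERS:
        flags.append("Sender: address not in known contacts")
    # T - Tone: pressure and urgency are typical of social engineering
    if any(w in text for w in URGENT_WORDS):
        flags.append("Tone: urgency or pressure language")
    # A - Attachment: any attachment deserves a second look
    if msg.attachments:
        flags.append("Attachment: %d attachment(s) present" % len(msg.attachments))
    # L - Link: the domain shown to the reader differs from the real destination
    for shown, href in msg.links:
        looks_like_url = "." in shown and " " not in shown.strip()
        if looks_like_url and host_of(shown) != host_of(href):
            flags.append("Link: shows %s but goes to %s" % (host_of(shown), host_of(href)))
    # L - Login: the message wants you to authenticate or hand over credentials
    if any(w in text for w in LOGIN_WORDS):
        flags.append("Login: message asks you to log in or give credentials")
    return flags

# Constructed sample messages: one routine client e-mail, one lure.
SAMPLES = [
    Message("alice@example.com", "Q3 receipts", "Attached are the receipts we discussed.",
            attachments=["receipts.pdf"]),
    Message("support@example-login.test", "URGENT: verify your account",
            "Your account will be locked. Log in immediately using the link below.",
            links=[("example.com", "https://example-login.test/login")]),
]
```

A script like this is a triage aid for the person reading the mail; the out-of-band verification the article recommends is still the deciding step.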

Written Information Security Plan

The Written Information Security Plan (WISP) is an IRS requirement for tax filers and a very good security guide. It simply documents the measures a firm takes to protect its systems and data, including physical security and staff training. Developing a WISP helps to surface unknown gaps in a firm’s security practices.

The IRS Security Six

The IRS recommends six core security practices for everyone in the tax ecosystem:

  1. Use and enable antivirus software.
  2. Use a firewall.
  3. Use 2FA.
  4. Use backup software and services.
  5. Use drive encryption.
  6. Create and secure VPNs.

These practices, if implemented correctly, will improve the overall security posture of the firm.

The cost of compromise

When a compromise occurs, the speed of data exfiltration can be shockingly fast—in some reported cases, it has taken less than a minute. Once an attacker has access, they can:

  • Install keyloggers and backdoors.
  • Use the firm’s trusted machine for fraudulent tax filings; because the activity originates from a known source, it appears normal to monitoring systems.
  • Hack from the firm’s network to attack others.
  • Glean saved passwords from web browsers.
  • Send phishing emails from the firm’s compromised account to clients and others.

The ultimate goal for attackers is multifaceted: tax fraud, identity theft to apply for credit, and selling the “known good” client credentials on the dark web. This data can be used for years to propagate fraud against the firm’s clients.

By understanding the threats, implementing fundamental security measures like 2FA and patching, and preparing a security plan, firms can reduce their risk profile significantly and avoid being the easy target or the low-hanging fruit that bad actors seek out.

FAQs

What are the current major threats to data security for professionals handling sensitive client data?

A significant and growing risk is AI-powered cybercrime, often involving ransomware, malware, and various forms of phishing (Smishing, Vishing, Spear Phishing, and Business Email Compromise).

How does Generative AI increase the capability of cybercriminals?

Generative AI significantly up-levels the capabilities of malicious actors by enabling the creation of flawless phishing documents with correct spelling, grammar, tone, and tenor, eliminating the visual clues that previously made spam easy to spot.

What are the most effective fundamental security practices a firm can implement?

One of the single most effective tools is Two-Factor Authentication (2FA), which prevents 99% of unauthorized access attempts and should be enabled on all sensitive accounts. Other fundamental practices include patching systems and software as quickly as possible, not reusing passwords across sensitive accounts (a password manager can help), and embracing a culture of security that extends to physical security like locking office doors and file cabinets.

What are the core security practices the IRS recommends for the tax ecosystem?

The IRS recommends “The Security Six” core practices for everyone in the tax ecosystem:

  1. Use and enable antivirus software.
  2. Use a firewall.
  3. Use two-factor authentication.
  4. Use backup software and services.
  5. Use drive encryption.
  6. Create and secure virtual private networks (VPNs).
