Spring Cybersecurity Scams Are Targeting Salt Lake City CPA Firms — Right in the Middle of Tax Season

April 1 comes and goes. For most businesses, it's a date on the calendar. For Salt Lake City CPA firms, it's the final stretch of the busiest — and most dangerous — time of the year.

Tax season is prime hunting season for cybercriminals. Not because CPAs are careless, but because your accounting staff is under maximum deadline pressure, processing hundreds of client returns and fielding a constant stream of client requests and IRS-related correspondence. That's the exact environment attackers engineer for: high volume, high urgency, little time to think.

Here are three active cybersecurity threats hitting CPA firms right now. Not targeting gullible people, but sharp, detail-oriented accounting professionals who are just trying to get through April. As you read through these, ask yourself one honest question: Would everyone on your accounting team pause long enough to catch each one — at 6 PM on April 12th?

Scam #1: The Toll Road (or Parking Fee) Text

A staff accountant gets a text between client return reviews: "You have an unpaid toll balance of $6.99. Pay within 12 hours to avoid late fees." The amount is small. They're under deadline, so they click and pay quickly. Except the link wasn't real. The FBI received more than 60,000 complaints about fake toll texts in 2024 alone, and volume jumped 900% in 2025. The reason it works during tax season: $6 doesn't feel risky, and your team is moving too fast to stop and verify something this minor.

The guardrail: No payments through text-message links, period. Go directly to the official website. Convenience is the bait. Process is the defense — even during April.

Scam #2: The Fake IRS Notice or State Tax Authority Email

An accountant receives an email that appears to be an IRS notice, a state tax authority correspondence, or a client document upload notification from your portal system — UltraTax, TaxDome, SafeSend, or your document management platform. The formatting looks exactly like the real thing. They click, enter their credentials, and now an attacker has access to your tax preparation platform, your client portal, and potentially every client return in process.

Phishing campaigns disguised as IRS correspondence and tax software notifications are specifically timed to peak during tax season. The IRS itself consistently reports this as one of the highest-volume phishing campaigns every year. For CPA firms, a compromised UltraTax or Lacerte credential during tax season isn't just an IT problem — it's a client data breach involving SSNs, bank account information, and business financials for potentially hundreds of clients.

IRS Publication 4557 specifically requires tax preparers to implement security measures to protect client data. A breach during tax season can trigger IRS reporting requirements and state board notifications.

The guardrail: The IRS never initiates contact via email. If a notification from your tax software or client portal looks unexpected, don't click — log in directly through the browser. Enable multi-factor authentication on every tax preparation and document management platform.

Scam #3: The Email That's Written Too Well

A 2025 study found that AI-generated phishing emails achieved a 54% click rate, compared to 12% for human-written ones. For CPA firms, the most dangerous variant targets billing and payment workflows — a fake client email requesting updated bank information for a refund deposit, or a fake vendor invoice during the chaos of April. In one recent test, 72% of employees engaged with vendor impersonation emails during high-pressure periods.

Tax season creates exactly the distracted, high-volume environment where this succeeds. Your team is processing hundreds of client files. One convincing fake slipping through can compromise your entire client database.

The guardrail: Any request involving payment changes or sensitive client data gets verified through a second channel — a phone call to a number already on file. Urgency is the warning sign. Real clients and vendors understand you're in tax season.

What This Means for Your Salt Lake City CPA Firm

Tax season deadline pressure creates the exact conditions attackers exploit: high volume, high urgency, limited bandwidth to pause and verify. Your clients trust you with their most sensitive financial information — SSNs, bank accounts, business financials. A breach doesn't just create a notification obligation. It can damage client relationships that took years to build.

IRS Publication 4557 requires tax preparers to have a documented cybersecurity plan. The goal isn't just compliance — it's process design that protects client data even when your accounting team is running at full capacity through April 15.

Frequently Asked Questions

What cybersecurity threats target CPA firms specifically during tax season?

Phishing disguised as IRS notices and tax software notifications is the highest-volume threat for CPA firms during tax season. These attacks are deliberately timed for maximum impact and specifically target UltraTax, Lacerte, Drake, and TaxDome users. Vendor impersonation emails targeting billing changes and fake client document upload requests round out the top active threats.

What does IRS Publication 4557 require for CPA firm data security?

IRS Pub 4557 requires tax preparers to implement a Written Information Security Plan (WISP), use multi-factor authentication on all tax preparation platforms, encrypt client data in transit and at rest, conduct employee security awareness training, and have documented procedures for responding to data breaches. A qualified IT provider can help you build and document a compliant WISP.

Does Qualit offer cybersecurity and IT support for CPA firms in Salt Lake City?

Yes. Qualit provides cybersecurity and managed IT services for CPA firms and accounting practices across Salt Lake City and the greater Utah area, including tax software platform security and IRS Pub 4557-aligned cybersecurity programs. A quick discovery call is a good place to start.

That's Where We Can Help

Most Salt Lake City CPA partners don't want to become cybersecurity policy writers during tax season. They want to know their client data is protected and their firm meets IRS requirements. On a discovery call, we'll cover:

  • The cybersecurity risks Salt Lake City CPA firms are seeing right now — especially during tax season
  • Where client data exposure risks surface through normal accounting workflows
  • How to build a defensible, IRS-compliant cybersecurity program without disrupting your practice

Book your free discovery call here.