
May 2026 | Cybersecurity for CPA Firms | New Employee Security & Phishing Prevention
Tax season is over, and spring is when CPA firms hire. New staff are onboarding — learning UltraTax or Lacerte, getting set up in your client portal, figuring out the workflow in TaxDome or Karbon. The first weeks are overwhelming. New employees are simultaneously learning software, meeting clients, absorbing firm processes, and trying to make a good impression. That combination of unfamiliarity and pressure to perform is exactly what cybercriminals target. Research shows that new employees are 44% more susceptible to phishing attacks than experienced staff — and CEO or partner impersonation attacks are 45% more effective on employees who have been with a firm for less than a year.
Why New Accounting Staff Are Prime Targets
An experienced senior accountant at your firm has developed intuition over years. They know whether partners typically send urgent email requests. They recognize what a real IRS notice looks like versus a phishing email disguised as one. They know the firm's actual document request process versus something that feels off.
A new hire doesn't have any of that. They don't yet know whether it's normal for a partner to email at 7 PM asking for something urgent. They don't know whether client requests typically come through TaxDome or directly by email. They've probably never seen a real IRS notice in your firm's context. And critically, they want to be helpful and competent — which means they're likely to comply with urgent requests without stopping to question them.
The Spring Hiring Window Is High-Risk
Post-tax-season hiring is predictable, and attackers monitor LinkedIn and firm websites for new hire announcements. Within days of a new employee joining a CPA firm, their name may be visible publicly. Attackers can craft targeted emails that reference the firm's real partners, real clients they've researched, or real IRS and state tax authority communications — making phishing attempts far more convincing.
This isn't theoretical. CPA firms have been specifically targeted by phishing campaigns that impersonate IRS audit notices, state tax authority requests, and partner-to-staff requests for W-2 data or direct deposit changes — all timed during onboarding periods when new staff are most likely to comply.
Three Scenarios That Play Out at Accounting Firms
The Fake IRS Notice
A new staff accountant receives an email that appears to come from an IRS address, referencing a client by name and asking them to log into a portal to respond to an examination notice. The email looks legitimate — IRS seal, official language. The accountant, not yet certain what a real IRS email looks like, clicks the link and enters credentials that are immediately captured by attackers.
The Partner 'Emergency' Request
Late on a Tuesday afternoon, a new associate receives an email from what appears to be the managing partner's email address. It says a client needs their return finalized urgently and asks the associate to pull the client's prior year return from Lacerte and send it to an unfamiliar email address. The associate, not wanting to hold up something the partner considers urgent, complies.
The IT Setup Phish
During the first week, a new hire gets an email that looks like it came from your IT provider or internal IT contact, asking them to 'complete account setup' by clicking a link and entering their credentials. On a chaotic first day when they're getting access to multiple systems, this seems routine. It isn't.
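The three scenarios above share a handful of observable signals: a sender presenting itself as the IRS, a partner's display name on mail from outside the firm's domain, a request to send client files to an outside address, and a credential or "account setup" link from a domain that is neither the firm nor its IT provider. The following is an added example, not code from Qual IT or from any product named in this post, of a rule-based triage pass that a firm could run over inbound mail for new hires before they act on it. The firm domain, the IT provider domain, the partner name and all four sample messages are constructed placeholders.

```python
"""Rule-based triage for the three onboarding phishing patterns described above.

Added illustration; not code from Qual IT or from any product named on the page.
The firm domain, partner names and sample messages are all constructed.
"""
import re
from dataclasses import dataclass, field

FIRM_DOMAIN = "examplecpa.test"                  # assumed: the firm's own mail domain
IT_DOMAINS = {FIRM_DOMAIN, "itprovider.test"}    # assumed: domains allowed to send setup mail
PARTNER_NAMES = {"Dana Partner"}                 # constructed: display names worth protecting

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URGENCY_RE = re.compile(r"\b(urgent|urgently|asap|immediately|right away|today)\b", re.I)
IRS_RE = re.compile(r"\b(irs|internal revenue service)\b", re.I)
CRED_RE = re.compile(r"(complete (your )?account setup|verify your (account|credentials)|"
                     r"enter your (password|credentials)|log ?in to (respond|continue))", re.I)

# Flags that on their own justify escalating to the firm's security point of contact.
HIGH = {"irs-sender-claim", "partner-name-external-sender",
        "send-client-data-externally", "setup-link-from-unknown-domain"}


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body: str
    links: list = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def flags_for(msg: Message) -> list:
    """Return the heuristic flags raised by a single message."""
    flags = []
    dom = domain_of(msg.from_addr)
    text = f"{msg.subject}\n{msg.body}"

    # Scenario 1: the sender presents itself as the IRS. The FAQ's rule is that the
    # IRS does not initiate contact by email, so the claim itself is the signal.
    if IRS_RE.search(msg.from_name):
        flags.append("irs-sender-claim")
    elif IRS_RE.search(text) and msg.links:
        flags.append("irs-notice-with-link")

    # Scenario 2: a partner's display name from outside the firm's domain, and a
    # request to send files to an address that is not the firm's.
    if msg.from_name in PARTNER_NAMES and dom != FIRM_DOMAIN:
        flags.append("partner-name-external-sender")
    outside = [a for a in EMAIL_RE.findall(msg.body) if domain_of(a) != FIRM_DOMAIN]
    if outside and re.search(r"\b(send|forward|email)\b", msg.body, re.I):
        flags.append("send-client-data-externally")

    # Scenario 3: a credential or setup request carrying a link, from a domain
    # that is neither the firm nor its IT provider.
    if CRED_RE.search(text) and msg.links:
        flags.append("credential-setup-link")
        if dom not in IT_DOMAINS:
            flags.append("setup-link-from-unknown-domain")

    if URGENCY_RE.search(text):
        flags.append("urgency-language")
    return flags


def verdict(msg: Message) -> str:
    """'escalate' on any high-severity flag, 'review' on lesser ones, else 'ok'."""
    flags = flags_for(msg)
    if any(f in HIGH for f in flags):
        return "escalate"
    return "review" if flags else "ok"


# Constructed samples mirroring the three scenarios plus one routine internal message.
SAMPLES = {
    "fake_irs": Message("IRS Examination Unit", "notices@irs-examinations.test",
                        "Examination notice for client Acme LLC",
                        "Log in to respond to the examination notice within 48 hours.",
                        links=["https://irs-examinations.test/login"]),
    "partner_emergency": Message("Dana Partner", "dana.partner@examplecpa-mail.test",
                                 "Urgent - Acme LLC prior year return",
                                 "Pull the prior year return from Lacerte and send it to "
                                 "acme.finance@outside.test right away."),
    "it_setup": Message("IT Support", "helpdesk@account-setup.test",
                        "Complete account setup",
                        "Complete your account setup by clicking the link and "
                        "entering your credentials.",
                        links=["https://account-setup.test/setup"]),
    "benign": Message("Sam Senior", "sam.senior@examplecpa.test",
                      "Acme LLC engagement letter",
                      "The signed engagement letter is in TaxDome under the client folder."),
}


def triage_all() -> dict:
    """Map each sample name to its verdict; the three phishing samples escalate."""
    return {name: verdict(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:18s} {verdict(msg):9s} {flags_for(msg)}")
```

The rules are deliberately simple and keyed to the firm's own norms (its domain, its IT provider, its partners), which is the point the next section makes: detection of these messages depends on knowing what normal looks like at this firm, not on generic phishing indicators.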
Three Fixes That Protect New Hires
1. Provision Access Before Day One
New employees should never be improvising their own system access during their first days. Credentials for UltraTax or Lacerte, the client portal, QuickBooks or Xero, and workflow software like TaxDome or Karbon should be set up, MFA enrolled, and access rights configured before they walk in the door.
When onboarding is structured and access is pre-provisioned, staff don't need to respond to IT setup emails or click unfamiliar links — eliminating one of the most common new-hire phishing vectors.
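Pre-provisioning only protects a new hire if what was provisioned is actually checked: every system the role needs is present, nothing beyond the role is granted, and MFA is enrolled everywhere. The following is an added example, not Qual IT's code or any vendor's, of a day-one access review against per-role templates. The role templates, system names and the two-person roster are constructed placeholders; a real firm would map them to its own tax, portal, accounting and workflow systems.

```python
"""Day-one access review for new hires: flags missing MFA enrollment, systems
the role needs but lacks, and grants beyond what the role template allows.

Added example, not Qual IT's code. Role templates, system names and the
roster are constructed placeholders.
"""
from dataclasses import dataclass

# Assumed role templates: systems a role needs on day one and the level required.
ROLE_TEMPLATES = {
    "staff_accountant": {"tax_software": "user", "client_portal": "user",
                         "workflow": "user", "email": "user"},
    "bookkeeper": {"accounting": "user", "client_portal": "user",
                   "workflow": "user", "email": "user"},
}
LEVELS = {"none": 0, "user": 1, "admin": 2}


@dataclass
class Grant:
    system: str
    level: str
    mfa_enrolled: bool


@dataclass
class NewHire:
    name: str
    role: str
    grants: list


def review(hire: NewHire) -> list:
    """Return (severity, finding) tuples for one new hire; empty means clean."""
    findings = []
    template = ROLE_TEMPLATES.get(hire.role)
    if template is None:
        return [("high", f"no access template defined for role '{hire.role}'")]
    granted = {g.system: g for g in hire.grants}

    # Everything the role needs must exist at the right level: too little blocks
    # the hire (and invites improvised workarounds), too much is excess privilege.
    for system, needed in template.items():
        g = granted.get(system)
        if g is None:
            findings.append(("medium", f"{system}: not provisioned (role needs '{needed}')"))
        elif LEVELS[g.level] > LEVELS[needed]:
            findings.append(("high", f"{system}: '{g.level}' exceeds role level '{needed}'"))
        elif LEVELS[g.level] < LEVELS[needed]:
            findings.append(("medium", f"{system}: '{g.level}' below role level '{needed}'"))

    # Anything granted outside the template is excess access, and every grant
    # must have MFA enrolled before the hire's first day.
    for system, g in granted.items():
        if system not in template:
            findings.append(("high", f"{system}: granted but not in the {hire.role} template"))
        if not g.mfa_enrolled:
            findings.append(("high", f"{system}: MFA not enrolled"))
    return findings


def ready_for_day_one(hire: NewHire) -> bool:
    """True when no high-severity finding remains."""
    return not any(sev == "high" for sev, _ in review(hire))


# Constructed roster: one correctly provisioned hire, one with typical mistakes.
ROSTER = [
    NewHire("A. Hire", "staff_accountant", [
        Grant("tax_software", "user", True), Grant("client_portal", "user", True),
        Grant("workflow", "user", True), Grant("email", "user", True)]),
    NewHire("B. Hire", "staff_accountant", [
        Grant("tax_software", "admin", True),      # over-privileged
        Grant("client_portal", "user", False),     # MFA not enrolled
        Grant("accounting", "user", True),         # not part of the role
        Grant("email", "user", True)]),            # workflow system is missing
]

if __name__ == "__main__":
    for hire in ROSTER:
        print(hire.name, "ready" if ready_for_day_one(hire) else "NOT ready")
        for sev, finding in review(hire):
            print(f"  [{sev}] {finding}")
```

Running this as the last step of the onboarding checklist turns "access rights configured before they walk in the door" into something the office manager or IT provider can verify rather than assume.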
2. Teach New Hires What Normal Looks Like at Your Firm
Security training for accounting staff can't be generic. It needs to reflect your firm's actual communication practices. Does your firm use TaxDome or Karbon as the primary communication channel? Is it ever normal for a partner to request client documents by direct email? What does a real IRS notice look like — and how should staff handle it?
When employees have a clear picture of normal firm communication, anomalies become visible. The email that doesn't fit the pattern becomes a red flag rather than something to act on urgently.
3. Designate a Clear Security Point of Contact
Every new hire should know, explicitly, who to contact if something seems suspicious. Not 'report to IT' — a specific person and a specific contact method. This removes the friction that stops employees from speaking up: fear of looking incompetent, not knowing who to ask, or not wanting to slow something down.
That contact might be your office manager, a senior partner, or your managed IT provider's helpdesk. The key is that it's named, communicated during onboarding, and easy to reach without judgment.
The IRS and FTC Compliance Dimension
IRS Publication 4557 requires CPA firms to train employees on data security practices. The FTC Safeguards Rule requires written information security programs that address employee training. A phishing incident involving a new hire who received no security-specific training is not just an operational problem — it represents a gap in your compliance program.
Documenting your new hire security training — what's covered, when it happens, and by whom — is part of demonstrating the written policies and procedures that regulators look for during examinations.
What to Do This Month
- Add security training to your new hire onboarding checklist and schedule it for the first week
- Designate a specific security point of contact for new employees and communicate it explicitly
- Review whether new hires have appropriately scoped access on day one — or overly broad access
- Brief new staff specifically on IRS impersonation phishing — what it looks like and how to respond
- Document your training process for IRS Publication 4557 and FTC Safeguards Rule compliance
Qual IT Works With Salt Lake City CPA Firms
We work with Salt Lake City CPA firms to protect client data and keep systems running through tax season. If you'd like to talk through how to structure new hire security onboarding for your firm, schedule a free discovery call with Qual IT.
Frequently Asked Questions
Does IRS Publication 4557 require us to train new employees on phishing?
Yes. IRS Publication 4557 explicitly requires tax professionals to train employees on data security policies and procedures, including recognizing and responding to phishing attempts. The FTC Safeguards Rule also requires employee training as part of a written information security program. A new hire phishing incident that results in a data breach will be examined against the backdrop of whether the employee received adequate training — making documentation of your training program important.
How do we recognize IRS impersonation phishing emails?
The IRS never initiates contact by email about taxpayer accounts. If you or your staff receive an email claiming to be from the IRS about a client matter, it is phishing — every time. The IRS contacts tax professionals and taxpayers by physical mail, so real IRS correspondence to your firm arrives by postal mail. Training staff on this single fact eliminates a large category of accounting firm phishing attempts.
How long are new employees at elevated phishing risk?
Research indicates the first 30 to 90 days carry the highest risk, but the risk remains elevated throughout the first year as employees are still building familiarity with firm norms. Post-tax-season hires are in a somewhat unusual position — they join when the most intense work period is over but before they've experienced a full cycle. Consider running security awareness reinforcement at the six-month mark as new hires approach their first tax season.

