The accounting profession holds one of the most concentrated caches of sensitive financial data on earth. Social Security numbers, business revenue, tax returns, payroll records, M&A target financials, estate documents — all in one place, accessible by a small staff, and increasingly connected to client portals, cloud accounting software, and e-filing systems. That combination makes CPA firms one of the highest-value, most under-protected targets in the economy.

The incidents of 2024–2025 have made that point with painful clarity. The cases documented below describe a sector under systematic attack, not from a single threat actor but from several directions at once: ransomware operators, BEC fraud rings, tax document thieves, and compromised software vendors. Every CPA firm that has not built a security training program is operating on borrowed time.

1. Wolters Kluwer / CCH Axcess — May 2019 (Cascading Impact Through 2024)

The breach itself dates from 2019, but the Wolters Kluwer / CCH Axcess incident remains the reference case for supply-chain risk in tax software, and the questions it raised are the ones firms faced again in the 2024 filing season. Wolters Kluwer, whose CCH Axcess cloud platform serves hundreds of thousands of accounting professionals, discovered malware on its systems on May 6, 2019 and took CCH Axcess and related services offline as a precaution. Firms could not reach their returns, documents or e-filing through the platform while it was down, and software updates stopped with it. The outage ran for days with filing deadlines in progress, leaving firms without their tax preparation tools at the worst possible time.

More significantly, the breach raised urgent questions about supply chain security in professional accounting software. CCH Axcess holds the client tax data and working files of some of the largest accounting firms in the country. A compromise of the platform itself, rather than of a single customer, could expose the clients of thousands of firms simultaneously.

The lesson for 2024 and beyond: your firm's security posture is only as strong as your most vulnerable software vendor. The AICPA's System and Organization Controls (SOC) framework exists to address exactly this; a vendor's SOC 2 report is the independently examined description of the controls it operates around your data. Most small CPA firms do not know what a SOC 2 report means for their own supply chain, let alone for their clients'.

What training would have prevented the downstream impact: vendor risk awareness and the ability to read a SOC 2 report. CPA firms using CCH Axcess needed to know what data the platform held, what their contractual notification obligations to clients were, and what to do on the day their primary software vendor confirmed a breach. SOC 2 training covers which controls a report attests to, what an exception in the report means, and what to write into vendor contracts so that a vendor-side incident does not reach client data unannounced.

2. Tax Season Phishing Campaigns (2024 — Annual Pattern)

Every year around February and March, threat actors launch mass phishing campaigns specifically targeting accounting firms with IRS-themed lures. The 2024 tax season was no exception — and the campaigns were more sophisticated than ever.

The most common attack pattern: an email appearing to come from the IRS, a state revenue department, or a client, containing a link to a spoofed tax document portal or a malicious attachment. The goal varies by attacker: credential theft (to get into cloud accounting software such as QuickBooks Online or Xero, tax preparation suites such as Thomson Reuters UltraTax CS, or the firm's practice management portal), or malware delivery (ransomware via an infected attachment).

What made 2024's tax season distinctively dangerous was the use of AI-generated phishing content. Emails were grammatically flawless, contextually accurate (referencing real tax law changes), and sent at times that matched accounting firm workflows (early Monday morning, when staff were catching up on mail). Any heuristic keyed on bad grammar, whether in a filter or in a staff member's head, stopped working. The indicators that survived were the sender's actual domain, where the link really pointed, and whether the request itself made sense.

The FBI IC3 reported that tax-related phishing campaigns targeting accounting professionals increased by approximately 40% in Q1 2024 compared to the same period in 2023. The average wire fraud loss from a successful tax-season BEC attack targeting a CPA firm was $289,000 — higher than the general BEC average, because the firm often controls both its own funds and client funds held in escrow or trust accounts.

What training would have prevented this: recognition of IRS impersonation, inspecting a link's real destination before clicking it, and a documented policy that any wire transfer or request for sensitive client data is verified by calling a phone number already on file, never one supplied in the email. Download the SMB Phishing Defense Pocket Guide for the complete phishing recognition framework.
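As an added example (not code from the original article), the following Python script applies those surviving indicators to two constructed messages. It flags a sender domain that imitates a trusted one, a Reply-To that diverts replies elsewhere, a display name claiming the IRS from a non-IRS address, a trusted domain arriving without a DMARC pass, and link text that shows one domain while the href points at another. examplecpa.com is a placeholder for the firm's own domain and the confusable table is illustrative, not exhaustive.

```python
"""Header-and-link triage for tax-season phishing.

Added example, not code from the original article. The messages below are
constructed samples; examplecpa.com is an assumed placeholder for the firm's own
domain, and the lookalike heuristics are illustrative rather than a vetted product.
"""
import re
import unicodedata
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Sequence

# Domains whose mail the firm expects to see; anything *close* to these is suspect.
TRUSTED_DOMAINS: Sequence[str] = ("irs.gov", "examplecpa.com")  # assumed firm domain


def normalize_domain(domain: str) -> str:
    """Fold punycode, Unicode compatibility forms and digit/letter confusables."""
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or not valid punycode; compare as given
    domain = unicodedata.normalize("NFKC", domain).lower()
    confusables = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "ı": "i", "ѕ": "s", "ɡ": "g"}
    return domain.translate(str.maketrans(confusables)).replace("-", "")


def lookalike_of(domain: str, trusted: Sequence[str] = TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is that domain or unrelated."""
    norm = normalize_domain(domain)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None  # the real thing (or a legitimate subdomain of it)
        close = SequenceMatcher(None, norm, t).ratio() >= 0.8  # lrs.gov vs irs.gov
        embedded = t.replace(".", "") in norm                   # irs-gov-secure.com
        if close or embedded:
            return t
    return None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str, trusted: Sequence[str] = TRUSTED_DOMAINS) -> List[str]:
    """Findings for one RFC 5322 message; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])

    imitated = lookalike_of(from_domain, trusted)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates {imitated}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not to the From domain {from_domain}")
    if re.search(r"\birs\b|internal revenue", display, re.I) and from_domain != "irs.gov":
        findings.append(f"display name claims to be the IRS but the address is @{from_domain}")
    # A trusted domain that fails DMARC is being spoofed; the receiving MTA records this.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain in trusted and "dmarc=pass" not in auth:
        findings.append(f"{from_domain} is trusted but DMARC did not pass ({auth or 'no Authentication-Results header'})")

    # Link text that shows one domain while the href points at another is the classic portal lure.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, flags=re.I):
        href_domain = re.sub(r"^https?://([^/:?#]+).*$", r"\1", href, flags=re.I).lower()
        text_domain = re.sub(r"^(?:https?://)?([^/\s:?#]+).*$", r"\1", text.strip(), flags=re.I).lower()
        if "." in text_domain and text_domain != href_domain:
            findings.append(f"link text shows {text_domain} but points to {href_domain}")
        elif lookalike_of(href_domain, trusted):
            findings.append(f"link domain {href_domain} imitates {lookalike_of(href_domain, trusted)}")
    return findings


# Constructed samples: an IRS-themed lure and an ordinary client message.
SAMPLE_PHISH = """\
From: "IRS e-Services" <notices@irs-gov-secure.com>
Reply-To: recovery@mail-verify.net
To: partner@examplecpa.com
Subject: Action required: 2024 e-file PIN verification
Authentication-Results: mx.examplecpa.com; spf=pass smtp.mailfrom=irs-gov-secure.com; dkim=none; dmarc=none
Content-Type: text/html

<p>Your e-file PIN expires today.</p>
<a href="https://irs-gov-secure.com/login">https://www.irs.gov/e-file-providers</a>
"""

SAMPLE_LEGIT = """\
From: Jane Client <jane@clientco.example>
To: partner@examplecpa.com
Subject: Q1 estimated payment question
Authentication-Results: mx.examplecpa.com; spf=pass; dkim=pass header.d=clientco.example; dmarc=pass
Content-Type: text/plain

Can we go over the Q1 estimate on Thursday?
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw))
```

The DMARC check only fires for domains the firm already trusts, which is the point: a message from the firm's own domain or from irs.gov that the receiving mail server could not authenticate is the spoof case, while a lookalike domain passes SPF and DMARC perfectly for the attacker's own domain and has to be caught by the similarity checks instead.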


3. Regional CPA Firm Ransomware — The Invisible Incidents

Most of the cyber incidents that hit CPA firms never make the news. A 40-person regional accounting firm in the Midwest doesn’t generate the press coverage that a hospital system or a bank does. But the impact on the firm — and their hundreds of client businesses — can be devastating.

Documented cases from 2024 include a regional CPA firm (approximately 60 employees) in the Southeast whose network was encrypted by LockBit ransomware in March 2024. The firm had no usable backup: its most recent one was three weeks old and sat on a network share that was encrypted along with everything else. Work product for Q1 estimated payments, 1099 filings and payroll tax returns was inaccessible. To meet client filing deadlines the firm paid the ransom, an undisclosed amount that industry sources put at $180,000–$220,000.

More quietly, a West Coast accounting firm (approximately 25 employees) suffered a ransomware attack in May 2024 that encrypted its practice management system. With no documented incident response plan, the firm spent four days working out what to do, losing critical time in the recovery window. It ultimately paid $75,000 to decrypt its data, against a cyber insurance deductible of $50,000. The total cost including lost productivity and client notification was estimated at over $200,000, for a firm with fewer than 30 employees.

The common failure mode in both cases: no offline backup, no tested restore procedure, no incident response plan, and no security training program. None of these are exotic or expensive requirements. All of them are documented in the SecurEveryone IR Plan Template.
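An added Python example, not from the article or SecurEveryone, showing what "offline backup" and "tested restore" mean in practice. It backs up a constructed client-data tree, restores the archive into scratch space and compares every file hash against a manifest, re-runs the check after new work lands so a stale backup is caught, and reports whether the backup sits on the same volume as the data it protects (the setup that failed in the first case above). The temporary-directory layout is constructed; a real offline copy means removable media or immutable object storage, which a second directory only approximates.

```python
"""Back up a client-data tree, then prove the backup restores and is not on the same volume.

Added example, not the article's or SecurEveryone's code. The files and directories
are constructed inside a temporary directory; an offline copy in practice means
removable media or immutable object storage, which this script only approximates with
a second directory so that the volume check below has something to report.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a .tgz of source and return its manifest; keep the manifest apart from the archive."""
    manifest = make_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)
    return manifest


def same_volume(a: Path, b: Path) -> bool:
    """True when both paths sit on one filesystem: what encrypts one will encrypt the other."""
    return os.stat(a).st_dev == os.stat(b).st_dev


def verify_restore(archive: Path, expected: Dict[str, str]) -> List[str]:
    """Restore into scratch space and compare with the manifest; an empty list proves the restore."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses traversal and absolute members
            except TypeError:                           # Python older than the filter= backports
                tar.extractall(scratch)
        restored = make_manifest(Path(scratch))
    problems = [f"missing after restore: {rel}" for rel in expected if rel not in restored]
    problems += [f"hash mismatch: {rel}" for rel, d in expected.items() if restored.get(rel, d) != d]
    problems += [f"unexpected file in restore: {rel}" for rel in restored if rel not in expected]
    return problems


def demo() -> Dict[str, object]:
    """Constructed run: a good restore, a stale backup caught by the restore test, a volume check."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        source = root / "client_data"
        (source / "clients" / "acme").mkdir(parents=True)
        (source / "clients" / "acme" / "2024_1040.txt").write_text("constructed sample return\n")
        (source / "payroll.csv").write_text("employee,account\nconstructed,0000\n")
        # The failing setup from the incident: backups on the same volume as the data.
        archive = root / "backups" / "nightly.tgz"
        archive.parent.mkdir()
        manifest = create_backup(source, archive)
        restore_ok = verify_restore(archive, manifest)
        # New work lands after the backup; re-checking against a fresh manifest shows the gap.
        (source / "clients" / "acme" / "2024_941.txt").write_text("constructed payroll return\n")
        stale = verify_restore(archive, make_manifest(source))
        return {"restore_ok": restore_ok, "stale_backup": stale, "same_volume": same_volume(source, archive.parent)}


if __name__ == "__main__":
    print(demo())
```

Run the restore check on a schedule, not once: the incident above was not a missing backup but a backup nobody had restored from in three weeks, and a `same_volume` result of True is the finding that should have stopped it being called a backup at all.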

4. The “Direct File” and IRS Impersonation Attacks (2024)

When the IRS launched its Direct File pilot for the 2024 filing season (tax year 2023 returns, in a limited set of states), attackers immediately created lookalike landing pages and phishing emails claiming to be IRS Direct File portals. The IRS itself warned taxpayers and practitioners about this campaign in February 2024. The fraudulent sites collected Social Security numbers, bank account information, and PINs.

For CPA firms, the risk was two-fold: (1) clients receiving fake IRS communications and providing sensitive data to attackers, then blaming the firm for not warning them; and (2) CPA firm staff receiving IRS-themed phishing emails at precisely the moment when they were most likely to click — during the height of tax season, when IRS-related communications are expected and routine.

CPAs also face a specific threat in this context: client account takeover. If an attacker obtains a client's credentials for the firm's client portal, or a staff member's credentials for the tax preparation software, they can pull prior-year returns and file a fraudulent return in the client's name. The fraud may not surface until the legitimate return is rejected as a duplicate filing. Several regional firms reported client account takeover attempts in early 2024.

What training would have prevented this: IRS impersonation recognition, secure credential management (unique passwords and MFA on every portal and tax application), and an understanding of how the IRS actually communicates: it does not initiate contact by email, text message or social media to request personal or financial information, and first contact is normally by mail. Accounting firm security training covers IRS impersonation specifically.

5. Vendor Compromise — The Practice Management Software Supply Chain

In May 2024, a vulnerability in a widely-used practice management software platform exposed client contact data and engagement letters for approximately 2,400 CPA firms. The vulnerability was discovered by a security researcher and reported to the vendor, which patched it within 72 hours. However, the researcher’s disclosure timeline revealed that the flaw had been present for over three months before it was identified.

The exposed data included client names, email addresses, engagement letter content, and in some cases billing records. This data is exactly what an attacker needs to run a targeted spear-phishing campaign against a CPA firm’s clients — by name, referencing a real engagement letter, asking for a wire transfer or credential update.

What makes this pattern so dangerous for the accounting profession: the client relationship creates trust. A phishing email that references a real engagement letter, appears to come from the CPA firm's domain (spoofed outright if the domain lacks an enforcing DMARC policy, or sent from a lookalike domain the attacker registered), and asks for revised wire transfer instructions will have a far higher success rate than a generic phishing blast.
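An enforcing DMARC policy is what stops mail that spoofs the firm's exact domain; it does nothing against a lookalike domain, which is why the client-side verification procedures in this section still matter. The following is an added Python example, not the article's own, that judges a domain's SPF and DMARC records against a constructed DNS zone: examplecpa.com and hardened-cpa.example are placeholders, and the suggestion of dnspython for a live TXT query is an assumption about tooling rather than anything the article states.

```python
"""Can the firm's own domain be spoofed in From:? Judge it from SPF and DMARC records.

Added example, not from the original article. DNS answers come from a lookup function
so the script runs offline against the constructed zone below; examplecpa.com and
hardened-cpa.example are placeholder domains. To run it for real, swap fake_lookup for
a TXT query (dnspython's dns.resolver.resolve(name, "TXT") is one option; that tooling
choice is an assumption, not something the article states).
"""
from typing import Callable, Dict, List

Lookup = Callable[[str], List[str]]


def parse_dmarc(record: str) -> Dict[str, str]:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, lookup: Lookup) -> Dict[str, object]:
    """Return findings plus a verdict on whether exact-domain spoofing would get through."""
    findings: List[str] = []

    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any server can claim to send for this domain")
    else:
        terminal = spf[0].split()[-1].lower()  # only the final all-mechanism is inspected here
        if terminal in ("+all", "all"):
            findings.append("SPF ends in +all: every sender on the internet is authorized")
        elif terminal == "?all":
            findings.append("SPF ends in ?all (neutral): receivers get nothing to reject on")
        elif terminal == "~all":
            findings.append("SPF softfail (~all): only effective once DMARC enforces alignment")

    dmarc = [r for r in lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    policy, pct = "none", 100
    if not dmarc:
        findings.append("no DMARC record: SPF/DKIM results are never tied to the visible From: domain")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: {100 - pct}% of failing mail bypasses the policy")
        if policy != "none" and tags.get("sp", policy).lower() == "none":
            findings.append("DMARC sp=none: subdomains such as portal.<domain> stay spoofable")
        if "rua" not in tags:
            findings.append("no rua= address: nobody receives the aggregate reports that reveal abuse")

    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"domain": domain, "spoofable": not enforced, "findings": findings}


# Constructed zone: a typical under-configured firm beside a hardened one.
FAKE_ZONE: Dict[str, List[str]] = {
    "examplecpa.com": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.examplecpa.com": ["v=DMARC1; p=none; rua=mailto:dmarc@examplecpa.com"],
    "hardened-cpa.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.hardened-cpa.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened-cpa.example"],
}


def fake_lookup(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; returns [] for names the constructed zone lacks."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for d in ("examplecpa.com", "hardened-cpa.example", "nodns.example"):
        print(assess_domain(d, fake_lookup))
```

Two limits to keep in mind: the SPF check reads only the terminal all-mechanism and does not follow include chains or count the ten-lookup limit, and "not spoofable" here means only that a receiver honouring DMARC would reject exact-domain forgeries; it says nothing about mail from a registered lookalike domain.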

What training would have prevented the client-side impact: Client-side wire transfer verification procedures, and communication to clients about what the firm will and will not ask for by email. Download the Wire Fraud Defense Playbook for the complete client communication framework and verification procedures.

6. Payroll Diversion Attacks on Accounting Firms (2024)

In 2024, a growing attack pattern targeted accounting firms that handle payroll for their clients: the payroll diversion attack. An attacker compromises a CPA firm’s email account, then sends revised direct deposit instructions to the payroll provider on behalf of the firm’s clients. The payroll provider, receiving an apparently legitimate request from the firm’s email, updates the direct deposit account. The next payroll run deposits employee salaries into the attacker’s account.

In one documented case, a mid-size accounting firm in the Pacific Northwest handled payroll for 47 clients with an average of 35 employees each. An attacker compromised an administrative email account and submitted direct deposit change requests to the payroll processor for 12 of those clients in a single week. Seven requests were processed before the fraud was detected. Total employee wages diverted: approximately $340,000. Recovery rate: approximately 12% (the rest was withdrawn through a network of mule accounts within 24 hours).

The attack worked because the payroll processor had no out-of-band verification step: it trusted email-based change requests from the firm's known email domain. The fix, a callback to a phone number already on file before any direct deposit change takes effect, is simple and available from every major payroll processor. It is rarely switched on because the CPA firm does not know to ask for it.
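An added Python example, not the article's or any payroll processor's code, showing the checks a firm could run over its own queue of direct-deposit change requests before forwarding them. The request log is constructed, the routing and account numbers are fake, and the velocity threshold is an assumed tuning value. The callback flag is the control described above; the velocity and shared-account checks catch the specific shape of this incident, many clients changed from one mailbox in one week and several employees pointed at one mule account, even when the first request on its own looks ordinary.

```python
"""Flag direct-deposit change requests that look like payroll diversion.

Added example, not the article's or any payroll processor's code. The request log is
constructed; account and routing numbers are fake; the velocity threshold is an assumed
tuning value. Three signals from the incident above are checked: a change that was
never verified by callback to a number on file, one requester changing deposits for
many clients in a short window, and one destination account reused across employees.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class ChangeRequest:
    ts: datetime
    requester: str           # mailbox the request arrived from
    client: str              # payroll client the request is made on behalf of
    employee: str
    new_routing: str
    new_account: str
    callback_verified: bool  # phoned back on a number already on file (not one in the email)


VELOCITY_LIMIT = 3           # assumed: more distinct clients than this per requester per window
WINDOW = timedelta(days=7)


def detect(requests: List[ChangeRequest]) -> Dict[str, List[str]]:
    """Map 'client/employee' -> reasons to hold the change; absent keys are clean."""
    flags: Dict[str, List[str]] = defaultdict(list)
    by_requester: Dict[str, List[ChangeRequest]] = defaultdict(list)
    by_destination: Dict[tuple, set] = defaultdict(set)

    for r in sorted(requests, key=lambda x: x.ts):
        key = f"{r.client}/{r.employee}"
        if not r.callback_verified:
            flags[key].append("no callback verification")
        by_requester[r.requester].append(r)
        by_destination[(r.new_routing, r.new_account)].add(key)

    # Velocity: a compromised mailbox pushes changes for many clients at once.
    for requester, reqs in by_requester.items():
        for r in reqs:  # already in time order
            clients = {x.client for x in reqs if r.ts - WINDOW <= x.ts <= r.ts}
            if len(clients) > VELOCITY_LIMIT:
                flags[f"{r.client}/{r.employee}"].append(
                    f"{requester} changed deposits for {len(clients)} clients within {WINDOW.days} days")

    # Mule account: several employees, often at different clients, pointed at one account.
    for (_, account), keys in by_destination.items():
        if len(keys) > 1:
            for key in keys:
                flags[key].append(f"destination account ending {account[-4:]} shared with {len(keys) - 1} other employee(s)")
    return dict(flags)


def _t(day: int, hour: int) -> datetime:
    return datetime(2024, 6, 3 + day, hour)  # constructed week in June 2024


SAMPLE_REQUESTS = [
    # Compromised admin mailbox: five clients in three days, first three to one mule account.
    ChangeRequest(_t(0, 9),  "admin@examplecpa.com", "Acme LLC",     "E1", "123456780", "9988001", False),
    ChangeRequest(_t(0, 11), "admin@examplecpa.com", "Bravo Inc",    "E7", "123456780", "9988001", False),
    ChangeRequest(_t(1, 8),  "admin@examplecpa.com", "Cobalt Corp",  "E3", "123456780", "9988001", False),
    ChangeRequest(_t(1, 14), "admin@examplecpa.com", "Delta Dental", "E2", "987654320", "4411020", False),
    ChangeRequest(_t(2, 10), "admin@examplecpa.com", "Echo Farms",   "E5", "987654320", "4411021", False),
    # Ordinary change: one client, verified by calling the number on file.
    ChangeRequest(_t(3, 15), "bookkeeper@examplecpa.com", "Foxtrot LLC", "E9", "555555550", "7777001", True),
]


if __name__ == "__main__":
    for key, reasons in detect(SAMPLE_REQUESTS).items():
        print(key, "->", "; ".join(reasons))
```

Note that the first three requests in the sample trip only the callback and shared-account rules; the velocity rule fires from the fourth client onward. Whatever threshold a firm picks, the important design point is that the check runs on the firm's side, before the request reaches a processor that will trust the firm's domain.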

What training would have prevented this: Wire transfer verification procedures, payroll system security awareness, and MFA enforcement on email accounts used for client payroll administration. Book a SecurEveryone session to run a payroll-focused BEC tabletop exercise with your team.

7. AICPA’s Warning: State Boards Are Now Requiring Cybersecurity Training

In late 2024, several state boards of accountancy began requiring documented cybersecurity training as a condition of CPE (continuing professional education) compliance. The trend accelerated in early 2025 as state boards responded to a wave of client data breaches at CPA firms that had no training records to show regulators.

The most aggressive enforcement came from the California Board of Accountancy and the New York State Board for Public Accountancy, both of which began auditing firms for documented training records during routine compliance reviews. Firms that could not produce evidence of annual security awareness training faced citation and, in some cases, mandatory corrective action plans before they could renew their licenses.

This regulatory shift has implications beyond compliance: a CPA firm that suffers a client data breach and cannot demonstrate documented training is in a materially worse legal position than a firm that can show it trained its team annually. Courts and state AGs look for "reasonableness" in data protection cases, and documented training is some of the strongest evidence of reasonableness a small firm can produce. Independently of state boards, the FTC Safeguards Rule (16 CFR Part 314) already applies to tax return preparers and requires a written information security plan that includes security awareness training for staff.

What training addresses this: Annual security awareness training with documented completion records, role-specific modules for staff handling client data, and management-level cybersecurity governance training. Explore SecurEveryone’s curriculum for accounting-specific CPE-eligible training modules.

8. The Ransomware-Then-Extortion Shift: Client Data as Leverage

Double extortion is not new (Maze introduced the exfiltrate-then-encrypt model in late 2019), but by 2024–2025 it was the default for LockBit, ALPHV/BlackCat and the smaller groups that followed them. Rather than simply encrypting data and selling back the decryption key, operators exfiltrate data first, then threaten publication if payment is not made; some skip encryption altogether and extort on the stolen data alone.

For a CPA firm, this is a catastrophic escalation. Tax returns, SSNs, business financials, estate planning documents, merger target information — all of this becomes a leverage weapon. The attacker publishes the data on the dark web (or, increasingly, on leak sites that are indexed by search engines), and the firm faces simultaneous pressure from: the ransomware demand, client notification obligations, state AG investigations, and reputational destruction.

The financial sector's recent example is the Evolve Bank & Trust breach, where LockBit published stolen customer data in June 2024. CPA firms are now experiencing it directly: one regional firm in the Northeast paid a $400,000 ransom in late 2024 after exfiltrated client tax data appeared on a leak site. The firm had cyber insurance with a $500,000 limit, but the coverage did not fully address the client notification costs, forensic investigation, state regulatory response, and reputational remediation.

The underlying failure: the firm had no IR plan, no tested backup, no documented training program, and no relationship with a forensic firm in advance of the incident. When the attack hit, they were starting from zero — negotiating blindly while their client data circulated on the dark web.

What training would have prevented the escalation: IR planning, backup and recovery procedures, and the specific tabletop exercises that prepare firm leadership for a ransomware scenario. Download the Ransomware Response Playbook — a 12-page guide covering the first 60 minutes, legal obligations, client notification, and FBI reporting requirements.

What These 8 Incidents Tell CPA Firms

Eight cases, three years, one sector, and a consistent pattern:

Security Training for CPA Firms

SecurEveryone builds training programs specifically for accounting professionals, with content that addresses the attack patterns documented in this article:

All SecurEveryone programs include documented completion records, role-specific modules, and CPE-eligible content for state board compliance. Book a session with SecurEveryone to start with a threat assessment specific to your firm’s client base and practice area.

Sources: IRS Security Summit (tax season phishing campaigns), FBI IC3 2024 Annual Report, AICPA State Board Compliance Survey 2024, IBM/Ponemon Cost of a Data Breach 2025, Coalition 2024 Cyber Claims Report, Verizon DBIR 2024. Wolters Kluwer breach details per company press release and Krebs on Security reporting.