Tax Season IT Readiness — What CPA & Accounting Firms in Florida Should Have Locked Down Before January 1

May 12, 2026 · 7 min read · Steve Condit — Founder, Simply IT

From January 15 through April 15, a typical CPA firm in North Central Florida runs at four to five times its slow-season volume on the same infrastructure that quietly carried it through November. The IRS receives more than 160 million individual returns in this window. Threat actors know it. Ransomware groups, phishing operators, and business-email-compromise (BEC) crews shift staffing toward tax-prep firms every January because the leverage is at its highest — a CPA who cannot access client files for 48 hours during the second week of April is incalculably worse off than the same firm in October. This post is the pre-season readiness work we recommend every Florida CPA and accounting firm complete before January 1.

4-5x: Volume increase during tax season
$48K: Avg BEC wire fraud loss per incident
$8K+: Per-hour cost of downtime in peak season
$100K: FTC Safeguards Rule penalty per violation

Why Tax Season Is Different — Three Threat Vectors That Spike Every January

Three categories of attack measurably accelerate during the January-to-April window. The pattern is consistent enough that the IRS publishes annual warnings and the FBI's IC3 has flagged each of them as recurring tax-season threats:

01. W-2 / 1099 Phishing
Attackers send your staff fake 'updated W-2' or '1099-NEC correction' attachments. The PDFs are weaponized or the links land on credential-harvest pages styled to look like Drake, Lacerte, ProSeries, UltraTax, or your client portal. One click during the second week of February and the attacker has a foothold for the next 60 days.
02. Client-Impersonation BEC
Threat actors register lookalike domains (cpa-firm.cm vs cpa-firm.com), monitor email signatures harvested from earlier phishing, and then send your firm a 'change my refund-deposit account' email at the worst possible moment. The IRS direct-deposit window during refund season is the highest-leverage BEC scenario in the calendar.
03. Ransomware Targeting Tax Prep Software
Drake, Lacerte, ProSeries, and UltraTax all run on local servers or workstations at most small firms. Ransomware operators specifically gain access to firms in late January, dwell quietly until the firm's extension-deadline pressure peaks, and then detonate. Recovery during tax season is measured in days, not hours.
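
The lookalike domains described under Client-Impersonation BEC can be caught mechanically before a refund-deposit request reaches a preparer. The following is an added example, not part of the original article: it classifies sender addresses against an assumed allowlist of domains the firm already corresponds with. The allowlist, the sample addresses and the distance threshold are constructed for illustration.

```python
# Added example, not from the original article. The allowlist, sample
# addresses and distance threshold below are constructed assumptions.
KNOWN_DOMAINS = {"cpa-firm.com", "clientco.example"}

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(address, known=KNOWN_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain) for one From/Reply-To address."""
    domain = address.rsplit("@", 1)[-1].strip(" <>.").lower()
    if not domain.isascii() or "xn--" in domain:
        return ("idn-review", None)  # possible homoglyph domain, needs a human look
    for good in sorted(known):
        if domain == good or domain.endswith("." + good):
            return ("known", good)
    for good in sorted(known):
        if edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unrelated", None)

def flag_lookalikes(addresses, known=KNOWN_DOMAINS):
    """Return (address, imitated_domain) pairs to hold for phone verification."""
    hits = []
    for addr in addresses:
        verdict, match = classify_sender(addr, known)
        if verdict == "lookalike":
            hits.append((addr, match))
    return hits

SAMPLE_SENDERS = [  # constructed
    "jane@cpa-firm.com",
    "Jane <jane@cpa-firm.cm>",
    "billing@clientc0.example",
    "newsletter@irs-updates.example",
]

if __name__ == "__main__":
    for addr, imitated in flag_lookalikes(SAMPLE_SENDERS):
        print("HOLD %s (imitates %s)" % (addr, imitated))
```
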
// Warning
The IRS Form 14039-B (data theft incident report) and IRS Pub 4557 require the firm — not the IT vendor — to report a tax-related identity-theft incident to the IRS Stakeholder Liaison and state tax authorities. Plan the response chain now, not after the breach. Every minute spent figuring out who to call during tax season costs you and your clients.

FTC Safeguards Rule — What Every Florida CPA Is Already Required to Do

The amended FTC Safeguards Rule (16 CFR 314) covers every CPA firm that handles customer financial information — which is every firm. As of the 2023 enforcement effective date, the Rule requires nine specific elements in your information security program, regardless of firm size:

A designated Qualified Individual responsible for information security
Written risk assessment, updated periodically
Encryption of customer information in transit and at rest
Multi-factor authentication for all individuals accessing customer information
Access controls limited to those who need the data to perform their job
Continuous monitoring or annual penetration testing + biannual vulnerability assessments
Secure disposal of customer information no later than two years after last use
Written incident response plan
Annual written report to the firm's board or senior management

A breach during tax season with any of these elements missing converts a bad incident into a regulatory enforcement action. The pre-season window is when you close those gaps.

The Pre-Season IT Readiness Checklist (Complete by January 1)

This is the work that produces the most return per hour spent. The earlier in Q4 you complete it, the less it will cost you when something happens in March.

MFA on every account — no exceptions
Email, tax prep software, client portal, payroll system, bank logins, file-share. Hardware keys or TOTP apps; SMS is the floor, not the ceiling. Audit who is exempted and remove the exemptions before January.
Backup tested with an actual restore
Pull a real client file out of last night's backup to a clean workstation. Document date, source backup, file restored, validator. If you cannot perform this drill in December, you will not magically do it in April under fire.
Tax prep software fully patched & supported
Verify Drake, Lacerte, ProSeries, UltraTax, ATX, or TaxAct is on a current supported version with all year-end updates installed. An out-of-band patch dropped on April 8 should not be your first patch attempt of the season.
Email security gateway tuned for tax-season phishing
Increase quarantine sensitivity on attachments from external senders. Add display-name impersonation alerts. Update DMARC, DKIM, SPF to enforce, not just monitor. Train staff on the W-2 / 1099 phishing patterns specifically.
Secure client portal, not email attachments
If clients are still emailing W-2 PDFs, you are responsible for that data the moment it arrives. Stand up a secure portal (ShareFile, SmartVault, TaxDome, Liscio, Canopy) and require it before January. Email-only is no longer a defensible posture.
Staff awareness training refreshed in December
Annual training in Q4, plus a simulated phishing campaign in late December against your own team. Track click-through rates per person. Anyone above the firm average gets remediation before the season starts.
Incident response plan reviewed & posted
Who calls the insurer? Who calls the IRS Stakeholder Liaison? Who emails clients? Who shuts down the network? Print the plan. Tape it inside the supply closet door. The plan you can find at 11pm on a Sunday is the plan that works.
Vendor inventory & SOC 2 / security posture refresh
Tax prep vendor, client portal, payroll, banking, e-signature, document management. Pull their latest SOC 2 (or equivalent attestation) and confirm contract terms. Document who has admin access on each platform and rotate or revoke as needed.
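
The "enforce, not just monitor" distinction in the email security item is visible in the DNS records themselves. The following is an added example, not part of the original article: it audits DMARC and SPF TXT record strings and reports why a policy is not yet enforcing. The records and the cpa-firm.example domain are constructed; DKIM carries no policy tag of its own, so its enforcement is expressed through the DMARC policy checked here.

```python
# Added example (not from the original article). All records are constructed
# samples of what a DNS TXT lookup would return; cpa-firm.example is hypothetical.

def parse_tags(record):
    """Split a DMARC record such as 'v=DMARC1; p=none' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return a list of reasons the DMARC policy is not fully enforcing."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s: monitor only, failing mail is still delivered" % policy)
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s: policy applies to only part of the mail" % pct)
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains are not enforced")
    return findings

def audit_spf(record):
    """Return a list of reasons the SPF record does not hard-fail unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
            if qualifier == "-":
                return []
            return ["%sall: unlisted senders are not rejected" % qualifier]
    if any(t.lower().startswith("redirect=") for t in terms[1:]):
        return ["redirect= in use: audit the target record instead"]
    return ["no 'all' mechanism: unlisted senders get a neutral result"]

MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@cpa-firm.example"   # constructed
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@cpa-firm.example"    # constructed

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ENFORCING):
        print(rec, "->", audit_dmarc(rec) or "enforcing")
```
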

During-Season Daily Discipline

Once the season starts, the controls you put in place in Q4 only work if the team uses them. These are the daily operational habits we coach our CPA clients to maintain through April 15:

Verify every refund-deposit change or wire-instruction request by phone to a known number — never the number in the email
Send and receive client tax documents exclusively through the secure portal — no exceptions for friendly long-term clients
Review the EDR / antivirus alert queue at the start of every workday
Confirm last night's backup completed successfully — a missed backup notice on April 1 is not when you find out
Rotate the practitioner's e-filing credentials at start and end of season
Restrict after-hours remote access to the firm to MFA-protected VPN or zero-trust gateway only

What an Outage Actually Costs in March

The financial case for pre-season hardening is straightforward. A 7-person firm preparing 800 returns at an average fee of $450 produces roughly $360,000 of revenue across 10 productive weeks — about $9,000 of daily revenue capacity in the peak window. Add the opportunity cost of missed extension deadlines, late-fee exposure on client returns, and post-incident remediation, and a single ransomware event during the second week of April routinely costs a mid-size firm $80,000 to $180,000 even before insurance triggers. Pre-season hardening — MFA rollouts, EDR, tested backups, security training — comes in at a small fraction of that.

"A CPA who loses two days of access in March is in trouble. A CPA who loses two days in October is annoyed. The risk profile is the same — the consequences are not. We do the work in Q4 specifically because the cost gap between a problem in October and the same problem in March is enormous."
Steve Condit, Simply IT

How Simply IT Supports Florida CPA Firms

For CPA and accounting firms in Ocala, The Villages, Gainesville, and across North Central Florida we deliver a managed IT and security program aligned to the FTC Safeguards Rule and IRS Publication 4557. That includes MFA enforcement, managed EDR, tested backup with quarterly restore drills, secure cloud document portal, ongoing security awareness training with quarterly simulated phishing, and a documented incident response plan reviewed before every tax season. We do not promise zero incidents — we promise the controls, the documentation, and the response chain that make tax season survivable when one does happen.

// Key Takeaway
The cheapest hour you will ever spend on cybersecurity is the one you spend in October. The most expensive is the one you spend in March. Do the readiness work in Q4 — specifically the eight items in the pre-season checklist above — and you will spend tax season practicing accounting instead of practicing incident response.
// Written By
STEVE CONDIT
Founder & Owner, Simply IT · US Marine Veteran · 30+ Years IT Experience

Steve Condit founded Simply IT to bring enterprise-grade IT management to small and mid-sized businesses across North Central Florida. With over 30 years of IT experience and a background in the US Marine Corps, Steve built Simply IT around the principle that local businesses deserve the same quality of technology partnership that large companies take for granted — without long-term contracts or national call center support.
