THE SHORT ANSWER
In 2024, the IRS uncovered $9.1 billion in tax fraud and logged nearly 300,000 identity theft reports, many directly linked to phishing attacks targeting tax preparers. One compromised CPA email account gives an attacker everything they need: Social Security numbers, bank routing details, prior-year returns, and the trusted relationship with your client that makes fraudulent instructions believable. When a client’s refund is misdirected because an attacker impersonated your firm, the client does not always blame the attacker. They blame the firm that lost control of the channel the attacker used. For accounting firms in Los Angeles handling high-net-worth individuals, entertainment clients, and complex real estate transactions, the liability exposure of an unsecured email environment is not hypothetical. It is documented, active, and growing.
IT Accuracy | Managed IT Services, Los Angeles | Date: May 11, 2026 | 14 min read
AT A GLANCE
Your firm did not send the email. An attacker did, using a domain nearly identical to yours, to a client who had been filing with you for eleven years. The refund instructions looked right. The tone was right. The amount was right. The bank account was not. By the time anyone realized what had happened, the wire had settled.
The scale of the problem is not ambiguous. In 2024, the IRS uncovered $9.1 billion in tax fraud and logged nearly 300,000 identity theft reports. A significant portion of those reports traced back to phishing attacks targeting tax preparers rather than individual taxpayers. The logic is straightforward: compromise one CPA, and you have access to dozens or hundreds of client records simultaneously. Compromise a taxpayer directly, and you have one.
The IRS included spear-phishing targeting CPA firms on its 2024 Dirty Dozen list, the annual publication detailing the most dangerous and active tax scams. Spear-phishing differs from general phishing in one critical way: it is not spray-and-pray. Attackers research the firm, identify the software it uses, understand its billing cycles and client communication patterns, and construct emails that look exactly like what the firm’s clients or staff would expect to receive. A rejected e-file notification from Drake Tax. A client query about a refund status. An urgent update from a payroll integration vendor. The hook is indistinguishable from legitimate correspondence.
With approximately 80 million tax returns prepared by CPAs annually, the industry represents an efficiently exploitable attack surface. A successful breach of one firm’s email environment does not yield one record. It yields a client roster. In Los Angeles, where accounting firms frequently serve entertainment industry clients, high-net-worth individuals, real estate investors, and multi-entity business owners, the value of that roster is compounded. Each client file contains the exact data points that enable identity theft, fraudulent return filing, and refund diversion at scale.
There is a misconception in the accounting profession that cybersecurity is a concern for technology companies or financial institutions, meaning organizations with large IT budgets and complex infrastructure. The 2024 threat landscape does not support this. Small and mid-sized CPA firms are now the preferred attack vector precisely because they hold what attackers want and are less likely to have the defenses in place to stop them.
Consider what a typical accounting firm’s network contains: Social Security numbers for every individual client, bank routing and account numbers tied to refund deposits, employer identification numbers for every business client, prior-year tax returns documenting income, assets, and liabilities, payroll records including employee compensation and benefit elections, and the active filing credentials including EFIN and PTIN that allow returns to be submitted in the firm’s name.
The multiplier problem
A bank holds financial accounts. A CPA firm holds the keys to financial identity. The data in one compromised CPA firm file drawer, physical or digital, is sufficient to file fraudulent returns, open lines of credit, redirect refunds, and impersonate both the firm and its clients across multiple institutions simultaneously.
For Los Angeles accounting firms, the attack surface is wider than a practice in a smaller market. The entertainment industry generates unusually complex compensation structures involving residuals, licensing arrangements, and multi-state filings. Real estate clients hold layered entity structures with significant transaction histories. High-net-worth individuals have tax situations that require ongoing communication about estimated payments, extensions, and refunds, all of which create legitimate-looking pretexts for fraudulent email instructions. Attackers who research a firm’s client profile before striking know exactly which type of request will be acted on without a second look.
The mechanics of how these attacks unfold make clear why technical controls matter more than staff vigilance alone. Awareness training is necessary. It is not sufficient. The sequence below represents the pattern documented across multiple IRS enforcement actions and professional liability cases in 2024 and 2025.
How a phishing attack targets and compromises a CPA firm: step by step
The firm is profiled before the first email arrives
Attackers review the firm’s website, LinkedIn page, state licensing records, and any public-facing client mentions. They identify the software the firm uses, including Drake, ProSeries, UltraTax, and QuickBooks, as well as the communication patterns typical of that software’s notifications. They identify which partners sign client-facing correspondence and what the firm’s standard subject line formats look like.
A spear-phishing email arrives mimicking a known sender
The email appears to come from the IRS e-Services portal, a tax software vendor, or a client. It creates urgency: a rejected e-file, a flagged return, a password expiration for the firm’s EFIN portal. The link or attachment it contains delivers either credential-harvesting malware or a login page that captures the staff member’s credentials in real time.
Credentials are captured and the inbox is monitored silently
With a staff member’s email credentials, the attacker authenticates into the firm’s Microsoft 365 or Google Workspace account. They do not immediately act. They set up inbox rules to forward copies of relevant emails covering anything mentioning refunds, payment details, bank changes, or specific client names, to an external address. This monitoring phase can last weeks before any visible action is taken.
A fraudulent instruction is sent to a client or a refund is rerouted
Using the compromised account or a lookalike domain, the attacker sends payment or refund instructions to a client. Because the communication matches the firm’s tone, formatting, and established relationship, the client acts on it. Alternatively, the attacker accesses the firm’s tax preparation software directly and changes the banking details on a return before it is filed. The refund goes to an attacker-controlled account.
The firm learns about it from a client, not from its own systems
The most common discovery method is a client phone call: their refund has not arrived, or they received a notice that their return was already filed. By the time the firm understands what happened, the attacker has been in the system for weeks. Every client whose data passed through the compromised inbox during that window is potentially affected.
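The silent monitoring stage described above (step three, inbox rules that forward refund and banking mail to an outside address) leaves a trace in the mailbox audit log, which is where a firm can catch it before a client calls. The script below is an added example written for this article, not IT Accuracy's tooling or a Microsoft product; it scans audit records shaped like Exchange Online's New-InboxRule and Set-InboxRule events (the sample events, the firm domain example-cpa.test, and the relay domain mail-relay.test are all constructed) and flags rules that forward outside the firm, delete or mark messages read, or filter on financial keywords. The preventive counterpart, disabling automatic external forwarding in the tenant's outbound spam policy, is a configuration change rather than a script and is not shown here.

```python
"""Flag mailbox inbox rules that match the attacker pattern described in the article.

Added example for this article (not IT Accuracy's or Microsoft's code). The event
records below are constructed and only loosely follow the shape of Exchange Online
audit records: an Operation, a UserId and a Parameters list of Name/Value pairs.
"""
import re
from typing import Dict, List, Optional

FIRM_DOMAINS = {"example-cpa.test"}            # constructed: the firm's own mail domain(s)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMETERS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FINANCIAL_KEYWORDS = {"refund", "wire", "bank", "payment", "routing", "invoice"}


def _parameters(record: Dict) -> Dict[str, str]:
    """Collapse the Name/Value parameter list into a plain dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _addresses(value: str) -> List[str]:
    """Pull e-mail addresses out of a parameter value such as '"a@x.test";"b@y.test"'."""
    return re.findall(r"[\w.+-]+@[\w.-]+\.\w+", value)


def analyze_rule_event(record: Dict, firm_domains=FIRM_DOMAINS) -> Optional[Dict]:
    """Return an alert dict for a suspicious rule event, or None if it looks benign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _parameters(record)
    reasons: List[str] = []

    # 1. Forwarding or redirecting to a domain the firm does not own.
    for name in FORWARD_PARAMETERS:
        for addr in _addresses(params.get(name, "")):
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in firm_domains:
                reasons.append(f"{name} sends mail to external address {addr}")

    # 2. Rules that hide the matching mail from the mailbox owner.
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True hides matching mail from the user")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead=True hides new-mail indicators")

    # 3. Rules keyed on the financial terms an attacker waits for.
    words = (params.get("SubjectContainsWords", "") + " " + params.get("BodyContainsWords", "")).lower()
    hits = sorted(k for k in FINANCIAL_KEYWORDS if k in words)
    if hits:
        reasons.append("filters on financial keywords: " + ", ".join(hits))

    if not reasons:
        return None
    return {
        "user": record.get("UserId"),
        "operation": record["Operation"],
        "rule": params.get("Name", "<unnamed>"),
        "reasons": reasons,
    }


def scan(records: List[Dict]) -> List[Dict]:
    """Run every record through the analyzer and keep the alerts."""
    return [alert for alert in (analyze_rule_event(r) for r in records) if alert]


# Constructed sample events: one benign filing rule, one attacker-style rule,
# one internal forward, and one unrelated operation.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "asmith@example-cpa.test",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.test"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "jsmith@example-cpa.test",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "refund;wire;bank"},
                    {"Name": "ForwardTo", "Value": '"billing-updates@mail-relay.test"'},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "asmith@example-cpa.test",
     "Parameters": [{"Name": "Name", "Value": "Partner copy"},
                    {"Name": "ForwardTo", "Value": "partner@example-cpa.test"}]},
    {"Operation": "MailItemsAccessed", "UserId": "jsmith@example-cpa.test", "Parameters": []},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['user']} {alert['operation']} rule {alert['rule']!r}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

A rule named with a single character, forwarding to a domain the firm does not own and deleting the original, is the combination that should page someone; an internal forward or a folder-filing rule is noise. Feed real exported audit records through the same analyzer after mapping them to the record shape above.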
Beyond the financial and reputational damage, a breach of a CPA firm’s client data triggers specific regulatory obligations that most firms are not prepared to meet. The Gramm-Leach-Bliley Act Safeguards Rule applies to all tax return preparation firms regardless of size. It is not a regulation for large financial institutions. It applies to a two-partner CPA firm in Encino the same way it applies to a regional bank.
The Safeguards Rule requires a Written Information Security Plan, referred to as a WISP. The WISP must designate a qualified individual to oversee the security program, document the controls the firm has in place, conduct annual risk assessments, and describe what the firm will do when something goes wrong. The IRS separately requires a WISP for all tax preparers as part of its Publication 4557 guidance. Most accounting firms in Los Angeles do not have one.
All tax professionals must stay vigilant during this time of heightened risk. Sensitive data like Social Security numbers, income details, and banking information are constantly in transit. A single breach can expose thousands of client records. Stolen data may be used for identity theft, tax refund fraud, or unauthorized financial access.
IRS guidance on cybersecurity for tax professionals, 2024
The absence of a WISP is not just a compliance gap. In the event of a breach, it becomes evidence of negligence. Clients who suffer financial harm because their CPA firm lacked basic documented security controls have a stronger civil claim than they would against a firm that had controls in place but was breached despite them. Professional liability insurers are beginning to require WISP documentation as a condition of coverage, and some are excluding breach claims where no WISP existed at the time of the incident.
For Los Angeles accounting firms that handle clients in regulated industries such as healthcare-adjacent businesses, investment advisors, and entities subject to SEC reporting, the compliance exposure extends further. A breach that exposes client financial data may trigger notification obligations under California’s Consumer Privacy Rights Act in addition to the federal Safeguards Rule. The notification requirement is not discretionary. Once client data is confirmed as compromised, every affected individual must receive written notification regardless of whether actual harm has occurred.
Every stage of this attack has a corresponding control. None of them require enterprise-scale infrastructure. All of them require deliberate configuration that the average accounting firm email environment has never received.
DMARC at enforcement is the first line of defense against domain impersonation. SPF, DKIM, and DMARC working together tell receiving mail servers to reject email that claims to come from your domain but cannot pass authentication. If a client’s mail server checks DMARC and your domain has enforcement in place, a lookalike domain attack fails before the email reaches the inbox. Most accounting firm domains have no DMARC policy. IT Accuracy’s email security service implements DMARC at enforcement as a baseline for every accounting client.
Phishing-resistant MFA on every account eliminates the credential theft step entirely. If an attacker harvests a staff member’s username and password through a spear-phishing link, they still cannot authenticate without a hardware security key or passkey that they do not have. Push-notification MFA, the most common type in use, does not provide this protection. An attacker who also social-engineers the MFA code or approval gets through. Hardware-based MFA does not have this vulnerability. Every account with access to client data, tax preparation software, or email should require it.
Why shared credentials are a specific risk for accounting firms
Multiple staff members accessing tax preparation software or client portals under a single shared login defeats audit logging entirely. When a breach occurs, the firm cannot identify which employee’s session was compromised, what data was accessed, or when unauthorized activity began. Regulators and plaintiff attorneys both notice. Individual credentials with MFA enforcement close this gap and produce the access logs that demonstrate due care.
Endpoint detection on every workstation that touches client data catches the malware delivery that spear-phishing emails often carry. Signature-based antivirus misses behavioral threats that modern endpoint detection and response tools catch. For accounting firms where staff access client data from home offices, laptops, and job-site tablets during busy season, endpoint coverage is as important as server-side protection. A cybersecurity assessment will surface every unprotected endpoint and every account lacking MFA before an attacker finds them first.
You do not need a full security overhaul to close the gaps that most accounting firm breaches exploit. Accounting firm cybersecurity in Los Angeles starts with three verifiable controls that any firm can audit in an afternoon.
Three immediate verifications for accounting firms: do these before the next filing season
Check your DMARC policy today. Go to mxtoolbox.com and enter your firm’s domain. If the result shows no DMARC record, a policy of “none,” or a policy of “quarantine” rather than “reject,” an attacker can send email impersonating your firm to every client you have right now with no technical barrier. Your IT provider should be able to move this to enforcement within a day. If they cannot tell you what your DMARC policy currently is, that is the answer.
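The DMARC check above, and the earlier point that enforcement means reject rather than none or quarantine, can be scripted so the result is not a matter of reading a lookup page. The code below is an added example written for this article, not IT Accuracy's service or mxtoolbox's tool. It parses the text of a _dmarc TXT record and reports whether the domain is at enforcement, also catching two weaker states the article does not spell out: a pct= value below 100, which applies the policy to only part of failing mail, and an sp= subdomain policy looser than the main policy. The sample records are constructed; the optional live lookup uses the dnspython library, which is an assumption about what is installed. One caveat a practitioner should keep in mind: DMARC on your domain stops mail that forges your exact domain. A separately registered lookalike domain passes its own authentication, so that class of attack needs lookalike-domain monitoring on top of DMARC.

```python
"""Parse a DMARC record and say whether the domain is actually at enforcement.

Added example for this article (not IT Accuracy's service or mxtoolbox's checker).
The records in SAMPLES are constructed. lookup_dmarc() needs dnspython
(pip install dnspython) and network access; everything else runs offline.
"""
from dataclasses import dataclass, field
from typing import List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcStatus:
    found: bool
    policy: Optional[str]            # p= tag
    subdomain_policy: Optional[str]  # sp= tag, defaults to p=
    pct: int                         # pct= tag, defaults to 100
    enforced: bool                   # p=reject applied to 100% of failing mail
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: Optional[str]) -> DmarcStatus:
    """Evaluate the TXT record text published at _dmarc.<domain>."""
    if not record:
        return DmarcStatus(False, None, None, 0, False, ["no DMARC record published"])

    # Tags are 'key=value' pairs separated by semicolons; keys are case-insensitive.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()

    if tags.get("v", "").upper() != "DMARC1":
        return DmarcStatus(False, None, None, 0, False, ["record does not begin with v=DMARC1"])

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcStatus(True, policy or None, None, 0, False,
                           ["missing or invalid p= tag; receivers ignore the record"])

    findings: List[str] = []
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; receivers treat it as 100")

    if policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends forged mail to spam instead of rejecting it")
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains of the firm domain can still be forged")
    if "rua" not in tags:
        findings.append("no rua= address: the firm receives no aggregate reports")

    enforced = policy == "reject" and pct == 100
    return DmarcStatus(True, policy, subdomain_policy, pct, enforced, findings)


def lookup_dmarc(domain: str) -> Optional[str]:
    """Fetch the live record with dnspython (assumed installed); None if absent."""
    import dns.resolver
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None
    for rdata in answers:
        text = b"".join(rdata.strings).decode()
        if text.lower().startswith("v=dmarc1"):
            return text
    return None


# Constructed sample records covering the states the check should distinguish.
SAMPLES = {
    "no record": None,
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@example-cpa.test",
    "half quarantine": "v=DMARC1; p=quarantine; pct=50",
    "reject, loose subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example-cpa.test",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example-cpa.test",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        status = parse_dmarc(record)
        print(f"{label}: enforced={status.enforced}")
        for finding in status.findings:
            print("   -", finding)
```

The verification the article asks for maps to a single field: enforced is True only for p=reject at pct=100. Everything in findings is what to hand the IT provider when asking them to move the domain to enforcement.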
Confirm that every staff account requires MFA, including shared inboxes and tax software logins. Shared credentials are common in accounting environments. One login for a tax preparation platform used by three staff members creates an unaudited entry point. If any account can be accessed with a username and password alone, a phished credential gives an attacker silent access to your client data. The IRS Dirty Dozen warning on spear-phishing is specific: these campaigns are designed to capture working credentials, not just deliver malware.
Confirm that your firm has a Written Information Security Plan and that it reflects your current systems. A WISP is not optional for tax preparers under either the IRS or the FTC Safeguards Rule. If your firm does not have one, it is both a compliance violation and a negligence exposure. If it has one that has not been reviewed in the past year, it may not reflect the current state of your systems, which in a breach investigation is functionally the same as not having one. IT Accuracy can develop or update your WISP as part of an accounting firm security engagement.
How IT Accuracy protects accounting firms in Los Angeles
IT Accuracy works with Los Angeles accounting firms to implement the controls that protect client data, limit liability, and satisfy the regulatory requirements that apply specifically to tax preparers and financial professionals. We start with a complete assessment of your current email environment, access controls, and endpoint posture, then close the gaps before tax season pressure makes them exploitable.
For accounting firms serving entertainment, real estate, or high-net-worth clients, we build the security posture that matches the value of what you are protecting. For firms that have never had a WISP, we develop and document one that meets both IRS Publication 4557 and FTC Safeguards Rule requirements.
Most of the accounting firms that get breached had competent operations. The gap was not capability. It was the specific set of controls that address how attacks on tax preparers actually work. DMARC was never set. MFA was optional. The WISP was never written. The backup was never tested. None of those gaps were obvious until the breach made them visible.
Managed IT Services | Los Angeles, CA
IT Accuracy provides cybersecurity and security awareness training, managed network services, cloud solutions, and help desk support for businesses across Los Angeles and nationwide.