CPA firms get briefed on ransomware by every vendor in the security supply chain. They invest in EDR, MFA, backup hygiene, and tabletop exercises. They renew their cyber policy with ransomware as the centerpiece of the conversation.
Then March through April arrives, and the actual claim is almost never ransomware. It’s tax-season fraud — a category of social-engineering loss that targets accounting firms specifically, runs heavy from January through May, and exploits the one window where every CPA is moving high volumes of sensitive data and money under tight client pressure.
What tax-season fraud looks like
Three patterns dominate.
1. Spoofed client emails redirecting refunds or payments
The firm’s client says “send my refund to this new account” — except it isn’t the client. It’s a threat actor who’s compromised the client’s email, or spoofed it convincingly, and is intercepting the firm’s reply. Refunds get directed to fraud accounts. By the time the real client checks in, the money is gone.
This is funds-transfer fraud / social engineering. Whether it is covered depends on whether the cyber and crime forms carry meaningful primary limits for it — many bundled policies sub-limit social engineering to amounts well below the typical loss.
2. Credential theft from staff during high-volume preparation
Phishing campaigns are timed to tax season specifically. A staff member preparing 60 returns a week clicks a “verify your IRS account” link, types in credentials, and the threat actor now has access to the firm’s tax software, client portal, or accounting system. From there: fraudulent return filings, intercepted refunds, exfiltrated client data.
The IRS reports a sharp annual spike in fraudulent return filings tied to CPA-firm credential theft. How the insurance form responds varies widely here — some cyber policies treat unauthorised access to tax software as a covered breach event; others treat it more narrowly.
3. Refund-redirection attacks on the IRS / state agency side
Some threat actors don’t bother attacking the firm at all — they directly file fraudulent returns against client SSNs, with refunds directed to fraud accounts. The firm is then in the position of helping the client unwind it. This isn’t a direct loss to the firm, but the firm carries reputation risk, professional-liability exposure (was sufficient care taken with client data?), and the operational cost of remediation.
Where the insurance gap is
Most accounting firms carry a cyber policy and a separate crime policy. Both are necessary; together they’re often insufficient for tax-season exposure. Specifically:
- Cyber covers the breach event, but typically with social-engineering sub-limits.
- Crime covers theft and forgery, but standard crime forms often exclude losses where an employee was “tricked” into authorising a transaction — which describes essentially every tax-season social-engineering loss.
- Professional liability picks up client suits alleging failure to protect client data, but with its own retention.
The clean structure for an accounting firm is:
- Cyber with affirmative social-engineering limits sized to the firm’s typical client-money throughput, not a token sub-limit
- Crime policy with social-engineering coverage that doesn’t exclude voluntary transfers
- Professional liability sized to client volume
- All three forms reviewed together so a tax-season fraud loss doesn’t fall in the gap between them
What firms should do before next tax season
Three concrete moves:
- Audit the social-engineering limits on cyber and crime. If either is below $250k for a firm processing >$5M in client refunds and payments annually, that’s a meaningful gap.
- Confirm the “voluntary transfer” exclusion on the crime policy. If it excludes most social-engineering losses, push for an endorsement or a different carrier.
- Run a tax-season-specific tabletop with the firm’s actual staff and the actual claim playbook. The first time anyone runs through the response shouldn’t be at the moment of loss.
Ransomware gets the press because it’s dramatic. Tax-season fraud is what arrives.