8 Ways to Help Prevent a Data Breach During Busy Season

As the busy season ramps up, the risk of cyberattacks increases. Cybercriminals know that heightened workloads, tight deadlines, and the influx of client communications create opportunities for exploitation. Whether through phishing emails, intercepted networks, or fraudulent disbursement requests, the stakes for certified public accountants (CPAs) and their clients are high.

Fortunately, by implementing and consistently following data security protocols, CPAs and their firms may help reduce the risk of a cyber incident occurring. Here are eight protocols to consider.

1. Train All Firm Personnel to Identify Phishing Emails

Many cyber incidents begin with a phishing email, an operation initiated by a bad actor, where the recipient is duped into revealing personal or confidential information that’s then used for illicit purposes. It’s important to train all firm members on how to spot and respond to these threats. To start, become familiar with the common characteristics of phishing emails. For example, many phishing emails include:

• Requests with a sense of urgency: These improper requests frequently occur on Friday afternoons or near filing deadlines.
• Slight differences in important information: For example, the bad actor may use an email address that looks like a legitimate one, but it may have a different extension or include a different character in the address. Also, a text message may be sent from one type of device when the purported sender uses a different device, or a phone number may be one digit off.
• A request for action: For the purpose of spying on your computer, phishing emails may contain links or attachments that activate malware when users click or open them. Alternatively, the bad actor may pose as a client requesting you to make an unauthorized disbursement.
• Poor spelling and grammar: Phishing emails often contain spelling and grammatical errors, even if such mistakes aren’t as prevalent as in years past.

After completion of training, consider testing all firm members by sending simulated phishing emails to demonstrate whether they’re applying knowledge learned.

2. Use Caution When Working Remotely on a Wireless Network

Bad actors may be able to infiltrate both public and private wireless internet networks with weak security that remote workers may be connecting to. Help mitigate this risk by using a virtual private network, which creates a secure tunnel between the remote user and the firm across the internet. If encrypted data traveling within the secure tunnel is intercepted, it may be indecipherable to cybercriminals.

3. Encrypt Emails Containing Confidential Information

To further reduce the risk of an email being intercepted, use encrypted email for confidential information sent outside your firm’s network. Email encryption helps protect data confidentiality by transforming emails sent and received into an unreadable format for unauthorized users. However, if the bad actor has access to the CPA’s or client’s email account and password from a prior phishing scheme, they’ll be able to view the encrypted emails.

4. Create a Client Portal for Sharing Files

More effective than email encryption is the use of a secure portal to share information between the CPA and clients. Generally, these portals are cloud-based, accessed through a website, and require clients to register with an email address and password. Once safely logged in, clients have access to and can share sensitive files in one central location.

5. Practice Good Information Technology Hygiene

Using antivirus and anti-malware software on your devices is good practice for helping to keep your system clean and safe from cyber incidents. As part of this process, be sure to timely install updates and security patches, as they’re often deployed to address known security issues. Additionally, practicing good password hygiene is important. This includes setting strong passwords, using a password manager, avoiding the reuse of passwords or variations of the same password, enabling multifactor authentication, and more. The National Institute of Standards and Technology offers additional guidance on passwords.

6. Vet Vendors

CPAs use third parties for many services, such as seasonal help, tax preparation software, cloud storage, portals, or payroll platforms. Before using a third party, make sure to do your homework, ensuring that the vendor’s data security practices are, at a minimum, as comprehensive as yours. Additionally, consider including language in your third-party service agreements that requires the provider to maintain cyber insurance and defend and indemnify you for any breach they cause.

7. Understand Your Insurance Policies

Consult your agent or broker to understand how your firm’s various insurance policies respond to a data security event. Discuss ransomware and other trending cybersecurity threats and inquire as to how coverage would apply if a payment was improperly disbursed on behalf of the client or firm.

8. Establish Strong Cash Disbursement Policies

To help avoid becoming the next victim of a fraudulent act, CPAs providing services that require the distribution of client funds should consider:

• Establishing disbursement parameters with the client. Transaction types, disbursement limits, and bank accounts to be used to disburse funds should be documented before any services commence.
• Using multiple methods of communication if a change from the established disbursement parameters is requested. For example, if an outside-the-norm disbursement was received via email, confirm the request via phone call to a valid phone number from a firm employee who will recognize the client’s voice. Video calls are also effective so you can physically see and confirm the identity of the person authorizing the urgent distribution. Additionally, be sure to document who made the call, received the call, and the number used.
• Requiring advance notice for changes to disbursement parameters. As the engagement progresses, changes may be required. Ensure sufficient time is provided for the firm to confirm and implement the changes.
• Establishing written protocols for unusual or out-of-the-ordinary transactions. These protocols should require the client to examine and verify the transaction before it’s processed. If the authorization is oral, document the client’s approval.
• Using the firm’s client database to confirm information. Don’t use the email reply function or a phone number on the email to respond to clients. Instead, telephone numbers and email addresses from the firm’s database should be used. Include the information used in documentation of the client’s approval.
• Applying security questions. Predetermine a method for verifying the client’s identity before services commence. For example, agree to security questions that require a subjective response. Security questions are also helpful when communication appears suspect or if any doubt as to validity exists.

Overall, when it comes to cash disbursements, always take the cautious approach—just because a request appears to be coming from the client and seemingly routine, it doesn’t mean that it is. Verify twice (or more) and distribute once. You’re not only helping to protect the client’s money but also the firm’s liability.

Cybersecurity is a critical issue that demands year-round attention, but the stakes are particularly high during busy season. Bad actors are continuously evolving their schemes, targeting CPAs through phishing emails, text messages, and even voicemails. By implementing robust cybersecurity measures, training staff, and fostering a culture of caution and verification, CPAs can help protect themselves and their clients. Remember, when in doubt, proceed with caution. Don’t take the bait.

Deborah K. Rood, CPA, is a risk control consulting director at CNA.

This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the date of the article. The information, examples and suggestions presented in this material have been developed from sources believed to be reliable. This article should not be viewed as a substitute for the guidance and recommendations of a retained professional and should not be construed as legal or other professional advice. CNA accepts no responsibility for the accuracy or completeness of this material and recommends the consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situation. This material is for illustrative purposes and is not intended to constitute a contract. Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect thereto.

To the extent this article contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situation, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy. Please remember that only the relevant insurance policy can provide actual terms, coverages, amounts, conditions, and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice.

“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claim activities. Copyright © 2025 CNA. All rights reserved.