It’s March 15th. Your team is juggling forty open client files, the phones haven’t stopped, and a message just landed from a longtime client asking you to wire their estimated tax payment to a new account. It looks right. The email address looks right. Nobody questions it.
That’s exactly what the attacker was counting on.
The Problem: Tax Season Is Hunting Season for Attackers
Business email compromise (BEC) isn't a technical exploit. The fraudulent message carries no malware, no suspicious attachment, and nothing for your spam filter to flag. (The account takeover that often precedes it may begin with a phished password, but the wire request itself is just text.) It's social engineering, and it works because it exploits the human factors that strain your firm most during tax season.
CPA firms are structurally attractive targets. You sit between your clients and their banks. You execute fund movement instructions routinely. Your clients trust you to act fast. During tax season, “fast” becomes everything.
Attackers know this. They time campaigns around Q1 and the weeks before April 15th because they know your staff is moving fast, inboxes are flooded, and the appetite for slowing down to verify a request is at its lowest. They’ll spend weeks studying a compromised email account first—learning your communication patterns, identifying active clients, and waiting for the right moment to slip in a fraudulent instruction.
The typical scenario: an attacker either compromises a client's email account or registers a lookalike domain (the client's real domain with one letter changed, a hyphen added, or a different top-level domain) and sends a wire transfer request or updated banking instructions. The message reads like the client. It references real matters. It lands in the middle of a thread your team is already handling.
By the time anyone catches on, the money is gone, and it is rarely recovered.
Why This Matters for CPA Firms
CPA firms face a specific blend of professional and regulatory exposure that makes BEC incidents particularly damaging.
Your state board of accountancy and your professional liability carrier both have stakes in how you handle client funds and sensitive financial data. If a fraudulent wire goes out because your firm failed to verify the instruction, the liability question gets murky fast. Did your engagement letter address wire transfer authorization? Did you have a written verification policy? Did your staff receive BEC-specific training?
On the data side, firms that handle tax information are subject to the Federal Trade Commission's Safeguards Rule, which treats tax preparers as financial institutions under the Gramm-Leach-Bliley Act; the amended rule's requirements took effect in June 2023. The rule requires a written information security program, a designated qualified individual to run it, risk assessments, employee training, multi-factor authentication, and controls over how sensitive information is accessed and transmitted. A BEC incident that exposes client Social Security numbers or financial account data isn't just a client relations problem. It's a regulatory one.
The American Institute of Certified Public Accountants (AICPA) has also been clear: cybersecurity risk management is part of the profession’s standards. Your professional liability coverage may exclude social engineering losses unless you have documented controls in place.
The financial exposure is real. The FBI's Internet Crime Complaint Center reported that BEC schemes accounted for more than $2.9 billion in losses in 2023 alone, second only to investment fraud among the loss categories it tracks.
How to Address Business Email Compromise at Your CPA Firm
The good news: BEC is preventable with the right procedures. The bad news: prevention isn’t primarily technical. It’s procedural and behavioral—which means you need to build it before busy season starts, not install a tool and hope.
Establish a callback verification policy for wire transfers. This is the single most effective control. Any request to initiate, change, or confirm a wire transfer—regardless of who it appears to come from—should require a live phone call to a verified number on file. Not a reply to the email. Not a text to a number in the message. A call to the number you already have for that client. Write it down. Make it firm-wide standard, not a suggestion.
Create clear wire transfer authorization procedures in your engagement letters. Clients need to know how your firm handles payment instructions. If your engagement letter specifies that your firm won’t act on wiring instructions received by email alone, you’ve set a shared expectation—and a defense if something goes wrong.
Train staff on BEC specifically, not generic phishing. Standard phishing awareness teaches people to spot suspicious links and attachments. BEC attacks often have neither. Train your team to recognize the real warning signs: urgency, requests for secrecy, unexpected changes to payment instructions, and sender addresses that are slightly off. Run scenario-based exercises in the fall—before busy season—so the reflex is there when stress is high.
Implement email authentication protocols. Domain-based Message Authentication, Reporting, and Conformance (DMARC), along with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), make it significantly harder for attackers to spoof your exact domain. They do nothing against a compromised client account or a lookalike domain, which is why they sit alongside the callback policy rather than replacing it. But they do protect your clients from fraudulent email that appears to come from your real address, provided the DMARC policy is actually set to quarantine or reject; a policy of "none" only generates reports and still lets spoofed mail through.
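What "set up DMARC" looks like at the DNS level is two short TXT records, and the difference between a weak and a hardened pair is a handful of tokens. The following checker is an added example written for this article, not code from the original page or from One82. It parses SPF and DMARC records and reports the settings that leave a domain spoofable; the records, the firm domain example-cpa.com and the report address are constructed samples. DKIM is the signing step and is not parsed here, since its keys live in mail server configuration rather than in a policy string.

```python
"""Check SPF and DMARC TXT records for the weak settings that let spoofed
mail through.  Added example for this article; the records below are
constructed samples, not any real firm's DNS."""

import re

# Constructed sample TXT records for a hypothetical firm, example-cpa.com.
# The weak pair is what many firms have after "just getting mail working";
# the hardened pair is where a firm should end up after a DMARC rollout.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none"
HARD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARD_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
              "rua=mailto:dmarc-reports@example-cpa.com; pct=100")

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def parse_spf(record: str) -> dict:
    """Split an SPF record into mechanisms, the 'all' qualifier and lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"mechanisms": terms[1:], "all": None, "lookups": 0}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # absent qualifier means pass
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            result["all"] = qualifier
        elif LOOKUP_TERM.match(body):
            result["lookups"] += 1
    return result


def parse_dmarc(record: str) -> dict:
    """Parse the semicolon-separated tag=value pairs of a DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def find_weaknesses(spf_record: str, dmarc_record: str) -> list:
    """Return readable findings; an empty list means the pair is hardened."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF: 'all' is missing or permissive; anyone can send as this domain")
    elif spf["all"] == "~":
        findings.append("SPF: softfail (~all) only marks spoofs, it does not reject them; use -all")
    if spf["lookups"] > 10:
        findings.append("SPF: more than 10 DNS-lookup terms; receivers treat this as permerror")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none only reports; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofs to junk; move to p=reject once reports are clean")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so you never see who is spoofing you")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
    if dmarc.get("sp", policy) == "none":  # subdomains inherit p unless sp overrides it
        findings.append("DMARC: subdomain policy is none, so subdomains stay spoofable")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARD_SPF, HARD_DMARC)):
        issues = find_weaknesses(spf, dmarc)
        print(f"{label}: {len(issues)} finding(s)")
        for issue in issues:
            print("  -", issue)
```

Run it against the weak pair and it flags the softfail, the p=none policy, the missing report address and the inherited subdomain policy; the hardened pair comes back clean. In practice you would feed it the output of a TXT lookup for your own domain and for _dmarc.yourdomain, and rerun it after each change during the none, quarantine, reject rollout.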
Monitor for lookalike domains. Services exist that alert you when a domain similar to yours is registered. If an attacker registers yourfirmname-cpa.com the week before tax season, you want to know immediately.
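A lookalike watch is only as good as the list of variants it covers, and the same list doubles as a check on inbound senders: a client address whose domain is one character away from the one on file is the "slightly off" sender the red-flag list below warns about. The following script is an added example written for this article, not code from the original page or from One82, and it generalizes the single yourfirmname-cpa.com case to the common typosquat families. The firm domain smithcpa.com and the sample sender addresses are constructed; a real deployment would compare against the domains you actually hold on file for each client.

```python
"""Generate the lookalike variants of a domain that a registration watch
should cover, and score an inbound sender's domain against a domain you
already trust.  Added example for this article; the firm domain and the
sender addresses are constructed, not real."""

FIRM_DOMAIN = "smithcpa.com"  # constructed example firm, not a real domain

# Characters that pass for each other in common fonts; attackers swap one in.
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "m": "rn", "w": "vv", "e": "3", "a": "4"}
TLDS = ("com", "net", "co", "org", "us", "biz")
SUFFIXES = ("-cpa", "-inc", "-llc", "-tax", "cpa")


def lookalikes(domain: str) -> set:
    """Return typosquat-style variants: omissions, doubled letters,
    transpositions, homoglyph swaps, hyphen insertions, appended words
    and top-level-domain swaps."""
    label, _, tld = domain.partition(".")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                  # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])   # doubled letter
        if i < len(label) - 1:                              # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if label[i] in HOMOGLYPHS:                          # homoglyph swap
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
        if i > 0:                                           # hyphen insertion
            out.add(label[:i] + "-" + label[i:])
    for suffix in SUFFIXES:
        out.add(label + suffix)
    variants = {v + "." + tld for v in out if v and v != label}
    variants |= {label + "." + t for t in TLDS if t != tld}
    return variants


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains is the red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_risk(address: str, known_domain: str) -> str:
    """Classify an inbound sender's domain against the domain on file for
    that contact: 'exact', 'lookalike' or 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain == known_domain:
        return "exact"
    if domain.startswith(known_domain + "."):   # real domain buried as a subdomain
        return "lookalike"
    if domain in lookalikes(known_domain) or edit_distance(domain, known_domain) <= 2:
        return "lookalike"
    return "unrelated"


# Constructed inbound senders, as they might appear in a busy-season thread.
SAMPLE_SENDERS = [
    "maria@smithcpa.com",                   # the real firm
    "maria@smlthcpa.com",                   # homoglyph i -> l
    "maria@smithcpa.co",                    # dropped TLD letter
    "maria@smithcpa.com.mail-secure.net",   # real domain as someone else's subdomain
    "maria@smith-cpa.com",                  # hyphen insertion
    "billing@bankofexample.com",            # unrelated sender
]


def triage(senders, known_domain=FIRM_DOMAIN) -> dict:
    """Map each sender to its risk class against the known domain."""
    return {s: sender_risk(s, known_domain) for s in senders}


if __name__ == "__main__":
    watch = sorted(lookalikes(FIRM_DOMAIN))
    print(f"{len(watch)} variants to watch for {FIRM_DOMAIN}, e.g. {watch[:5]}")
    for sender, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:10} {sender}")
```

The variant list is what you hand to a registrar or certificate-transparency watch; the sender check is what a mail rule or a staff triage script would run on any message that touches payment instructions. The edit-distance threshold of 2 is a judgment call: tight enough to leave unrelated domains alone, loose enough to catch a swapped or dropped character that no variant generator anticipated.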
MFA still matters, but understand its limits. MFA protects account access. Once an attacker is inside a legitimate account (through a phished session token, a malicious app the user consented to, or a client's mailbox you don't control at all), MFA has already done its job and has nothing further to say about the messages that account sends. And when the fraud comes from a lookalike domain, no account of yours was ever touched. BEC defense requires controls at the transaction level, not just the login level.
What to Look for in an IT Partner
Not every managed IT services provider understands CPA firm workflows well enough to build BEC controls that actually fit how you operate. Here’s what to ask:
- Do you have experience implementing email authentication (DMARC, SPF, DKIM) for professional services firms?
- Can you help us develop a written wire transfer verification policy that aligns with our engagement letter language?
- Do you provide security awareness training that includes BEC-specific scenarios, not just generic phishing simulations?
- Have you worked with firms subject to the FTC Safeguards Rule?
- Can you set up domain monitoring so we’re alerted when a lookalike domain is registered?
A provider who answers with specifics—not generalities—understands your actual risk.
The Bottom Line
BEC attacks on CPA firms aren’t random. They’re timed, targeted, and designed to exploit the exact conditions that define your busy season. Standard technical controls won’t catch them. What stops BEC is a combination of written procedures, verified callback policies, staff training on the right scenarios, and email authentication that protects your domain. Build these controls before January. Don’t wait until a wire goes to the wrong place.
Frequently Asked Questions
What is business email compromise and how is it different from regular phishing?
Business email compromise is fraud where an attacker impersonates a trusted contact—a client, partner, or executive—to trick someone into transferring funds or sharing sensitive data. Unlike standard phishing, BEC attacks typically don’t contain malicious links or attachments. They rely on social engineering and often come from legitimate-looking or compromised email accounts, which is why spam filters miss them.
Can MFA protect my CPA firm from a BEC attack?
MFA protects your accounts from unauthorized login attempts, but it doesn’t stop a BEC attack from an already-compromised account or a convincing lookalike domain. Once an attacker is operating from a legitimate-looking address, MFA doesn’t affect the outbound fraud. Firms need transaction-level controls—like callback verification for wire requests—in addition to strong authentication.
What are the signs that a wire transfer request might be a BEC attempt?
Common red flags include unexpected changes to payment instructions or banking details, requests that arrive with unusual urgency, messages asking you to keep the request confidential, and sender addresses that are slightly different from the usual contact’s address. Any request to wire funds that arrives only by email—with no prior phone confirmation—should be treated as high-risk until verified through a live callback.
Is my CPA firm legally required to have controls against BEC?
The FTC Safeguards Rule, which applies to tax preparers, requires a written information security program that includes employee training and controls over how sensitive financial data is handled. While the rule doesn’t name BEC explicitly, the obligations it creates directly apply to the scenarios BEC exploits. Professional liability insurers are also increasingly requiring documented social engineering controls as a coverage condition.
If you’re working through business email compromise challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area—we know your world.