Accounting firms in BC are subject to PIPEDA and often PIPA, to the Rules of Professional Conduct under CPABC, and to the practical expectation that client data will not leak. A single compromised T1 file contains a Social Insurance Number, address, banking information, employer details, dependants, and often investment account information. Multiply that by a few hundred clients, and a ransomware or BEC event at a small firm is a provincial-level breach in the eyes of the OPC.
The Tax Season Threat Pattern
What we see in Hexafusion's phishing-detection data every year between mid-January and late April:
- CRA impersonation: fake refund notices, fake audit notices, fake "we need to verify your account" emails targeting both firms and their clients.
- Client impersonation: an attacker emails the firm claiming to be a client, asking to change where the refund gets deposited, or requesting a copy of prior returns sent to a new address.
- Firm impersonation: attackers spoof the firm's domain and email clients with fake invoices or fake portal login links.
- Malicious attachments: documents pretending to be T-slips, T4s, or receipts, loaded with macros or carrying links that chain through to a payload.
- Tax software lookalikes: fake login pages for TaxCycle, CCH iFirm, Profile, or UFile, harvesting preparer credentials.
The Canada Revenue Agency maintains an updated list of known scams at canada.ca. Sharing that link with clients before February is a small thing that prevents big problems.
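These patterns translate directly into mailbox triage rules. As an added example that is not Hexafusion's detection code, the Python below flags the CRA-impersonation, client-impersonation (Reply-To mismatch plus a banking-change request) and firm-lookalike-domain patterns in a raw message; it assumes a hypothetical firm domain example-cpa.ca, an assumed allowlist of legitimate CRA sender domains, and constructed sample messages.

```python
import email
import re
from email.utils import parseaddr

FIRM_DOMAIN = "example-cpa.ca"                # hypothetical firm domain (assumption)
CRA_DOMAINS = {"canada.ca", "cra-arc.gc.ca"}  # assumed legitimate CRA sender domains; confirm locally
CRA_NAME_RE = re.compile(r"canada revenue|\bCRA\b", re.I)
BANKING_RE = re.compile(r"direct deposit|bank(ing)? (account|details|information)", re.I)

def _domain(header_value):
    """Domain of the first address in a header, lower-cased ('' if the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes of the firm domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw_message):
    """Return the tax-season risk flags raised by one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    sender, reply_to = _domain(from_addr), _domain(msg.get("Reply-To"))
    body = msg.get_payload() if not msg.is_multipart() else ""   # samples are single-part
    flags = []
    if CRA_NAME_RE.search(display_name) and sender not in CRA_DOMAINS:
        flags.append("cra-impersonation")
    if sender != FIRM_DOMAIN and _edit_distance(sender, FIRM_DOMAIN) <= 2:
        flags.append("firm-lookalike-domain")
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    if sender != FIRM_DOMAIN and BANKING_RE.search(body):
        flags.append("banking-change-request: verify by phone on a known number")
    return flags

# Constructed sample messages; every address and domain below is made up.
MSG_CRA = """From: "Canada Revenue Agency" <refunds@cra-refund-notice.example>

Your refund is ready. Confirm your details here.
"""
MSG_CLIENT = """From: "Jane Doe" <jane.doe@mail.example>
Reply-To: <jane.doe@other-mail.example>

Please update my direct deposit to the new bank account I attached.
"""
```

Run `triage()` over quarantined or reported messages; a banking-change flag is a cue for the phone-verification step described later in this article, not an automatic block.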
Pre-Season Preparation (January)
Test your backups before the rush
Pick a live client file, restore it from backup into an isolated environment, open it in your tax software, and confirm the file is intact. Do this in January. Discovering a backup failure in mid-April is how firms lose a week of work.
Harden Microsoft 365 for the season
- MFA enforced on every user, not just partners.
- Conditional access policy blocking sign-ins from countries the firm does not operate in.
- Legacy authentication protocols disabled.
- External email banners enabled, with a stronger banner for first-time senders.
- Audit logging enabled with retention extended where licensing permits.
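One way to verify the three Conditional Access items in that list against a policy export, as an added example that is not Hexafusion's or Microsoft's code: it reads policies in the Microsoft Graph conditionalAccessPolicy JSON shape (what GET /identity/conditionalAccess/policies returns) and assumes constructed "before" and "after" tenants with placeholder group and named-location ids.

```python
ALL_USERS = {"includeUsers": ["All"]}
MODERN_CLIENTS = {"browser", "mobileAppsAndDesktopClients"}
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # clientAppTypes that carry legacy (basic) auth

def policy(name, state, users, client_apps, controls, locations=None):
    """Build one policy dict in the Graph conditionalAccessPolicy shape (constructed sample)."""
    conditions = {"users": users, "applications": {"includeApplications": ["All"]},
                  "clientAppTypes": sorted(client_apps)}
    if locations:
        conditions["locations"] = locations
    return {"displayName": name, "state": state, "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": controls}}

# Constructed "before" tenant: MFA scoped to a partners group, legacy-auth block left in report-only.
WEAK_TENANT = [
    policy("MFA for partners", "enabled", {"includeGroups": ["<partners-group-id>"]},
           MODERN_CLIENTS, ["mfa"]),
    policy("Block legacy auth", "enabledForReportingButNotEnforced", ALL_USERS,
           LEGACY_CLIENTS, ["block"]),
]
# Constructed "after" tenant that meets the checklist; the named-location id is a placeholder.
HARDENED_TENANT = [
    policy("MFA for all users", "enabled", ALL_USERS, MODERN_CLIENTS, ["mfa"]),
    policy("Block legacy auth", "enabled", ALL_USERS, LEGACY_CLIENTS, ["block"]),
    policy("Block sign-in outside operating countries", "enabled", ALL_USERS, {"all"}, ["block"],
           {"includeLocations": ["All"], "excludeLocations": ["<operating-countries-location-id>"]}),
]

def _enforced_for_everyone(p):
    """Enabled (not report-only) and scoped to all users and all cloud apps."""
    c = p["conditions"]
    return (p["state"] == "enabled" and c["users"].get("includeUsers") == ["All"]
            and c["applications"].get("includeApplications") == ["All"])

def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def _client_apps(p):
    return set(p["conditions"].get("clientAppTypes", []))

def audit(policies):
    """Map each Conditional Access checklist item to True/False for a policy export."""
    enforced = [p for p in policies if _enforced_for_everyone(p)]
    mfa = [p for p in enforced if "mfa" in _controls(p)]
    block = [p for p in enforced if "block" in _controls(p)]
    return {
        "mfa_all_users": any(MODERN_CLIENTS <= _client_apps(p) or "all" in _client_apps(p) for p in mfa),
        "legacy_auth_blocked": any(LEGACY_CLIENTS <= _client_apps(p) for p in block),
        "geo_block": any(p["conditions"].get("locations", {}).get("includeLocations") for p in block),
    }
```

The report-only state is the usual gotcha: a legacy-auth block that was created in January but never switched to enabled counts as absent here, which is the point.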
Patch everything, especially the edge
Your VPN gateway, firewall, and any remote-access appliance should be fully patched before clients start uploading files. Tax season is a terrible time to schedule a firmware upgrade, so get ahead of it.
Refresh the phishing simulation
Run a phishing simulation in mid-January, specifically with tax-themed lures. The objective is not to catch anyone. It is to reset attention before the real wave arrives. Follow up with a 15-minute training session that specifically covers CRA and client impersonation patterns.
In-Season Controls (February to April)
Move client data off email entirely
Email attachments are the single biggest source of accidental and malicious exposure. Use a client portal (TaxFolder, SmartVault, Citrix ShareFile, Liscio, or the portal built into your tax software) for inbound and outbound document exchange. Links to the portal should not be clickable shortcuts in email templates that attackers can easily replicate; print instructions in the engagement letter and in the client welcome pack, and verify first portal sign-in by phone for new clients.
Segregate client environments where it matters
For larger firms and for sensitive engagements (estate work, divorce, corporate reorganisations), isolate the working environment: separate file share, separate permission group, separate distribution list. A compromise of one engagement team should not expose the firm's full client book.
Lock down the preparer workstations
- EDR on every machine, alerts monitored during business hours at minimum.
- Local administrator rights removed from standard user accounts.
- USB storage blocked or restricted to encrypted approved devices.
- Browser managed to prevent shadow IT extensions from being installed mid-season.
Verification policy for refund and banking changes
If a client asks, by email, to change the bank account a refund is deposited to, the firm must verify by phone to a previously known good number before actioning. This is the same discipline that stops wire fraud in other industries. Document the policy in writing and post it near every preparer's desk during tax season.
Client-facing materials
A short one-page client advisory, sent in early February, reduces phishing success rates substantially. Cover:
- We will never ask for your SIN, banking information, or password by email.
- CRA will not email you a refund link. Log in to My Account directly.
- If you get a suspicious email claiming to be from us, forward it to [your address] before clicking anything.
- Use the client portal, not email, for any document with personal or financial information.
Incident Response During Crunch
If something goes wrong between February and April, the firm cannot afford a three-day triage. Have the essentials in place:
- Incident response retainer or cyber insurer hotline number taped to the partner's desk.
- IT provider's emergency contact with documented response expectations.
- A short internal notification list: managing partner, privacy officer (often the same person at small firms), and the IT provider.
- A decision tree for: possible phishing click, possible BEC, possible ransomware, possible lost laptop.
For the specific playbooks, see our articles on phishing link response, wire transfer fraud recovery, and the first 60 minutes of a ransomware event.
Post-Season Wrap (May to June)
Once the rush is over, the temptation is to collapse and forget the IT issues that surfaced. Resist. Use May for:
- Access review: every shared mailbox, every delegate, every portal account. Remove contractors and summer-only staff the week their engagement ends.
- Client data retention: align with the CPABC practice advisory on file retention. Do not keep source documents longer than required, and do not keep working papers on preparer desktops.
- Secure archival: tax files move to the firm's long-term archive with proper access controls, not the preparer's OneDrive.
- Incident post-mortem: any ticket that hit "possible security issue" during the season gets a written review. Patterns repeat year over year.
- Plan next year's hardening project: if you saw friction, fix it before January. MFA fatigue, slow portal sign-ins, or broken backup jobs are projects, not tickets.
Useful References
- CPABC: professional conduct, practice advisories, and member resources.
- Canada Revenue Agency: current scam notices and preparer security guidance.
- Canadian Centre for Cyber Security baseline controls.
Get Tax-Season Ready Without the Drama
Hexafusion supports BC accounting firms with Microsoft 365 hardening, EDR, portal setup, and tax-season IT readiness reviews. Request a quote and we will scope a pre-season assessment for your firm.