
Cybersecurity Threats for Financial Services

TL;DR

If your business prepares tax returns, manages client payroll, handles bookkeeping, advises on investments, or processes any kind of consumer financial data, you are legally classified as a financial institution under federal law, and you are subject to the FTC Safeguards Rule whether you know it or not. Cyberattacks on accounting firms have surged 300% since 2020. The average cost of a financial services data breach reached $6.08 million in 2024. This page covers the threats most likely to hit your firm and the regulatory obligations most small firms are not meeting.

Why Financial Services Firms Are a Target

When most people hear "financial services cybersecurity," they think of JPMorgan or Goldman Sachs. That is not who this page is for. This page is for the two-person bookkeeping firm that handles payroll for 30 small businesses. The solo tax preparer who files 400 returns every spring. The independent financial advisor with 150 clients and a home office. The regional CPA firm with four partners and a shared server in the back room.

You are holding the keys to enormous amounts of other people's money and personal information. Every client file in your system contains Social Security numbers, bank account numbers, income details, and tax identification numbers. A single client folder in your practice management software is more valuable to an attacker than a stolen credit card, because credit cards get canceled but tax identities can be exploited for years.

The financial services sector faced the highest average cost of data breaches among all industries in 2024, reaching $6.08 million, 22% above the global average. Cyberattacks on accounting firms have increased 300% since 2020. In 2024, 65% of financial services organizations fell victim to ransomware, with an average recovery cost of $2.73 million. And 23% of all global phishing attacks targeted financial institutions.

The regulatory landscape has caught up to this reality. The FTC Safeguards Rule, substantially amended in 2021 and expanded with breach notification requirements in 2024, now requires every tax preparer, bookkeeper, financial advisor, and accountant to maintain a written information security program. The penalties for non-compliance can reach $51,744 per violation per day. Most firms in this space have never heard of the Safeguards Rule, or assumed it did not apply to them. It does.

Threat #1: Business Email Compromise (BEC)

What It Is

BEC is a targeted email attack where an attacker impersonates a trusted party to redirect money or steal sensitive information. The FBI documented $2.77 billion in BEC losses in 2024. For financial services firms, BEC is the most financially devastating threat because your business literally revolves around moving money on behalf of clients.

What It Looks Like at a Financial Services Firm

For an accounting or bookkeeping firm, BEC typically targets the person who processes client payroll or handles accounts payable.

The most common scenario involves payroll redirection. An attacker compromises a client's email account (or spoofs it convincingly) and sends a message to your firm requesting a change to an employee's direct deposit information. The request seems routine. Your bookkeeper updates the direct deposit routing number. The next payroll cycle, that employee's pay goes to an account controlled by the attacker. The employee does not get paid, the client blames your firm, and recovering the funds is extremely difficult because the wire is typically moved within hours.

I have seen this play out at a bookkeeping firm that managed payroll for a dozen small businesses. The attacker sent payroll change requests for one employee at each of three different client companies over a two-week period. Each request came from what appeared to be the client's email address. Each was processed without a verification call because the bookkeeper handled a number of requests like this every month and the clients had never had a problem before. Total loss across the three companies: $25,000. The bookkeeper's firm was held responsible because they had no written verification procedure for payroll changes.

Another common scenario targets tax season. An attacker compromises a tax preparer's email and uses it to send phishing emails to the preparer's entire client list. The email asks clients to "verify their information" through a link that leads to a credential harvesting page. Because the email genuinely comes from the preparer's email address (not a spoofed version), email filters don't always catch it, and clients trust it completely. The attacker now has login credentials for dozens of people who trust their tax preparer with their most sensitive financial information.

How It Gets In

BEC in financial services almost always starts with credential theft. An attacker obtains your email password through phishing, credential stuffing (trying passwords leaked from other breaches), or purchasing stolen credentials on the dark web. With 2.8 billion passwords exposed and posted for sale in 2024 alone, the odds that one of your passwords has been compromised are not trivial.

Once inside your email, the attacker studies your communication patterns. They learn which clients send payroll changes, which vendors your firm pays, and when tax season deadlines create urgency. Then they act at the moment when a rushed, routine request is least likely to trigger suspicion.

What Stops It

Verbal verification for every payroll change and every payment redirection. Call the client at a known phone number (not the one in the email) to confirm any request to change direct deposit information, payment routing, or vendor bank details. Write this into your firm's procedures and follow it every time. (See: Financial Controls in the Controls Library)

MFA on every email account and every client-facing portal. This is the single most effective control. If an attacker cannot get into your email, they cannot monitor your client communications, impersonate you, or redirect payments. Every person at your firm needs MFA on their email, their accounting software, their tax preparation platform, and any portal where client data is accessible. (See: Multi-Factor Authentication in the Controls Library)

Email forwarding rule audits. Attackers who compromise your email set up forwarding rules that silently copy every incoming message to an external address. Check forwarding rules on all firm email accounts monthly. In Microsoft 365, go to the Exchange Admin Center and review transport rules. In Google Workspace, check Routing settings in the admin console. (See: Email Security in the Controls Library)
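The monthly audit described above, as an added example that is not part of the original page: a Python check over an exported list of inbox rules and mailbox forwarding settings that flags anything sending mail outside the firm's own domains. The record layout, the field names and the example-cpa.test domain are assumptions, and every sample record is constructed.

```python
"""Flag inbox rules and mailbox settings that forward firm email to external addresses.

Added example, not code from the original page. The record layout is an assumption:
one dict per rule or mailbox, with field names an administrator might keep after
exporting Get-InboxRule / Get-Mailbox output (Microsoft 365) or Gmail routing settings
to JSON. All sample records below are constructed.
"""
from typing import Iterable, List

FIRM_DOMAINS = {"example-cpa.test"}  # constructed; replace with the firm's own domains


def address_domain(address: str) -> str:
    """Lower-cased domain of an SMTP address in any of the common export formats:
    'user@dom', 'Name <user@dom>', '"Name" [SMTP:user@dom]', 'smtp:user@dom'."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].rstrip("]>\"' \t").lower()


def is_external(address: str, firm_domains=FIRM_DOMAINS) -> bool:
    dom = address_domain(address)
    return bool(dom) and dom not in firm_domains


def audit_inbox_rules(rules: Iterable[dict], firm_domains=FIRM_DOMAINS) -> List[dict]:
    """Return one finding per rule that forwards or redirects outside the firm."""
    findings = []
    for rule in rules:
        targets = []
        for field in ("forward_to", "forward_as_attachment_to", "redirect_to"):
            targets.extend(rule.get(field) or [])
        external = sorted({t for t in targets if is_external(t, firm_domains)})
        if not external:
            continue
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule.get("name", "(unnamed)"),
            "external_targets": external,
            "enabled": bool(rule.get("enabled", True)),
            # A rule that also deletes the original hides the copy from the mailbox owner.
            "hides_copy": bool(rule.get("delete_message")),
        })
    return findings


def audit_mailbox_forwarding(mailboxes: Iterable[dict], firm_domains=FIRM_DOMAINS) -> List[dict]:
    """Mailbox-level forwarding is set outside the user's own rules, so check it separately."""
    findings = []
    for mb in mailboxes:
        target = mb.get("forwarding_smtp_address") or ""
        if is_external(target, firm_domains):
            findings.append({"mailbox": mb["mailbox"], "forwarding_to": target,
                             "keeps_copy": bool(mb.get("deliver_to_mailbox_and_forward"))})
    return findings


# Constructed sample export: one legitimate internal forward, one external forward that
# deletes the original, one disabled external redirect, and one mailbox-level forward.
SAMPLE_RULES = [
    {"mailbox": "payroll@example-cpa.test", "name": "Partner copy", "enabled": True,
     "forward_to": ["partner@example-cpa.test"]},
    {"mailbox": "payroll@example-cpa.test", "name": "Sync", "enabled": True,
     "forward_to": ["archive77@webmail.example"], "delete_message": True},
    {"mailbox": "reception@example-cpa.test", "name": "Old vendor", "enabled": False,
     "redirect_to": ["Jane Doe <jane@vendor.example>"]},
]
SAMPLE_MAILBOXES = [
    {"mailbox": "tax@example-cpa.test", "forwarding_smtp_address": "smtp:tax.backup@webmail.example",
     "deliver_to_mailbox_and_forward": True},
    {"mailbox": "reception@example-cpa.test", "forwarding_smtp_address": None},
]

if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES) + audit_mailbox_forwarding(SAMPLE_MAILBOXES):
        print(finding)
```

Disabled rules are reported too, because an attacker can re-enable one later without creating anything new.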

What Your Insurance Carrier Will Ask

Carriers will ask specifically about your payroll change verification procedures, MFA on email, and whether you have dual authorization for outgoing payments. If your firm processes payroll for clients and cannot demonstrate a documented verification process, underwriters will flag the application.

Threat #2: Phishing and Credential Theft

What It Is

Phishing is a fraudulent message designed to trick someone into entering credentials on a fake website, clicking a malicious link, or opening an infected attachment. For financial services firms, phishing is both a direct threat (attackers steal your credentials) and the precursor to almost every other attack on this page.

What It Looks Like at a Financial Services Firm

Tax season is prime hunting season for attackers targeting financial services firms. The IRS has repeatedly warned tax professionals about phishing campaigns that impersonate the IRS, e-filing platforms, and tax software vendors. These campaigns spike between January and April and target preparers specifically because a compromised preparer gives the attacker access to hundreds of client returns.

A phishing email arrives that appears to be from your e-filing software with a "mandatory security update." The link goes to a login page that looks identical to the real thing. You enter your credentials and the attacker now has access to your tax preparation software, your client list, and potentially the ability to file fraudulent returns using real client data.

Beyond tax season, financial services firms face year-round phishing through fake QuickBooks notifications, fake banking portal alerts, and fake document sharing requests from what appear to be clients. The IRS has documented cases where attackers used stolen preparer credentials to file fraudulent returns and redirect refunds, affecting hundreds of taxpayers from a single compromised firm.

I once consulted with a small CPA firm where a staff accountant clicked on a fake Intuit notification during tax season. The attacker used the stolen credentials to access the firm's QuickBooks Online account and exported three years of client financial data, including Social Security numbers, bank account numbers, and income figures for over 500 clients. The firm had to notify every affected client, file a report with the FTC (because they exceeded the 500-consumer threshold under the Safeguards Rule), and spend the next year dealing with the fallout. Two of their largest clients left immediately. The firm's professional liability insurance covered some costs, but the reputational damage in a small market was lasting.

How It Gets In

Phishing in financial services exploits two things: the volume of legitimate platform notifications your firm receives daily, and the seasonal pressure of deadlines. During tax season, a preparer might receive genuine emails from the IRS, their e-filing platform, their tax software vendor, their document portal, and multiple clients, all in a single hour. Distinguishing a well-crafted fake from a genuine notification in that environment is not always easy.

The 2025 Verizon DBIR found that 88% of attacks on web applications involved stolen or brute-forced credentials. Only 3% of leaked passwords met basic complexity standards. If your firm is not using unique, complex passwords for every service, backed by a password manager, the odds are stacked against you.

What Stops It

A password manager for the entire firm. Every login should be a unique, randomly generated password stored in a password manager. No one at your firm should be able to recite any of their passwords from memory, because if they can, the password is not strong enough. (See: Password Management in the Controls Library)

Simulated phishing tests, especially during tax season. Run tests that mimic what your firm actually receives: fake IRS notices, fake Intuit login alerts, fake client document sharing requests. Debrief the results with staff. Do not shame people who click, but teach them what to look for. (See: Security Awareness Training in the Controls Library)

DMARC, SPF, and DKIM on your firm's email domain. These protocols prevent attackers from sending emails that appear to come from your domain. If an attacker can spoof your email address, they can phish your clients while appearing to be you. (See: Email Security in the Controls Library)

Threat #3: Ransomware

What It Is

Ransomware encrypts your files and demands payment for the decryption key. For financial services firms, the timing is often deliberate: attackers know that a CPA firm hit with ransomware in March will pay almost anything to get access back before the April 15 filing deadline.

What It Looks Like at a Financial Services Firm

Tax season ransomware is a documented pattern. Attackers target accounting firms in February and March specifically because the deadline pressure maximizes the likelihood of payment. A Georgia CPA firm paid a $450,000 ransom to regain access to encrypted client files. Legacy Professionals LLP in Chicago had to notify 216,752 individuals after a 2024 hack and is facing at least five class-action lawsuits over the exposed data.

For smaller firms, the scenario is simpler and just as devastating. Your tax preparation software, your client files, your document storage, and your email are all encrypted on a Thursday afternoon in mid-March. The ransom demand is $75,000. You have three weeks until the filing deadline. Your clients are calling asking why they cannot access their portal. Your backups, if they exist, are on the same network and are also encrypted.

The double extortion angle is especially painful for financial services firms. The attacker does not just encrypt your files. They steal them first and threaten to publish your clients' tax returns, Social Security numbers, and financial statements on the dark web unless you pay. Even if you can restore from backups, the data is already out there.

What Stops It

Offline, air-gapped backups tested quarterly. Your backup solution needs to be physically disconnected from your network. Cloud backups that sync continuously are not sufficient because ransomware can encrypt synced cloud storage. Test your restore process before you need it. (See: Data Backup and Recovery in the Controls Library)

EDR on every workstation. Traditional antivirus is not sufficient. EDR monitors behavior patterns and can detect ransomware deployment in progress. (See: Endpoint Protection in the Controls Library)

Network segmentation. Separate your client data environment from your general office network. If ransomware gets onto the receptionist's machine, it should not be able to reach your tax preparation server. (See: Network Segmentation in the Controls Library)

Patch management, especially for edge devices. VPN appliances and firewalls with unpatched vulnerabilities were a leading entry point for ransomware in 2024. If your firm uses any internet-facing device that has not been updated in the last 90 days, you have an open door. (See: Patch Management in the Controls Library)

Threat #4: Insider Threat

What It Is

An insider threat is a security risk from someone within your organization: a departing employee who takes client files, a staff member who accesses records they should not, or an accidental exposure that puts client data at risk.

What It Looks Like at a Financial Services Firm

The departing staff member scenario is especially common in accounting. A bookkeeper who has been managing payroll for your firm's clients for five years leaves to start their own practice. On their way out, they copy client contact information, payroll records, and financial statements to a personal drive. They now have everything they need to solicit your clients directly, using data they obtained while working for you.

The accidental exposure is more common and can be just as costly. A staff accountant emails a client's completed tax return to the wrong email address. A tax preparer shares a folder in Google Drive with a client but accidentally sets it to "anyone with the link" instead of restricting access. A bookkeeper uploads a payroll file to a shared Dropbox folder that a former contractor still has access to.

For firms that work with sensitive client data daily, the risk is compounded by the volume of data handled and the routine nature of the work. When you process hundreds of W-2s and 1099s every January, the risk of one going to the wrong place is no longer theoretical, but statistical.

What Stops It

Role-based access controls. Not everyone at your firm needs access to every client's financial data. Configure your practice management software, your tax platform, and your file storage so that staff members can only access the clients they are actively working on. (See: Access Control Management in the Controls Library)

Offboarding procedures with same-day access revocation. When a staff member leaves, their access to all systems should be terminated on their last day. This includes email, QuickBooks, tax preparation software, document storage, and any client portals. (See: Account Management in the Controls Library)

DLP policies on email. Configure your email system to flag or block outgoing messages that contain Social Security numbers, EINs, or bank account numbers. Both Microsoft 365 and Google Workspace offer DLP features on business-tier plans. (See: Data Loss Prevention in the Controls Library)

Threat #5: Vendor and Third-Party Risk

What It Is

Vendor risk is the exposure that comes from the software and service providers your firm depends on. Your tax preparation software, your cloud accounting platform, your IT provider, and your document sharing service all have their own security postures. If any of them are compromised, your client data may be exposed even though your own systems were never breached.

What It Looks Like at a Financial Services Firm

The tools your firm uses daily are themselves targets. QuickBooks has been subject to documented data theft attacks involving PowerShell-based malware that exfiltrates client data files (see our QuickBooks vendor scorecard for the full analysis). Tax preparation software has been targeted by attackers who compromise preparer accounts to file fraudulent returns. Cloud storage platforms have had breaches that exposed shared documents.

The MSP risk is equally significant. If your IT provider's remote management tool is compromised, the attacker has access to every client that provider serves. For a small accounting firm that relies on a local MSP for IT support, this is a single point of failure that could expose every client file in the practice.

What Stops It

Maintain a vendor inventory and review it annually. List every vendor that has access to client data or your firm's systems. Include your tax software, accounting platform, cloud storage, IT provider, payroll processor, and document sharing tools. (See: Vendor Risk Management in the Controls Library)

Evaluate your IT provider's security posture. Ask for their SOC 2 report. Ask what MFA they use on their remote access tools. Ask what their incident response plan looks like if they are breached and document the answers.

Use the vendor scorecards on this site. We have reviewed the security posture of the most common tools used by small financial services firms, including QuickBooks, Google Workspace, Microsoft 365, Dropbox, and Stripe. Each scorecard gives you an independent assessment of the vendor's encryption, access controls, compliance certifications, and breach history.

How Financial Services Is Different: The Regulatory Context

Most small financial services firms do not realize they are subject to federal cybersecurity regulation, but they are.

The FTC Safeguards Rule applies to every tax preparer, bookkeeper, financial advisor, accountant, mortgage broker, and credit counselor in the United States. It requires a written information security program with nine specific elements, including a designated qualified individual responsible for the program, a documented risk assessment, access controls, encryption, MFA, staff training, an incident response plan, and regular testing. The penalty for non-compliance is up to $51,744 per violation per day. The breach notification requirement, effective May 2024, requires firms to report breaches affecting 500 or more consumers to the FTC within 30 days, and those reports will be made public.

IRS Publication 4557 provides additional guidance specific to tax preparers, including requirements for securing taxpayer data, monitoring for data theft, and reporting security incidents. Compliance with Pub 4557 has been required on PTIN applications since 2019.

The Gramm-Leach-Bliley Act (GLBA) is the statute underlying the Safeguards Rule and applies broadly to businesses engaged in financial activities. If you handle other people's financial data for a living, GLBA applies to you.

The FTC's own plain-language guidance explicitly lists tax preparation firms, financial advisors, credit counselors, mortgage brokers, collection agencies, and investment advisors among the covered entities. If you are unsure whether your firm is covered, the safer assumption is that you are.

For a plain-English walkthrough of what the FTC Safeguards Rule requires from your firm, see our compliance resources.

Take the Next Step

This page gives you the picture. Our free cybersecurity assessment tells you where your firm specifically stands against these threats and maps your results to FTC Safeguards Rule requirements.

Frequently Asked Questions

Does the FTC Safeguards Rule apply to my bookkeeping firm?

If your firm handles client financial data, prepares tax returns, processes payroll, or provides financial advisory services, the answer is almost certainly yes. The FTC Safeguards Rule defines "financial institution" broadly to include tax preparers, accountants, bookkeepers, credit counselors, mortgage brokers, and financial advisors. The Rule explicitly lists 13 categories of covered businesses. Firms with records for fewer than 5,000 consumers are exempt from some requirements but are still subject to the Rule's core obligations.

What happens if I am not in compliance with the Safeguards Rule?

The FTC has civil penalty authority with fines up to $51,744 per violation per day. Beyond fines, a breach tied to a Safeguards Rule failure can trigger state attorney general investigations, class-action lawsuits, mandatory remediation, and public disclosure of the breach through the FTC's reporting database. The reputational damage of a public breach report for a firm whose business depends on client trust can be permanent.

Do accounting firms actually get targeted by ransomware?

Yes. Cyberattacks on accounting firms have increased 300% since 2020. In 2024, 65% of financial services organizations experienced ransomware. A Georgia CPA firm paid a $450,000 ransom, and Legacy Professionals LLP in Chicago was forced to notify over 216,000 individuals after a breach. Tax season is the most common time for these attacks because deadline pressure maximizes the likelihood of payment.

What is the most important thing I should do first?

Enable MFA on every account at your firm: email, accounting software, tax preparation platform, and any client-facing portal. Then determine whether you have a written information security plan as required by the FTC Safeguards Rule. If you do not, that is your compliance gap, and it needs to be addressed before the next breach notification cycle.

Does my firm need cyber insurance?

If your firm handles client financial data, including Social Security numbers, bank account information, and tax records, yes. A single data breach at a small accounting firm can trigger notification obligations to hundreds or thousands of individuals, FTC reporting requirements, and potential class-action exposure. Cyber insurance covers breach notification costs, legal defense, regulatory response, and business interruption. Without it, the financial impact of an incident can close a small firm.

Sources

  • FBI Internet Crime Complaint Center 2024 Annual Report
  • Verizon 2025 Data Breach Investigations Report
  • IBM Cost of a Data Breach Report 2024
  • FTC Safeguards Rule (16 CFR Part 314)
  • IRS Publication 4557
  • Sophos State of Ransomware in Financial Services 2024
