Phishing Attacks Targeting Accounting Firms and Financial Advisors
March 19, 2026 · 11 min read

Accounting firms and financial advisors hold a uniquely attractive combination of assets from an attacker's perspective: detailed client financial data, tax identification numbers, banking credentials, investment account information, and the trusted-advisor relationships that make clients more likely to comply with an urgent request — whether or not it's real. Phishing attacks targeting this sector have grown in volume, sophistication, and financial impact every year for the past decade. In 2025 and 2026, the integration of artificial intelligence into phishing toolkits has made these attacks harder to detect and far more effective. Understanding the specific threat landscape facing CPA firms and financial advisors is the first step toward building defenses that actually work.
How Big Is the Phishing and BEC Problem for Financial Services Firms?
The scale is significant and growing. The FBI's 2024 IC3 Annual Report documented total cybercrime losses of $16.6 billion — a 33% increase from 2023. Phishing and spoofing were the most reported crime categories, with 193,407 complaints. Business email compromise (BEC) — the phishing variant most dangerous to accounting firms — generated nearly $2.8 billion in losses in 2024 alone, making it the second-highest loss category reported to the FBI. Between 2022 and 2024, BEC cost U.S. victims close to $8.5 billion.
BEC attacks increased 15% in 2025 compared to 2024, according to LevelBlue SpiderLabs research, with invoice and wire-transfer-themed attacks becoming more sophisticated through AI-generated email chains, specific payment pretexts, and falsified invoices. The Association for Financial Professionals' 2025 Payments Fraud and Control Survey found that 63% of organizations experienced BEC last year — and finance, real estate, and professional services firms are consistently among the most targeted sectors.
Account compromise, which typically begins with a successful phishing attack, surged 389% year-over-year in 2025, according to eSentire's threat research, with phishing-as-a-service (PhaaS) kits accounting for 63% of all account compromise incidents. These kits are designed to bypass MFA through adversary-in-the-middle (AiTM) techniques — meaning that MFA alone, while necessary, is no longer sufficient protection against sophisticated phishing campaigns.
What Does the IRS Say About Phishing Threats to Tax Professionals in 2026?
The IRS's 2026 Dirty Dozen tax scams list, released March 5, 2026, specifically highlights threats targeting tax professionals and their clients during filing season. The IRS reported over 600 social media impersonators in fiscal year 2025 and flagged these recurring and emerging threats:
- IRS impersonation by email and text (phishing and smishing): Emails and texts appearing to be from the IRS, using alarming language and QR codes directing recipients to fake IRS websites to "verify" accounts, enter personal information, or claim refunds. For tax professionals, these attacks target both the firm's staff (attempting credential theft) and clients (attempting to redirect refunds or harvest identities).
- AI-enabled IRS impersonation by phone: Phone scams using computer-generated voice technology, robocalls, and spoofed caller IDs that make calls appear to originate from the IRS. AI voice synthesis has made these calls far more convincing than the heavily-accented calls that trained staff to be skeptical.
- Spear-phishing and malware targeting tax professionals (Dirty Dozen Item 11): "New client" and "document request" emails that deliver malicious links or attachments specifically designed to steal client data or install ransomware on firm systems. The IRS identified this as the only Dirty Dozen item aimed specifically at tax practitioners — and it is the one most directly threatening to CPA firm operations. These emails are now AI-personalized using information about the firm scraped from its website, LinkedIn profiles, and public filings.
The IRS also maintains its Tax Security 2.0 program, which requires tax professionals to contact their local IRS Stakeholder Liaison immediately if they discover data theft, file a complaint with the FTC, notify affected clients, and contract with a cybersecurity expert to stop ongoing theft. These response obligations underscore that phishing and data theft are not merely a nuisance for tax preparers — they are events with regulatory reporting consequences.
What Are the Most Dangerous Phishing Scenarios for Accounting Firms?
Understanding the specific attack patterns most likely to affect your firm allows you to build targeted defenses and train staff to recognize them. The highest-risk scenarios for CPA firms and financial advisory practices include:
- Wire fraud via compromised email: An attacker gains access to a staff member's email account (typically via a successful phishing attack) and monitors communications until a client transaction or wire transfer is in progress. The attacker then impersonates the firm, intercepts the wire transfer conversation, and substitutes fraudulent payment instructions. The Federal Reserve Financial Services reports that BEC accounts for 73% of all reported cyber incidents involving fraudulent ACH and wire transfers — and the FBI has described BEC as a $55 billion scam over the past decade.
- New client impersonation: Attackers pose as prospective clients, sending an initial engagement email that contains a malicious attachment (described as a prior tax return, financial statement, or engagement document). When a staff member opens the attachment, malware is installed that harvests credentials or establishes persistence for a later ransomware attack. These attacks are specifically designed for CPA firms, whose staff routinely open documents from new client prospects.
- Tax software credential theft: Phishing emails impersonating Wolters Kluwer, Thomson Reuters, Drake Software, or Intuit prompt staff to "re-authenticate" or "verify" their accounts through a spoofed login page. Captured credentials give attackers access to client tax data on the actual platform.
- Client portal spoofing: Fake versions of your firm's client portal or secure document exchange service are used to harvest client login credentials. Clients receive a convincing email from what appears to be your firm, click through to the spoofed portal, and enter their credentials — which go directly to the attacker.
- Payroll diversion: Attackers impersonate employees (often using compromised email accounts or lookalike domains) to request changes to direct deposit banking information. For financial advisory practices with staff managing client payroll, this attack can simultaneously target the firm's own staff and its clients.
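Several of the scenarios above depend on a sender that looks like the firm without being the firm: a lookalike domain, or a genuine From address whose Reply-To quietly routes the conversation elsewhere. The detector below is an added example, not code from this post or from NorthStar, and it assumes a fictitious firm domain (example-cpa.com), a small homoglyph table and three constructed messages; a mail gateway or SIEM rule would apply the same checks to every inbound message.

```python
"""Flag inbound mail whose From domain imitates the firm's own domain, or whose
Reply-To routes replies to a different domain than the one the message claims.
Added illustration for the scenarios above; the firm domain, the homoglyph
table and the sample messages are constructed, not any vendor's rule set."""
from email import message_from_string, policy
from email.utils import parseaddr
from typing import List, Optional

# Constructed: the domains the firm genuinely sends from.
FIRM_DOMAINS = {"example-cpa.com"}

# Character swaps that are hard to tell apart in common fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Normalise a domain so visually similar spellings collapse together."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Domain part of an RFC 5322 address header, lower-cased ('' if absent)."""
    _, mailbox = parseaddr(str(header_value))
    return mailbox.rsplit("@", 1)[1].lower() if "@" in mailbox else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the firm domain this one imitates, or None if genuine or unrelated."""
    if domain in FIRM_DOMAINS:
        return None
    sk = skeleton(domain)
    for real in FIRM_DOMAINS:
        # Homoglyph swap (same skeleton) or a typo-squat within two edits.
        if sk == skeleton(real) or edit_distance(sk, skeleton(real)) <= 2:
            return real
        # Real domain used as a leading label, e.g. example-cpa.com.login.example.net
        if domain.startswith(real + ".") or ("." + real + ".") in domain:
            return real
    return None


def analyse(raw: str) -> List[str]:
    """Findings for one raw RFC 5322 message (empty list means nothing flagged)."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    findings = []
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"from-domain {from_dom} imitates {target}")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to {reply_dom} differs from from-domain {from_dom}")
    return findings


# Constructed sample messages.
SAMPLE_LOOKALIKE = (
    'From: "Ken at Example CPA" <partner@exarnple-cpa.com>\n'
    "To: staff@example-cpa.com\nSubject: Updated wire instructions\n\n"
    "Please see the attached revised instructions.\n"
)
SAMPLE_REPLY_TO = (
    "From: partner@example-cpa.com\nReply-To: billing@mail-relay.example.net\n"
    "To: client@example.org\nSubject: Invoice\n\nInvoice attached.\n"
)
SAMPLE_CLEAN = "From: client@example.org\nTo: staff@example-cpa.com\nSubject: Question\n\nHi.\n"

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_REPLY_TO, SAMPLE_CLEAN):
        print(analyse(sample) or ["no findings"])
```

The skeleton step is what catches "exarnple" for "example"; the edit-distance step catches dropped or swapped characters such as a missing final letter in the TLD. A Reply-To on a different domain is not proof of compromise on its own, but for a firm whose staff normally reply in-thread it is cheap to flag for review.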
How Do AI and Phishing-as-a-Service Make These Attacks Harder to Detect?
Traditional security awareness training taught staff to look for certain red flags: awkward grammar, generic greetings, mismatched email domains, and urgency that doesn't match the sender's normal communication style. AI-generated phishing emails eliminate most of these indicators.
Modern AI phishing tools can craft emails that:
- Are grammatically perfect and contextually accurate
- Reference real ongoing client matters, using information scraped from firm websites, LinkedIn, and social media
- Mimic the tone and communication style of specific individuals (including partners and clients)
- Use the correct names, titles, and relationship context for firm personnel
Phishing-as-a-service (PhaaS) kits like Tycoon2FA, FlowerStorm, and EvilProxy are specifically designed to bypass MFA by acting as a real-time proxy between the target and the legitimate service. The attacker's infrastructure intercepts the legitimate session token after MFA is completed, giving them authenticated access without ever needing the MFA code. These kits are continuously updated to evade detection — and they are widely available to attackers with minimal technical skill.
The practical implication for accounting firms is that phishing defense must now operate at multiple layers simultaneously: technical controls that filter malicious emails before staff see them, authentication mechanisms that resist adversary-in-the-middle attacks, and behavioral verification procedures for high-risk actions (wire transfers, account changes, credential resets) that don't rely solely on the email communication channel.
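From the identity provider's side, an AiTM proxy leaves two traces: the MFA step completes from a network the user has never signed in from (the proxy's address, not the user's), and the issued session is then presented from yet another address. The following detection logic is an added example, not code from this post or from any vendor; the JSON event shape, field names and the 30-minute replay window are assumptions, and the log lines are constructed to show one normal pattern followed by one suspicious sequence.

```python
"""Detect sign-ins consistent with an AiTM phishing proxy by correlating MFA
completions with later uses of the same session token.
Added example over constructed log lines; the event format and thresholds
are assumptions, not any identity provider's native schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample: two normal days, then MFA from a new network followed by
# the session token being used from a third address within minutes.
SAMPLE_LOG = """\
{"ts":"2026-03-10T08:02:11Z","event":"mfa_success","user":"j.doe","ip":"203.0.113.10","session":"s-101"}
{"ts":"2026-03-10T08:02:40Z","event":"session_use","user":"j.doe","ip":"203.0.113.10","session":"s-101"}
{"ts":"2026-03-11T08:05:02Z","event":"mfa_success","user":"j.doe","ip":"203.0.113.10","session":"s-102"}
{"ts":"2026-03-11T08:06:00Z","event":"session_use","user":"j.doe","ip":"203.0.113.10","session":"s-102"}
{"ts":"2026-03-12T14:21:09Z","event":"mfa_success","user":"j.doe","ip":"198.51.100.77","session":"s-103"}
{"ts":"2026-03-12T14:22:30Z","event":"session_use","user":"j.doe","ip":"192.0.2.200","session":"s-103"}
{"ts":"2026-03-12T14:25:01Z","event":"session_use","user":"j.doe","ip":"192.0.2.200","session":"s-103"}
"""

# Assumed: a token presented from a different IP this soon after issue is suspicious.
REPLAY_WINDOW = timedelta(minutes=30)


def parse(raw: str) -> List[dict]:
    """Parse JSON-lines events and sort them by timestamp."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(raw: str) -> List[Tuple[str, str, str]]:
    """Return alerts as (rule, user, session) tuples."""
    alerts = []
    known_ips = defaultdict(set)  # user -> IPs from which MFA has completed cleanly
    issued = {}                   # session -> (user, ip, ts) at MFA completion
    for e in parse(raw):
        user, ip, sess = e["user"], e["ip"], e["session"]
        if e["event"] == "mfa_success":
            if known_ips[user] and ip not in known_ips[user]:
                # Rule 1: MFA succeeded from a network this user has never used.
                alerts.append(("mfa_from_new_network", user, sess))
            else:
                # Only learn addresses from sign-ins that raised no alert.
                known_ips[user].add(ip)
            issued[sess] = (user, ip, e["ts"])
        elif e["event"] == "session_use":
            origin = issued.get(sess)
            if origin and ip != origin[1] and e["ts"] - origin[2] <= REPLAY_WINDOW:
                # Rule 2: the token left the address it was issued to almost at once.
                alerts.append(("token_used_from_other_ip", user, sess))
                issued.pop(sess)  # alert once per session
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Neither rule alone is conclusive: rule 1 fires on a genuine trip, and rule 2 fires on a VPN reconnect. Both firing on the same session within minutes of a successful MFA is the pattern worth paging on, and the response is to revoke that session, not just reset the password, because the attacker holds the token rather than the credentials.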
What Do the FTC Safeguards Rule and IRS Publication 4557 Require for Phishing Defense?
The FTC Safeguards Rule (enacted under the Gramm-Leach-Bliley Act, or GLBA) does not use the word "phishing," but its requirements for protecting customer information directly mandate the technical and procedural controls that constitute phishing defense:
- Section 314.4(b) — Written risk assessment: Must identify reasonably foreseeable risks to customer information, including human-factor risks like phishing and social engineering. A risk assessment that doesn't address phishing is incomplete.
- Section 314.4(c)(5) — Multi-factor authentication: Required for any system that accesses customer financial information. While MFA alone can be bypassed by sophisticated PhaaS attacks, it remains a required baseline control and eliminates the vast majority of opportunistic attacks.
- Section 314.4(e)(2) — Security awareness training: Requires training staff to recognize and respond to information security risks, including "social engineering." This training must be updated regularly to reflect current threats — AI-enhanced phishing is now a required topic.
- Section 314.4(d) — Continuous monitoring: Requires monitoring and testing your safeguards. Email security logs, authentication events, and failed access attempts must be reviewed systematically to detect phishing-enabled compromises in progress.
IRS Publication 4557 adds specific requirements for tax preparers, including the obligation to report data theft to the IRS immediately, use anti-phishing email filtering, and implement two-factor authentication for tax software access. The IRS's Tax Security 2.0 checklist explicitly includes anti-phishing measures as required security controls for all tax professionals.
For firms with FINRA-registered advisors, the 2026 FINRA Annual Regulatory Oversight Report specifically addresses AI-enhanced phishing, requiring firms to train employees on the heightened fraud risks from adversarial AI and to evaluate whether their cybersecurity programs specifically address AI-generated social engineering attacks.
What Practical Defenses Should Accounting Firms and Financial Advisors Implement?
Effective phishing defense for financial services firms in 2026 requires a layered approach that addresses both the technical and human dimensions of the attack surface:
- AI-aware email security: Deploy email security platforms that use behavioral analysis and machine learning — not just reputation-based filtering. These tools can identify phishing attempts that pass conventional filters by analyzing communication patterns, relationship graphs, and content anomalies.
- DMARC, DKIM, and SPF enforcement: Email authentication protocols that prevent attackers from spoofing your domain in emails sent to clients. If your firm doesn't have these configured, attackers can send emails that appear to come from your domain with no technical barriers. This is also a cyber insurance requirement at most carriers.
- Phishing-resistant MFA: Hardware security keys (FIDO2/WebAuthn standard) or number-matching authenticator apps for all privileged accounts, including tax software, client portals, and email. Standard SMS-based MFA is vulnerable to PhaaS attacks.
- Out-of-band verification for wire transfers: Any wire transfer request, banking information change, or account update received via email should require a secondary verification call to a pre-established phone number — never a number provided in the suspicious email. This single procedure prevents the vast majority of BEC-enabled wire fraud.
- Security awareness training updated for AI threats: Staff training that reflects current attack patterns, including AI-generated email, voice cloning, and phishing-as-a-service techniques. Quarterly phishing simulations with reporting on click rates and credential submission provide measurable data on staff vulnerability.
- Endpoint detection and response (EDR): If a phishing attack does succeed and malware is installed, EDR solutions detect and contain the compromise based on behavioral indicators — stopping ransomware, data exfiltration, and lateral movement before the damage becomes catastrophic.
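The DMARC, DKIM and SPF item above is the one control a firm can verify by reading two DNS TXT records, and the common failure is a rollout that stopped at "monitoring". The linter below is an added example, not code from this post or from NorthStar; it checks record text against the SPF (RFC 7208) and DMARC (RFC 7489) syntax rules offline, so the record strings are constructed (a typical unfinished rollout beside a hardened one) and nested include: records are not resolved.

```python
"""Lint the SPF and DMARC TXT records a domain publishes and report settings
that leave the domain spoofable. Added example; records below are constructed
and the checks follow RFC 7208 (SPF) and RFC 7489 (DMARC)."""
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; ...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def lint_spf(record: str) -> List[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    mechs = [t.lower() for t in terms[1:]]
    issues = []
    last = mechs[-1] if mechs else ""
    if last in ("+all", "all"):
        issues.append("SPF: '+all' authorises any host on the internet to send as this domain")
    elif last == "?all":
        issues.append("SPF: '?all' is neutral, so spoofed mail neither passes nor fails")
    elif last == "~all":
        issues.append("SPF: '~all' softfails only; workable under DMARC, but '-all' is the hardened form")
    elif last != "-all":
        issues.append("SPF: no terminal 'all' mechanism, so unlisted senders are not rejected")
    # RFC 7208 s4.6.4 allows at most 10 lookup-causing terms. Nested includes
    # are not resolved here (offline), so this count is a lower bound.
    lookups = 0
    for m in mechs:
        name = m.lstrip("+-~?").split(":")[0].split("/")[0]
        if name in ("include", "a", "mx", "ptr", "exists") or m.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS lookups exceed the limit of 10, receivers return permerror")
    return issues


def lint_dmarc(record: str) -> List[str]:
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    issues = []
    pol = t.get("p", "").lower()
    if pol == "":
        issues.append("DMARC: no p= tag, so the record is invalid and ignored by receivers")
    elif pol == "none":
        issues.append("DMARC: p=none is monitor-only, so spoofed mail is still delivered")
    pct = t.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in t:
        issues.append("DMARC: no rua= address, so aggregate reports of spoofing attempts are lost")
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    sp = t.get("sp", "").lower()
    if sp and strength.get(sp, 0) < strength.get(pol, 0):
        issues.append(f"DMARC: sp={sp} leaves subdomains weaker than the organisational domain")
    return issues


# Constructed records: a rollout that stalled at monitoring, then the hardened form.
SPF_WEAK = "v=spf1 a mx include:spf.mailhost.example ?all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
SPF_GOOD = "v=spf1 include:spf.mailhost.example -all"
DMARC_GOOD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
              "rua=mailto:dmarc-reports@example-cpa.com")

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", SPF_WEAK, DMARC_WEAK), ("hardened", SPF_GOOD, DMARC_GOOD)):
        print(label, lint_spf(spf) + lint_dmarc(dmarc) or ["no issues"])
```

The weak pair is what a receiver sees during most stalled deployments: SPF that never says "no" and DMARC that never enforces, so the firm's domain can still be spoofed to its own clients. Moving to p=reject only after aggregate reports (rua=) show legitimate mail passing is the normal order of operations.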
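The out-of-band verification item is a procedure rather than a product, and the place it usually breaks is the phone number: staff call the number helpfully printed in the very email they are checking. The workflow below is an added example, not code from this post or from any firm's system; the client directory, the sample request email and the data structures are constructed, and the only rule it enforces is the one stated above: confirmation must come from a number recorded at onboarding and must never be a number that appears in the request itself.

```python
"""Enforce the callback rule for payment instructions received by email.
Added example with a constructed client directory and sample email; the
pre-registered numbers are captured at onboarding, before any email traffic."""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# North American numbers in the usual written forms; adjust for other regions.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Constructed: phone numbers recorded at client onboarding (10 digits, no country code).
CLIENT_DIRECTORY = {
    "C-1001": {"name": "Acme Holdings (constructed)", "verified_phones": {"2025550123"}},
}


def normalise_phone(s: str) -> str:
    """Digits only; drop a leading US country code so forms compare equal."""
    digits = re.sub(r"\D", "", s)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


@dataclass
class WireRequest:
    client_id: str
    amount: float
    beneficiary_account: str
    email_body: str
    callback_number: Optional[str] = None
    confirmed_by: Optional[str] = None

    def phones_in_email(self) -> Set[str]:
        """Every phone number the request itself offers, normalised."""
        return {normalise_phone(m.group()) for m in PHONE_RE.finditer(self.email_body)}


def verify_callback(req: WireRequest, callback_number: str, confirmed_by: str) -> Tuple[bool, str]:
    """Record a verbal confirmation, rejecting any number that was not
    pre-registered or that was supplied inside the email being verified."""
    num = normalise_phone(callback_number)
    client = CLIENT_DIRECTORY.get(req.client_id)
    if client is None:
        return False, "unknown client"
    if num in req.phones_in_email():
        return False, "callback number was taken from the request email"
    if num not in client["verified_phones"]:
        return False, "callback number is not the pre-registered number"
    req.callback_number = num
    req.confirmed_by = confirmed_by
    return True, "confirmed"


def may_release(req: WireRequest) -> bool:
    """Funds move only after a confirmation recorded against a registered number."""
    client = CLIENT_DIRECTORY.get(req.client_id)
    return (client is not None and req.confirmed_by is not None
            and req.callback_number in client["verified_phones"])


# Constructed request: new beneficiary details plus a helpful "call us" number.
SAMPLE_EMAIL = (
    "Hi, our bank changed. Please send the $45,000.00 quarterly distribution to "
    "the new account in the attachment. If you need to confirm, call our "
    "controller directly at 202-555-0199 today as she is travelling."
)

if __name__ == "__main__":
    req = WireRequest("C-1001", 45000.0, "ACCT-PLACEHOLDER", SAMPLE_EMAIL)
    print(verify_callback(req, "202-555-0199", "a.analyst"))   # number from the email: refused
    print(verify_callback(req, "(202) 555-0123", "a.analyst")) # registered number: accepted
    print(may_release(req))
```

The point of `phones_in_email` is that the attacker controls the email, so any number in it is the attacker's; the directory lookup makes the decision depend only on data the firm held before the request arrived. Beneficiary details never enter the decision at all, which is deliberate: the check verifies the requester, not the instructions.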
What Should Your Firm Do If You Suspect a Phishing Attack Has Succeeded?
Response speed matters enormously. The FBI's Recovery Asset Team achieved a 66% success rate in freezing fraudulent BEC transfers — but only when firms reported quickly enough for the Financial Fraud Kill Chain to intercept the funds. The window closes within hours for domestic transfers and faster for international ones. Your incident response plan must address:
- Immediate isolation of the compromised device or account
- Notification to your MSP/MSSP for forensic investigation
- Notification to your cyber insurer within the policy's required window (typically 48–72 hours)
- For suspected wire fraud: immediate contact with your bank and the FBI's IC3 at ic3.gov
- For tax data theft: immediate notification to IRS Stakeholder Liaison and the FTC
- For breaches involving 500+ consumers: FTC notification within 30 days under Section 314.4(j) of the Safeguards Rule
NorthStar Technology Group provides comprehensive phishing defense and managed security services for accounting firms and financial advisory practices — from deploying AI-aware email security and phishing-resistant MFA to delivering security awareness training designed specifically for the tax professional threat environment. We understand that for your firm, a phishing attack isn't just a security incident; it's a potential FTC Safeguards violation, an IRS reporting obligation, and a client trust crisis all at once. Our goal is to make sure your defenses are strong enough that you never have to find that out firsthand. Learn more about our financial services cybersecurity programs at northstartechnologygroup.com/services. You may also find our article on AI-powered cyber threats targeting financial services in 2026 useful for understanding the broader threat landscape your firm faces.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.