Why Accounting Firms Are Targeted Differently

Most small business cybersecurity advice is generic. Lock your Wi-Fi. Use strong passwords. But accounting firms face a specific threat profile:

Tax season phishing spikes. Between January and April, attackers specifically impersonate the IRS, Intuit, and state tax agencies to steal credentials from accounting professionals. The FBI issues warnings about this pattern every year — because it keeps working.

Business Email Compromise targeting your clients. Once an attacker gets into your email, they do not just steal your data. They email your clients pretending to be you, changing wire transfer instructions. The money goes to them. The liability discussion starts with you.

Intuit credential stuffing. Attackers take credentials leaked from unrelated breaches and try them against QuickBooks accounts. If any of your staff reuse passwords across accounts, this works.

Law firms using Microsoft 365 face a very similar Business Email Compromise risk. Our guide to M365 security for law firms covers this threat in depth for professional services practices.

1 Enable Multi-Factor Authentication on Every QBO Account

QuickBooks Online supports MFA. Most firms have it on for the owner and off for everyone else because "it slows us down during busy season." This is the most common entry point we see in accounting firm breaches.

  • Log into QuickBooks Online as the primary admin → Settings → Manage Users
  • Verify each user's Intuit account has MFA enabled (enforced at accounts.intuit.com → Security, not from inside QBO)
  • Require all staff to use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) — not SMS. SMS codes can be intercepted through SIM-swapping, which matters most for staff with admin access to client files.

2 Audit Who Has Access to What — Right Now

QuickBooks Online has five user roles: Master Admin, Company Admin, Standard User, Reports Only, and Time Tracking Only. In most small firms every staff member is either a Company Admin or Standard User with access to all clients. Nobody has revisited this since initial setup.

  • Bookkeepers handling day-to-day transactions: Standard User, limited to their assigned clients only
  • Staff accountants preparing returns: Standard User with read access to financial reports
  • Payroll processors: Only the Payroll Admin role if using QBO Payroll — nothing extra
  • Owner / CPA: Company Admin with MFA enforced

QBO lets you restrict access by company (client file). Use it. If one staff account is compromised, attackers should reach one client's data — not all 200. To review: Settings → Manage Users → click each user.

3 Stop Emailing Client Documents Through Gmail

The standard workflow: export a report from QBO → save as PDF → email via Gmail or Outlook. That PDF now sits unencrypted in your sent folder, your client's inbox, their email provider's servers, and potentially a dozen intermediate mail servers.

For documents containing SSNs or bank account numbers, this is a compliance problem under the FTC Safeguards Rule and a security problem. Better alternatives:

  • Intuit's built-in client portal — clients get a secure link, not an attachment
  • ShareFile or SmartVault — both integrate directly with QuickBooks and are built for accounting firms. Encrypted at rest and in transit.
  • Canopy or TaxDome — practice management platforms with secure portals that also handle engagement letters, signatures, and billing

If you are emailing W-2s, 1099s, or tax returns as attachments today, the FTC Safeguards Rule (which applies to tax preparers) requires you to stop.

4 Audit Accountant Access for Every Client File

QuickBooks Online has an "Accountant Access" feature for inviting external accountants into client books. We routinely find former bookkeepers, employees of previous CPA firms, and random accountants from years ago who still have active access to client QuickBooks files. Do this for every client file you manage:

  1. Open the client's QBO company
  2. Go to Settings → Manage Users → Accounting Firms
  3. Remove anyone who should not be there
  4. Repeat quarterly — not just once
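Steps 2 and 4 together amount to a quarterly access review. As an added example (not from this article or from Intuit), here is a Python script that applies those rules to a constructed CSV export of a firm's QBO user list; the column names, e-mail addresses and policy mapping are assumptions, and the expected role per user follows the least-privilege list in step 2.

```python
import csv
import io
from datetime import date

# Constructed sample export, one row per (user, client file). It assumes you export
# the Manage Users page to CSV by hand; the column names are ours, not Intuit's.
EXPORT = """\
email,role,client_file,mfa,external_firm,last_login
owner@firm.example,Company Admin,*,yes,no,2024-03-01
bk1@firm.example,Standard User,Acme Bakery,yes,no,2024-03-02
bk1@firm.example,Standard User,Blue Dental,no,no,2024-03-02
payroll@firm.example,Company Admin,*,yes,no,2024-02-28
partner@cpafirm.example,Accountant,Blue Dental,yes,yes,2024-03-10
old.cpa@otherfirm.example,Accountant,Acme Bakery,yes,yes,2022-11-15
"""

# Least-privilege policy from the checklist: the one role each approved user may hold.
POLICY = {"owner@firm.example": "Company Admin", "bk1@firm.example": "Standard User",
          "payroll@firm.example": "Payroll Admin", "partner@cpafirm.example": "Accountant"}
STALE_DAYS = 365  # external accountant access idle this long gets removed


def review_access(csv_text, policy, today, stale_days=STALE_DAYS):
    """Return sorted (email, finding) pairs that need action this quarter."""
    findings = set()  # a set so a user with several client rows is reported once
    for row in csv.DictReader(io.StringIO(csv_text)):
        email, role, client = row["email"], row["role"], row["client_file"]
        if row["mfa"] != "yes":
            findings.add((email, "MFA not enabled on Intuit account"))
        if row["external_firm"] == "yes":  # step 4: accountant access review
            idle = (today - date.fromisoformat(row["last_login"])).days
            if email not in policy:
                findings.add((email, f"unlisted external accountant on {client}: remove"))
            elif idle > stale_days:
                findings.add((email, f"external access on {client} idle {idle} days: remove"))
            continue
        expected = policy.get(email)  # step 2: role and per-client restriction
        if expected is None:
            findings.add((email, "not in access policy: remove or document"))
        elif role != expected:
            findings.add((email, f"role is {role}, policy says {expected}"))
        if client == "*" and expected != "Company Admin":
            findings.add((email, "access to every client file: restrict by client"))
    return sorted(findings)


def sample_findings(today_iso="2024-03-31"):
    """Run the review over the constructed export as of the given date."""
    return review_access(EXPORT, POLICY, date.fromisoformat(today_iso))
```

Running it against a real export turns the quarterly review into a short action list; the output lines map one-to-one onto the "remove" and "restrict" steps above.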

5 Create a Written Information Security Plan (WISP)

This is not optional for US tax preparers. The IRS requires it. The FTC requires it. And almost no small firms have one.

A WISP for a firm with under 10 staff can be 4–6 pages covering:

  • Who is responsible for data security at the firm
  • What client data you collect, where it is stored, and who can access it
  • How you handle a breach (who to notify, when)
  • Your password and MFA policies
  • How you dispose of old client records

The IRS has a free WISP template for small tax professionals at irs.gov, updated in 2022, that takes about two hours to complete properly. If you do not have a WISP and a client's data is compromised, your professional liability exposure increases significantly.

The FTC Safeguards Rule applies to tax preparers

Under the FTC Safeguards Rule, tax preparers are classified as "financial institutions" and are required to implement a written information security program, use encryption for customer data in transit and at rest, and maintain multi-factor authentication. These are not optional.

What a Breach Actually Looks Like for an Accounting Firm

How it starts: A staff accountant uses the same password for QBO and their personal Netflix account.

The breach: Netflix gets breached; credentials end up on the dark web. Attacker logs into QBO — no MFA because "it slows us down." Attacker exports all clients with SSNs and bank routing numbers. Using the accountant's business email, they send fraudulent invoice emails to 40 clients.

The damage: Two clients wire money to the attacker's account before anyone notices. Firm notifies all clients, loses three of them, spends $15,000 on incident response, and receives a complaint filed with the state CPA board.

The timeline: About 72 hours from initial compromise to discovery. It happens in January, during tax season, when you're too busy to notice warning signs.

The Bottom Line

You do not need a $50,000 security programme. You need:

  1. MFA on every QuickBooks and email account
  2. Least-privilege access for all staff — by client file, not just by role
  3. A secure document portal instead of email attachments
  4. A short written security policy (the IRS template is free)
  5. Quarterly access audits across QBO and email

For most small accounting firms, implementing all five takes one afternoon and costs under $100/month in tooling you should be paying for already.

Your email security deserves the same attention as QBO. If you use Microsoft 365, our M365 security guide for professional services firms covers the specific configurations — forwarding rules, Conditional Access, and Business Email Compromise prevention — that protect your practice at the email layer.

Firms that process client card payments directly also face PCI-DSS vulnerability scanning requirements on top of the FTC Safeguards Rule — quarterly internal and external scans that most small accounting firms are unaware of. UK practices seeking Cyber Essentials certification should also review our Cyber Essentials IT security policy guide, which covers the five control areas your written policy must address.

QuickBooks Security Review

We review your QBO user permissions, access controls, email practices, and WISP documentation — and deliver a prioritised action list. No retainers, no 12-month contracts.

Get in Touch

Fixed-fee engagement. Written report included.

When to Bring in Outside Help

If you have never had a security professional review your QuickBooks configuration and user access, that is the first gap to close. You are not buying a year-long managed security engagement — you are buying a second set of eyes on your specific setup.

Areas where outside help makes the most difference: reviewing QBO permissions across all client files, drafting your WISP, evaluating your email security posture (particularly if you are on Gmail or basic Outlook), and providing annual staff training documentation for compliance purposes.

Learn more about our compliance and security services for professional services firms.