Somewhere in the last decade, the cybersecurity industry built a very expensive wall. Firewalls. Intrusion detection systems. Antivirus software. Perimeter defenses of every shape and size.
Attackers stopped trying to climb it.
Instead, they started looking for the door. And then they started stealing the key.
The Darktrace Annual Threat Report 2026, one of the most comprehensive analyses of global cyberthreat activity available, put it plainly: software vulnerabilities rose 20% year-over-year in 2025. And yet, attackers are increasingly bypassing those vulnerabilities entirely in favor of credential abuse and identity-led intrusions.
More bugs. Less exploitation.
Because why spend weeks hunting for a zero-day exploit when a phishing email can hand you someone’s login in minutes?
“Traditional perimeter defenses were built for a world where attackers had to break in. Today they simply log in.”
— Nathaniel Jones, VP of Security & AI Strategy, Darktrace
For CPA firms, tax professionals, and accounting practices of every size, this is not an abstract headline. This is your threat landscape. And it requires a different kind of response than you’ve probably been told about.
This article breaks down what’s actually happening, why accounting firms are one of the most targeted professional categories, what the regulatory stakes now are, and what a genuinely secure infrastructure setup looks like in 2026.
The Paradigm Has Shifted: From Breaking In to Logging In
For most of its history, cybersecurity operated on a simple assumption: attackers are on the outside, defenders are on the inside, and the goal is to keep them separated. Firewalls monitored traffic. Antivirus flagged suspicious files. Network detection tools watched for unusual patterns at the edge.
That model assumed the threat would look foreign. It would arrive via a strange IP address, a known malware signature, or an obvious intrusion attempt.
The 2026 threat landscape doesn’t look like that anymore.
When an attacker uses stolen credentials to log into your QuickBooks hosting environment, your email system, or your client portal, they don’t trigger any of those legacy defenses. They look legitimate. They use real usernames and real passwords. They arrive from recognized applications. Their activity looks indistinguishable from your staff’s regular workday.
That’s the core insight from the Darktrace report. According to their global data, nearly 70% of incidents in the Americas now begin with stolen or misused accounts. Not with an unpatched software vulnerability. Not with a brute-force attack on your perimeter. With a valid credential that an attacker obtained some other way, usually through phishing.
The Numbers Behind the Shift
The scale is hard to ignore. In 2025 alone, Darktrace detected 32 million phishing emails across its global customer fleet. Of those, more than 8.2 million specifically targeted VIPs, which in accounting terms means managing partners, senior CPAs, and anyone with broad system access. That’s over a quarter of all phishing activity directed at your highest-value accounts.
AI is accelerating this. Darktrace found that signs of AI-assisted phishing grew year-over-year, with novel social engineering techniques rising from 32% to 38% and long-form, high-text messages (the kind that look like real client communications) increasing from 27% to 33%. Attackers are using the same AI tools that everyone else is using, and they’re using them to write better phishing emails at scale.
QR-code phishing increased 28%, climbing from 940,000 attacks in 2024 to more than 1.2 million in 2025. New variants include a technique called “splishing,” in which a QR code is split across two separate images to evade email security filters. These are appearing in emails that look like routine client requests, invoices, or software notifications.
And when those phishing attacks work, what happens next is the problem. Once an attacker has valid credentials, they don’t need to exploit anything. They use legitimate tools and existing permissions to move through your systems quietly. Traditional security tools cannot distinguish between your paralegal logging in at 9am and an attacker logging in at 2am from another country, because both are using the same valid password.
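As an added illustration (not code from the original article or from Verito), here is the kind of simple detection rule that does tell the 9am paralegal and the 2am attacker apart even though both present a valid password: it reads successful logins and flags any that fall outside business hours or come from a country that user has never logged in from before. The log format, the business-hours window and the sample events are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of login events (every "success" used a valid password).
# Format: timestamp (ISO, local office time), user, source country, outcome.
SAMPLE_LOG = """\
2026-02-03T09:02:11 jdoe US success
2026-02-03T09:15:40 mlee US success
2026-02-04T08:58:03 jdoe US success
2026-02-04T17:21:55 mlee US success
2026-02-05T02:07:19 jdoe RO success
2026-02-05T09:01:30 jdoe US success
2026-02-06T14:40:12 mlee US failure
"""

# 07:00 to 19:59 local time; an assumption chosen for the example.
BUSINESS_HOURS = range(7, 20)


def parse_log(text):
    """Parse the constructed log into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, country, outcome = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"when": when, "user": user,
                       "country": country, "outcome": outcome})
    return events


def flag_suspicious_logins(events):
    """Return (timestamp, user, reasons) for successful logins that are
    off-hours or from a country not in that user's baseline. The baseline
    is the set of countries the user has previously succeeded from."""
    seen_countries = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["when"]):
        if ev["outcome"] != "success":
            continue  # failed attempts are a different signal; not scored here
        reasons = []
        if ev["when"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        baseline = seen_countries[ev["user"]]
        if baseline and ev["country"] not in baseline:
            reasons.append(f"new-country:{ev['country']}")
        baseline.add(ev["country"])
        if reasons:
            alerts.append((ev["when"].isoformat(), ev["user"], reasons))
    return alerts


if __name__ == "__main__":
    for when, user, reasons in flag_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"ALERT {when} {user}: {', '.join(reasons)}")
```

Note that the rule adds the 02:07 login's country to jdoe's baseline once it is seen, so a real deployment would build the baseline from confirmed-legitimate history rather than from the live stream as this short version does.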
As one security executive summarized in response to the Darktrace findings: “Identity has become the attacker’s skeleton key.”
Why Accounting and Tax Firms Are the Perfect Target
Every industry has a cybersecurity problem right now. But accounting firms have a specific, structural problem that makes them disproportionately attractive targets.
Think about what you hold. For every client on your roster, you have their Social Security number, prior-year tax returns, bank account information, payroll data, investment records, and business financials. That’s not one sensitive file. That’s a complete financial identity, and you hold dozens or hundreds of them.
On the dark web, a stolen credit card number sells for a few dollars. A complete tax identity package with SSN, income history, and bank details can command ten to twenty times more. Cybercriminals know your client files are among the most monetizable records in any industry.
The Statistics Are Not Abstract
| Indicator | What the data shows |
| --- | --- |
| High-Value Targets | Tax professionals remain a high-value target for identity thieves because they store complete financial identities for clients. |
| Phishing Risk | Phishing remains one of the most common attack vectors used to steal tax professionals’ credentials. |
| Ongoing Threat | Hundreds of breaches affecting hundreds of thousands of taxpayers have been reported in recent years. |
| ~50% | Spike in ransomware, phishing, and credential theft attempts targeting accounting firms during tax season (January through April). |
| $6.08M | Average cost of a data breach in the financial services sector — 22% above the global average. |
| High Stakes | Cyberattacks can be devastating for small firms, often causing prolonged operational disruption and severe financial losses. |
| 88% | Of web application attacks in 2025 involved stolen or brute-forced credentials. |
Real Firms. Real Consequences.
These are not hypothetical scenarios:
- A Georgia CPA firm paid a $450,000 ransom to regain access to encrypted client files after a ransomware attack. The data may still have been sold.
- Chicago-based Legacy Professionals LLP notified 216,752 individuals after a 2024 hack and is now facing at least five class-action lawsuits. The remediation alone represents an existential cost for a mid-sized firm.
- A mid-sized accounting firm in the Southeast was hit 48 hours before the April filing deadline. Systems were down. Deadlines were missed. Within 12 months, the firm had closed.
And outside accounting: Jaguar Land Rover, Marks & Spencer, and Salesforce all experienced high-profile breaches in 2025. In many of these cases, the intrusion began not with a sophisticated software exploit, but with a compromised identity. Once inside, attackers used trusted accounts and existing permissions to move laterally through systems for days or weeks before detection.
For accounting firms, the consequences go beyond financial loss. A breach means IRS notification obligations, potential FTC penalties, client notification requirements, and the near-certain loss of clients who trusted you with their most sensitive data. One accounting advisor summarized it plainly: “We can’t just sit back and say, ‘I don’t understand this’ or ‘I’m going to plead ignorance.’ Ignorance is no longer an excuse.”
Tax Season: The Danger Window
The timing matters. The IRS Security Summit consistently reports that cyberattack attempts against tax professionals spike by roughly 50% between January and April. Attackers know the calendar better than most CPAs do.
During tax season, your staff is handling more logins, more client data, more time pressure, and more external communication than at any other point in the year. Vigilance drops under load. Phishing emails dressed as client requests go unscrutinized. Remote contractors and seasonal staff introduce additional access points.
This creates a compounding risk: the period when your firm is most data-rich is also the period when your defenses are most likely to slip.
The Compliance Layer: This Is Now a Legal Obligation
If the business risk alone isn’t compelling, consider the regulatory environment. Over the last several years, the compliance requirements around data security for accounting and tax professionals have tightened significantly, and many small and mid-sized firms are not aware of the full scope of what’s now required.
FTC Safeguards Rule (GLBA)
The Gramm-Leach-Bliley Act Safeguards Rule, now administered by the FTC, applies directly to CPA firms and tax professionals. Key requirements include: implementing a written information security plan (WISP), conducting regular risk assessments, mandating multi-factor authentication across all systems, and notifying the FTC within 30 days of any breach affecting 500 or more consumers.
This is federal law. It applies to solo practitioners. Non-compliance can result in civil penalties and regulatory action.
IRS Publication 4557 and WISP Requirements
Under IRS Publication 4557, federal law requires all tax professionals to create, implement, and maintain a written information security plan, regardless of firm size. The IRS is explicit: a solo practitioner with one computer and five clients still needs a WISP.
The Written Information Security Plan must document your firm’s data security practices, how client data is stored and transmitted, and what steps you would take in the event of a breach. Firms without one are not just unprepared. They are non-compliant.
AICPA Standards Update (2024)
Effective January 1, 2024, the AICPA updated its Statements on Standards for Tax Services with the addition of Section 1.3, which explicitly requires CPAs to take reasonable steps to safeguard taxpayer data. The updated standard covers data storage methods, third-party vendor security practices, and documentation of protection measures.
This isn’t aspirational guidance. It’s now part of your professional standards.
Here’s a consequence many firms haven’t thought through: cyber insurance claims are increasingly being denied when firms cannot demonstrate WISP documentation, current risk assessments, or active MFA implementation.
If you purchase a cyber liability policy without meeting these baseline compliance requirements, you may be paying for coverage that will not pay out when you need it. Non-compliance creates double exposure: regulatory liability and uninsured breach costs.
The compliance gap is real: according to CPA Practice Advisor, 99% of accounting firms say cybersecurity is important. But 15% have already experienced a breach they detected. Many more are compromised right now and don’t know it.
What the Old Security Checklist Gets Wrong
Most small and mid-sized accounting firms have some version of the same security setup: antivirus software, a basic firewall, maybe a password manager, and an annual reminder to staff about phishing emails. That’s the checklist. It was designed for a different threat model.
The old model assumed the threat would announce itself. Malware would be caught by antivirus. Intrusions would be flagged by the firewall. Suspicious activity would look suspicious.
Credential-based attacks don’t look suspicious to any of those tools. There is no malware to detect. There is no intrusion to flag. There is only a valid user account that is now controlled by someone who shouldn’t have it, moving through your systems in ways that look completely normal.
According to the 2025 Verizon DBIR, 74% of breaches involved a human element, including errors, stolen credentials, or social engineering. You cannot patch a human element. You cannot firewall a valid password.
This is why the most dangerous thing about credential theft is not the initial compromise. It’s how long attackers can sit inside your environment before being detected. Days. Weeks. Sometimes longer. Quietly downloading client files. Mapping your systems. Waiting for the right moment.
There is a specific risk that many accounting firms don’t fully appreciate: shared cloud hosting environments.
On a shared hosting platform, multiple firms share the same underlying infrastructure. This creates what’s called a “noisy neighbor” problem, but the security implications go further. If another firm on the same shared server is compromised, attackers can potentially leverage that access to probe or reach adjacent environments. Your security posture becomes partially dependent on every other tenant on the same host.
This is especially relevant given Darktrace’s finding that Microsoft Azure was the most targeted cloud provider in 2025, accounting for 43.5% of malware samples collected from honeypot data. Most generic shared cloud environments for accounting firms are built on commodity Azure or AWS infrastructure, with shared credentials and pooled access controls.
What Genuinely Protects Accounting Firms in 2026
The good news is that the shift in threat model, while significant, points clearly toward specific defensive priorities. The firms that are not compromised in 2026 will share a few structural characteristics:
1. Isolated, Dedicated Infrastructure
If your firm’s data lives on a dedicated private server rather than a shared environment, attackers cannot reach you by compromising another tenant. There is no lateral movement path. Your environment is fully isolated.
This is not a luxury for enterprise firms. Dedicated cloud hosting for tax and accounting software is available at a price point accessible to solo practitioners and small firms. And during tax season, when usage can spike 3 to 5 times baseline, dedicated resources also mean no performance degradation, no slowdowns, and no shared bottlenecks.
2. Multi-Factor Authentication, Everywhere
The FTC Safeguards Rule now mandates MFA for tax professionals. But the security case is equally compelling: Microsoft’s research indicates that MFA reduces the risk of account compromise by 98.56%, even when login credentials have been stolen.
MFA alone won’t stop a determined attacker, but it raises the cost of a credential-based attack dramatically. An attacker with a stolen password still needs the second factor. Most opportunistic attackers will move on to easier targets.
MFA must be active on every system that accesses client data: your tax software, your document management platform, your email, your client portal, and your remote access tools. A single unprotected entry point is all an attacker needs.
3. A Current, Compliant WISP
The WISP is both a compliance requirement and a practical tool. When a breach occurs (and at the rate accounting firms are being targeted, “if” is not the right framing), your WISP is the document that tells you what to do, who to notify, and how to limit the damage.
Firms without a WISP face three simultaneous crises when a breach hits: the technical problem, the regulatory reporting obligation, and the absence of any documented plan. Having a written information security plan in place before something goes wrong is the difference between a recoverable incident and a firm-ending one.
The IRS’s Publication 4557 compliance guide provides a solid framework for what your WISP needs to cover.
4. SOC 2 Type II Certified Infrastructure
When evaluating cloud hosting or managed IT providers, SOC 2 Type II certification is the meaningful credential to look for. SOC 2 Type II means an independent auditor has verified that the provider’s security controls were operating effectively over a sustained period, not just on a specific date.
Most commodity cloud hosting providers are not SOC 2 Type II certified. This matters because using a non-certified provider while asserting FTC Safeguards compliance is a gap an auditor or regulator will find.
5. Support That Actually Understands Your Software
There is a practical security dimension to having IT support that genuinely understands accounting software. A support team unfamiliar with Lacerte, Drake Tax, CCH Axcess, or QuickBooks Desktop will take longer to diagnose anomalies, longer to respond to issues, and longer to restore normal operation after an incident.
During tax season, every hour of downtime has a direct dollar cost. The right IT support for accounting firms is one that responds in minutes, resolves issues on first contact, and knows the difference between a QuickBooks multi-user configuration issue and an active intrusion.
If you’re not sure whether your current infrastructure and compliance posture are up to the 2026 threat standard, Verito’s resource on future-proofing your firm is a practical starting point: verito.com/future-proof-your-firm
Verito’s VeritCertified™ program ensures every engineer supporting client environments has passed rigorous training across server support, accounting software troubleshooting, cybersecurity operations, and compliance-awareness protocols. The results are measurable: 100% uptime delivery, sub-1-minute average support response times, and a 92% First Touch Resolution rate. That means issues are resolved by the first engineer who picks up the request. No escalations. No call bouncing. No wasted time during a filing deadline.
The Bottom Line: Your Credentials Are the Attack Surface
The threat model has changed. The attack surface is no longer your firewall. It is every login your firm uses.
QuickBooks login. Tax software login. Email. Client portal. Remote access. Every one of these is a potential front door. And the people who want inside your firm are very good at obtaining keys.
The most dangerous thing about credential theft is that it looks like normal activity. An attacker inside your environment using a staff member’s account is invisible to every legacy security tool built on the assumption that threats come from the outside.
The firms that will avoid major breaches in 2026 are not the ones with the most expensive security software. They are the ones that have eliminated shared infrastructure exposure, locked down every access point with MFA, maintained current compliance documentation, and built their technology stack on providers who take cybersecurity for accounting firms as seriously as their clients take protecting their own data.
What to Do This Week
- Audit every login point your firm uses and confirm MFA is active on all of them
- Check whether your current cloud hosting provider is SOC 2 Type II certified
- Review or create your WISP; the IRS requires it and the FTC will ask for it
- Confirm your cyber insurance policy aligns with your actual compliance posture
- Evaluate whether shared hosting infrastructure is introducing risk that dedicated, isolated hosting would eliminate
You protect your clients’ financial lives. Protecting the infrastructure that holds that data is the same obligation. And in 2026, that starts with understanding the threat that’s actually in front of you.
The hackers have moved on from breaking in. Make sure your firm has moved on from protecting only against that.
Frequently Asked Questions
1. What is credential theft and why does it matter for CPA firms?
Credential theft is when an attacker obtains your login credentials (username and password) through phishing, data leaks, or social engineering, and uses them to access your systems as if they were you. For CPA firms, this is especially dangerous because your systems hold complete financial identities for every client: SSNs, tax returns, bank details, and payroll data. An attacker with valid credentials can access all of it without triggering a single security alert, because they’re using a legitimate login. According to the Darktrace Annual Threat Report 2026, nearly 70% of incidents in the Americas now begin with stolen or misused accounts.
2. Are small and solo CPA firms actually at risk, or is this mainly a problem for large practices?
Small and solo firms are often at greater risk precisely because they’re assumed to have weaker security. Cybercriminals target them for the same data they hold (client SSNs, tax returns, financials) while expecting less sophisticated defenses. Tax professionals remain a high-value target for identity thieves because they store complete financial identities for clients. Federal regulations including the FTC Safeguards Rule and IRS Publication 4557 apply to every tax professional regardless of firm size, including sole practitioners.
3. What is a WISP and is it really required?
A WISP (Written Information Security Plan) is a documented policy that outlines how your firm protects client data, how it would respond to a breach, and what security controls are in place. Federal law requires all tax professionals to have one, with no exemptions for firm size. The IRS Publication 4557 and FTC Safeguards Rule both mandate it. Firms without a current WISP face regulatory exposure, potential denial of cyber insurance claims, and significantly worse outcomes when a breach occurs.
4. How does dedicated cloud hosting reduce credential theft risk compared to shared hosting?
On shared hosting, multiple firms share the same underlying infrastructure. If another tenant on the same server is compromised, attackers can potentially leverage that access to reach adjacent environments. Dedicated private servers create full isolation: your environment cannot be reached via another firm’s compromise. There is no shared credential pool, no shared network, and no lateral movement path into your data. It’s the same principle as the difference between a shared office building and a private one.
5. What does SOC 2 Type II certification actually mean?
SOC 2 Type II is an independent audit certification that verifies a service provider’s security controls were operating effectively over a sustained period of time (typically 6 to 12 months). It covers security, availability, processing integrity, confidentiality, and privacy. Unlike a one-time snapshot audit, Type II verifies ongoing operational compliance. For accounting firms evaluating cloud hosting providers, SOC 2 Type II certification is the meaningful standard. Most commodity hosting providers are not certified to this level.
6. Does multi-factor authentication (MFA) actually stop credential theft attacks?
MFA doesn’t prevent credentials from being stolen, but it dramatically reduces the attacker’s ability to use those credentials. Microsoft’s research shows MFA reduces account compromise risk by 98.56% even when login credentials have been obtained. The FTC now mandates MFA for all tax professionals under the updated Safeguards Rule. For accounting firms, MFA needs to be active on every access point: tax software, email, client portals, and remote access tools. A single unprotected login is all an attacker needs.
7. Why are cyberattacks on accounting firms worse during tax season?
The IRS Security Summit reports that ransomware, phishing, and credential theft attempts against tax professionals spike approximately 50% between January and April. Attackers deliberately time campaigns around peak-pressure windows when staff are moving fast, handling more external communications, and less likely to scrutinize suspicious emails. Remote seasonal staff, elevated login activity, and compressed deadlines all create conditions where a single missed phishing email can become a firm-ending incident. This is the accounting equivalent of Black Friday-related phishing, which Darktrace found spiked 620% in late 2025.
8. What questions should I ask my current IT or hosting provider to assess my security posture?
Start with these: Is your infrastructure SOC 2 Type II certified? Are our environments fully isolated from other clients? Is MFA enforced across all access points? What is your average incident response time? What accounting software does your support team have direct expertise with? Do you provide WISP development support and FTC/IRS compliance alignment? If your current provider can’t answer these clearly, that’s meaningful information. Verito’s guide on questions to ask before hiring a CPA IT provider covers this in full.
Sources and Further Reading
Darktrace Annual Threat Report 2026 — GlobeNewswire, February 2026
Darktrace 2025 Mid-Year Cyber Threat Landscape — Darktrace Blog
Darktrace Flags 32 Million Phishing Emails in 2025 — Infosecurity Magazine
Darktrace Threat Report: Logging In Is the New Breaking In — SecureWorld
Cybersecurity for Accounting Firms — Financial Cents (Georgia ransom case, Legacy Professionals LLP)
IRS Security Summit — Protect Your Clients; Protect Yourself — IRS.gov
IRS Identity Theft Information for Tax Professionals — IRS.gov (91% spear phishing statistic)
IRS Security Summit — Protecting Tax Professionals from Identity Theft — IRS.gov
Your Accounting Firm Is a Target: 4 Priorities for Modern Cybersecurity — PICPA (703% credential phishing surge, $4.88M average breach cost)
Top Cybersecurity Priorities for CPA Firms Before Tax Season — Unison Globus (50% tax season spike)
IBM Cost of a Data Breach Report 2024 — IBM Security ($6.08M financial services average)
Verizon Data Breach Investigations Report 2025 — Verizon (88% credential attack statistic, 74% human element)
This article was produced by Derivatex for Verito. For questions about your firm’s IT security and compliance infrastructure, visit verito.com.
