By Todd Koch, CPA, MBT, CFP®


Many clients are looking for a new CPA, so receiving email requests for proposals is getting more common. Recently, I received an email request from a Nigerian prince offering me a million dollars to review his tax return. He conveniently attached his return to the email. So, all I needed to do was open his email attachment, and we were in business, right?

Now, while I have not had any phishing emails this obvious before, I have received several similar requests in the last 90 days. These are security threats and are a real danger to our client’s data. We all have heard the warnings that CPAs are prime targets for identity thieves. For years, cybersecurity criminals have been infiltrating the IRS to steal taxpayer information, but they’ve realized it is a lot easier to get that information from us.

A reputation, once lost, is gone forever

We have a legal duty under the Gramm-Leach Bliley Act to have a plan to deal with our clients’ private information. But I worry about client security for another reason. I am a CPA.

As a CPA, one of my primary business assets is my reputation, and it’s vital that I protect this. It has taken me too long to earn my reputation, and it only takes one mistake to lose a good name. I do not want to be part of a news story that begins “Security breach at…”

Constant vigilance and rigorous cybersecurity policies can help protect your firm’s data. The AICPA Tax Section has some best practices for keeping client data secure. Below are a few of my practical considerations that you should be doing (if you are not doing them already).

Secure emails

Emails are a leading entry point for security breaches. At our firm, we receive about 2.2 million emails a year. A cloud spam filter stops 90-95% of these emails from reaching our server. This is a good first step.

Get your staff into the mindset of never opening email attachments from new client solicitations. Be sure to create a policy that includes how all new client communications must first be addressed by a phone call to the potential client to determine if this is a new legitimate business proposal.

A cooperative between staff and IT

To reduce the possibility of becoming a victim of data breaches, our IT consultants routinely train and remind our staff to be vigilant. Staff should forward questionable emails to your IT department to evaluate and quarantine.

Also, have your IT department send out phishing emails disguised as real client emails. Test your staff to see if they will take the bait by clicking on an email attachment. This is a great way to assess whether your training is working.

Your trash is someone else’s treasure

There is a goldmine of client data on phones, tablets, or laptops. Staff should let their IT department know before they plan to sell or trade-in their electronic devices and equipment. The IT department can then wipe all data from the phone before it changes hands.

Also, lost electronic devices and equipment should be immediately reported to your IT department so they can help mitigate some of the damage. They can reset your accounts and possibly disable your stolen devices so thieves cannot steal your firm’s data.

Get your clients on the bandwagon

Clients need to be aware of the issues of data security. Educate them on the potential risks and get them to embrace your policies for safeguarding their information.

The days of sending PDF attachments via regular email are over. We encourage our clients to use client portals to share their files. A client portal makes it easy to access, manage, and share data securely.

For those clients who do not use secure client portals, we send attachments to them using a secure email service that encrypts our emails in addition to other security measures. This ensures we have private communication channels with our clients.

Also, we are mindful of the packages we mail out. Not only do they have our clients’ names, addresses, birthdates, banking, and investment information, but we put all this information in one convenient package with no means to lock or password protect it. Thus, we make it easy for anyone with a motive to easily steal that information.

Make it standard practice for clients to come and pick up their income tax returns. Very few of our clients come and pick up their returns now, but we are encouraging them to pick up their packages or have their returns couriered to them.

Lockdown those assets

Low-tech considerations, although obvious and simple, should not be overlooked. For years now, we have had a shredding company come to the office regularly to get rid of our paper documents securely. They must have a security card to even gain entry to our office.

One thing we implemented this year was asking the vendor who handles our firm’s janitorial duties to come during the workday. It may be a little inconvenient for both parties, but it helps eliminate any potential security concerns that come from documents ending up in the hands of non-staff.

Closing thoughts

A fully secure environment is not possible. As one human can do, another can undo. We need to continue to keep security at the forefront of our everyday life. Otherwise, we may inadvertently allow the Nigerian prince into our doorway.