Your Accounting Firm's Biggest Cyber Risk Isn't Email. It's Client Portals.

Everyone trains staff on phishing. Almost nobody audits the portal where clients upload tax returns, bank statements, and payroll records. That's the problem.

Your team has probably sat through phishing awareness training. Maybe twice. They know not to click the invoice from the sender they don’t recognize. Good.

But when was the last time anyone reviewed who has access to your client portal?

The portal is where the sensitive stuff actually lives

Email gets all the attention in cybersecurity conversations because it’s the most common entry point. Fair enough. But the client portal is where your most sensitive documents sit: tax returns, bank statements, payroll records, K-1s, financial statements, Social Security numbers. Everything an attacker actually wants.

Most CPA firms set up their portal (ShareFile, SmartVault, SafeSend, Canopy, Liscio, whatever you use) when they first adopted it and haven’t touched the configuration since. That means:

  • Former clients still have active accounts
  • Former employees still have access (or their accounts were “disabled” but never fully removed)
  • Shared links from three tax seasons ago are still live
  • MFA is optional or only required for internal staff, not clients
  • Nobody’s looking at access logs to see who downloaded what, and when

This is already happening. In April 2026, the IRS’s Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (ISAC) warned that threat actors were specifically targeting tax professionals’ client portals and cloud storage to harvest PII for fraudulent returns. The pattern: compromise one staff credential through phishing, then use that access to quietly download client documents from the portal over days or weeks before anyone notices.

Why this matters more than a phishing click

When an employee clicks a phishing link, you usually know pretty quickly. The credential gets used somewhere suspicious, MFA blocks it, or the security tool fires an alert. There’s a detection window.

Portal compromise is quieter. An attacker with valid credentials downloading documents looks identical to normal business activity. There’s no malware to detect. No suspicious executable. Just someone logging in and accessing files they’re “authorized” to see.

And the blast radius is different. A compromised email account exposes whatever’s in that person’s inbox. A compromised portal account can expose every client document in the system, depending on how permissions are structured. For a 15-person CPA firm with 400 clients, that’s thousands of tax returns and financial statements in one breach.

What your cyber insurer is starting to ask

Cyber insurance underwriters have caught on. Renewal questionnaires over the past 18 months have gotten noticeably more specific about cloud storage and client-facing applications. Questions we’re seeing on 2026 renewals:

  • Do you require MFA for all users accessing client data, including external/client users?
  • Do you have a process for deprovisioning access when client relationships end?
  • Are file-sharing links set to expire automatically?
  • Do you review access logs for your document management or portal system?
  • Is your client portal configured for least-privilege access (staff only see clients they’re assigned to)?

If you can’t answer “yes” to those, you’re either paying more for coverage or not getting the coverage you think you have. Some underwriters are adding exclusions for breaches involving unmanaged cloud applications. That client portal you set up in 2019 and forgot about qualifies.

The audit nobody does

A quarterly portal security review doesn’t need to be complicated. It needs to happen.

Pull the full user list and compare it against current clients and current employees. Remove everyone who shouldn’t be there. This takes 30 minutes for a small firm, but nobody does it because nobody owns it.

Check permissions. Does every staff member need access to every client folder? Probably not. Your admin staff doesn’t need to see the same files as your senior partner. Most portal platforms support role-based access, but the defaults give everyone access to everything.

Look at shared links. Most platforms let you set auto-expiration (7 days, 30 days, after first download). If you’ve been sending permanent links, those are still live. Any of them could be forwarded, bookmarked, or sitting in a compromised email account somewhere.

Turn on MFA for client accounts if your portal supports it (most modern ones do). Yes, some clients will complain. That complaint is easier to handle than calling 400 clients to tell them their SSNs were stolen.

And review your logs. Login times, download volumes, geographic locations. If a client in Des Moines is suddenly downloading files from an IP in Eastern Europe at 2 AM, you want to know about that before the IRS calls you.
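One way to run the first and last of those checks against a portal user list and access-log export, as an added example that is not part of the original post and not any vendor's tooling; the column layout, the accounts, the thresholds and the home-country baseline are all constructed assumptions:

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample portal export (hypothetical column layout, not any vendor's real format):
# timestamp, user, action, client_folder, bytes, country (as the platform geolocates the IP)
PORTAL_LOG = """\
2026-04-02T09:14:00,jsmith@client.example,download,JSMITH,120000,US
2026-04-02T09:20:00,acct1@firm.example,download,JSMITH,90000,US
2026-04-03T02:05:00,jsmith@client.example,download,JSMITH,4100000,RO
2026-04-03T02:07:00,jsmith@client.example,download,JSMITH,3900000,RO
2026-04-03T02:09:00,jsmith@client.example,download,JSMITH,3500000,RO
2026-04-03T10:00:00,acct1@firm.example,download,ACME,45000,US
2026-04-04T23:30:00,old_temp@firm.example,download,ACME,2500000,US
"""
# Constructed portal user list and the firm's own records of who should still have access.
PORTAL_USERS = {"jsmith@client.example", "acct1@firm.example",
                "old_temp@firm.example", "closed_co@client.example"}
ACTIVE_CLIENTS = {"jsmith@client.example"}
CURRENT_STAFF = {"acct1@firm.example"}
HOME_COUNTRY = {"jsmith@client.example": "US", "acct1@firm.example": "US"}

def stale_accounts(portal_users, active_clients, current_staff):
    # Review step 1: portal accounts that belong to neither a current client nor current staff.
    return portal_users - active_clients - current_staff

def parse_log(text):
    rows = []
    for ts, user, action, folder, size, country in csv.reader(text.splitlines()):
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                     "folder": folder, "bytes": int(size), "country": country})
    return rows

def flag_downloads(events, home_country, bulk_bytes=5_000_000, quiet_hours=(22, 6)):
    # Review step 2: {user: reasons} for downloads that deserve a second look.
    reasons, daily = defaultdict(set), defaultdict(int)
    start, end = quiet_hours
    for e in (e for e in events if e["action"] == "download"):
        u, hour = e["user"], e["ts"].hour
        if u in home_country and e["country"] != home_country[u]:
            reasons[u].add(f"download from {e['country']}, expected {home_country[u]}")
        if hour >= start or hour < end:   # 22:00 to 05:59, when a client is rarely online
            reasons[u].add("download outside business hours")
        daily[(u, e["ts"].date())] += e["bytes"]
    for (u, day), total in daily.items():   # a bulk pull in one day: the IRS ISAC pattern
        if total > bulk_bytes:
            reasons[u].add(f"{total} bytes downloaded on {day}")
    return dict(reasons)
```

On this constructed sample, `stale_accounts(...)` returns the two accounts to remove, and `flag_downloads(parse_log(PORTAL_LOG), HOME_COUNTRY)` flags the 2 AM pull from RO and the former temp's late-night download while leaving the assigned accountant's normal activity alone. Real platforms export different columns; adjust `parse_log` to match yours.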

The connection to your WISP

If your firm has a Written Information Security Plan (and the IRS requires one), your portal security should be documented in it. The WISP needs to cover how you protect client data across your operation, and the portal is where most of that data lives.

But a WISP that says “we use ShareFile” without specifying how it’s configured, who reviews access, and what happens when a client relationship ends is just a checkbox. It won’t protect you in an investigation, and it won’t satisfy an underwriter who actually reads it.

What to do this week

You don’t need a six-month project. You need someone to log into your portal admin panel and answer five questions:

  1. Are there users who shouldn’t have access anymore?
  2. Is MFA required for everyone, including clients?
  3. Are shared links set to expire?
  4. Can staff access only the clients they work with?
  5. When was the last time anyone looked at access logs?

If you don’t know the answers, or if the person responsible for knowing left the firm two years ago, that’s the actual risk. Not the phishing email your team is trained to spot. The portal nobody’s looked at since it was set up.


Artech Solutions manages IT infrastructure and cybersecurity for CPA firms and professional services organizations in the Des Moines metro. If you want someone to audit your portal configuration and build the review process into your ongoing IT management, let’s talk.