March 2026 Cyber Insider Newsletter

5 Security Questions to Ask Your Accountant This Tax Season 

In this issue, explore some cybersecurity tips for the tax season, and learn how to defend against AI powered tax season scams!

Share Article

A Note from Andy Larin, CEO 

Tax season brings a surge in sophisticated scams targeting Canadian businesses and individuals. In the first three quarters of 2025 Canadians reported losses of $544 M to scams and fraud. That’s a big number, but the Canadian Anti-Fraud Centre estimates that it represents just 5 to 10 percent of actual fraud losses since victims are generally reluctant to report fraud.  

The recent CRA breaches affecting over 62,000 taxpayers remind us that vigilance is critical—even trusted institutions can be vulnerable. But here's something equally important to consider: how secure is your accountant's practice? This month, we're helping you ask the right questions to ensure your tax preparer takes data protection seriously. We’ll also share our top defense strategies to help you spot and avoid AI-powered tax scams. 

Stay alert, verify everything, and don't hesitate to ask tough questions about how your sensitive information is being protected. 

Andysig


FEATURED ARTICLE

5 Security Questions to Ask Your Accountant This Tax Season 

You wouldn't hand over your house keys to someone without knowing they'd keep them secure. Yet every tax season, millions of Canadians hand over something far more valuable—Social Insurance Numbers, banking details, and complete financial histories—to accountants they've never questioned about security. 

With cyberattacks on accounting firms surging 300% since COVID-19 it's time to have an important conversation with your tax preparer. Here's what you need to ask—and what their answers may tell you. 

"How do you protect my personal and financial information?" 

Look for specifics: encrypted data storage, access controls, and regular security audits. Red flags: vague answers or files stored on personal devices or unsecured cloud storage. 

"Do your employees use multi-factor authentication?" 

If they don't know what MFA is or haven't implemented it, your data is protected by passwords alone. Not acceptable in 2026. 

"What happens if you get hacked?" 

Every business needs an incident response plan and cyber liability insurance. If they fumble this or say "we've never been hacked so we haven't worried about it," that's a red flag. Cybersecurity incidents aren't a question of if, but when. 

"How do I securely send you my documents?" 

You want a secure client portal or encrypted email system. Red flags: "Just email them," "Drop them in my Dropbox," or "Text me photos." 

"When was your team last trained on cybersecurity?" 

Regular training (at least annually, ideally quarterly) keeps staff alert to evolving threats. If the answer is "a few years ago" or vague, the firm is vulnerable. 

The Bottom Line: If your accountant gets defensive or can't answer these questions, you've learned something important. Don't be afraid to ask—accountants who take security seriously will appreciate your diligence. 

Want to check your tax preparer's email security? Enter their email address in our Domain Security Checker 


EYE ON A.I.  

AI Fraud Cost Canadian Companies 5% of Annual Profits in 2025 

Tax season brings heightened risk, and this year scammers have a powerful new weapon: artificial intelligence. A KPMG survey of 251 Canadian companies reveals the shocking scale—72% lost up to 5% of their annual profits to AI-driven fraud in 2025, with 81% experiencing AI-enabled attacks. 

Why Traditional Detection No Longer Works: 

Modern AI-powered scams are:

  • Grammatically perfect with authentic tone
  • Personalized at scale using scraped data
  • Convincingly formatted with graphics mimicking legitimate correspondence 

The Top Three AI Fraud Schemes Targeting Businesses: 

According to KPMG's findings: 

  • AI-generated phishing emails/chats (60%) 
  • Deepfake documents (39%)  
  • Voice-clone executive impersonation calls (24%) 
  • The Bottom Line: Verification through independent channels is now your primary defense against AI-enhanced phishing techniques. Picking up the phone and confirming through a verified number can save you a lot of pain – and money! 

TECH TIP 

Your Defense Strategy Against AI-Powered Tax Scams 

Verify independently, always:

  • Never click links in emails claiming to be from the CRA
  • Go directly to https://www.canada.ca/en/revenue-agency to sign into your account and check notices
  • Call the CRA at 1-800-959-8281 (find numbers only from canada.ca—never from suspicious messages)
  • Want to verify if a CRA phone number is legitimate? Use the official verification tool here.
  • Always confirm unexpected requests through known channels before responding 

Check website addresses carefully: 
The official website for the CRA uses web addresses that either start in canada.ca or end in cra-arc.gc.ca. If it doesn’t, it could be a fake website pretending to be a CRA website. 

Question urgency: 
If a message demands immediate action (payment, verification, document upload), pause. Scammers rely on urgency to bypass your judgment. 

Enable multi-factor authentication everywhere always: 
Even if your credentials are stolen, MFA stops attackers from accessing your accounts. 


BULLETPROOF YOUR BUSINESS 

6 Security Essentials Every Accounting Firm Must Have 

If clients are asking the questions from our feature article, your firm needs strong answers. Here are the six non-negotiables:

  1. Email Authentication (SPF, DKIM, DMARC) 
    Configure these protocols to prevent domain spoofing. Without them, scammers can send fake emails appearing to come from your firm. Check your domain security here.
  2. Encrypted Data Storage & Transmission
    Client files must be encrypted at rest and in transit. Use secure client portals or encrypted email—never standard email for sensitive documents.
  3. Multi-Factor Authentication (MFA) Everywhere
    Every employee must use MFA for all systems containing client data. This blocks 99.9% of automated attacks.
  4. Written Incident Response Plan
    Document your breach response procedures, including client notification and regulatory reporting. Back this up with cyber liability insurance.
  5. Regular Security Training
    Conduct quarterly cybersecurity training. Your staff must recognize AI-generated scams, especially during tax season.
  6. Access Controls & Audit Logs
    Implement role-based access so employees only see necessary data. Maintain and regularly review audit logs. 

The Bottom Line: These six practices are the baseline for professional data protection in 2026. 

Need help implementing these security measures? Contact allCare IT for a free accounting firm security assessment. 


TOOL SPOTLIGHT 

Keeper Password Vault: Your Defense Against Credential Theft 

The Problem: Tax season means multiple sensitive logins—CRA My Account, banking portals, payroll systems. Reused passwords create a domino effect – one breach compromises everything – yet 65% of Canadians still recycle passwords (Okta 2025).  

The Solution: Keeper Password Vault generates, stores, and autofills unique passwords for every account. You only need to remember one master password; Keeper handles the rest with military grade encryption.  

The Benefits:

  • Eliminate weak and reused passwords
  • Integrates with MFA—stores authentication codes
  • Breach monitoring and alerts
  • Supports Biometrics and Passkeys
  • Syncs across all your devices 

Who It's For: Everyone using online accounts. Especially beneficial for those with multiple financial accounts, accounting firms, and businesses protecting employee credentials. 

The Bottom Line: Using unique passwords for every account isn't optional—it's essential. Keeper makes it effortless. 

→ Questions about password management? Contact us.