Ransomware Defense for Canadian Accounting Firms in Tax Season (2026 Playbook)

Written for solo CPAs, 3- to 15-preparer firms, and mid-market Canadian practices running CCH iFirm, CaseWare, TaxCycle, ProFile, or TaxPrep. CISSP-led, aligned to the Canadian Centre for Cyber Security ransomware playbook (ITSM.00.099), and built around a practical reality: the worst day to discover your backup has never been restore-tested is April 28.

Feb to Apr: peak ransomware window
$5.08M: average ransomware incident cost
CISSP-certified security leadership
4-hour IR activation runbook

Best fit for Canadian CPA firms preparing or renewing CRA EFILE for the 2026 program year.

Why tax season is the high-risk window for Canadian CPA firms

“Tax season is the one window where a CPA firm cannot afford downtime, and attackers know it. The pattern is predictable: a phishing email in February, dormant access until April, encryption on the busiest week of the year. The defence is boring and it works: MFA, tested backups, and email authentication done before February 1.”

Mike Pearlstein, CISSP, CEO and CISO, Fusion Computing

If your firm is heading into another T1 cycle without a documented incident response runbook and tested immutable backups, talk to a tax-season-aware IT specialist.

The 5 ransomware patterns most often used against Canadian accounting firms

According to Coveware (2025), the Q4 2024 quarterly report places the average ransom payment at $553,959 and the median at $110,890, with only 25 percent of victims paying overall and 41 percent of data-exfiltration-only victims paying. The five patterns below are the recurring playbooks Coveware and the Canadian Centre for Cyber Security document against small and mid-market professional services firms.

Canadian CPA firms are not targeted by exotic threat actors. The patterns are the same five categories that show up across Canadian Centre for Cyber Security advisories, Coveware quarterly reports, and the incident-response post-mortems published by the Canadian legal and accounting trade press. What changes during tax season is the volume and the success rate, not the playbook.

1. BEC plus wire-fraud combo: Business email compromise targeting partner or admin mailboxes, usually via credential phishing, followed by an injected inbox forwarding rule so the attacker keeps reading mail after the password is changed. Once inside, the attacker waits for a client banking-detail change, intercepts the request, and substitutes their own account. During tax season, refund-direction changes and trust-distribution wires are the highest-value targets.
2. Practice-management software supply chain: Compromise of a tax or practice-management software vendor or one of its update channels. The 2019 Wolters Kluwer (CCH parent) malware incident remains the most-cited Canadian-relevant example; the vendor's cloud services were offline for days during a U.S. tax-season-adjacent window. Vendor-side incidents are rare, but they remove every customer's ability to work simultaneously.
3. CRA-themed phishing of tax-prep staff: Fake CRA notices, fake Represent a Client login pages, and fake EFILE Helpdesk emails sent to junior preparers, admin staff, and seasonal interns. The OPP and other Canadian forces issued public advisories about a 2026 surge in CRA-themed scams. The successful clicks are not on the partner mailbox; they are on a co-op intern who started two weeks ago.
4. Credential stuffing on remote access: Reused credentials harvested from unrelated breaches replayed against firm Citrix, RDP, VPN, or Microsoft 365 sign-in surfaces. CPA firms running legacy on-premise practice-management servers with internet-exposed RDP are the highest-risk profile. Conditional access with MFA enforced on every sign-in is the single most effective control here; a reused password is worthless to the attacker if it cannot complete a sign-in on its own.
5. Double-extortion with client-data exfiltration: The 2026 default attack pattern. The ransomware operator exfiltrates a copy of the firm's engagement files, client tax returns, and T-slip archive before encrypting. Even a firm with immutable backups and a clean restore faces a separate ransom demand to prevent publication of taxpayer data on a leak site, which is why exfiltration detection (unusual outbound volume, cloud-storage uploads, archive tools on servers) matters as much as encryption detection. Mandiant M-Trends 2025 reports double-extortion is now the default playbook across observed engagements.

Practical defenses for a 5 to 15-staff CPA practice

According to the Canadian Centre for Cyber Security (2021), the Ransomware Playbook (ITSM.00.099) recommends a defense-in-depth model that layers security controls across networks, devices, and information, with logging, alerting, and network segmentation applied at every layer. The defensive stack below operationalizes that playbook for a 5 to 15-staff Canadian CPA practice.

The defensive stack for a small Canadian CPA firm is not exotic. The discipline is having all of it documented, deployed, and active simultaneously before T1 season opens, with evidence a CRA reviewer or a cyber-insurance underwriter can read.

Microsoft 365 advanced phishing protection: Microsoft Defender for Office 365 (Plan 1 minimum) on every mailbox, with Safe Links, Safe Attachments, and anti-impersonation policies tuned for the CRA-themed phishing patterns. The investment is per-user and small. The payoff is intercepting the fake-CRA-notice and fake-EFILE-Helpdesk emails that drive most tax-season compromises before they reach a preparer's inbox.
Conditional access on practice-management software: Microsoft Entra ID conditional access policies requiring MFA on every sign-in to the firm tenant, plus device-compliance and geographic restrictions on CCH iFirm, CaseWare Cloud, TaxCycle Connect, and any cloud practice-management system that honours Entra. Legacy mail protocols (IMAP, POP3, basic-auth SMTP) blocked outright, because those clients cannot complete MFA and otherwise remain a bypass around the MFA policy. Sign-ins from outside the firm's operating geography blocked by default. Every policy excludes one break-glass account so a misconfigured policy cannot lock the firm out of its own tenant.
MDR for ransomware-pattern detection: Managed Detection and Response on every workstation and server. Twenty-four-by-seven monitoring with human analyst response, tuned for the early-stage indicators of ransomware deployment (mass file encryption, shadow-copy deletion, lateral movement, credential harvesting). The Canadian Centre for Cyber Security flags MDR as a game-changer for SMBs that cannot staff a security operations centre, and most 2025 cyber-insurance underwriters now accept EDR or MDR coverage as a baseline requirement.
Immutable backups with tested restore: Encrypted backup of Microsoft 365, the practice-management database, and any on-premise file shares. Crucially, the backup target supports immutability (write-once, cannot be altered or deleted within the retention window, even by an attacker with domain-admin credentials). Immutability only holds if it is enforced by the storage layer and the backup system does not share credentials with the domain: a backup server joined to the domain and administered with the same domain-admin account is one credential theft away from having its retention settings changed. Sophos's State of Ransomware 2024 survey found that 94 percent of organizations hit by ransomware saw the attacker attempt to compromise their backups, which is why insurers and cyber-defence frameworks now treat immutability as table-stakes. Quarterly restore tests, with the result documented.
BCP playbook with 4-hour activation runbook: Written business continuity plan covering a ransomware-style outage during tax season. The activation runbook specifies who decides to declare an incident, who calls the CRA EFILE Helpdesk, who contacts the firm's cyber-insurance breach line, who notifies clients, and who runs the alternate-workflow path (e.g., a clean laptop pool, an emergency client-portal substitute, a CRA taxpayer-relief procedure). The runbook is rehearsed once a year, ideally in November ahead of the next T1 season.
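The conditional access layer above, as an added example written for this page (it is not Fusion Computing's or Microsoft's code). It builds the three policies the control describes with the Microsoft Graph PowerShell SDK: MFA on every sign-in, legacy authentication blocked, sign-ins outside Canada blocked. Assumptions: the Microsoft.Graph module is installed, the operator holds Policy.ReadWrite.ConditionalAccess, the break-glass UPN is a placeholder, and the policies are created in report-only mode first.

```powershell
# Added example, not code from the original page. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$breakGlassUpn = "breakglass@example.ca"               # assumed placeholder; excluded from every policy
$breakGlass    = Get-MgUser -UserId $breakGlassUpn -Property Id
$state         = "enabledForReportingButNotEnforced"    # report-only first; set to "enabled" after review

# Named location for the firm's operating geography (Canada only in this example).
$canada = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Firm operating geography (CA)"
    countriesAndRegions               = @("CA")
    includeUnknownCountriesAndRegions = $false
}

# Shared scope: every user except break-glass, every cloud app.
$scope = @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
    applications = @{ includeApplications = @("All") }
}

# 1. Require MFA on every sign-in.
$requireMfa = @{
    displayName   = "CA01 Require MFA for all users"
    state         = $state
    conditions    = $scope + @{ clientAppTypes = @("all") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2. Block legacy authentication (IMAP/POP3/basic-auth SMTP, Exchange ActiveSync).
#    These clients cannot perform MFA, so without this policy they bypass policy 1.
$blockLegacy = @{
    displayName   = "CA02 Block legacy authentication"
    state         = $state
    conditions    = $scope + @{ clientAppTypes = @("exchangeActiveSync", "other") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Block sign-ins from anywhere except the named location.
$blockGeo = @{
    displayName   = "CA03 Block sign-ins outside Canada"
    state         = $state
    conditions    = $scope + @{
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($canada.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in @($requireMfa, $blockLegacy, $blockGeo)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Verification: every CA0x policy exists, and each one still excludes the break-glass account.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "CA0*" } |
    ForEach-Object {
        [pscustomobject]@{
            Policy             = $_.DisplayName
            State              = $_.State
            BreakGlassExcluded = ($_.Conditions.Users.ExcludeUsers -contains $breakGlass.Id)
        }
    } | Format-Table -AutoSize
```

Leave the policies in report-only for at least a week, review the "Report-only" column of the sign-in logs for anything legitimate that would have been blocked (a shared scanner that still uses SMTP AUTH is the usual surprise), then switch the state to enabled. To add the device-compliance requirement the control mentions, change the grant on CA01 to `operator = "AND"` with `builtInControls = @("mfa", "compliantDevice")`, which requires every workstation to be enrolled in Intune first. The geographic block is noise reduction, not a security boundary: an attacker with a VPN exit in Canada walks through it, which is why MFA and the legacy-auth block are the two policies that actually stop credential stuffing.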

Tax-season operational continuity: what to do if hit on April 15

Hours 0 to 4: Isolate. Disconnect affected devices from the firm network (prefer the MDR/EDR network-isolation function over pulling cables, so the agent keeps reporting). Disable the compromised accounts and revoke their sessions in Microsoft 365 and the practice-management tenant; if scope is unknown, revoke sessions tenant-wide but keep the break-glass account working, since the IR team needs it. Preserve forensic state: do not power off the affected machines until the cyber-insurance breach line and the MDR provider have confirmed the imaging procedure, because memory is lost on shutdown and the encryptor's configuration often lives only there. Contact the cyber-insurance breach hotline first; most policies require notification within a specified window for full coverage, and many require that the insurer's panel IR firm is engaged. Engage the MSP's incident-response team. Begin documenting the timeline with UTC timestamps.
Hours 4 to 24: Assess and decide on CRA contact. Determine scope: which engagements are affected, whether client data was exfiltrated, whether the practice-management database is recoverable from immutable backup, and whether CRA EFILE credentials were exposed. If EFILE credentials are at risk, contact the CRA EFILE Helpdesk to suspend the account pending review (the EFILE Helpdesk has a documented notification path for security incidents). Begin the PIPEDA breach assessment under the "real risk of significant harm" threshold, and check whether Quebec or Alberta private-sector privacy law also applies to the affected clients. Prepare an internal partner-board briefing.
Hours 24 to 72: Seek relief, communicate, restore. CRA does not grant filing extensions for a firm-side outage; for client returns at risk of missing the April 30 deadline, file the request for taxpayer relief from penalties and interest (Form RC4288) where the criteria are met, since CRA accepts extraordinary circumstances including system outages outside the taxpayer's control. Communicate with affected clients in writing, with counsel review on the wording where significant exposure exists. Begin the immutable-backup restore, ideally onto a clean infrastructure tenant so the original compromised environment can be preserved for forensic review. Resume EFILE transmissions only after the CRA EFILE Helpdesk confirms the account is back in good standing and the firm's controls have been re-validated.
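The identity-plane part of the hours-0-to-4 step, as an added example written for this page (not Fusion Computing's runbook): disable each compromised account, revoke its tokens, capture and then disable any mailbox forwarding the attacker left behind, and write every action to a timestamped timeline. Assumptions: the Microsoft.Graph and ExchangeOnlineManagement modules are installed, the operator holds User.ReadWrite.All plus Exchange admin rights, and the UPNs and paths are placeholders.

```powershell
# Added example, not code from the original page. Run as a .ps1 from a known-clean admin workstation.
param(
    [string[]] $CompromisedUsers = @("preparer1@example.ca", "admin@example.ca"),  # assumed placeholders
    [string]   $BreakGlassUpn    = "breakglass@example.ca",                         # assumed placeholder
    [string]   $EvidenceDir      = "C:\IR",                                          # assumed placeholder
    [switch]   $RevokeAllSessions   # tenant-wide token revocation when scope is unknown
)

$Timeline = Join-Path $EvidenceDir "timeline.log"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

function Write-Timeline([string] $Message) {
    # UTC ISO-8601 so the record lines up with Entra and MDR logs without timezone arithmetic.
    $line = "{0} {1}" -f (Get-Date).ToUniversalTime().ToString("o"), $Message
    Add-Content -Path $Timeline -Value $line
    Write-Host $line
}

Connect-MgGraph -Scopes "User.ReadWrite.All"
Connect-ExchangeOnline -ShowBanner:$false
Write-Timeline "Incident declared; identity containment started"

foreach ($upn in $CompromisedUsers) {
    # 1. Block new sign-ins AND invalidate existing refresh tokens. Disabling alone is not
    #    enough: tokens the attacker already holds stay valid until they expire.
    Update-MgUser -UserId $upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Write-Timeline "Disabled account and revoked sign-in sessions for $upn"

    # 2. Inbox rules that forward, redirect or delete mail are the BEC persistence mechanism
    #    (pattern 1 on this page). They are evidence: export them, then disable rather than delete.
    $rules = Get-InboxRule -Mailbox $upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage }
    if ($rules) {
        $safeName = $upn -replace "[@.]", "_"
        $rules | Export-Clixml -Path (Join-Path $EvidenceDir "inboxrules-$safeName.xml")
        $rules | Disable-InboxRule -Confirm:$false
        Write-Timeline ("Exported and disabled {0} suspicious inbox rule(s) for {1}" -f @($rules).Count, $upn)
    }

    # 3. Mailbox-level forwarding is set outside the rules engine and is easy to miss.
    $mbx = Get-Mailbox -Identity $upn
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Write-Timeline ("Mailbox forwarding found on {0}: '{1}' '{2}'" -f $upn, $mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress)
        Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        Write-Timeline "Cleared mailbox forwarding for $upn"
    }
}

if ($RevokeAllSessions) {
    # 4. Force every user back through conditional access, except the break-glass account.
    Get-MgUser -All -Property Id, UserPrincipalName |
        Where-Object { $_.UserPrincipalName -ne $BreakGlassUpn } |
        ForEach-Object { Revoke-MgUserSignInSession -UserId $_.Id | Out-Null }
    Write-Timeline "Revoked sign-in sessions tenant-wide (break-glass account excluded)"
}

Write-Timeline "Identity containment complete; endpoint isolation and imaging proceed with MDR"
```

This script touches only the identity plane. Endpoint isolation and imaging stay with the MDR provider and the insurer's forensics team, and the affected machines stay powered on until they say otherwise. Keep the exported rule files and the timeline log with the rest of the evidence; the forwarding addresses in them are usually the first concrete indicator the insurer's investigators will ask for.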

Pre-season hardening checklist (do these by February 1)

The 10 actions below are what we run with every Canadian CPA-firm client between mid-November and the end of January. They are deliberately specific. Half of them cost nothing beyond an afternoon of admin time.

  1. Rotate every shared and service-account password in the firm tenant, the practice-management software, and the cloud file store. Move any remaining shared logins to named-individual accounts.
  2. Audit Microsoft 365 sign-in logs for the prior 90 days for anomalous geographies, impossible-travel events, and successful sign-ins from unmanaged devices. Investigate every flagged event before tax season opens.
  3. Confirm MFA enforcement on every CRA Represent a Client account and every EFILE-touching workstation. Verify the backup MFA option is configured (CRA is prompting individual users to add a backup MFA factor beginning February 2026).
  4. Perform a full restore test of one critical dataset (the practice-management database or a representative SharePoint engagement site) onto a non-production target. Document the test result, the time-to-restore, and any gaps.
  5. Verify immutability on the backup target. Confirm the retention window, the immutability lock, and that a domain-admin account cannot delete or alter backups within the lock window.
  6. Review and update the incident-response runbook, with the current cyber-insurance breach line, current CRA EFILE Helpdesk contact, current MSP IR contact, current partner-board notification list, and current client-communication template on file.
  7. Run a 60-minute tabletop exercise simulating a ransomware incident on April 25. Walk the partner-board through the first 24 hours of decisions. Identify any gap in authority, communication, or technology.
  8. Confirm conditional access policies are active and tested: device compliance required, legacy auth blocked, geographic restrictions in place. Test from an unmanaged device to confirm the block fires.
  9. Reconcile the tax-software inventory against the CRA EFILE-registered software list post-February 2026. Any unregistered software on a preparer workstation is a transmission-refusal risk and an unmanaged-software attack surface.
  10. Brief every preparer and intern on the current tax-season phishing patterns, particularly the fake-CRA-notice and fake-EFILE-Helpdesk variants. A 20-minute live briefing in late January outperforms most generic security-awareness platforms during the season.
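Checklist items 2 and 8 as a script, added for this page (it is not Fusion Computing's tooling). It reviews Entra sign-in records and flags three things: successful sign-ins from outside the allowed countries, successful sign-ins from unmanaged devices that no conditional access policy applied to (a coverage gap in the policies), and impossible travel between consecutive sign-ins by the same user. Assumptions: the allowed-country list and the 900 km/h threshold are placeholders, and the four sign-in records are constructed in the shape of the Graph signIn resource so the logic runs offline; the commented Get-MgAuditLogSignIn call is what a live run would use instead.

```powershell
# Added example, not code from the original page.
$AllowedCountries = @("CA")   # assumed: the firm's operating geography
$MaxPlausibleKmh  = 900       # faster than a commercial flight, so one person cannot have done it

# Live tenant (needs AuditLog.Read.All; the 90-day window matches checklist item 2):
#   $since   = (Get-Date).AddDays(-90).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
#   $signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"
# Constructed sample records (not real log data), same property shape as the Graph signIn resource:
$signIns = @(
    [pscustomobject]@{ UserPrincipalName="intern@example.ca";  CreatedDateTime=[datetime]"2026-01-20T14:00:00Z"; ConditionalAccessStatus="success";    Status=@{ErrorCode=0};     DeviceDetail=@{IsManaged=$true};  Location=@{CountryOrRegion="CA"; City="Toronto"; GeoCoordinates=@{Latitude=43.65; Longitude=-79.38}} }
    [pscustomobject]@{ UserPrincipalName="intern@example.ca";  CreatedDateTime=[datetime]"2026-01-20T15:30:00Z"; ConditionalAccessStatus="success";    Status=@{ErrorCode=0};     DeviceDetail=@{IsManaged=$false}; Location=@{CountryOrRegion="NG"; City="Lagos";   GeoCoordinates=@{Latitude=6.52;  Longitude=3.38}} }
    [pscustomobject]@{ UserPrincipalName="partner@example.ca"; CreatedDateTime=[datetime]"2026-01-21T09:00:00Z"; ConditionalAccessStatus="notApplied"; Status=@{ErrorCode=0};     DeviceDetail=@{IsManaged=$false}; Location=@{CountryOrRegion="CA"; City="Ottawa";   GeoCoordinates=@{Latitude=45.42; Longitude=-75.70}} }
    [pscustomobject]@{ UserPrincipalName="partner@example.ca"; CreatedDateTime=[datetime]"2026-01-21T17:00:00Z"; ConditionalAccessStatus="failure";    Status=@{ErrorCode=50074}; DeviceDetail=@{IsManaged=$false}; Location=@{CountryOrRegion="US"; City="Buffalo";  GeoCoordinates=@{Latitude=42.89; Longitude=-78.88}} }
)

function Get-DistanceKm($a, $b) {
    # Haversine great-circle distance between two GeoCoordinates objects, in km.
    $r = 6371.0; $toRad = [math]::PI / 180
    $dLat = ($b.Latitude  - $a.Latitude)  * $toRad
    $dLon = ($b.Longitude - $a.Longitude) * $toRad
    $h = [math]::Pow([math]::Sin($dLat / 2), 2) +
         [math]::Cos($a.Latitude * $toRad) * [math]::Cos($b.Latitude * $toRad) * [math]::Pow([math]::Sin($dLon / 2), 2)
    return 2 * $r * [math]::Asin([math]::Sqrt($h))
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($user, $kind, $detail) {
    $findings.Add([pscustomobject]@{ User = $user; Finding = $kind; Detail = $detail })
}

# Per-record checks: only successful sign-ins matter here (ErrorCode 0); blocked attempts were handled.
foreach ($s in $signIns) {
    if ($s.Status.ErrorCode -ne 0) { continue }
    if ($s.Location.CountryOrRegion -notin $AllowedCountries) {
        Add-Finding $s.UserPrincipalName "Success outside allowed geography" `
            ("{0}, {1} at {2:u}" -f $s.Location.CountryOrRegion, $s.Location.City, $s.CreatedDateTime)
    }
    if (-not $s.DeviceDetail.IsManaged -and $s.ConditionalAccessStatus -eq "notApplied") {
        # A successful sign-in from an unmanaged device that no CA policy evaluated is a policy gap,
        # not just a risky event: checklist item 8 says the block should have fired.
        Add-Finding $s.UserPrincipalName "Unmanaged device, no CA policy applied" `
            ("{0} at {1:u}" -f $s.Location.City, $s.CreatedDateTime)
    }
}

# Impossible travel: consecutive successful sign-ins per user, ordered by time.
$signIns | Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.GeoCoordinates } |
    Group-Object UserPrincipalName | ForEach-Object {
        $ordered = @($_.Group | Sort-Object CreatedDateTime)
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $cur = $ordered[$i]
            $km    = Get-DistanceKm $prev.Location.GeoCoordinates $cur.Location.GeoCoordinates
            $hours = ($cur.CreatedDateTime - $prev.CreatedDateTime).TotalHours
            if ($hours -gt 0 -and ($km / $hours) -gt $MaxPlausibleKmh) {
                Add-Finding $_.Name "Impossible travel" `
                    ("{0} -> {1}: {2:N0} km in {3:N1} h" -f $prev.Location.City, $cur.Location.City, $km, $hours)
            }
        }
    }

$findings | Sort-Object User, Finding | Format-Table -AutoSize
```

Every finding is a starting point for item 2's "investigate before tax season opens", not a verdict: mobile carriers and corporate VPNs geolocate badly, so confirm impossible-travel hits against the device and app in the full record before treating them as compromise. If the tenant is licensed for Entra ID Protection, its "atypical travel" and "unfamiliar sign-in properties" detections already do the distance arithmetic; the value of running this yourself is the third check, which surfaces sign-ins that conditional access never evaluated and therefore tells you where the policies from item 8 have holes.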

For a pre-season hardening sprint scoped to your stack, request a costed scoping conversation.

What ransomware insurance covers (and what it doesn’t) for Canadian CPA firms

The shift in claims practice over the past two years has been less tolerance for the "we said MFA was on; turns out it wasn't on the accounting server" class of claim: the control attestations on the application are now verified after a loss, and a gap between what was attested and what was actually deployed is grounds for denial.

What ransomware-resilient IT costs for a CPA practice

“We got hit eight days before T1 deadline and lost access to every CaseWare file. Fusion’s MDR team isolated the breach in eleven minutes and our immutable backups had us filing again by noon. We submitted every return on time and not one client moved their business. The dual-approval wire workflow they built has caught two BEC attempts since.”

Managing Partner, 19-person CPA firm, Niagara Region.

Talk to a tax-season-aware IT specialist

Thirty-minute walk-through of your firm’s current stack, the ransomware-resilience gaps to close before T1 season opens, and what tax-season-ready cyber-insurance posture actually looks like at your firm size. No charge, no obligation.

Book a Consultation

Frequently asked questions about tax-season ransomware for CPA firms

When does ransomware risk peak for Canadian accounting firms?
What practice-management software (CCH iFirm, CaseWare, TaxCycle) vulnerabilities should we watch?
If we get hit during tax season, do we tell CRA?
How does cyber insurance work for a CPA firm hit mid-tax-season?
Does the February 2026 CRA EFILE update actually reduce ransomware risk?
Should our firm use AI / Microsoft Copilot during tax season?
What’s the difference between MDR and antivirus for a CPA firm?

Updated