How Law Firms Can Avoid a Tax-Season Data Breach

Tax season is a prime target for cyber attacks on law firms. Learn the key cybersecurity risks during tax season and the practical steps your firm can take to prevent breaches, phishing, ransomware, and payment fraud.

Tax season is not simply a busy period for law firms. It is one of the most exploitable windows in the legal calendar, and cybercriminals know it.

At the start of each year, firms exchange large volumes of sensitive financial data under deadline pressure, relying heavily on email to communicate with clients and accountants. That combination creates ideal conditions for a breach.

According to NetDocuments’ analysis of ICO data, breaches in the UK legal sector grew by 39% in the 12 months to mid-2024, with data on 7.9 million people compromised. Here is what firms can do about it.

Why Tax Season Creates Heightened Cyber Risk

At the start of each year, law firms handle payroll records, dividend documentation, trust accounts, and tax planning files. Attackers see this period as offering three key advantages: higher phishing success rates, greater tolerance for urgent requests, and access to more financially valuable data.

The NCSC’s threat guidance for the legal sector makes clear that law firms are considered high-value targets. They hold privileged financial data, often operate with stretched IT resources, and face professional obligations that make downtime particularly costly.

Related Reading: The Pentest Trap in the Legal Sector: What Law Firms Need to Know

1. Reinforce Phishing Defences Before Deadlines Peak

Phishing remains the leading cause of breaches across professional services. In 2024, 84% of UK businesses that experienced a cyber breach encountered a phishing attempt, according to government figures.

Run a phishing awareness refresher just before tax season kicks off and warn staff about common tax-season themes: HMRC notices, urgent filings, payment corrections, and credential reset requests. Follow it up with a simulated phishing exercise.

Focus areas include email attachments disguised as tax documents, fake DocuSign links, and last-minute requests that mimic the tone of known contacts. Tax-season phishing succeeds because people are busy, not because it is technically sophisticated.

2. Lock Down Email Accounts

Compromising a single mailbox gives an attacker access to confidential matter data, visibility of live transactions, and the ability to impersonate a trusted contact for payment fraud.

Before tax season peaks, enforce MFA on every account, disable legacy authentication protocols, and audit mailbox forwarding rules for any unexpected destinations. Enable impossible travel alerts to flag suspicious login patterns.

Pay particular attention to senior partners and long-serving staff, whose accounts often carry the most access but may have the weakest controls due to legacy configurations.
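One way to carry out the forwarding-rule audit described above: an added example (not Fortifi's tooling or any vendor's API) that takes an exported list of mailbox rules and flags every enabled rule that forwards mail to a domain the firm does not own. The firm domain, the record layout and the sample export are all assumptions constructed for the example; in practice the records would come from the mail platform's rule export.

```python
from dataclasses import dataclass

# Domains the firm owns (assumed; replace with the firm's real domains).
FIRM_DOMAINS = {"example-law.co.uk"}


@dataclass
class ForwardingRule:
    mailbox: str      # owner of the mailbox the rule lives in
    rule_name: str
    forward_to: str   # destination address, or "" if the rule does not forward
    enabled: bool


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_firm_domain(domain: str) -> bool:
    """True for the firm's domains and their subdomains (e.g. mail.example-law.co.uk)."""
    return any(domain == d or domain.endswith("." + d) for d in FIRM_DOMAINS)


def is_unexpected(rule: ForwardingRule) -> bool:
    """An enabled rule that forwards outside the firm's domains needs review."""
    if not rule.enabled or not rule.forward_to:
        return False
    return not is_firm_domain(domain_of(rule.forward_to))


def audit(rules):
    """Return the rules that should be reviewed, preserving export order."""
    return [r for r in rules if is_unexpected(r)]


# Constructed sample export (not real data). Only the 'accounts' rule is external
# and enabled; the disabled personal forward is reported separately if wanted.
SAMPLE_RULES = [
    ForwardingRule("partner@example-law.co.uk", "Copy to PA", "pa@mail.example-law.co.uk", True),
    ForwardingRule("partner@example-law.co.uk", "File receipts", "", True),
    ForwardingRule("accounts@example-law.co.uk", "Finance copy", "accounts.backup@mail-example.net", True),
    ForwardingRule("trainee@example-law.co.uk", "Old forward", "me@personal-example.org", False),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_RULES):
        print(f"REVIEW {r.mailbox}: rule '{r.rule_name}' forwards to {r.forward_to}")
```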

3. Review Access to Financial and Tax-Related Data

Not everyone needs access to payroll records or client tax planning folders. Without proper controls, the volume of sensitive documents in circulation during tax season dramatically expands the blast radius of any breach.

Apply least-privilege permissions, revoke access for leavers and contractors, and audit shared drives for over-exposed data. ICO data shows that 37% of legal sector breaches involve data being shared with the wrong person, often via email or shared drives.

Related Reading: GDPR Compliance Checklist for Law Firms: Avoiding Data Breaches and Regulatory Fines

4. Increase Monitoring During Peak Filing Weeks

Detection speed directly determines breach severity. Firms that identify an intrusion early are far better placed to limit data loss and contain the damage.

During tax season, heighten alerting for unusual login activity, abnormal data download volumes, and privilege escalation attempts. Enable mailbox auditing to capture forwarding, delegation, and access events.

Tax season is precisely when attackers attempt to hide malicious activity inside what looks like normal business behaviour. Tighter monitoring closes that window.
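The "impossible travel" alert mentioned above, as an added example that is not part of the original post or any product's detection logic: consecutive sign-ins by the same user are compared, and a pair is flagged when the great-circle distance between the two source locations divided by the time between them exceeds a plausible travel speed. The speed threshold, the event layout and the sample sign-ins (with RFC 5737 documentation addresses) are constructed assumptions; a real deployment would feed in geolocated sign-in logs from the identity provider.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Fastest plausible legitimate travel speed in km/h (assumed threshold; tune per firm).
MAX_SPEED_KMH = 900.0


@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float   # geolocation of the source IP, as the IdP or SIEM resolved it
    lon: float
    ip: str


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, earlier, later, implied_speed_kmh) for each pair of consecutive
    sign-ins by one user that would require travelling faster than max_speed_kmh."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda s: (s.user, s.when)):
        prev = last_seen.get(e.user)
        if prev is not None and prev.ip != e.ip:
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.when - prev.when).total_seconds() / 3600
            # Ignore geolocation jitter under 50 km; a zero interval over a real
            # distance is treated as infinite speed rather than a division error.
            if dist > 50:
                speed = dist / hours if hours > 0 else float("inf")
                if speed > max_speed_kmh:
                    alerts.append((e.user, prev, e, speed))
        last_seen[e.user] = e
    return alerts


# Constructed sample sign-ins: London then New York two hours apart (alert),
# London then Manchester three hours apart (normal commuting distance, no alert).
SAMPLE_SIGNINS = [
    SignIn("partner", datetime(2025, 1, 20, 9, 0), 51.5074, -0.1278, "198.51.100.10"),
    SignIn("partner", datetime(2025, 1, 20, 11, 0), 40.7128, -74.0060, "203.0.113.7"),
    SignIn("trainee", datetime(2025, 1, 20, 9, 0), 51.5074, -0.1278, "198.51.100.10"),
    SignIn("trainee", datetime(2025, 1, 20, 12, 0), 53.4808, -2.2426, "198.51.100.22"),
]

if __name__ == "__main__":
    for user, a, b, speed in impossible_travel(SAMPLE_SIGNINS):
        print(f"ALERT {user}: {a.ip} -> {b.ip} implies {speed:.0f} km/h")
```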

5. Revisit Ransomware Preparedness

Cyber attacks against UK legal firms rose by 77% to 954 successful incidents in 2024, according to analysis by Lubbock Fine. Busy periods create exactly the conditions ransomware actors rely on: distracted staff and slower incident detection.

Most ransomware incidents begin weeks before encryption occurs. If controls have not been reviewed by the time tax season starts, the attacker may already have gained access, and the opportunity to prevent that initial foothold has passed.

Confirm backups are recent and stored in an isolated environment, validate restore procedures, patch critical vulnerabilities, and disable any unnecessary Remote Desktop Protocol access.

Related Reading: What is Ransomware-as-a-Service? The Growing Threat to Organisations Worldwide

6. Protect Against Payment Diversion Fraud

Tax season involves regular financial transfers, settlements, and disbursements, making it a prime window for payment diversion fraud. Attackers compromise an email account and use it to intercept or redirect payments.

Reinforce payment verification procedures before the busy period begins. Banking detail changes should never be processed on the basis of an email request alone, and all changes must be verified via a separate, pre-established telephone number.

Remind accounts teams that urgency and apparent authority in an email are classic social engineering signals, not reasons to move faster.

7. Secure Remote and Hybrid Working

Deadline pressure encourages staff to work from home, hotels, and client sites. When people connect from unmanaged devices or unsecured networks, the controls firms put in place centrally are bypassed.

Enforce VPN usage, require MFA for every remote login, block unmanaged devices from accessing matter files, and remind staff of the risks posed by public Wi-Fi networks.

8. Run a Seasonal Risk Check in October or November

The worst time to discover a cybersecurity gap is in February, when tax season is already underway. A lightweight review in October or November gives firms the runway to fix issues before the pressure builds.

A pre-season check should cover MFA coverage, patch status, backup integrity, access controls, email security configuration, and incident response readiness. Addressing these in autumn means any remediation work can be completed calmly, rather than reactively during the busiest months of the year.

Related Reading: 10 Steps to Secure Your Legal Practice in 2025

The Real Cost of Getting It Wrong

A breach rarely stays confined to an IT problem. It triggers SRA scrutiny, client notification obligations under UK GDPR, potential ICO fines, and reputational damage that can take years to repair.

Despite this, 35% of UK law firms still lack a cyber mitigation plan, according to the Law Society. Given the volume and sensitivity of data the sector handles, that figure is difficult to justify.

Conclusion

Tax season is predictable. Breaches are not inevitable. Firms that treat the pre-tax season window as an opportunity for cybersecurity preparation, rather than simply the calm before a workload surge, are significantly better placed to get through it without a security incident.

If your firm would benefit from a structured review ahead of tax season, Fortifi can help. Get in touch to discuss a targeted assessment tailored to your timeline and team.
