Tax Season, Their Favorite Time of Year: How Cybercriminals Capitalize on Stressed Firms


Published: May 5, 2026
We’ve all been there — working well into the night, clearing out inboxes, following up with clients who still haven’t submitted their documents, and stressing over the stack of returns that need to be filed within the next two days.

You feel like Taz from Looney Tunes, rushing through everything, moving at record pace in every which direction. The result? Unintentionally moving too fast without the guardrails that prevent costly mistakes.

And that’s why tax season is a cybercriminal’s favorite time of year. You’re distracted, busy, and just trying to get everything done — without looking too closely at phishing emails or other attempts to harm your business.

Your busyness is a cybercriminal’s opportunity.

In our recent webinar, SmartVault Chief Information Security Officer Luke Kiely — a former cybercrime investigator — and our VP of Growth, Jonathan Young, broke down why tax season is perfectly primed for cyberattacks.

Kiely introduces the concept of situational vulnerability, which occurs when sustained pressure quietly overcomes judgment, compromising business operations.

He explains that cybercriminals are “going to do it when you’re having to make split-second decisions. Do I open that email? Do I wait for that software update? That request to change bank details seems legit enough. All those things happen under sustained pressure.”

The result? Even the most careful professionals make dangerous mistakes — not out of negligence, but from sheer cognitive overload. As Kiely puts it, “You are under a lot of strain. Your attention isn’t going to be 100%.”

“How do you react when you’re under that sustained workload? This is the reason why, when you look at the cyberattacks, you see the same attack types every single year, time after time.” – Luke Kiely, Chief Information Security Officer, SmartVault

We’re unpacking why this matters, the risks of working without guardrails, and what happens when security gets jeopardized for speed.

The Cost of Taking Shortcuts

Simply put, shortcuts might be convenient, but they are costly. In 2025 alone, the global average cost of a breach reached a staggering $4.4 million. And according to Verizon’s 2024 Data Breach Investigations Report, 68% of breaches involve a non-malicious human element, like taking shortcuts or falling for phishing.

But perhaps the most illuminating stat about breaches and cyberattacks comes from Proofpoint’s 2024 State of the Phish – Today’s Cyber Threats and Phishing Protection Report. 71% of employees admitted to taking risky actions — with 96% understanding the inherent risks. Why?

  • Convenience (44%)
  • Save time (39%)
  • Urgency (24%)

Sound familiar? Convenience, time-saving, and urgency are almost synonymous with tax season, which is exactly why this time of year is so dangerous.

Kiely breaks it down:

“I’m just going to send something from a personal email. I’m just going to send an unprotected Excel document with all this sensitive information. I’ll deal with that software update later. I’ll run that backup when I’ve got time.”

These actions don’t mean your team’s careless — they’re busy. But Kiely warns that those seemingly harmless shortcuts are just putting off the inevitable. And that’s what cyberattackers are waiting for.

Phishing emails are a highly successful tactic bad actors use because they don’t have to be sophisticated to be effective — they just need to be well-timed.

A spoofed email that might raise an alarm on a slow day in July looks more convincing when you’re juggling all the admin work and trying to make deadlines. It’s less about being clever and more about proper timing.

The Human Element: A Cybercriminal’s Target

No matter how careful or competent your team is, they’ll likely make a few mistakes when operating at a fast pace for long periods of time (like tax season). It’s simply human psychology.

It’s also what cybercriminals understand better than most and why they target the human-in-the-loop element of your process. They understand human error and how it amplifies under stress. You’re vulnerable, and they know it.

Technology can be patched, updated, and hardened. People are harder to protect, especially when they’re exhausted, overloaded, and making split-second decisions all day long.

Your security controls need to be predictable even when your team isn’t operating at 100%. You can’t rely on everyone catching every red flag during the busiest weeks of the year. But you can build a framework that holds up when you’re most vulnerable.

Following the FTC Safeguards Rule and creating a Written Information Security Plan (WISP) is your best bet.

The FTC Safeguards Rule covers the basics that matter most: multi-factor authentication on every device and cloud platform that houses sensitive information, anti-malware and security monitoring, vulnerability scanning, and a designated person responsible for running your information security program.

“The FTC Safeguards Rule is the one that I implore everybody to listen to and watch,” Kiely says. “There’s a big difference between a program and a plan. The plan is a document. The program is the thing you live and breathe.”

It sets out the minimum expectations for running a secure firm — but strip away the compliance language, and you’re left with a practical blueprint for protecting your firm.

Combatting Cybercriminals Comes Down to Basics

No one wants to admit that they’re not 100% secure. But the reality is that 100% secure simply isn’t achievable for anyone. What is possible? Getting the basics right. And according to Kiely, the basics are more than enough to help combat cyberattacks.

The basics account for 90% of attacks on small businesses. “We’re talking about anti-malware, vulnerability scans, multi-factor authentication, and some level of training,” he explains. It’s about knowing what to expect and how to react when you see suspicious activity.

Building a Security Foundation with SmartVault:
A document management system like SmartVault becomes part of your security foundation by centralizing your document workflows, so your team doesn’t have to take shortcuts under pressure. With built-in access controls, audit trails, and SOC 2 Type 2 certification, SmartVault helps you keep client data protected — even when your attention’s stretched thin.

That’s it. Consistent fundamentals you can trust under pressure. The firms that weather cyberattacks aren’t necessarily the ones with the biggest budgets. But they are the ones that showed up consistently and followed the right practices, even when things got hectic.

Predictability Is Your Best Defense Against Cyberattacks

No, cybercriminals aren’t more sophisticated than you. But they are more patient and strategic about when to attack. The good news? You can prevent cyberattacks — especially during tax season.

You don’t need to be 100% secure, have a million-dollar security budget, or a dedicated IT team to protect your firm. Preventing attacks is about awareness, consistency, and the right practices in place before the pressure hits.

If you know you’re vulnerable during busy season, you can build in the guardrails that protect you when your attention’s stretched and your team’s running on fumes. These guardrails provide predictability.

They ensure your security habits are just as consistent as the seasonal pressure you face every year.

Want to learn more about protecting yourself from costly cyberattacks?
Watch the full webinar to hear our Chief Information Security Officer and former cybercrime investigator — Luke Kiely — break down how cybercriminals think (and what you can do about it).