MFA Bypass: How Attackers Beat 2FA on CPA Portals

You did everything right. You switched on multi-factor authentication for your client portal, your tax software, and your Microsoft 365 accounts. So why do CPA firms keep getting their client data stolen anyway?

Because MFA is not a wall. It is a speed bump, and a prepared attacker knows exactly how to drive over it. The same prompts and text-message codes that stop opportunistic password-guessing do very little against a criminal who is targeting your firm on purpose.

That matters more for accounting firms than for almost any other small business. Your portal holds Social Security numbers, EINs, bank-account details, and complete tax returns - everything needed to commit identity theft and refund fraud, gathered in one place.

This guide breaks down exactly how attackers bypass MFA on CPA client portals - adversary-in-the-middle phishing, push bombing, SIM swaps, and help-desk social engineering - and the specific, affordable changes that actually stop them.

Key Takeaways

  • MFA blocks more than 99.9% of automated account-compromise attacks - but targeted attackers have well-documented ways to get around it. (Microsoft, 2019)
  • Adversary-in-the-middle (AiTM) phishing steals your authenticated session cookie and skips the login entirely; one campaign tried to bypass MFA at more than 10,000 organizations. (Microsoft, 2022)
  • Push bombing, SIM swaps, and SS7 interception all defeat app-prompt and SMS-based MFA, according to CISA. (CISA, 2022)
  • The FTC Safeguards Rule requires MFA for anyone accessing customer information at a tax or accounting firm. (FTC, 2023)

Why CPA Firms Are a Prime Target for MFA Bypass

Attackers follow the data, and accounting firms are a concentration of the most valuable data there is. Compromising a single portal can expose hundreds of clients at once.

  • Americans reported a record $16.6 billion in cybercrime losses in 2024 - a 33% jump over the prior year. (FBI IC3, 2024)
  • Business email compromise alone accounted for more than $2.77 billion of those losses, much of it diverted client payments and fraudulent wire transfers. (FBI IC3, 2024)
  • The global average cost of a data breach hit $4.88 million in 2024. (IBM, 2024)
  • Stolen or compromised credentials were the single most common way attackers got in, accounting for 16% of breaches. (IBM, 2024)

The IRS sees the fallout every filing season. Its Security Summit has repeatedly pressed tax professionals to switch on MFA, noting that "use of the multi-factor authentication feature is a free and easy way to protect clients and practitioners' offices from data thefts." (IRS, 2021)

MFA Works - Until a Human Is in the Loop

Let's be clear: MFA is one of the highest-value security controls you can deploy. Microsoft has found that it blocks more than 99.9% of account-compromise attacks. (Microsoft, 2019)

But that figure describes automated, password-only attacks - bots spraying stolen passwords across millions of accounts. A criminal who has chosen your firm as a target plays a different game. They do not try to guess your second factor; they trick the person holding it or steal the session it creates. As CISA puts it, "not all forms of MFA are equally secure." (CISA, 2022)

Adversary-in-the-Middle: Stealing the Session, Not the Password

The most effective MFA bypass in use today does not crack your code - it sits between you and the real login page and relays everything in real time. Security researchers call this adversary-in-the-middle (AiTM) phishing.

You click a link in a convincing email and land on a page that looks exactly like your Microsoft 365 or portal sign-in. A proxy behind it forwards your username, password, and even your MFA code to the genuine site, then captures the authenticated session cookie the site hands back.

  • "Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target's MFA is enabled," Microsoft's threat researchers reported. (Microsoft, 2022)
  • A single AiTM campaign attempted to target more than 10,000 organizations beginning in September 2021. (Microsoft, 2022)
  • Attackers then used the stolen credentials and session cookies to read mailboxes and launch follow-on business email compromise fraud. (Microsoft, 2022)

For a CPA firm, the danger is obvious. Once an attacker is sitting in a partner's inbox, they can wait for a wire instruction or a client refund and quietly redirect it - the exact pattern behind billions of dollars in BEC losses each year.

Push Bombing (MFA Fatigue): Wearing the User Down

If your MFA simply asks you to "approve this sign-in," an attacker who already has your password has an easy play: request approval over and over until someone gives in.

  • CISA describes push bombing as actors who "bombard a user with push notifications until they press the 'Accept' button, thereby granting threat actor access to the network." (CISA, 2022)
  • This is not theoretical. The Scattered Spider group - behind several major 2023 breaches - uses push bombing alongside SIM-swap attacks to obtain credentials. (CISA, 2023)

SIM Swaps and SS7: Hijacking Your Text-Message Codes

Text-message codes are the most common and the weakest form of MFA, because the attacker does not need your phone - only your phone number.

  • In a SIM swap, criminals "convince cellular carriers to transfer control of the user's phone number to a threat actor-controlled SIM card," CISA explains - after which every SMS code is delivered to the attacker. (CISA, 2022)
  • Attackers can also exploit weaknesses in the SS7 telecom protocol "to obtain MFA codes sent via text message (SMS) or voice to a phone." (CISA, 2022)
  • SIM-swap fraud cost reported victims nearly $26 million in 2024 alone. (FBI IC3, 2024)

Help-Desk Social Engineering: Resetting MFA Through Your Own Team

Why defeat MFA at all when you can simply ask someone to turn it off? Increasingly, attackers skip the technology and target the people who manage it.

  • CISA reports that Scattered Spider actors "conduct spearphishing calls to convince IT help desk personnel to reset passwords and/or transfer MFA tokens." (CISA, 2023)
  • They pair that social engineering with SIM swaps and harvested personal data to pass identity checks and take over accounts. (CISA, 2023)

Client portals are especially exposed here. A self-service "lost my device" reset, or an outsourced help desk that re-enrolls MFA after a friendly phone call, can hand an attacker the keys without a single password being phished.

What the FTC and IRS Require of Your Firm

For accounting firms, MFA is no longer just good hygiene - it is a legal obligation. Under the Gramm-Leach-Bliley Act, tax and accounting practices are treated as "financial institutions" and fall under the FTC Safeguards Rule.

  • The Rule's plain-language guidance tells firms to "implement multi-factor authentication for anyone accessing customer information on your system." (FTC, 2023)
  • It defines MFA as "authentication through verification of at least two" factors - something you know, something you have, and something you are. (FTC, 2023)
  • The IRS Security Summit urges every tax professional to enable MFA on tax software, calling it "a free and easy way to protect clients and practitioners' offices from data thefts." (IRS, 2021)

How CPA Firms Can Actually Stop MFA Bypass

The fix is not to abandon MFA - it is to use MFA that cannot be phished and to close the human gaps attackers exploit. A handful of targeted changes neutralize nearly every technique above.

  • Move to phishing-resistant MFA. CISA calls FIDO2/WebAuthn security keys and passkeys the "gold standard," because push bombing, SS7, and SIM-swap attacks simply do not work against them. (CISA, 2022)
  • Retire SMS and voice codes as a primary factor - they are the easiest to intercept. (CISA, 2022)
  • If you cannot deploy keys everywhere yet, turn on number matching so a user cannot approve a push by reflex. (CISA, 2022)
  • Add conditional access. Microsoft notes that requiring a compliant device or trusted IP address means a stolen session cookie alone is not enough to get in. (Microsoft, 2022)
  • Lock down help-desk identity verification and disable self-service MFA resets that rely only on a phone call or a texted code. (CISA, 2023)
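The reason FIDO2/WebAuthn keys resist the AiTM proxy described earlier is that the browser records the page's true origin in the signed client data, and the relying party rejects anything not minted for its own origin and RP ID. The simplified verifier below is an added example, not code from the original article or from any WebAuthn library: the RP ID, origin, and challenge values are assumed, and the signature check over the authenticator data is omitted, so a real deployment should use a maintained WebAuthn library rather than this sketch.

```python
import base64
import hashlib
import json

RP_ID = "portal.firm.example"              # assumed relying-party ID (hypothetical)
RP_ORIGIN = "https://portal.firm.example"  # the only origin this RP accepts

def b64url_decode(data):
    """Decode unpadded base64url, the form WebAuthn clients emit."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def make_assertion(origin, challenge, rp_id):
    """Constructed stand-in for a browser assertion; the signature is intentionally omitted."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    # authenticatorData layout: sha256(rpId) || flags (bit 0 = user present) || 4-byte counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return {"clientDataJSON": base64.urlsafe_b64encode(client_data).rstrip(b"=").decode(),
            "authenticatorData": base64.urlsafe_b64encode(auth_data).rstrip(b"=").decode()}

def verify_assertion(assertion, expected_challenge):
    """Return (ok, reason); an assertion minted on a look-alike domain fails the origin check."""
    client = json.loads(b64url_decode(assertion["clientDataJSON"]))
    auth = b64url_decode(assertion["authenticatorData"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```

Because the browser, not the page, writes the origin field and the authenticator signs over it, a proxy on another domain cannot forward a valid assertion for the real portal.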

Final Thoughts

MFA is still essential - turning it off would be a serious mistake. But treating it as a finish line is exactly the assumption attackers are counting on. The firms that get breached this year will not be the ones without MFA; they will be the ones that set it up once, assumed they were done, and left SMS codes and a chatty help desk wide open as the back door.

Tech Advisors helps CPA and accounting firms move to phishing-resistant MFA, tighten conditional access, and meet their FTC Safeguards Rule obligations - without disrupting tax season. If you are not sure where your firm's gaps are, a short conversation is a good place to start.
