
Keep your emails between you and your client

‘The information that is stored within an accountant’s office for an average client would be a hacker’s dream,’ CPA says

Cyber attackers are always looking for new ways to access your personal information, and email remains the easiest point of entry, say experts. (Getty Images/Epoxydude)

Just how comfortable should you feel sending personal information over email? It’s so ubiquitous that most don’t think twice after hitting send on dozens of emails every day. Last year alone, there were roughly 281 billion emails sent and received each day. 

But the circuitous route they take—including travel across multiple networks and servers—means emails can be exposed by unsecure networks, vulnerable servers and cyber attackers. Because many CPAs are handling sensitive client information, the risks can be even greater. 

“The information that is stored within an accountant's office for an average client would be a hacker’s dream,” says Brian Ludwig, CPA, of Crown Tax Services in Regina, Sask. “We tend to have, at minimum, the client’s name, the names of their family members, their address, their phone number, their birth date, and most damaging, their Social Insurance Number.” 

In the case of a breach, accountants would need to report it to the appropriate government agency, inform all their clients and potentially have to pay for credit monitoring or deal with client lawsuits, Ludwig says.

Canadians certainly aren’t taking cybersecurity lightly—a 2018 CPA Canada poll showed increased concerns about data privacy. Ludwig, too, says he’s constantly thinking about digital security.  

“The sharing of information has considerably made it easier to communicate with clients, but it also has opened up a multitude of opportunities for hackers to access this information and misuse it.” 


Cyber attackers are always looking for new ways to trick you into giving up access to your personal information, a practice commonly known as phishing. And while new technology brings new methods of scamming, emails remain the easiest point of entry, according to business lawyer Imran Ahmad, author of A Handbook to Cyber Law in Canada.

“They’re taking advantage of people’s curiosity [to click on a link] or being busy and not noticing small tweaks to the URL or the domain so they can trick people into doing something like share credentials,” he says.

It can be something as simple as getting an email from a common e-commerce vendor you use.

“You get an email pretending to be your retailer that says your product has arrived or they’re updating your credentials,” Ahmad says. “If you click on a link or enter your username and password, now they have a way to get into your system potentially—either your account at the retailer or having downloaded some kind of malware onto your computer.”


CPAs should naturally be concerned, Ahmad says. “Electronic communication is inherently a non-secure way of sharing information. You can never say, 100 per cent, that the information hasn’t been intercepted.”

But instead of renouncing email forever, here are some ways to minimize the risk: 

Email encryption: If you’re sharing sensitive files, consider having them password-protected. “Even if the email gets intercepted, the password does provide some level of security,” Ahmad says. Download free software like 7-Zip to compress, encrypt and password-protect any type of file. Using email encryption will help protect not only the attachment but also the content of the message itself.

Secure Log-in: Some common-sense approaches get easily overlooked. Change your passwords frequently, never share them with anyone and, most importantly, choose something stronger than “password”. You should also be using different passwords for each of your accounts. Use a password manager to keep track of unique and strong passwords and consider enabling two- or multi-factor authentication for even tighter security.

Verify Origin: Received an email from a client that seems a bit odd? Pick up the phone and call them, Ahmad says. “Ask them: did you ask me to transfer banking details to this account? That doesn’t take much time, but it will save you a lot of grief when a lot of funds are involved.”

Skip email: For sensitive communication, you may opt to skip email entirely and use a file-sharing platform, such as Microsoft’s OneDrive for Business, instead. “You basically create a workspace on a third-party platform and you collaborate or share information there,” Ahmad says. “Now whenever you exchange documents, it’s going to be in a safe space because you’ve created an account, you have a username and password, you may have two-factor (or multi-factor) authentication, and so on.” 


An estimated 65 per cent of data leaks are the result of malware or phishing attacks.