One of the victims of the W-2 phishing scam discussed previously on this site turned out to be Seagate Technology, the large hard drive maker, per a story published by Brian Krebs on March 6 (Seagate Phish Exposes All Employee W-2’s). On March 1, 2016 (the same day the IRS news release on the scam was released), an employee received an email he/she believed was a legitimate request from someone in the company. In response, the employee sent off W-2 information for 2015, apparently for all employees of this very large company.
It is likely safe to assume that the IT staff at Seagate is larger than that at most CPA firms and is also available around the clock. Most small CPA firms don't have an IT person on staff, but rather use an outside consultant to maintain the network. Security is one of many things this person keeps track of, and the firm is one of many organizations the consultant does work for.
Presumably Seagate's staff had put in place various filters and screens to attempt to block malware and scams and keep them from entering the organization’s network—but, clearly, they didn’t stop this particular attack. Unfortunately, IT departments have to design protective measures based on threats they anticipate and, as well, have to attempt to ensure that their protective measures stay "out of the way" of legitimate activity. Those looking to do harm understand these limitations, constantly revising their attack methods to take advantage of likely "holes" in the defenses based on these constraints.
So, again, I must remind CPAs that all staff who use email in their job (which means basically everyone) must be educated with regard to the various scams in circulation—and must understand that, despite the best efforts of whoever is maintaining the firm’s network security, at least some of these scams are likely to get through. Thus, anyone who uses email has to take on the ultimate responsibility for assuring that they are not tricked into sending out highly confidential information.
For CPAs who are interested in security issues with technology (which should be all of us), Brian Krebs's website (http://www.krebsonsecurity.com) provides regular coverage of these issues. Brian has also been very active in reporting (and, unfortunately, anticipating) the various issues that have arisen with tax-based ID theft and ways that the IRS sites will be "misused" to obtain data.