An independent cybersecurity review across many of Illinois’s largest accounting firms reveals a wide range of results. Firms that prepare returns hold extremely sensitive taxpayer data, yet many show significant gaps in basic email authentication.
Using data from audit.emailmenow.com, we evaluated each firm’s domain across SPF, DKIM, DMARC, transport security (MTA-STS/TLS), and website security headers.
Cybersecurity Scores of Major Illinois Accounting Firms
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Firm | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | Plante Moran | plantemoran.com | 84% | Strong |
| 1 | Selden Fox | seldenfox.com | 84% | Strong |
| 3 | Crowe | crowe.com | 80% | Strong |
| 4 | Miller Cooper & Co. | millercooper.com | 71% | Strong |
| 5 | Wipfli | wipfli.com | 66% | Good |
| 6 | ORBA (Ostrow Reisin Berk) | orba.com | 64% | Good |
| 7 | Baker Tilly | bakertilly.com | 60% | Above Average |
| 8 | Porte Brown | portebrown.com | 58% | Average |
| 9 | Mowery & Schoenfeld | msllc.com | 54% | Average |
| 10 | Sikich | sikich.com | 49% | Below Average |
What the Results Reveal
- Illinois leads our accounting-firm reviews: four firms clear 70%, topped by Plante Moran and Selden Fox at 84%.
- Even so, none reach 85%, and the field tails off to 49% — enforced DMARC, strict SPF, and transport protections aren’t universal even among the leaders.
- Weak email authentication fuels the tax-season phishing and client-payment fraud that increasingly target CPA firms.
Why This Matters for Accounting Firms
The IRS (Publication 4557) requires every tax professional to maintain a written information security plan (WISP) to keep a PTIN, and the FTC Safeguards Rule backs it with civil penalties. Tax season is also peak phishing season for tax pros.
Check any firm’s posture at audit.emailmenow.com/?industry=cpa-firms.
See also — national audit
- Major U.S. CPA Firms (national)
- Major U.S. Tax Preparers (national)
- National Payroll Providers (national)
Recommendations
- Enforce DMARC (p=reject), strict SPF (-all), and DKIM signing.
- Add MTA-STS and website security headers.
- Document your WISP and run recurring security awareness training before filing season.
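To show what "enforced DMARC" and "strict SPF" mean at the DNS record level, here is an added example (not the scoring logic used by audit.emailmenow.com) that grades SPF and DMARC TXT record strings against the first recommendation. The `.example` domains and record values are constructed samples, and the function names are hypothetical.

```python
def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def check_dmarc(record):
    """Return findings for one _dmarc TXT record; an empty list means enforced."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'} is not enforced (want p=reject)")
    # sp= defaults to p= when absent; a weaker explicit sp= exposes subdomains.
    elif tags.get("sp", policy).lower() != "reject":
        findings.append("sp= is weaker than reject for subdomains")
    # pct below 100 applies the policy to only a share of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    return findings

def check_spf(record):
    """Return findings for one SPF TXT record; an empty list means hard fail."""
    terms = [t.lower() for t in record.split()]
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if all_terms:
        if not all_terms[0].startswith("-"):
            return [f"'{all_terms[0]}' is not a hard fail (want -all)"]
        return []
    if any(t.startswith("redirect=") for t in terms[1:]):
        return ["policy delegated by redirect=; evaluate the target record"]
    return ["no 'all' mechanism; unmatched senders get a neutral result"]

# Constructed sample records: the weak setting beside the corrected one.
SAMPLES = {
    "weak.example": ("v=spf1 include:_spf.mail.example ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "hardened.example": ("v=spf1 include:_spf.mail.example -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"),
}

def audit(samples):
    """Map each domain to its combined SPF and DMARC findings."""
    return {d: check_spf(spf) + check_dmarc(dmarc) for d, (spf, dmarc) in samples.items()}

if __name__ == "__main__":
    for domain, findings in audit(SAMPLES).items():
        print(domain, findings or "enforced")
```

To check a live domain, feed the functions the TXT values returned for the domain itself (SPF) and for its `_dmarc` subdomain (DMARC).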
Protect your firm and your clients. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=cpa-firms.
Contact EmailMeNow IT Consulting for help with your IRS-ready written security plan and email hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.