Accounting and bookkeeping firms occupy an unusual position in the cyber security risk landscape. They hold access credentials — ATO portals, client banking platforms, accounting software — that provide direct pathways to financial systems. They manage payroll, BAS lodgements, and tax affairs for dozens to hundreds of clients. A successful attack on an accounting firm creates simultaneous exposure across its entire client base.
The ATO Credential Risk
Tax agent ATO portal access is among the most sensitive credentials an accounting firm holds. An attacker with valid ATO portal credentials can redirect tax refunds, access client financial information, and make fraudulent lodgements. The ATO's Online Services for Agents platform has MFA available — but it is not always enforced across all staff who access it.
BEC Targeting of Accounting Firms
Accounting firms are specifically targeted for business email compromise. Attackers compromise an email account, observe payment patterns and client relationships, and then intercept or initiate fraudulent payment instructions during periods of high activity — end of financial year, BAS periods. The trusted relationship between the firm and its clients makes fraudulent instructions more credible.
Client Data Concentration Risk
A practice management system containing financial records for 200 clients represents a concentrated high-value target. Access controls within the practice management system — ensuring staff see only clients they are assigned to, with privileged access required to export bulk data — are the primary control for limiting the impact of both insider and external threats.
Priority Actions for Accounting Firms
- MFA on ATO portal access for all staff, with no exceptions.
- MFA on all cloud accounting platforms (Xero, MYOB, QuickBooks).
- Regular security review of email configuration, including SPF, DKIM and DMARC.
- Staff training that specifically addresses the BEC patterns used against accounting firms.
- An incident response plan that includes notification procedures for affected clients.
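As an added example (not code from this page, the ATO or any firm), a small offline checker for the SPF and DMARC weaknesses that the email configuration review above is meant to catch. Records are passed in as text; in a live review you would first fetch the domain's TXT record and its _dmarc TXT record over DNS, and the example.com.au addresses below are constructed placeholders.

```python
"""Offline SPF/DMARC check (added example, not the firm's or the ATO's code).
Records are passed as text; a live review would fetch them over DNS first."""
import re
from typing import List, Optional

_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def check_spf(record: Optional[str]) -> List[str]:
    """Return findings for a v=spf1 record; an empty list means no issues."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: receivers cannot reject spoofed senders"]
    last = terms[-1].lower()
    findings = []
    if last in ("+all", "all"):
        findings.append("SPF ends in +all: any host may send as this domain")
    elif last in ("~all", "?all"):
        findings.append("SPF ends in ~all or ?all: spoofed mail is flagged at most, not rejected")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF has no terminal 'all' mechanism")
    lookups = sum(
        re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] in _LOOKUP_MECHANISMS
        for t in terms[1:]
    )
    if lookups > 10:  # over the RFC 7208 limit the record evaluates to permerror
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): record is permerror")
    return findings

def check_dmarc(record: Optional[str]) -> List[str]:
    """Return findings for a _dmarc TXT record; an empty list means no issues."""
    if not record:
        return ["no DMARC record: SPF/DKIM failures are not acted on"]
    tags = {k.strip().lower(): v.strip()
            for k, v in (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}
    if tags.get("v") != "DMARC1":
        return ["malformed DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC p= tag missing or invalid")
    elif tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings
```

A finding from either function is a concrete item for the next configuration review; an empty list from both means the domain at least refuses spoofed mail at the DNS level.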