12/12/2025 • 16 min read
Cyber Crime: 5 Lessons for Accountants (2025)
The increase in cyber crime has established five critical lessons for Australian accounting practices: treat identity and bank-details changes as high-risk events, assume email is compromised unless proven otherwise, harden ATO and banking access with layered controls, make cyber resilience a core compliance and governance obligation (not “IT”), and prioritise rapid detection and response to minimise financial loss, ATO account abuse, and reportable data breaches. From an Australian practice perspective, cyber crime is now inseparable from BAS/IAS/ITR lodgment workflows, ATO portal access, payroll processing, trust accounting, and client money handling—meaning the control environment must be designed around fraud prevention, privacy law obligations, and evidentiary record-keeping.
Why is cyber crime increasing—and why does it matter specifically for Australian accounting practices?
Cyber crime is increasing because criminals have industrialised credential theft, social engineering, and ransomware, and accounting firms sit at the centre of high-trust financial workflows. Accounting practices hold TFNs, bank details, identity documents, payroll data, and ATO access pathways—making them a preferred target for both monetisation (fraud) and leverage (extortion).
- ATO systems misuse risk (agent and client account compromise).
- Fraudulent bank account changes for refunds, supplier payments, or payroll.
- Integrity of BAS reconciliation, working papers, and evidence files.
- Privacy and confidentiality duties under Australian law and professional standards.
- Australian Taxation Office (ATO) guidance on keeping client data secure and recognising scams (ATO scam alerts and security guidance for Online services for agents).
- OAIC guidance on Notifiable Data Breaches (NDB) under the Privacy Act 1988 (Cth) (where applicable).
- The SOCI framework and cyber expectations for critical sectors (contextual relevance for governance maturity even if not directly applicable to most practices).
What are the five critical lessons from the increase in cyber crime?
The five lessons are practical control themes that should be implemented as non-negotiable practice standards, not optional “IT improvements”.
Lesson 1: Why must accountants treat identity and bank-detail changes as “high-risk transactions”?
Identity and bank-detail changes must be treated as high-risk because the most common, highest-impact fraud in professional firms is authorised-payment fraud driven by impersonation. This includes criminals posing as clients, directors, bookkeepers, or even staff to redirect funds.
- A “client” emails new bank details for a tax refund, dividend, trust distribution, or loan repayment.
- A director requests an urgent supplier payment from trust funds or an operating account.
- A payroll officer receives a “new employee bank form” that is actually fraudulent.
- Independent verification using a second channel:
- Dual approval for bank detail changes:
- Evidence retention:
- Breach of confidentiality and client funds mishandling may trigger professional and legal exposure.
- If a practice holds personal information, the Privacy Act 1988 (Cth) and NDB scheme may apply depending on the entity and circumstances.
- A practice processes a GST refund and receives an “updated bank account” email. Funds are redirected. The client disputes the loss. The firm cannot evidence independent verification. The matter escalates to insurer notification, dispute resolution, and potential OAIC considerations if data exposure occurred.
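The verification, dual-approval and evidence-retention controls described in this lesson, written out as a small workflow. This is an illustrative example added to the article, not Fedix or MyLedger code; the client register, staff names, BSB and account numbers and the phone numbers are all constructed placeholders.

```python
"""Bank-detail change workflow: second-channel verification, dual approval and
an evidence trail. Illustrative example, not Fedix/MyLedger code; every client
record, staff name and bank detail below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

class Status(Enum):
    RECEIVED = "received"    # request arrived (e.g. by email); nothing changed yet
    VERIFIED = "verified"    # confirmed by callback to the number held on file
    APPROVED = "approved"    # a second person has signed off
    APPLIED = "applied"      # ledger/payment system updated
    REJECTED = "rejected"

# Constructed "known contact" register. The callback must go to the number held
# here, never to a number supplied in the change request itself.
KNOWN_CONTACTS = {"C-1001": {"name": "Example Pty Ltd", "phone": "+61 2 0000 0000"}}

@dataclass
class ChangeRequest:
    client_id: str
    new_bsb: str
    new_account: str
    requested_via: str                 # channel the request arrived on
    status: Status = Status.RECEIVED
    evidence: list = field(default_factory=list)   # (timestamp, actor, event)
    verifier: Optional[str] = None
    approver: Optional[str] = None

    def log(self, actor: str, event: str) -> None:
        """Append a timestamped evidence entry; nothing is ever removed."""
        self.evidence.append((datetime.now(timezone.utc).isoformat(), actor, event))

def verify_by_callback(req: ChangeRequest, staff: str, phone_used: str, confirmed: bool) -> bool:
    """Second-channel verification: the call must use the number on file and the
    client must confirm the exact new details read back to them."""
    if req.status is not Status.RECEIVED:
        raise ValueError("verification must happen before approval")
    known = KNOWN_CONTACTS[req.client_id]["phone"]
    if phone_used != known:
        req.log(staff, f"rejected: callback used {phone_used}, not the number on file")
        req.status = Status.REJECTED
        return False
    if not confirmed:
        req.log(staff, "rejected: client did not confirm the new details")
        req.status = Status.REJECTED
        return False
    req.verifier = staff
    req.status = Status.VERIFIED
    req.log(staff, f"verified by callback to {known}")
    return True

def approve(req: ChangeRequest, staff: str) -> bool:
    """Dual approval: the approver must be a different person from the verifier."""
    if req.status is not Status.VERIFIED:
        raise ValueError("cannot approve an unverified request")
    if staff == req.verifier:
        req.log(staff, "rejected: approver must differ from verifier")
        raise PermissionError("approver must differ from verifier")
    req.approver = staff
    req.status = Status.APPROVED
    req.log(staff, "approved")
    return True

def apply_change(req: ChangeRequest) -> ChangeRequest:
    """Only an approved request may reach the system that pays out."""
    if req.status is not Status.APPROVED:
        raise ValueError("only approved requests can be applied")
    req.status = Status.APPLIED
    req.log("system", f"bank details updated to BSB {req.new_bsb} / {req.new_account}")
    return req

def run_example() -> ChangeRequest:
    """Happy path: email request, callback by alice, approval by bob, then applied."""
    req = ChangeRequest("C-1001", "000-000", "00000000", requested_via="email")
    req.log("intake", "change request received by email; details NOT applied")
    verify_by_callback(req, staff="alice", phone_used="+61 2 0000 0000", confirmed=True)
    approve(req, staff="bob")
    return apply_change(req)

if __name__ == "__main__":
    for entry in run_example().evidence:
        print(*entry)
```

The evidence list is the artefact the practice needs when a client disputes a redirected payment: it shows who called which number, who approved, and that the email alone never triggered a change.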
Lesson 2: Why should practices assume email is compromised—and move sensitive workflows off email?
Email should be assumed compromised because Business Email Compromise (BEC) does not require malware; it relies on convincing messages, thread hijacking, and lookalike domains. In accounting, email is heavily trusted for tax, payroll, and payment instructions—making it an ideal attack surface.
- Replace email attachments with secure portals and expiring links:
- Implement “no bank details by email” policies:
- Enforce DMARC/SPF/DKIM at the domain level:
- Use secure e-signing processes for engagement letters and authorities:
- ATO interactions often rely on accurate identity assurance and secure handling of client information. ATO scam guidance repeatedly warns against links, attachments, and credential harvesting that mimic ATO communications.
- MyLedger’s secure-sharing approach (token-based secure access with controlled verification) supports shifting sensitive reconciliation views and collaboration away from uncontrolled email threads, reducing the probability of BEC-led manipulation of financial records and approvals.
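A way to check whether the domain-level SPF and DMARC controls this lesson calls for are actually enforcing anything, rather than just present. This is an added example, not Fedix code: it assesses the record text offline, and the four sample records are constructed (you would obtain real ones with a TXT lookup of `yourdomain` and `_dmarc.yourdomain`).

```python
"""Assess SPF and DMARC record strength. Added illustrative example, not
Fedix's code; the sample records below are constructed."""
import re

def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Return findings that weaken the policy; an empty list means enforcing."""
    if not record:
        return ["no DMARC record: receivers have no policy to apply to spoofed mail"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1 and will be ignored"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"missing or invalid policy tag p={policy!r}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports on abuse")
    return findings

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def assess_spf(record: str) -> list:
    """Return findings for a weak terminal 'all' or too many DNS lookups."""
    if not record:
        return ["no SPF record"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every sender: SPF gives no protection")
    elif last == "?all":
        findings.append("'?all' is neutral: failing senders are not flagged")
    elif last == "~all":
        findings.append("'~all' is softfail; move to '-all' once all senders are listed")
    elif last != "-all":
        findings.append("record has no terminal 'all' mechanism")
    # SPF evaluation stops after 10 DNS-querying mechanisms (RFC 7208).
    lookups = sum(
        1 for t in terms[1:]
        if re.split(r"[:=]", t.lstrip("+-~?").lower())[0] in LOOKUP_MECHANISMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10; SPF returns permerror")
    return findings

# Constructed sample records for a fictitious practice domain.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, rec, fn in [("SPF (weak)", WEAK_SPF, assess_spf),
                           ("SPF (strong)", STRONG_SPF, assess_spf),
                           ("DMARC (weak)", WEAK_DMARC, assess_dmarc),
                           ("DMARC (strong)", STRONG_DMARC, assess_dmarc)]:
        print(label, "->", fn(rec) or "OK")
```

A common state for practices is `p=none` with no `rua` address: the record exists, satisfies a checklist, and protects nobody. Treat anything short of `p=reject` (after a monitoring period) and `-all` as an open item in the risk register.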
Lesson 3: How does ATO credential abuse change the “minimum” cyber controls for tax agents?
ATO credential abuse changes the minimum controls because compromised agent access can enable widespread damage across many clients. Tax agents and practices operate high-privilege environments: one compromise can scale.
- Multi-factor authentication (MFA) everywhere:
- Least privilege access:
- Strong onboarding/offboarding:
- Device hygiene and patching:
- Credential and secret management:
- The ATO publishes security guidance and scam warnings for Online services and agents; practices should treat these as minimum operational requirements, not general advice.
- Where client data is accessed via ATO systems, auditability and access control are central to defensible governance.
- A compromised mailbox leads to a password reset attempt across linked services. The attacker gains access to the ATO portal, extracts client identifiers, and uses that information for downstream identity fraud. The incident becomes materially larger than an “IT issue” and triggers legal, insurer, and client notification pathways.
Lesson 4: Why must cyber governance be treated as a compliance and director-level risk issue (not an IT project)?
Cyber governance must be treated as a compliance risk because it affects confidentiality, integrity of financial records, and continuity of service—each of which is fundamental to professional obligations and client outcomes. Governance failures also frequently underpin insurance claim denials and regulatory scrutiny.
- Maintain a cyber risk register:
- Adopt and document a recognised control framework:
- Ensure contractual and vendor controls:
- Implement mandatory staff training with phishing simulations:
- Engagement letters and client onboarding include security expectations (e.g., verification requirements for bank details).
- Working papers and evidence files have controlled access, audit trails, and retention policies.
- Change management for chart of accounts, bank feeds, and lodgment settings is logged and reviewable.
- “AI accounting software Australia” solutions must be assessed not only for automation but for security, audit logs, access controls, and resilience. Automation that reduces manual handling can reduce risk, but only if implemented with strong governance.
Lesson 5: Why is rapid detection and incident response now a core capability for accounting firms?
Rapid detection and incident response is core because modern attacks are time-compressed: funds can be moved within minutes, and ransomware can halt operations overnight. The objective is not “perfect prevention”; it is reducing dwell time and limiting blast radius.
- A rehearsed incident plan (runbooks) for:
- A communications tree:
- Evidence preservation procedures:
- Recovery readiness:
- The Notifiable Data Breaches scheme (Privacy Act 1988 (Cth)) may require notification to affected individuals and the OAIC if an eligible data breach occurs (e.g., serious harm likely). Whether the Act applies depends on entity coverage and circumstances, but many practices will either be covered or contractually required to meet equivalent standards.
- Professional duties and client contractual obligations frequently require prompt disclosure and remediation steps.
- A staff member detects a suspicious “bank details update” email.
- The practice immediately freezes payment processing and contacts the bank’s fraud team.
- The firm resets credentials, revokes sessions, and checks mail forwarding rules.
- Clients potentially affected are identified and contacted with documented steps taken.
- The event is logged in the risk register and triggers a control uplift (policy plus technical controls).
How do these lessons change daily workflows like BAS reconciliation, payroll, and year-end compliance?
They change workflows by adding verification, segmentation, and secure collaboration at the points where fraud and data leakage occur.
- BAS and GST processes:
- Payroll:
- Year-end and working papers:
- Reducing manual handling reduces opportunities for manipulation, but only if the platform provides:
In practice, MyLedger’s automation approach (AutoRecon, snapshots, controlled sharing) supports the operational aim: fewer emails, fewer spreadsheets, less uncontrolled data movement, and faster exception-focused review.
How does cyber crime affect software selection (MyLedger vs Xero vs MYOB vs QuickBooks) for Australian practices?
Software selection must now be assessed through a cyber-resilience lens, not only features and price. The key question is whether the system reduces risky manual workflows while providing auditable controls.
- Secure collaboration and sharing:
- Working papers automation (reduces spreadsheet sprawl):
- ATO integration accounting software depth:
- Risk reduction via speed and exception handling:
This is not merely efficiency; it is a control improvement. The longer a workflow stays open (manual reconciliation, emailed statements, uncontrolled spreadsheets), the larger the attack window.
What immediate actions should an Australian accounting practice take in the next 30 days?
The immediate actions are to close the most exploited gaps: bank changes, email compromise, and privileged access.
- Implement a documented “bank detail change” verification policy and script.
- Enforce MFA on:
- Disable legacy authentication and apply conditional access (where available).
- Roll out phishing training focused on:
- Audit and remove mailbox forwarding rules and suspicious OAuth app consents.
- Confirm backups are:
- Establish an incident response checklist and insurer notification process.
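The forwarding-rule check that appears both in the Lesson 5 response steps ("checks mail forwarding rules") and in the 30-day action to audit and remove mailbox forwarding rules, as detection logic over exported rules. This is an added example rather than Fedix code: the rule records use a simplified constructed shape (not any mail platform's export schema), and the practice domain, addresses and rule names are invented.

```python
"""Triage exported inbox rules for the patterns that follow a mailbox
compromise: forwarding to outside the firm, auto-deleting, hiding mail in
rarely-viewed folders, finance keywords, and blank or punctuation-only names.
Added illustrative example, not Fedix code; the data shape and all values are
constructed."""
INTERNAL_DOMAINS = {"examplepractice.com.au"}           # constructed practice domain
FINANCE_KEYWORDS = {"invoice", "bank", "bsb", "payment", "remittance", "ato", "refund"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items",
                  "junk email", "conversation history"}

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def audit_rule(rule: dict) -> list:
    """Return a list of findings for one rule; empty means nothing suspicious."""
    findings = []
    external = [a for a in rule.get("forward_to", []) if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        findings.append(f"forwards to external address(es): {', '.join(external)}")
    if rule.get("delete_message"):
        findings.append("deletes the message after processing (hides it from the owner)")
    folder = rule.get("move_to_folder", "")
    if folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves matching mail to rarely-viewed folder '{folder}'")
    hits = sorted(w for w in rule.get("subject_contains", []) if w.lower() in FINANCE_KEYWORDS)
    if hits:
        findings.append(f"triggers on finance keywords: {', '.join(hits)}")
    name = rule.get("name", "").strip()
    if len(name) <= 2:
        findings.append(f"rule name {name!r} is blank or punctuation-only")
    return findings

def audit_mailbox(rules: list) -> list:
    """Return [(rule_name, findings)] for every rule with at least one finding."""
    flagged = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            flagged.append((rule.get("name", ""), findings))
    return flagged

# Constructed export: one legitimate rule, one classic post-compromise rule,
# one harmless newsletter filter.
SAMPLE_RULES = [
    {"name": "Team alerts", "subject_contains": ["alert"],
     "forward_to": ["ops@examplepractice.com.au"]},
    {"name": ".", "subject_contains": ["invoice", "bank"],
     "forward_to": ["collect@mail-example.net"],
     "delete_message": True, "move_to_folder": "RSS Feeds"},
    {"name": "Newsletters", "subject_contains": ["newsletter"],
     "move_to_folder": "Newsletters"},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES):
        print(f"Rule {name!r}:")
        for f in findings:
            print("  -", f)
```

Run it against the rules exported for every mailbox, not just the one that reported the phishing email; attackers typically add the same rule wherever the stolen credential worked. Any flagged rule should be preserved (exported) as evidence before it is removed.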
Next Steps: How Fedix can help reduce cyber risk while improving compliance speed
Fedix can help Australian accounting practices reduce cyber exposure by reducing manual, email-driven handling of sensitive financial data and by accelerating exception-based review through MyLedger. Where practices are seeking an AI accounting software Australia solution that supports automated bank reconciliation and more controlled collaboration, MyLedger is designed to move work from unsecured spreadsheets and attachments into a governed workflow.
- Review your current reconciliation and working paper workflow for “email and spreadsheet risk points”.
- Pilot MyLedger on a controlled subset of clients to measure:
- Document the control uplift for insurer and governance purposes.
Learn more at home.fedix.ai and assess whether MyLedger’s automation and secure collaboration features align with your practice’s cyber risk register.
Frequently Asked Questions
Q: What are the biggest cyber risks for Australian accounting firms in 2025?
The biggest risks are Business Email Compromise (invoice and bank-detail redirection), credential theft targeting ATO and cloud systems, ransomware, supplier compromise (bookkeepers, IT providers, shared portals), and data breaches involving TFNs and identity documents. These risks are amplified by high-trust workflows and privileged access common in tax practices.
Q: Does the ATO provide guidance about scams and protecting tax agent accounts?
Yes. The ATO regularly publishes scam alerts and security guidance for Online services and tax professionals, including warnings about impersonation, credential harvesting, and fraudulent communications. Practices should align internal controls with this guidance and treat it as minimum operational hygiene.
Q: When does the Notifiable Data Breaches (NDB) scheme apply to accounting practices?
The NDB scheme under the Privacy Act 1988 (Cth) applies to entities covered by the Act (including many private sector organisations above relevant thresholds and some smaller entities in specific circumstances). If an eligible data breach occurs and serious harm is likely, notification obligations may arise. Legal advice should be obtained because coverage and thresholds depend on entity facts.
Q: How can automated bank reconciliation reduce cyber crime risk?
Automated bank reconciliation reduces risk by shortening processing time, reducing spreadsheet exports, limiting manual handling, and enabling quicker detection of anomalies and unauthorised changes. In practice, faster close cycles reduce the window in which manipulated transactions and payment redirections can go unnoticed.
Q: What is the safest way to handle client bank detail changes?
The safest method is a documented, mandatory verification workflow: independent confirmation using known contact details, dual approval, and retained evidence of verification. Bank details should not be accepted or changed solely based on an email request.
Disclaimer
This article is general information for Australian accounting practice contexts as of December 2025 and does not constitute legal, tax, or cybersecurity advice. Tax laws, privacy obligations, and ATO guidance are subject to change. Advice should be obtained from appropriately qualified professionals regarding your practice’s specific circumstances.