Phishing is the most common cyber attack method used against accounting firms. It involves deceptive emails, messages, or phone calls designed to trick staff into clicking malicious links, opening infected attachments, providing login credentials, or authorising fraudulent payments. Accounting practices are particularly attractive targets because they hold financial data, have HMRC relationships, and process client funds and payments.

This guide covers the main phishing attack types targeting accounting firms, the technical and organisational defences available, and how to train staff to recognise and report attacks effectively.

Why accounting practices are targeted

Phishing attacks against accounting firms seek several things:

Credential theft: login details for cloud accounting software, practice management systems, HMRC Online Services, and email. Once an attacker has email credentials, they can access historical correspondence, documents, and use the compromised account to launch further attacks against clients.

Invoice modification fraud: intercepting client payment communications and changing bank account details to redirect payments to attacker-controlled accounts. A convincing phishing email impersonating an accounting firm can divert substantial client funds.

HMRC impersonation: fake HMRC emails or calls threatening penalties, demanding urgent payment, or requesting login information. HMRC is one of the most commonly impersonated organisations in UK phishing campaigns.

Client impersonation: emails appearing to come from clients requesting urgent payments, tax document submissions, or information that the attacker can use for identity fraud.

Ransomware delivery: malicious attachments or links that install ransomware when opened, encrypting the firm's data and demanding payment for the decryption key.

Types of phishing attacks

Email phishing: bulk emails sent to many recipients, designed to look like messages from legitimate organisations — HMRC, Xero, QuickBooks, Microsoft, banks. The emails contain links to fake login pages or malicious attachments.

Spear phishing: targeted emails tailored to specific individuals using information gathered from LinkedIn, the firm's website, Companies House, or previous phishing successes. These are more convincing because they reference specific names, clients, or situations.

Whaling: spear phishing targeting senior people in the firm (partners, directors) — or impersonating them to instruct junior staff to make payments or transfer data.

Business email compromise (BEC): the attacker gains access to a legitimate email account (often through phishing) and uses it to send authentic-looking emails from that account — commonly to request changes to payment details, to authorise fictitious transactions, or to instruct staff to transfer funds.

Vishing: voice phishing — telephone calls impersonating HMRC, banks, or technology companies. HMRC does not make unsolicited calls demanding immediate payment; if you or a client receives such a call, it is fraudulent.

Smishing: SMS-based phishing. Less common in a business context but increasingly used for HMRC impersonation targeting individual taxpayers.

Technical defences

Email security: SPF, DKIM, DMARC

SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are email authentication standards that help prevent attackers from impersonating your domain in phishing emails.

  • SPF: specifies which servers are authorised to send email from your domain.
  • DKIM: adds a cryptographic signature to outbound emails, allowing recipients to verify they came from your domain.
  • DMARC: tells receiving email servers what to do with emails that fail SPF or DKIM checks (quarantine or reject), and provides reporting.

For accounting practices, DMARC is important both to protect your domain from being used in outbound phishing (impersonating your firm) and to reduce the risk of receiving phishing emails that impersonate your domain or common services.

Microsoft 365 and Google Workspace both support SPF, DKIM, and DMARC. Your IT support or email administrator should configure these correctly for your domain.
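DMARC's reporting feature is what turns the policy into visibility: receiving mail servers send aggregate (RUA) reports listing which source IPs sent mail as your domain and whether each passed aligned SPF and DKIM. The Python script below is an added example, not part of this guide or of any vendor tooling; it parses a constructed report (made-up domain, counts and RFC 5737 documentation IPs) and flags sources that failed both checks, which with p=none are still delivered.

```python
"""Summarise a DMARC aggregate (RUA) report and flag unauthenticated senders."""
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report format. The domain,
# source IPs (RFC 5737 documentation ranges) and counts are made up.
SAMPLE_RUA = """<feedback>
<report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
<policy_published><domain>examplefirm.co.uk</domain><p>none</p><pct>100</pct></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>42</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>examplefirm.co.uk</header_from></identifiers></record>
<record><row><source_ip>198.51.100.7</source_ip><count>17</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>examplefirm.co.uk</header_from></identifiers></record>
</feedback>"""


def parse_rua(xml_text):
    """Return (published policy, list of per-source rows)."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": evaluated.findtext("dkim"),  # aligned DKIM result
            "spf": evaluated.findtext("spf"),    # aligned SPF result
            "disposition": evaluated.findtext("disposition"),
        })
    return policy, rows


def summarise(xml_text):
    """Totals plus the sources that failed both aligned checks (likely spoofing)."""
    policy, rows = parse_rua(xml_text)
    failed = [r for r in rows if r["dkim"] != "pass" and r["spf"] != "pass"]
    delivered = [r for r in failed if r["disposition"] == "none"]
    return {
        "policy": policy,
        "total": sum(r["count"] for r in rows),
        "failed_sources": [r["ip"] for r in failed],
        "failed_count": sum(r["count"] for r in failed),
        # With p=none, failing mail is reported but still delivered to recipients.
        "delivered_unauthenticated": sum(r["count"] for r in delivered),
    }
```

A non-zero delivered_unauthenticated figure is the prompt to move the policy from p=none to quarantine and then reject once legitimate senders all pass.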

Anti-phishing filters

Both Microsoft 365 and Google Workspace include anti-phishing filters that identify and quarantine suspicious emails before they reach inboxes. These filters use machine learning to identify phishing patterns and are updated continuously with new attack signatures.

Ensure that your Microsoft 365 or Google Workspace anti-phishing settings are configured at the recommended level. In Microsoft 365, this is within the Microsoft Defender portal; in Google Workspace, within the Admin console's spam and phishing settings.

For additional protection, consider a dedicated email security gateway (Proofpoint, Mimecast, Barracuda) that provides more advanced filtering, URL rewriting (replacing links in emails with proxied versions that are analysed before the recipient reaches them), and sandboxing of attachments.

Multi-factor authentication

MFA is the most effective defence against the use of stolen credentials obtained through phishing. Even if a staff member provides their username and password to a phishing page, the attacker cannot log in without the second factor. Enable MFA on all systems — email, cloud accounting software, practice management — using authenticator apps rather than SMS.

Web filtering

Web filtering tools (available within Microsoft 365 Advanced Threat Protection and as standalone services) can block access to known malicious websites from managed devices. If a staff member clicks a phishing link, the web filter intercepts the connection before the malicious page loads.

Staff training and awareness

Technical controls reduce the attack surface; staff training reduces the human vulnerability. Both are needed.

What to include in phishing awareness training

Train staff to recognise:

Sender address verification: the display name can say anything — check the actual email address. An email appearing to be from "HMRC Customer Services" is phishing if the actual address is a random Gmail account. Legitimate HMRC emails come from @hmrc.gov.uk domains.

Urgency and pressure tactics: phishing emails typically create urgency — "you must act within 24 hours or face a penalty." Legitimate organisations do not demand immediate action in ways that prevent verification. Urgency is a red flag.

Unexpected requests: a client asking for urgent payment to a new bank account, HMRC demanding payment via an unusual method, or a supplier asking for credentials should all trigger verification by a separate communication channel (phone, known contact details — not replying to the email).

URL inspection: hover over links before clicking to see the actual URL. A link that shows "hmrc.gov.uk" in the visible text but points to a different domain is phishing.

Attachment caution: do not open attachments from unexpected sources. If a client or supplier sends an unexpected attachment, verify it by phone before opening.
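The sender-address, urgency and URL checks above can also be run automatically over an email that staff have reported, as a triage aid. The following Python script is an added example rather than part of this guide; the brand-to-domain mapping, the urgency phrase list and the sample message (all hosts and addresses made up) are assumptions.

```python
"""Flag the phishing indicators from the training list: a display name that claims
a brand the sender domain does not match, urgency wording, and deceptive link text."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping of brand names to the domains they legitimately send from.
EXPECTED_DOMAINS = {"hmrc": "hmrc.gov.uk", "xero": "xero.com"}
URGENCY = re.compile(r"\b(within 24 hours|immediately|penalty|account suspended)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

# Constructed sample message; every address and host in it is made up.
SAMPLE = """From: "HMRC Customer Services" <refunds@mail-notify.example>
To: accounts@examplefirm.co.uk
Subject: Tax refund: action required within 24 hours
Content-Type: text/html

<p>Claim your refund <b>immediately</b> or a penalty will apply.</p>
<p><a href="http://hmrc-login.example/refund">https://www.gov.uk/hmrc</a></p>
"""


def same_site(host, expected):
    """True if host is the expected domain or a subdomain of it."""
    host = (host or "").lower()
    return host == expected or host.endswith("." + expected)


def phishing_indicators(raw):
    """Return a list of human-readable findings (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    findings = []
    for brand, domain in EXPECTED_DOMAINS.items():  # display name vs real domain
        if brand in name.lower() and not same_site(sender_host, domain):
            findings.append(f"display name claims {brand} but sender is @{sender_host}")
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in parts if p.get_content_type() in ("text/plain", "text/html"))
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency or threat wording")
    for href, text in ANCHOR.findall(body):  # visible host vs actual link target
        shown = HOSTLIKE.search(re.sub(r"<[^>]+>", "", text))
        if shown and not same_site(urlparse(href).hostname, shown.group(0).lower()):
            findings.append(f"link text shows {shown.group(0)} but points to {urlparse(href).hostname}")
    return findings
```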

Reporting culture

Create a culture where staff report suspected phishing immediately without fear of criticism. Every reported phishing attempt gives you the opportunity to warn other staff before someone clicks the link.

Use the "Report Phishing" button in Microsoft 365 or the Google Workspace equivalent to report phishing emails directly to Microsoft or Google, which improves their filters. Report significant or targeted attacks to the NCSC's phishing reporting service.

Simulated phishing exercises

Simulated phishing exercises — sending test phishing emails to your own staff to see who clicks — are an effective training tool. Most email security providers and some dedicated security awareness platforms (KnowBe4, Proofpoint Security Awareness Training) include simulated phishing campaigns.

Run simulated exercises quarterly. Staff who click simulated phishing links receive immediate additional training. Over time, click rates typically fall significantly as awareness improves.

Responding to a suspected phishing attack

If a staff member suspects they have clicked a phishing link or provided credentials to a fake site:

  1. Do not wait to see what happens — act immediately.
  2. Change the password for the compromised account right now.
  3. Revoke any active sessions in the account (most cloud platforms provide a "sign out of all devices" option).
  4. Check whether any data has been accessed or messages sent from the compromised account.
  5. Enable MFA if not already active.
  6. Report internally to the designated security contact.
  7. If client data may have been accessed, follow the data breach response procedure.

Speed matters — the faster the response, the smaller the window for the attacker to cause damage.

Key takeaways

  • Phishing is the most common attack vector against accounting firms; targets include login credentials, payment authorisations, and ransomware delivery.
  • Configure SPF, DKIM, and DMARC for your email domain; enable advanced anti-phishing filters in Microsoft 365 or Google Workspace.
  • MFA on all critical systems neutralises credential theft from phishing — it is your most effective technical defence.
  • Train staff to check sender addresses, be sceptical of urgency, verify unexpected requests through separate channels, and report suspected phishing immediately.
  • Run quarterly simulated phishing exercises to maintain staff awareness and measure improvement over time.

Frequently asked questions

How do I tell if an email is really from HMRC?

Legitimate HMRC emails come from domains ending in @hmrc.gov.uk. HMRC does not send emails asking for payment via bank transfer, does not send emails with clickable payment links requiring immediate action, and does not threaten arrest or legal action by email. If you are uncertain whether an HMRC communication is genuine, contact HMRC directly using the phone numbers published on GOV.UK — not any contact details in the email itself.

What should I do if a client tells me they received an email pretending to be from my firm?

Act immediately: warn all clients that a phishing campaign is impersonating your firm, notify relevant email security services (Microsoft or Google, as appropriate), and assess whether your domain has been spoofed (check DMARC reports if you have DMARC implemented). Report the fraudulent emails to the NCSC's phishing reporting service at report@phishing.gov.uk. If client funds may have been diverted, advise clients to contact their bank immediately and report to Action Fraud.

Is HMRC phishing getting more sophisticated?

Yes. HMRC phishing emails have become significantly more convincing in recent years, correctly referencing the recipient's UTR or NI number in some cases (using data from previous breaches) and mimicking HMRC's visual style closely. The best defences are staff awareness training that emphasises process over visual recognition (always verify unexpected requests through a separate channel), and technical controls including DMARC and anti-phishing filters.

Should I open attachments from clients if I was not expecting them?

Treat unexpected attachments with caution even from known clients — a client's email account may itself have been compromised and used to send you a malicious attachment. If you receive an unexpected attachment from a client, call them on a known number before opening it to confirm they sent it intentionally. This extra step takes thirty seconds and prevents a significant percentage of malware installations.

What is invoice modification fraud and how common is it in accounting?

Invoice modification fraud (also called payment diversion fraud or mandate fraud) involves an attacker intercepting payment-related communications and changing bank account details in supplier invoices or correspondence to divert payments to attacker-controlled accounts. It is relatively common in accounting and legal firm contexts, where payment instructions flow regularly between firms and clients. Defend against it by always verifying new or changed bank account details by phone using a number from your own records (not one provided in the email), and by having a firm policy that payment details cannot be changed by email alone.