Cyber Security for Accountants and Bookkeepers: Protecting Client Financial Data
Australian accountants and bookkeepers handle some of the most sensitive data a business holds — here's how to protect it from the threats specifically targeting your profession.
Accountants, bookkeepers, BAS agents, and tax agents sit at the centre of some of the most sensitive information a small business or individual will ever share. Tax file numbers, bank account details, payroll records, ATO portal access, client financial statements — if you work in this profession, you're holding data that cybercriminals specifically target.
This isn't a theoretical risk. The ATO regularly publishes warnings about attacks targeting tax agents, and Australian accounting firms of all sizes have been hit by ransomware, business email compromise, and ATO credential theft. Understanding the specific threats to your profession — and the controls that actually reduce risk — is now a core part of running a practice.
Why Accountants and Bookkeepers Are Prime Targets
Your position in the financial ecosystem makes you uniquely attractive to cybercriminals. Through your ATO Online Services for Agents account, you can view and interact with the tax affairs of every client in your practice. That single set of credentials is a master key. If an attacker gets into your ATO agent account, they can redirect tax refunds, change client bank details, and lodge fraudulent returns — at scale, across your entire client list.
Beyond ATO access, you typically hold:
- Client tax file numbers (TFNs) — among the most sensitive identifiers in Australia
- Business and personal bank account details
- Payroll records including employee TFNs and superannuation information
- Access to cloud accounting platforms like Xero, MYOB, and QuickBooks — often with the ability to create or approve payments
- SMSF data through platforms like Class and BGL
A compromise of your systems doesn't just expose one client — it can expose your entire book.
The Threats You're Most Likely to Face
ATO Impersonation Scams
Attackers send emails, SMS messages, or make phone calls pretending to be the ATO, targeting both you and your clients. A common approach is to email you a "secure message" that requires you to log in: the login page is a fake that captures your credentials the moment you enter them, and some kits also relay the MFA code you type. The ATO does not send messages containing links that ask you to log in or provide credentials, and it will not demand payment details or payment by unusual methods over the phone. If a message creates urgency and asks you to act through a link, treat it as hostile and go to the ATO site by typing the address yourself.
Business Email Compromise Targeting Client Payments
Business email compromise (BEC) is where an attacker either takes over your email account or impersonates your email address (often from a lookalike domain one character away from yours), then contacts your clients to change payment details. In an accounting context, this might mean a client receives an email appearing to come from you, asking them to update the bank account they use for tax payments or invoice remittances. The funds go to the attacker's account. These attacks are sophisticated: the emails often reference real matters, use correct names, and may be sent from a real mailbox in your practice that the attacker is quietly reading. The control that defeats BEC is a fixed rule, agreed with every client up front, that no change of bank details is ever accepted on the strength of an email alone; the change is confirmed by a phone call to a number already on file, never one taken from the email.
Tax Refund Fraud
With access to your ATO agent account, criminals can alter client bank details in the ATO system so that legitimate tax refunds are redirected to fraudulent accounts. By the time anyone notices, the money is gone and recovery is difficult.
Essential Security Controls for Accounting Practices
Multi-Factor Authentication — Mandatory and Non-Negotiable
MFA on your ATO Online Services for Agents account has been mandatory since November 2022. But MFA should extend to every system in your practice: Xero, MYOB, QuickBooks, Class, BGL, your email account, and your practice management software. If any of these systems offer MFA and you haven't turned it on, do it today. A stolen password alone will not be enough to get in if MFA is enabled. Two caveats: prefer an authenticator app or passkey over SMS codes, which can be intercepted through SIM swapping, and remember that phishing sites which relay your code in real time can still defeat a one-time code, so MFA reduces the risk from a stolen password but does not replace the training below.
Strong Access Controls on Client Files
Not everyone in your practice needs access to every client's files. Apply the principle of least privilege: staff should only be able to access the clients they actively work on, and only the people who approve payments should hold payment-approval rights in Xero, MYOB, or QuickBooks. In Xero Practice Manager and similar tools, this is configurable. When staff leave, revoke their access immediately across every system, including their authorisation to act for the practice in Relationship Authorisation Manager (RAM) and any client delegations, and review the full list of who holds access at least once a year so that dormant accounts don't accumulate.
Secure Document Sharing
Sending tax returns, financial statements, and documents containing TFNs as email attachments is a significant risk — email is not a secure channel. Use a dedicated client portal for document exchange. Most major accounting platforms include one, or you can use a standalone tool. Ensure the portal uses encryption and requires client authentication before documents can be accessed.
Staff Training on ATO Impersonation
Every person in your practice who handles email or phone calls needs to know how ATO impersonation scams work. Train them to pause before clicking any link that asks for ATO credentials, and to verify unexpected requests by calling the ATO directly using the number on ato.gov.au — not a number provided in the suspicious message.
Your Obligations Under the Tax Practitioners Board Code
The TPB Code of Professional Conduct includes obligations to act with integrity and to protect confidential client information. While the Code doesn't specify technical security controls in detail, it's well established that a failure to take reasonable steps to protect client data — resulting in a breach — can constitute a breach of the Code. The TPB has the power to investigate and sanction registered practitioners.
Additionally, your obligations under the Privacy Act 1988 require you to take reasonable steps to protect personal information you hold. The small business exemption in the Privacy Act does not remove your obligations for tax file numbers: the Privacy (Tax File Number) Rule 2015 applies to every TFN recipient regardless of turnover. If you experience a data breach that is likely to result in serious harm to any individual, you may have mandatory notification obligations under the Notifiable Data Breaches scheme, including notifying both the Office of the Australian Information Commissioner and affected individuals.
What to Do if Your ATO Account Is Compromised
- Call the ATO tax agent and BAS agent phone line immediately and report the incident
- Change your password and any associated credentials right away, sign out all active sessions, and re-enrol MFA in case the attacker registered their own device
- Check the mailbox of anyone involved for forwarding rules, auto-delete rules, and unfamiliar connected apps, which attackers add to keep reading email after the password is changed
- Ask the ATO to lock your account and review recent activity for unauthorised changes
- Notify the Tax Practitioners Board
- Review your client accounts for any unauthorised lodgements or bank detail changes
- Notify affected clients as soon as you can confirm what data was accessed
- Engage a cybersecurity professional to assess how the compromise occurred
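One concrete way to carry out the review of client bank details in the checklist above is to keep a known-good export of client bank details from before the incident and diff the current export against it. The following is an added example, not code from the original article or from any practice software; it assumes each export is a CSV with the columns client_id, client_name, bsb, and account_number (the two exports below are constructed for illustration, and a real export will have a different layout). Account numbers are masked in the findings so the report can be shared without spreading the full numbers further.

```python
"""Diff a known-good export of client bank details against the current export.

Added example, not from the original article. Assumed (constructed) CSV layout:
client_id, client_name, bsb, account_number. Real exports will differ.
"""
import csv
import io

# Constructed sample exports. In practice these would be files exported from
# the practice management system before and after the suspected compromise.
BASELINE_CSV = """client_id,client_name,bsb,account_number
1001,Alpha Pty Ltd,062-000,12345678
1002,Beta Bookkeeping,033-001,87654321
1003,Gamma SMSF,012-003,55566677
"""

CURRENT_CSV = """client_id,client_name,bsb,account_number
1001,Alpha Pty Ltd,062-000,12345678
1002,Beta Bookkeeping,082-999,11223344
1004,Delta Trust,062-000,99887766
"""


def mask_account(account_number):
    """Keep only the last four digits so findings can be shared safely."""
    if len(account_number) <= 4:
        return account_number
    return "*" * (len(account_number) - 4) + account_number[-4:]


def load_export(text):
    """Parse a CSV export into a dict keyed by client_id."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["client_id"].strip(): row for row in reader}


def compare_bank_details(baseline_text, current_text):
    """Return changed bank details plus clients that appeared or disappeared.

    Any entry in 'changed' must be verified with the client by phone on a
    number already on file; 'added' clients need the same verification because
    a fraudulent client record is one way to park a redirected refund.
    """
    baseline = load_export(baseline_text)
    current = load_export(current_text)
    findings = {"changed": [], "added": [], "removed": []}

    for cid, old in baseline.items():
        new = current.get(cid)
        if new is None:
            findings["removed"].append(cid)
            continue
        if (old["bsb"], old["account_number"]) != (new["bsb"], new["account_number"]):
            findings["changed"].append({
                "client_id": cid,
                "client_name": new["client_name"],
                "old": f"{old['bsb']} {mask_account(old['account_number'])}",
                "new": f"{new['bsb']} {mask_account(new['account_number'])}",
            })

    findings["added"] = [cid for cid in current if cid not in baseline]
    return findings


if __name__ == "__main__":
    result = compare_bank_details(BASELINE_CSV, CURRENT_CSV)
    for item in result["changed"]:
        print(f"CHANGED  {item['client_id']} {item['client_name']}: "
              f"{item['old']} -> {item['new']}")
    for cid in result["added"]:
        print(f"ADDED    client {cid} is not in the baseline")
    for cid in result["removed"]:
        print(f"REMOVED  client {cid} is missing from the current export")
```

Run it against exports taken from the practice software and treat every line of output as a phone call to make, not as a conclusion: the diff tells you what changed, and only a call to the client on a known number tells you whether the change was legitimate.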
The consequences of a credential compromise in an accounting practice can be severe — financially, reputationally, and professionally. The good news is that most of the controls that prevent it are straightforward. MFA, access controls, and staff training are within reach for any practice, regardless of size.
Frequently asked questions
Is MFA mandatory for tax agents in Australia?
Yes. The Australian Taxation Office made multi-factor authentication mandatory for all registered tax agents and BAS agents accessing ATO Online Services for Agents from November 2022. This applies to every login, not just certain actions. If you haven't enabled MFA on your ATO account, you're not compliant — and you're leaving a significant door open to fraudsters who target tax agent credentials specifically.
How should I securely share financial documents with clients?
You should avoid emailing documents containing tax file numbers, bank details, or financial statements as unprotected attachments. Instead, use a secure client portal; most major accounting platforms like Xero Practice Manager, MYOB Practice, or Class offer this built in. If you use a third-party file-sharing tool such as ShareFile, ensure it encrypts data in transit and at rest. Always send a link to the portal rather than the document itself, make sure clients must sign in to access their files, and turn on MFA for client logins where the portal supports it.
What should I do if I suspect my ATO Online Services account has been compromised?
Act immediately. Contact the ATO's tax agent and BAS agent phone line and report the suspected compromise — the ATO has a dedicated fraud team who can lock down your account and review recent activity. Change your password and revoke any linked credentials straight away. Notify the Tax Practitioners Board, as you may have obligations under the Code of Professional Conduct to report incidents that affect client data. Check whether any lodgements, bank account changes, or refund requests were made without your authorisation, and contact affected clients as soon as possible.