How Australian Accounting Firms Actually Get Hacked - And How to Stop It

January 07, 2026

Most cyber incidents in Australian accounting firms are not caused by advanced hacking. They are caused by predictable weaknesses in email, access, and everyday workflows.
1. A single stolen email password gives attackers a foothold

An attacker does not need to breach your network if they can log in as a real person.

Most incidents start with a staff member entering their credentials into a fake login page. Nothing breaks. No warning appears. Hours later, someone else is reading their inbox, resetting passwords, and impersonating them to clients.

Email is powerful because it is identity, communication, and account recovery all in one place. Once an attacker controls a mailbox, everything downstream becomes easier.

Fix

  • Enforce multi-factor authentication on every mailbox, including partners.
  • Treat single-factor email logins as unacceptable risk.

2. Shared logins make compromises invisible and uncontainable

Shared “accounts@” or “admin” logins are common in small firms because they feel convenient.

When one of those passwords is compromised, the attacker blends in. Logins look normal. Audit trails are useless. When something goes wrong, no one can confidently say who accessed what or when.

This delays response and expands damage.

Fix

  • Give every staff member an individual login.
  • Use shared mailboxes with delegated access, not shared passwords.

3. Password reuse lets old breaches become new incidents

Many compromises do not start with phishing at all.

Attackers routinely take credentials from unrelated breaches and test them against business email and cloud services. If staff reuse passwords, the login simply works.

There is often no obvious trigger email to point to, which is why firms are surprised by how attackers “got in”.

Fix

  • Require a password manager for all staff.
  • Enforce unique, randomly generated passwords across all systems.
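The following is an added example, not code from the original article or from LedgerOptic. It shows the two controls above in working form: generating the kind of unique random password a manager would produce, and screening a candidate password against a breached-password corpus without the password ever leaving the device. The screening follows the k-anonymity range design used by the Have I Been Pwned "Pwned Passwords" service (only the first five hex characters of the SHA-1 are sent; every suffix in that range comes back with a breach count and the comparison happens locally), but it runs entirely offline against a constructed range table, so `fetch_range` is a stand-in for the real HTTPS call and the sample passwords and counts are invented.

```python
"""Offline breached-password screening plus random password generation.
Added example; the range table below is constructed, not real breach data."""
import hashlib
import secrets
import string

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str):
    """k-anonymity split: the 5-char prefix leaves the device, the 35-char suffix stays local."""
    return digest[:5], digest[5:]

def build_constructed_ranges(seen: dict[str, int]) -> dict[str, str]:
    """Build a prefix -> 'SUFFIX:COUNT' range table (same line format the real
    service returns) from a few deliberately weak sample passwords."""
    table: dict[str, list[str]] = {}
    for pwd, count in seen.items():
        prefix, suffix = split_hash(sha1_hex(pwd))
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in table.items()}

# Constructed corpus: passwords and counts are made up for this example.
CONSTRUCTED_RANGES = build_constructed_ranges({
    "Winter2024!": 3,
    "Password1": 12000,
    "Accounts123": 41,
})

def fetch_range(prefix: str) -> str:
    """Stand-in for GET /range/<prefix>; only the 5-char prefix is ever passed here."""
    return CONSTRUCTED_RANGES.get(prefix, "")

def breach_count(password: str) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    The full hash is never transmitted; the suffix match is done locally."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def generate_password(length: int = 20) -> str:
    """Unique, randomly generated password of the kind a password manager produces."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for pwd in ("Winter2024!", generate_password()):
        n = breach_count(pwd)
        verdict = f"REJECT, seen {n} times" if n else "not in corpus"
        print(f"{pwd!r}: {verdict}")
```

Against a real corpus the same `breach_count` logic applies unchanged; only `fetch_range` would perform the network request, and it still receives nothing but the five-character prefix.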

4. Inbox rules and forwarding let attackers stay hidden for weeks

Once inside a mailbox, attackers aim to become invisible.

They create inbox rules to hide or forward emails mentioning invoices, payments, or security alerts. The user keeps working, unaware that important messages never reach them.

This tactic is common in fraud and data theft cases because it buys attackers time.

Fix

  • Disable or tightly restrict external email forwarding.
  • Enable alerts for new inbox rules and forwarding changes.
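As an added example (not from the original article), the script below implements the alerting idea above as a triage pass over mailbox-rule and forwarding events. The record shape is a simplified, constructed approximation of the Microsoft 365 unified audit log's Exchange `AuditData` JSON (`Operation`, `UserId`, and `Parameters` as Name/Value pairs); treat that shape, the firm domain `examplefirm.com.au`, and the sample records as assumptions and check them against your tenant's real export. It flags rules that forward or redirect to external addresses, delete or bury messages, match finance or security keywords, or carry an empty or one-character name.

```python
"""Triage Microsoft 365 audit records for inbox-rule and forwarding changes.
Added example; the record shape is an assumed simplification and the log
lines are constructed, not real tenant data."""
import json

# Domains the firm owns (assumed); any other domain counts as external.
INTERNAL_DOMAINS = {"examplefirm.com.au"}

# Terms commonly used in rule conditions to hide finance and security mail.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "bank", "remittance", "security", "password"}

# Operations that change where mail goes or whether the user sees it.
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}

# Folders attackers pick because users rarely open them.
BURY_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history", "junk email"}

def _params(record):
    """Collapse the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def _is_external(address):
    return "@" in address and address.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS

def assess(record):
    """Return the list of reasons this record is suspicious (empty means benign)."""
    op = record.get("Operation", "")
    if op not in WATCHED_OPERATIONS:
        return []
    p = _params(record)
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"):
        value = p.get(key, "")
        # Exchange prefixes some addresses with "smtp:"; strip it before checking the domain.
        addr = value.split(":", 1)[1] if value.lower().startswith("smtp:") else value
        if addr and _is_external(addr):
            reasons.append(f"{key} sends mail to external address {addr}")
    if p.get("DeleteMessage", "").lower() == "true" or p.get("MoveToFolder", "").lower() in BURY_FOLDERS:
        reasons.append("rule hides messages (delete or move to a rarely viewed folder)")
    for cond in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words = {w.strip().lower() for w in p.get(cond, "").split(",") if w.strip()}
        hit = words & SUSPICIOUS_KEYWORDS
        if hit:
            reasons.append(f"{cond} matches finance/security terms: {sorted(hit)}")
    if "InboxRule" in op and p.get("Name", "").strip() in {"", ".", ",", "..", "a"}:
        reasons.append("rule has an empty or single-character name")
    return reasons

def triage(lines):
    """Parse newline-delimited JSON records; return (user, operation, reasons) for suspicious ones."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = assess(record)
        if reasons:
            findings.append((record.get("UserId", "?"), record["Operation"], reasons))
    return findings

# Constructed sample records (not real tenant data).
SAMPLE_LOG = r'''
{"Operation":"New-InboxRule","UserId":"j.smith@examplefirm.com.au","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice,payment"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"Set-Mailbox","UserId":"j.smith@examplefirm.com.au","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:archive.mail@outlook-relay.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"a.lee@examplefirm.com.au","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"Operation":"MailItemsAccessed","UserId":"a.lee@examplefirm.com.au","Parameters":[]}
'''

if __name__ == "__main__":
    for user, op, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"[ALERT] {user} {op}: " + "; ".join(reasons))
```

Run over the constructed log, the first two records (a nameless rule that deletes invoice and payment mail, and mailbox-level forwarding to an external relay) are flagged, while the ordinary newsletter rule and the unrelated access event are not. The keyword and folder lists are starting points; tune them to the terms your clients actually use.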

5. Malicious attachments exploit normal work habits

Most malware arrives disguised as routine work: invoices, statements, or scanned documents.

When staff enable macros or open untrusted attachments on unpatched systems, attackers gain a way to run code, install remote access tools, or deploy ransomware later.

This is not user stupidity. It is attackers exploiting predictable behaviour.

Fix

  • Enable automatic OS and application updates.
  • Block or restrict macros from internet-sourced documents.
  • Use basic application controls where possible.

6. Lost or stolen devices expose data without any hacking

A laptop left in a car or cafe does not feel like a cyber incident, but it often is.

If the device is unencrypted, anyone with physical access can read the drive, access cached sessions, and retrieve client data. No malware or network access is required.

Fix

  • Enable full disk encryption on all laptops and mobile devices.
  • Enforce screen locks and strong device passwords.
  • Ensure lost devices can be remotely wiped.

7. Email-based bank detail changes enable direct theft

Payment redirection fraud remains one of the most financially damaging incidents for accounting firms.

Attackers impersonate clients or suppliers and request bank detail changes. The emails look legitimate because they often come from compromised accounts or well-crafted impersonations.

Trust and urgency do the rest.

Fix

  • Never accept bank detail changes via email alone.
  • Require out-of-band verification using a known phone number.
  • Document verification steps in your practice system.

8. Excessive access turns small mistakes into firm-wide incidents

When user accounts have broad or admin-level access “just in case”, a single compromise can cascade across systems.

Attackers prioritise accounts with elevated privileges because they allow lateral movement, persistence, and suppression of alerts.

Fix

  • Apply least privilege across systems.
  • Remove standing admin access from day-to-day accounts.
  • Review access when roles change.

9. Untested backups collapse under real pressure

Many firms discover the truth about their backups only after ransomware strikes.

Backups may be incomplete, accessible to attackers, or never tested for real restoration. When recovery is slow or uncertain, attackers gain leverage.

Fix

  • Maintain at least one offline or immutable backup.
  • Test restores of critical systems, not just files.
  • Know your realistic recovery time.

10. No incident plan means the first hour is wasted

When something feels wrong, uncertainty is the enemy.

Firms without a basic incident plan lose time deciding who should act, what to shut down, and who to notify. During that delay, attackers continue to access systems or exfiltrate data.

Fix

  • Create a simple, one-page incident response plan.
  • Define who does what in the first hour.
  • Keep it accessible and up to date.

Ready to see LedgerOptic in action?

Book a personalised walkthrough to learn how LedgerOptic streamlines compliance reviews, surfaces ledger risks, and saves your firm hours each week.