Accountancy practices are a high-value target. You hold payroll data, bank details and the authority to act for dozens of clients, and most of it moves by email. If your domain can be spoofed, a criminal can impersonate your practice to every client on your list.
A client gets an email that looks like it is from your practice asking to update payroll or supplier bank details. Or you get one that looks like it is from a client. Either way, money moves to a criminal.
Around filing deadlines, fake HMRC and "your accountant" emails spike. Staff working under pressure click, and credentials or payments are lost.
You are a data processor for your clients. A breach through a compromised inbox is your notifiable incident, with your professional reputation attached.
Criminals sit in a mailbox for weeks reading correspondence, then strike at the moment a real payment is due, when their fake email is most believable.
A practice manager receives an email from a long-standing client: "please pay our VAT refund into this account." The address and signature are perfect. It was a spoof, sent because the practice domain had no DMARC enforcement. The refund went to a criminal, and the client held the practice responsible for acting on an email it should never have trusted.
No. Those platforms secure their own logins. Email authentication is set on your practice domain DNS records and is separate. The free check shows what your domain has in place whatever software you run.
Cyber Essentials requires MFA and email filtering, but it does not mandate SPF, DKIM or DMARC. Plenty of certified practices are still spoofable. Run the check to see your actual exposure.
Commercially, often yes, especially if your domain could be impersonated. Being able to show your domain is locked down, and that you verify bank changes by phone, is the difference between a near-miss and a claim.
Run the free check above to see whether your practice domain can be impersonated, and get a plain-English fix list for your IT team.