Accountancy practices are a high-value target. You hold payroll data, bank details and the authority to act for dozens of clients, and most of it moves by email. If your domain can be spoofed, a criminal can impersonate your practice to every client on your list.

How Accountants get targeted

Payroll and bank-change fraud

A client gets an email that looks like it is from your practice asking to update payroll or supplier bank details. Or you get one that looks like it is from a client. Either way, money moves to a criminal.

Deadline-season impersonation

Around filing deadlines, fake HMRC and "your accountant" emails spike. Staff working under pressure click, and credentials or payments are lost.

Client data as a processor

You are a data processor for your clients. A breach through a compromised inbox is your notifiable incident, with your professional reputation attached.

Silent account compromise

Criminals sit in a mailbox for weeks reading correspondence, then strike at the moment a real payment is due, when their fake email is most believable.

What this looks like in practice

A practice manager receives an email from a long-standing client: "please pay our VAT refund into this account." The address and signature are perfect. It was a spoof, sent because the practice domain had no DMARC enforcement. The refund went to a criminal, and the client held the practice responsible for acting on an email it should never have trusted.

Your quick checklist

  • DMARC set to reject on your practice domain
  • SPF covering your email platform, payroll and practice software
  • MFA on every mailbox, including admin accounts
  • A policy to verify any bank or payroll change by phone
  • Staff trained to spot deadline-season phishing

Questions we get asked

We use IRIS, Xero or Sage. Is email security their job?

No. Those platforms secure their own logins. Email authentication is set on your practice domain DNS records and is separate. The free check shows what your domain has in place whatever software you run.

We already have Cyber Essentials. Does that cover email?

Cyber Essentials requires MFA and email filtering, but it does not mandate SPF, DKIM or DMARC. Plenty of certified practices are still spoofable. Run the check to see your actual exposure.

If a client is defrauded by a fake email in our name, is that our problem?

Commercially, often yes, especially if your domain could be impersonated. Being able to show your domain is locked down, and that you verify bank changes by phone, is the difference between a near-miss and a claim.

Run the free check above to see whether your practice domain can be impersonated, and get a plain-English fix list for your IT team.