TL;DR

  • Legal, accounting, and management services is consistently in Australia's top 5 most-breached sectors — confirmed by OAIC's July–December 2024 Notifiable Data Breaches report, which listed it alongside health, government, finance, and retail.
  • ATO portal access is your biggest liability: A single compromised tax agent login exposes every client's tax account simultaneously — enabling fraudulent BAS lodgements, redirected refunds, and identity theft at scale. The ATO has issued repeated warnings to tax agents about credential-based attacks since 2023.
  • Your clients' financial data is worth more than you think: A mid-sized accounting firm holding 200 business clients' tax returns, financial statements, and bank account details is sitting on a dataset that criminals will pay, ransom, and extort to access.
  • Act now: The Privacy and Other Legislation Amendment Act 2024 (most provisions effective 11 December 2024) expanded OAIC enforcement powers, adding a mid-tier civil penalty and infringement notices beneath the existing maximum for serious or repeated interferences with privacy (the greater of AUD $50 million, three times the benefit obtained, or 30% of adjusted turnover, in force since December 2022). Separately, the Tax Practitioners Board (TPB), not the ATO, can suspend or deregister tax agents whose credential management contributed to client data loss.

Why Accounting Businesses Are Cybersecurity Targets

Australian accounting and bookkeeping practices are extraordinarily attractive cybercrime targets because they are simultaneously data-dense and resource-constrained in their approach to security. A typical mid-sized practice serving 200–500 business clients holds: complete tax returns and financial statements (often 3–7 years per client), staff myID (formerly myGovID) digital identities with access to ATO Online services for agents, Xero/MYOB/QuickBooks login credentials for client bookkeeping systems, bank account details for hundreds of businesses and individuals, payroll data including employee personal information, and business acquisition and financing documentation. This data concentration makes accounting practices a "one breach accesses all" target: compromise one tax agent's credentials and you gain access to every client's financial world simultaneously. The Office of the Australian Information Commissioner's (OAIC) NDB statistics for January–June 2024 recorded 527 breach notifications, a 9% increase on the previous six months, with legal, accounting, and management services consistently ranked in the top five sectors. Cyber security incidents (phishing, ransomware, credential theft) accounted for 38% of all reported breaches. For accounting practices, the stakes extend beyond regulatory penalties: the Tax Practitioners Board (TPB) can suspend or deregister tax agents whose negligent security practices enabled client data loss, and professional indemnity insurers are scrutinising security controls before paying breach-related claims.


The Top 3 Cybersecurity Threats for Accounting

1. ATO Credential Theft and Tax Portal Fraud

The Australian Taxation Office's Online services for agents portal is a prime target for cybercriminals because compromising a tax agent's access provides simultaneous control over every client's ATO account. Attack vectors include: phishing emails impersonating ATO communications (asking agents to "verify" their myID or portal credentials), credential-stuffing attacks that replay username/password combinations leaked from unrelated data breaches against the practice's email, cloud accounting and remote-access logins, and malware installed on practice computers that silently captures portal session tokens so the attacker can ride an already-authenticated session. Once inside a tax agent's ATO account, attackers can: change client banking details to redirect tax refunds and BAS refunds to attacker-controlled accounts; lodge fraudulent BAS statements that generate refunds; access sensitive financial information that enables identity fraud; and harvest data for targeted phishing against the agent's clients. The ATO reported a significant increase in tax agent account compromise attempts in 2023 and 2024 and has tightened agent authentication (myID identity strength requirements and client-to-agent linking for business clients), but those controls only help if practices stop sharing logins and protect the devices that carry the myID app. A single credential compromise can result in fraud across dozens of client accounts before the attack is detected, so the practical question is how quickly you would notice a stuffing run or a sign-in from an attacker's address.
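The credential-stuffing pattern described above is easy to spot in sign-in logs if anyone looks. The script below is an added example (not ATO, Xero or Microsoft code) that assumes a generic sign-in log exported as CSV lines of "timestamp,user,source_ip,result"; the field names, the staff accounts and the log lines are constructed for illustration. It flags any source IP that tries five or more distinct accounts within ten minutes, then treats any successful sign-in from such an IP as a probable account takeover.

```python
"""Flag credential stuffing and likely account takeover in sign-in logs.

Added example, not ATO, Xero or Microsoft code. It assumes a generic sign-in
log exported as CSV lines of "timestamp,user,source_ip,result"; the field
names and the sample log below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STUFFING_WINDOW = timedelta(minutes=10)   # sliding window per source IP
STUFFING_MIN_USERS = 5                    # distinct accounts tried from one IP

# Constructed sample: one IP cycles through six staff accounts with leaked
# passwords and gets into one of them; the office IP behaves normally.
SAMPLE_LOG = """\
2025-03-03T08:59:10,alice@example-practice.au,203.0.113.10,success
2025-03-03T09:00:01,alice@example-practice.au,198.51.100.7,failure
2025-03-03T09:00:03,bob@example-practice.au,198.51.100.7,failure
2025-03-03T09:00:05,carol@example-practice.au,198.51.100.7,failure
2025-03-03T09:00:07,dave@example-practice.au,198.51.100.7,failure
2025-03-03T09:00:09,erin@example-practice.au,198.51.100.7,failure
2025-03-03T09:00:12,frank@example-practice.au,198.51.100.7,success
2025-03-03T09:30:00,bob@example-practice.au,203.0.113.10,success
"""


def parse_log(text):
    """Turn CSV lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def detect_credential_stuffing(events):
    """Return {ip: set_of_users} for IPs that tried STUFFING_MIN_USERS or more
    distinct accounts inside STUFFING_WINDOW. Failures and successes both
    count: a stuffing run that lands one valid password still looks like this."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        start = 0
        for end, current in enumerate(attempts):
            # Slide the window start forward until it fits STUFFING_WINDOW.
            while current["ts"] - attempts[start]["ts"] > STUFFING_WINDOW:
                start += 1
            users = {a["user"] for a in attempts[start:end + 1]}
            if len(users) >= STUFFING_MIN_USERS and len(users) > len(flagged.get(ip, ())):
                flagged[ip] = users
    return flagged


def detect_takeovers(events, stuffing):
    """Any success from a stuffing IP is a probable takeover: reset the
    password, revoke sessions and review that account's recent activity."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["result"] == "success" and e["ip"] in stuffing})


def analyse(text):
    """Run both detectors over a log export and return a report dict."""
    events = parse_log(text)
    stuffing = detect_credential_stuffing(events)
    return {"stuffing_ips": {ip: sorted(users) for ip, users in stuffing.items()},
            "takeovers": detect_takeovers(events, stuffing)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, 198.51.100.7 is flagged for touching six accounts in eleven seconds and frank's successful sign-in from it is reported as a takeover; the office address, which only ever signs in as the people who work there, is not. Run it against a daily export from Microsoft 365 or your cloud accounting platform's audit log after mapping the columns, and pair it with MFA so a stuffed password on its own cannot complete a sign-in.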

2. Ransomware Targeting Client File Systems

Accounting practices store their core value in client files — financial statements, tax records, workpapers, correspondence, and engagement letters, typically in a Document Management System (DMS), shared network drive, or cloud storage. Ransomware attacks that encrypt these files create immediate practice-crippling crises: you cannot serve active clients (tax lodgements, BAS, payroll processing), meet ATO deadlines, or respond to client queries. The time-pressure is extreme: missing BAS lodgement dates or tax return deadlines has direct financial consequences for clients (penalties from the ATO), creating intense pressure to restore systems quickly — or pay the ransom. Modern ransomware employs "double extortion": simultaneously encrypting files and exfiltrating client data to threaten publication on the dark web. For an accounting practice, publication of client financial records on the dark web is potentially fatal to the business — every client will immediately seek a new accountant and may have grounds to sue. The ASD's ACSC Annual Cyber Threat Report 2024–25 confirmed that ransomware frequency and financial losses both increased throughout FY2024–25, with professional services firms among the consistently targeted sectors.

3. Business Email Compromise and Client Fund Redirection

Business Email Compromise (BEC) targeting accounting practices works through two primary vectors. First, attackers compromise an accountant's email account and use it to send fraudulent instructions to clients — directing them to pay invoices to attacker-controlled accounts, providing false banking details for trust account transactions, or impersonating the accountant to authorise financial actions. Second, attackers impersonate clients to send accountants fraudulent instructions — for example, impersonating a business owner to request that the accountant transfer funds from a business account, or to redirect payroll payments. The impersonation is usually cheap: a lookalike domain one character away from the client's real one, a stolen display name over an unrelated mailbox, or a Reply-To header that quietly steers the conversation to the attacker. Accounting firms with trust accounts face particular risk: a compromised trust account — even through social engineering rather than direct system access — can result in misappropriation of client funds and immediate action from the relevant professional body (client monies held by members of CA ANZ, CPA Australia and IPA are governed by APES 310 Client Monies). ACCC Scamwatch data consistently ranks payment redirection (false billing) among the scam types causing the largest reported losses to Australian businesses, and accounting firms are natural targets because of their role as trusted intermediaries in client payments.
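The three header tricks just described (lookalike domain, borrowed display name, diverted Reply-To) can be checked mechanically before a staff member acts on a payment instruction. The script below is an added example, not code from any mail-security product; the client domain list, the contact list and the two messages are constructed for illustration, and the banking-keyword pattern is a deliberately simple heuristic you would tune to your own correspondence.

```python
"""Triage an inbound email for the BEC patterns described above.

Added example, not from any mail-security product. The client domain list,
contact list and both messages are constructed for illustration.
"""
import email
import email.utils
import re
from email import policy

# Hypothetical practice data: domains of real clients and who signs for them.
KNOWN_CLIENT_DOMAINS = {"smithbuilders.com.au", "harbourcafe.com.au"}
KNOWN_CONTACTS = {"jane smith": "smithbuilders.com.au", "li wang": "harbourcafe.com.au"}
# Simple heuristic for "this message is about where money goes"; tune to taste.
BANKING_PATTERN = re.compile(r"\b(bsb|bank details|new account|account number|pay .* to)\b", re.I)


def levenshtein(a, b):
    """Edit distance, used to catch typo-squatted and homoglyph client domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header_value):
    """Return (display name lower-cased, domain lower-cased) for a header."""
    name, address = email.utils.parseaddr(str(header_value or ""))
    return name.strip().lower(), address.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the reasons to hold the message for callback verification."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_domain = split_address(msg["From"])
    _, reply_domain = split_address(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if from_domain not in KNOWN_CLIENT_DOMAINS:
        for known in sorted(KNOWN_CLIENT_DOMAINS):
            if levenshtein(from_domain, known) <= 2:
                findings.append(f"sender domain {from_domain} is a lookalike of client domain {known}")
    expected = KNOWN_CONTACTS.get(from_name)
    if expected and from_domain != expected:
        findings.append(f"display name '{from_name}' belongs to {expected}, not {from_domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if BANKING_PATTERN.search(text):
        findings.append("asks to change or use banking details: verify by phone on the number already on file")
    return findings


# Constructed messages: a genuine client email and a redirection attempt
# sent from a domain with the digit 1 in place of the letter l.
LEGIT_MESSAGE = """\
From: Jane Smith <jane@smithbuilders.com.au>
To: accounts@example-practice.au
Subject: Q3 invoices
Content-Type: text/plain; charset="utf-8"

Hi, the Q3 supplier invoices are attached for the BAS. Thanks, Jane
"""

SUSPECT_MESSAGE = """\
From: Jane Smith <jane@smithbui1ders.com.au>
Reply-To: jane.smith@mail-relay.example
To: accounts@example-practice.au
Subject: Updated bank details - urgent
Content-Type: text/plain; charset="utf-8"

We have changed banks. Please pay this month's invoice to our new account,
BSB 062-000, and update our details in Xero. I am in meetings all day so email only.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("suspect", SUSPECT_MESSAGE)):
        print(label, triage(raw))
```

The genuine message produces no findings; the redirection attempt produces four (diverted Reply-To, lookalike domain, borrowed display name, banking content), any one of which should route it to the callback step rather than to whoever updates supplier details in Xero. None of this replaces the phone call; it just makes sure the call happens.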


Compliance Requirements for Accounting

Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) Accounting firms with annual turnover above AUD $3 million are APP entities and must comply with the full Privacy Act. Smaller firms are not off the hook where tax file numbers (TFNs) are concerned: every TFN recipient, regardless of turnover, is bound by the Privacy (Tax File Number) Rule 2015 and by the Notifiable Data Breaches (NDB) scheme in relation to TFN information. APP 11 requires reasonable steps to protect client financial data from misuse, interference, loss, and unauthorised access, modification or disclosure. Under the NDB scheme you must complete your assessment of a suspected eligible data breach within 30 days, and once you believe a breach is eligible you must notify the OAIC and affected clients as soon as practicable; the 30 days is an assessment window, not a notification deadline. The Privacy and Other Legislation Amendment Act 2024 (most provisions effective 11 December 2024) added a mid-tier civil penalty and infringement notices beneath the existing maximum for serious or repeated interferences with privacy (the greater of AUD $50 million, three times the benefit obtained, or 30% of adjusted turnover).

Tax Agent Services Act 2009 (TASA) and Tax Practitioners Board (TPB) Registered tax agents and BAS agents have obligations under TASA to maintain the security of client tax information. The TPB's Code of Professional Conduct includes obligations to act professionally and in clients' interests — which regulators increasingly interpret to include maintaining adequate cybersecurity controls. The TPB can investigate and take disciplinary action (including deregistration) against agents whose security failures contributed to client data loss or ATO fraud. The TPB has published specific cybersecurity guidance for tax practitioners, citing ATO credential protection as a priority area.

Tax File Number (TFN) Handling Requirements Any accounting firm that handles TFNs (which is virtually all of them) must comply with the Privacy (Tax File Number) Rule 2015, which imposes security obligations beyond the general Privacy Act requirements and applies regardless of the firm's turnover — including restrictions on storage, transmission, and access to TFN data, and a requirement that TFN information be protected by security safeguards reasonable in the circumstances.

Australian Financial Services Licence (AFSL) — Financial Planning and SMSF Accounting firms that provide financial product advice, including recommending that a client establish or wind up a self-managed super fund (SMSF), need an AFSL or must operate as an authorised representative of a licensee, and fall under ASIC oversight; SMSF administration and compliance work on its own does not require a licence. AFSL obligations include record-keeping and the reportable situations regime for breach reporting to ASIC. APRA's prudential standards (including CPS 234 Information Security) apply to APRA-regulated superannuation trustees, not to SMSFs, although a firm that provides services to an APRA-regulated fund may be contractually required to meet CPS 234's third-party requirements.

ASD Essential Eight The ASD Essential Eight (application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups) is the minimum security baseline recommended for accounting firms. At a minimum, accounting practices should achieve Maturity Level 1 across all eight controls, with Maturity Level 2 targeted for firms with more than 20 staff or significant government or corporate client exposure. MFA is particularly critical for ATO portal and cloud accounting platform access, and regular backups are what turn a ransomware event from a crisis into a bad week.


The lilMONSTER Security Checklist for Accounting

Use this checklist to assess your accounting practice's security posture:

  1. Lock down access to ATO Online services for agents — right now, before you do anything else — Online services for agents is accessed through myID (formerly myGovID) and Relationship Authorisation Manager (RAM); the myID app on a registered phone is the second factor, so the protections to enforce are that every staff member uses their own myID at Standard or Strong identity strength, nobody shares a myID or the device it lives on, the phone carrying the app has a screen lock and is kept patched, and RAM authorisations are removed the day a staff member leaves. Practice and lodgment software that connects to the ATO uses machine credentials issued through RAM: keep those on the server rather than on laptops, and audit who is allowed to create them. This takes less than an hour to review across a practice and is the highest-ROI security action available to any Australian accounting firm.

  2. Enable MFA on all cloud accounting platforms — Xero, MYOB, QuickBooks Online, and all client-facing accounting platforms should require MFA for every user. Most platforms offer this as a free feature. Implement it for all staff, not just partners and principals. A junior bookkeeper's compromised credentials can expose every client account on the platform.

  3. Adopt a client banking change verification process — For any change to a client's banking details in your systems — regardless of how the request arrives — implement a mandatory verification step: call the client on their existing phone number (not any number in the request) and verbally confirm the change. This prevents the majority of trust account and payment redirection fraud.

  4. Implement encrypted, tested, offsite backups of all client files — Back up all client files (tax workpapers, financial statements, correspondence) daily, with at least one copy stored offline or in an immutable cloud backup that cannot be deleted or overwritten with the credentials used on your network (ransomware operators routinely delete every backup they can reach before encrypting). Test restoration monthly by restoring a sample of client files and comparing them with the originals, not just by checking that the backup job reported success. Many practices discover their backups are incomplete or corrupted only after a ransomware event. For practices using Xero/MYOB/QuickBooks, also configure regular data exports or API-based backups of client data from cloud platforms.

  5. Apply strict access controls to client files — Staff should access only the client files relevant to their work. Use role-based access controls in your Document Management System: a junior bookkeeper should not have access to every client's files. Review and revoke access when staff leave, change roles, or when client engagements end. This limits the blast radius when a staff account is compromised and reduces insider threat risk.

  6. Conduct annual phishing simulation and ATO-themed awareness training — ATO-themed phishing is among the most convincing in the cybercrime ecosystem because every Australian accountant receives legitimate ATO communications regularly. Run annual simulations using ATO-themed phishing templates to test staff awareness. Train all staff — including administrative staff — on how to verify ATO communications, how to spot payment redirection fraud, and what to do when they receive suspicious requests.

  7. Notify the ATO and OAIC promptly if you suspect a credential compromise — If you believe an ATO portal credential has been compromised, contact the ATO's emergency line (1800 467 033 for tax professionals) immediately. The ATO can restrict access to your client accounts and investigate fraudulent transactions. Delay in reporting enables additional fraud across your entire client base. Simultaneously, engage your professional indemnity insurer and begin your data breach response process under the NDB scheme.
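Item 4 asks for restores to be tested against the originals, and "the backup job said success" is not that. The script below is an added example (not from any backup product) showing the simplest version of a real restore test: hash every client file into a manifest at backup time, then hash the restored copy and diff the two. The client directory names and file contents are constructed for illustration; the demo function builds them in a temporary directory, deliberately damages the "restore", and reports what a monthly test should catch.

```python
"""Verify a restored backup against a SHA-256 manifest of the live client files.

Added example, not from any backup vendor. It assumes client files live under
one directory tree (paths below are hypothetical) and that the restored copy
can be mounted or extracted to a second directory for comparison.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Diff a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "modified": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(set(restored) - set(manifest)),
        "ok": sorted(p for p in manifest if restored.get(p) == manifest[p]),
    }


def restore_passed(result):
    """A restore test passes only if nothing is missing or altered."""
    return not result["missing"] and not result["modified"]


def demo():
    """Build constructed sample client files, fake a restore with one file
    missing and one corrupted, and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "clients"
        restored = Path(tmp) / "restored"
        sample = {  # constructed sample content, not real client files
            "SmithBuilders/2024/tax-return.pdf": b"%PDF-1.7 constructed sample",
            "SmithBuilders/2024/workpapers.xlsx": b"PK constructed sample workbook",
            "HarbourCafe/2024/bas-q3.xml": b"<BAS>constructed sample</BAS>",
        }
        for rel, content in sample.items():
            for base in (live, restored):
                target = base / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(content)

        # Manifest is written at backup time and kept with the offline copy.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(live), indent=2))

        # Simulate a bad restore: one file never came back, one is corrupted.
        (restored / "HarbourCafe/2024/bas-q3.xml").unlink()
        (restored / "SmithBuilders/2024/workpapers.xlsx").write_bytes(b"corrupted")

        return verify_restore(json.loads(manifest_path.read_text()), restored)


if __name__ == "__main__":
    outcome = demo()
    print(json.dumps(outcome, indent=2))
    print("restore test passed:", restore_passed(outcome))
```

Keep the manifest with the offline copy rather than only on the file server, since a ransomware operator who can reach the server can alter both the files and the record of what they should hash to. A restore that reports anything under "missing" or "modified" is a failed test, and the month you find that out should not be the month you need the backup.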


How Much Does Cybersecurity Cost for an Accounting Business?

Prevention costs for a small-to-mid Australian accounting practice (5–30 staff):

  • MFA and email security (Microsoft 365 Business Premium): AUD $6,000–$20,000 per year (subscription cost includes email security, MFA, endpoint management, and business-class cloud storage). This is not purely a security cost — it replaces other IT costs.
  • Cloud accounting platform security: AUD $0 additional (MFA and access controls are included in Xero/MYOB/QuickBooks subscriptions).
  • Endpoint protection and monitoring: AUD $3,000–$12,000 per year for a managed endpoint detection and response service.
  • Encrypted backup solution: AUD $2,000–$8,000 per year.
  • Annual phishing training platform: AUD $1,500–$5,000 per year.
  • Annual security assessment: AUD $3,000–$10,000.
  • Total annual investment: AUD $15,000–$50,000 for a solid security baseline.

The cost of a breach is far higher. A ransomware event at an accounting firm typically results in:

  • Incident response and recovery: AUD $20,000–$100,000.
  • Client notification and legal costs: AUD $10,000–$50,000.
  • ATO fraud losses across client accounts: Variable but potentially hundreds of thousands.
  • Client attrition: Loss of even 10% of clients due to reputational damage can represent AUD $100,000+ in annual fees lost permanently.
  • OAIC penalties: Up to AUD $50 million for serious privacy breaches.
  • TPB disciplinary action: Up to deregistration, ending the practice.

Cyber insurance for accounting practices typically costs AUD $3,000–$10,000 per year and is strongly recommended — it covers incident response costs, notification expenses, and some regulatory defence costs.


FAQ

For a small accounting practice (under 10 staff), a solid security baseline costs AUD $5,000–$15,000 per year, covering MFA on ATO and cloud accounting platforms, endpoint protection, encrypted backups, and annual staff training. For mid-sized practices (10–30 staff), budget AUD $15,000–$50,000 per year. The most impactful controls — MFA on ATO and cloud platforms — are free to enable and take under an hour to implement. The question is not the cost; it's the risk of not acting: one ransomware event can cost more than a decade of security investment.

ATO credential theft is the most uniquely devastating threat for Australian accounting firms. Because a registered tax agent's credentials provide simultaneous access to every client's ATO account, a single phishing click can enable fraud across your entire client base. Fraudulent BAS refunds and redirected tax refunds can occur within hours of credential compromise. Enabling MFA on the ATO Online Services for Agents portal is the single most important security action any Australian accountant can take.

ISO 27001 is not legally required for most Australian accounting firms, but it is increasingly expected for: large corporate clients with vendor security requirements, government accounting contracts, and as evidence of reasonable steps under the Privacy Act. For practices that wish to attract mid-market and enterprise clients — who increasingly conduct vendor due diligence — ISO 27001 certification is a competitive differentiator. It also provides a structured framework that helps practices of all sizes systematically manage client data security. lilMONSTER recommends ISO 27001 for accounting firms with over 20 staff or significant corporate/government client exposure.

Annual penetration testing is recommended for accounting practices, with scope covering: email systems (phishing and BEC vectors), cloud accounting platform configurations, ATO portal access paths, and internal network access controls. A penetration test will identify whether your email security controls would block ATO-themed phishing, whether access controls on client files are properly configured, and whether there are any paths that an attacker could use to escalate from a compromised staff account to administrator-level access across client systems. This is also increasingly required by professional indemnity insurers.

The consequences are immediate and multi-dimensional. First, contact the ATO emergency line (1800 467 033) if ATO credentials were compromised — they can freeze access and investigate fraud. Second, notify your professional indemnity insurer. Third, assess whether the breach is an eligible data breach under the NDB scheme: you have 30 days to complete that assessment, and once you believe the breach is eligible you must notify the OAIC and affected clients as soon as practicable. Failing to notify is itself an interference with privacy, and serious or repeated breaches attract civil penalties of up to AUD $50 million or more. Fourth, engage legal counsel to manage your obligations to affected clients. Fifth, notify the Tax Practitioners Board if client data or ATO access was compromised — they may investigate your security practices. The reputational consequences — losing client trust — are often more damaging than any regulatory penalty for a practice whose business model depends on being trusted with clients' most sensitive financial information.


References

[1] Office of the Australian Information Commissioner (OAIC), "Notifiable Data Breaches Report: January to June 2024," OAIC, September 2024. [Online]. Available: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2024

[2] Pinsent Masons, "OAIC data confirms cybersecurity threats in Australia are escalating," Out-Law, December 2025. [Online]. Available: https://www.pinsentmasons.com/out-law/news/oaic-data-confirms-cybersecurity-threats-australia-escalating

[3] Australian Signals Directorate, "Annual Cyber Threat Report 2024–25," ASD/ACSC, Canberra, Australia, October 2025. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025

[4] Australian Taxation Office (ATO), "Cyber security for tax professionals," ATO, 2024. [Online]. Available: https://www.ato.gov.au/Tax-professionals/Prepare-and-lodge/Online-security/Cyber-security-for-tax-professionals/

[5] Tax Practitioners Board (TPB), "Cyber security and your obligations as a tax practitioner," TPB, 2024. [Online]. Available: https://www.tpb.gov.au/cyber-security

[6] Australian Government, "Privacy (Tax File Number) Rule 2015," Federal Register of Legislation, 2015. [Online]. Available: https://www.legislation.gov.au/Details/F2015L00249

[7] IBM Security, "Cost of a Data Breach Report 2024," IBM Corporation, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach

[8] Australian Government, "Privacy and Other Legislation Amendment Act 2024 (Cth)," Federal Register of Legislation, 2024. [Online]. Available: https://www.legislation.gov.au

[9] Australian Government, "Tax Agent Services Act 2009 (Cth)," Federal Register of Legislation, 2009 (as amended). [Online]. Available: https://www.legislation.gov.au/Details/C2022C00124

[10] Australian Competition and Consumer Commission (ACCC), "Scamwatch Annual Report 2023–24," ACCC, 2024. [Online]. Available: https://www.scamwatch.gov.au/research-and-resources/statistical-data


Need help securing your Accounting practice? Book a free consultation with lilMONSTER — we specialise in cybersecurity for Australian accountants, bookkeepers, and tax agents.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation