This is not a threat unique to the accountancy profession. The NCSC's Annual Review 2025 recorded a 130% increase in cyber incidents, identifying artificial intelligence as a key driver. In a separate report, Impact of AI on cyber threat from now to 2027, the NCSC warns that AI is already tipping the scales toward attackers: it lowers the skill threshold needed to run sophisticated campaigns across any sector, and it shrinks the window between a vulnerability being discovered and being exploited.
Statistics like these make it clear that AI is accelerating cyber threats – and accountancy practices and finance teams must strengthen their defences.
How criminals are using AI against the accountancy profession
Phishing emails used to be easier to spot – poor grammar, odd phrasing, something slightly off. That is no longer the case. AI can now generate grammatically perfect, convincing messages that replicate the writing style of colleagues, partners or clients, complete with the right logos and tone. For accountancy practices and finance teams managing client correspondence and financial transactions, this significantly increases the risk of convincing payment diversion or email account takeovers.
Phishing is already the most common form of cyber attack facing firms. The UK Government's Cyber Security Breaches Survey 2025 found that 79% of UK businesses experienced phishing attacks, making it the most widely reported cyber incident. According to the Microsoft Digital Defense Report 2025, AI is making this method more effective, with AI-generated phishing achieving significantly higher click-through rates than human-crafted attacks.
Then there are deepfakes. In 2024, a finance worker transferred $25 million after a video call in which every participant – including the CFO – was a deepfake. This tactic could easily target those handling payroll runs, client tax payments or business transactions. A convincing deepfake posing as a client, business owner or senior partner is all it takes.
The repercussions are severe – and most are not ready
A successful cyber attack doesn't just take down your systems. It can end your business.
For accountancy firms, the impact goes far beyond the immediate disruption of an incident: downtime, recovery costs, and lasting reputational damage all follow. As ICAEW makes clear, accountancy firms are legally obliged to protect the personal and financial data they hold, and the ICO can issue significant fines under GDPR Article 32 where a firm falls short. Understanding your exposure before an incident occurs has never been more critical.
Yet the gaps are stark. The UK Government's Cyber Security Breaches Survey 2025 found that only 19% of businesses have any cybersecurity training programme in place, and 78% have no incident response plan. Board-level responsibility for cyber risk has fallen to just 27% of organisations.
Too many practices and finance teams assume their IT provider is managing this. They are not.
Cyber risk management and IT support are not the same thing – and those that recognise this are the ones best placed to respond.
What you need to do
Cyber attacks are inevitable. What you do now is what matters. The right response comes down to three things: assess your exposure, act on the gaps, and assure ongoing resilience.
- Assess: Start with an independent risk assessment – covering people, processes and governance, not just technology. Your IT provider cannot do this objectively. With AI lowering the bar for attackers, gaps that once seemed minor are now critical for accountancy practices and finance teams.
- Act: Build and test an incident response plan. If your practice or finance function suffered a cyber attack tomorrow – AI-driven or otherwise – would you survive? Furthermore, if your staff are using AI tools such as Copilot or ChatGPT, ensure clear policies are in place on what client data may be shared with them.
- Assure: Board-level accountability is no longer optional – cyber risk is a leadership issue, not an IT one. Treat it as an ongoing discipline, not a one-off exercise. That means regular assessments, continuous oversight, and working with a specialist cyber risk partner.
Firms should also independently validate their controls through recognised certifications such as Cyber Essentials Plus, alongside regular penetration testing. This provides clear, external assurance to clients, regulators and stakeholders that controls are effective, and security is proven in practice – not just documented.
Take control of your cyber risk
Mitigo is the trusted cyber risk management partner to ICAEW. We help accountancy firms understand their exposure, close critical gaps and build lasting resilience. ICAEW members can access a free, no-obligation consultation and a 10% discount on services.