Most accountants underestimate just how attractive their email systems are to criminals who see them as an easy route to money and sensitive client data, such as payroll, tax returns and confidential company information.
For Daniel Teacher, CEO of T‑Tech, which provides IT Support and cybersecurity services to finance and accounting firms, this is now one of the biggest risks firms face. “We live in a world where humans are still the weakest link in the loop,” Teacher says. “People are busy at their desks. They’re under pressure and they’re not always paying attention, there are so many different forms of communication. It’s easy to make a mistake.”
Email phishing is a multi-billion dollar industry
Attackers are not starting from scratch: pretty much every email address on the planet is already available on the Dark Web. Nor do you need to be a sophisticated hacker to take part. “There are lots of tools out there that will let you hoover up all this information,” Teacher adds. “It’s a multibillion‑dollar industry.”
Email phishing is central to that game, with attackers sending cleverly worded emails that look like SharePoint or a Microsoft Teams message. “Statistically between 2% and 5% of people will fall for those emails. So if they send 10,000 emails, it’s just a numbers game.”
Once someone has clicked, the next step is often to steal login details and bypass things like multi‑factor authentication. “The latest attack vector is they get you to click on the link, then this takes you to a fake Office 365 web page and it tricks you to give your password away,” Teacher says. “Then it asks for your two‑factor authentication like your real login. So then you give away your two‑factor authentication. Now they’re into your Office 365 account.”
Attackers will exploit your trust
Once inside a mailbox, attackers immediately start exploiting the trust you have with clients and colleagues. “They might send an email from you with the fake link to all of your contacts,” Teacher explains. “Then it looks like a legitimate email from a legitimate person. It’s not even coming from a fake address anymore. If a professional gets their inbox hacked, which regularly happens, they can then email all of the firm’s clients from within the firm.”
It gets worse. If that is not spotted, they settle in. “If you still haven’t noticed they’re in your inbox, they can then watch out for interesting emails to come in, or they do keyword searches for things like payroll or payment or BACS or approval,” Teacher says. “And then eventually, when they see something interesting enough, they then just start replying on your behalf.”
Payroll and HMRC will be targets
The ultimate goal is usually to extort money. “Hackers might try to get on your servers and encrypt your data and then demand a crypto payment to decrypt them,” Teacher says. “They’ll change payment details on invoices or they might get someone added to a payroll.”
One particularly stark example involves HMRC. “They might log into the HMRC portal with your email address and they will file a fake tax return rebate, and then they’ll change the bank details with HMRC,” he says. “HMRC will send the money to the wrong bank account, and then your accountant will go in to file your actual tax return and say, ‘Hang on a second, someone’s filed your tax return and they’ve paid out £50k,’ and then you have to pay £50k back to HMRC, because it’s your tax return.”
To make matters worse, AI has made the attackers’ job easier. Telltale signs that used to give phishing emails away are disappearing: “They don’t make spelling mistakes any more.”
How to spot an email lurker
So how can firms tell if someone is lurking in their email? “When you spot it, it’s often too late,” Teacher says.
For Teacher, the answer is a mix of technology, monitoring and culture change. He is unapologetic about the need for firms to invest properly.
Good cyber monitoring, or a Security Operation Centre (SOC) run 24/7, will notify a dedicated security team when someone has clicked on a link and given away their password. These systems use context to flag unusual activity, such as someone logging in from abroad.
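To show what “using context to flag unusual activity” looks like in practice, here is an added example (not code from the article or from T‑Tech) that runs a simple location check over a constructed set of sign‑in events: it alerts when a user logs in from a country not previously seen for them, and, going slightly beyond the article, when two countries appear within a short window, which no genuine traveller could manage.

```python
"""Flag mailbox sign-ins that break a user's established location baseline.

Added illustration, not T-Tech's tooling. The log lines below are
constructed for this example; a real SOC would read them from the
identity provider's sign-in audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, user, sign-in country, outcome.
SAMPLE_LOG = """\
2024-03-04T08:55:00 alice@example-firm.co.uk GB success
2024-03-04T09:10:00 bob@example-firm.co.uk GB success
2024-03-05T08:50:00 alice@example-firm.co.uk GB success
2024-03-05T09:05:00 bob@example-firm.co.uk GB success
2024-03-06T11:20:00 alice@example-firm.co.uk GB success
2024-03-06T11:45:00 alice@example-firm.co.uk NG success
2024-03-06T13:00:00 bob@example-firm.co.uk GB success
"""


def parse_log(text):
    """Turn one event per line into (timestamp, user, country, outcome)."""
    events = []
    for line in text.splitlines():
        ts, user, country, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, country, outcome))
    return events


def flag_unusual_logins(events, window=timedelta(hours=2)):
    """Return (user, timestamp, reason) for each suspicious successful login.

    Two checks: a country never seen before for that user, and two different
    countries within `window`. Caveat: the first country seen for a user is
    trusted as baseline, so the baseline period itself needs to be clean.
    """
    seen = defaultdict(set)   # user -> countries already observed
    last = {}                 # user -> (timestamp, country) of previous login
    alerts = []
    for ts, user, country, outcome in sorted(events):
        if outcome != "success":
            continue
        if seen[user] and country not in seen[user]:
            alerts.append((user, ts, f"new country {country}"))
        if user in last:
            prev_ts, prev_country = last[user]
            if prev_country != country and ts - prev_ts <= window:
                alerts.append((user, ts, f"{prev_country}->{country} within {window}"))
        seen[user].add(country)
        last[user] = (ts, country)
    return alerts
```

Run on the sample, the function raises two alerts, both for alice’s Nigerian login 25 minutes after a UK one; bob, who only ever signs in from GB, produces none.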
For example, Teacher says managed security services, which reduce your cyber risk by 99%, can cost around £20 per user per month. “That’s not a crazy amount of money, given the average salary. Firms are still questioning that spend but I can tell you, the cost of it happening is far, far higher.”
Training is essential
Alongside tech, Teacher sees people and behaviour as critical. Training is essential. “The best way for people to learn is to let people fail,” says Teacher, “then you can say, ‘Last Tuesday you got this email. It was a simulation.’ It creates a memorable and impactful learning experience. This works quite well.”
For example, a simulation platform might send a slightly different phishing email to everyone. Staff might see messages such as “Server notification – to keep your account safe, we recommend you add your mobile number. Click here to add your number,” or “Your password is going to change in less than 24 hours. Please go to the self‑service web page,” or “You’ve run out of storage. Click here to free up some space.” If the staff member clicks the link, they are sent to mandatory training.
For accountants who still feel this is all a bit remote, Teacher has some advice: “Take this stuff seriously. If you don’t understand it, get some advice and just because you don’t understand it doesn’t mean you shouldn’t think about it.”
ISQM puts cyber on the agenda
And increasingly, this is not just a technology issue, it’s a compliance one. With ISQM now firmly on the agenda for accountancy firms, cybersecurity is no longer something that sits in the background. It’s part of how firms demonstrate they are identifying and managing risk properly. “ISQM is all about understanding where your risks are and putting the right controls in place,” Teacher says.
For firms, that means being able to show they have thought about cyber risk, trained their people, and put appropriate protections in place. “It’s not about ticking a box,” Teacher adds. “It’s about being able to evidence that you’re taking reasonable steps to protect your firm and your clients. And in today’s world, if cyber isn’t on that list, you’ve got a gap.”
Action on cyber security can boost growth
As part of ICAEW's campaign on backing business-led growth, we have outlined three key recommendations for government on cyber security:
- Establish a national cyber resilience fund for SMEs
- Enhance cyber security education and awareness
- Incentivise cyber insurance uptake
Cyber security awareness
Each year ICAEW marks global Cyber Security Awareness month with a series of resources and a podcast addressing the latest issues and how to protect your business.