Phishing Scams And Fraud: Why Accounting Firms Are In The Crosshairs

This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.

Let’s be honest, South African accounting practices aren’t getting hacked because someone “clicked carelessly.” They’re getting hacked because the job is a pressure cooker, and criminals know exactly when to strike.

Running an accounting practice in South Africa means operating in survival mode 90% of the time. Tight deadlines. Broken eFiling portals. Clients who want “five minutes of your time” that somehow turn into an hour. Month-end that bleeds into SARS season that bleeds into provisional tax. You work across emails, WhatsApps, SMSes, tax platforms, payment gateways, and shared client folders, all before your second cup of coffee.

Cybercriminals don’t need elite hacking tools to break you.
They just need you tired.

They know you’re juggling refunds, chasing approvals, patching cash flow gaps, and responding fast because clients expect instant service. They know most small practices run on late payments, thin margins, and even thinner patience. They know you’re doing the work of three people.

So when an email lands saying:

  • “Payment release required”

  • “Client instruction attached”

  • “Urgent SARS confirmation needed”

…you react. Because you have to. Because that’s how you keep the practice alive.

That moment, the one between “almost done” and “just need to clear this last thing”, is where phishing wins.

Not incompetence.
Not negligence.
Just pressure.
Just timing.
Just human workload.

And attackers exploit it with surgical accuracy.

For CBAPs, phishing isn’t an IT problem; it’s a business survival issue. It hits your credibility, your clients’ trust, and your already fragile cash flow. It’s the cost of being overworked in a system that demands everything and gives very little back.

Why are accounting firms being targeted?

South African accounting firms are targeted not because they’re “vulnerable,” but because they deal with money, identity documents, banking details, tax profiles, payroll information, and urgent instructions every single day. A single compromised email account can give criminals access to client files, invoice flows, tax portals, and payment authorisations.

If someone gains access to your email, they don’t just see your inbox. They see how you communicate. They see your tone, your clients’ tone, your working rhythm, your invoice patterns. They observe. They study. Then they mimic, perfectly.

This is why every practice (even a one-person firm) needs to treat phishing as a core business risk, not an IT problem that can be outsourced, postponed, or ignored.

The New Threat Landscape: More Sophisticated, More Personal

Cybercrime has evolved dramatically. Gone are the days of badly written scam emails full of spelling errors. Today’s attacks are designed with precision, patience, and data intelligence.

Modern attackers use:

AI-Generated Email Content

Tools available freely online allow criminals to write emails in perfect English, with accurate terminology and industry-specific language. The email “sounds” like your client. It looks like a real instruction. It triggers quick compliance.

Deepfake Voice Notes and Calls

Criminals can now clone a voice using 10 seconds of audio from WhatsApp or a webinar. Suddenly, you receive a voice note that sounds like your client or partner:
“Please pay this supplier urgently. I’m in a meeting.”

Domain Spoofing

They create email domains that differ by a single letter:
@abcconsulting.co.za vs @abc-consulting.co.za
To a tired accountant at month-end, they look identical.

Data Scraping and Reconnaissance

Attackers quietly collect information from:

  • Your website

  • Your LinkedIn profile

  • Your CIPC records

  • Your client testimonials

  • Your staff pages

They know who your biggest client is. They know when you posted about tax season chaos. They know your firm’s turnaround time.

With this information, they craft personalised messages that feel authentic.

This is why modern phishing has a scary success rate: The messages no longer look “fake.” They look exactly like your everyday workflow.

Common Scams Targeting South African Accounting Practices

Phishing campaigns targeting accountants follow predictable patterns, because they work. Here are the most common ones:

1. Credential Harvesting

Scammers also love impersonation, and they know exactly which brands you trust.

They’ll mimic your accounting software provider, your bank, or even SARS with chilling accuracy:

  • “Your password has expired.”

  • “Your eFiling access requires reauthentication.”

  • “Your profile has been suspended — click to restore.”

Everything looks real.
The logo is correct.
The colours match.
The link feels familiar, even the landing page looks like the one you use every single day.

But it isn’t.

And the moment you type in your username and password, the game is over.
You’ve just handed attackers the digital keys to your practice.

For accountants, this hits even harder because the tools being impersonated aren’t optional, they’re the core of your business. You must keep your eFiling active. You must keep your accounting software running. You must respond to your bank alerts.

Scammers exploit that urgency. They weaponise the trust you place in these platforms and the pressure you’re under to keep everything compliant and up to date.

One click.
One login.
And they’re inside, not because you were careless, but because the fake looked exactly like the real thing at the worst possible moment.

2. Invoice Interception and Payment Redirection

This is the silent killer, the scam that drains real money, destroys trust, and can sink a small practice overnight.

This is the most financially devastating attack because it doesn’t rely on panic-clicking or fake login pages. It relies on patience. Attackers break into a mailbox, sometimes yours, sometimes a client’s, sometimes a supplier’s, and then they wait.

They watch your real conversations.
They read real invoices.
They learn your billing patterns, your tone, your turnaround time.

Then, at exactly the right moment, they strike.

A legitimate invoice comes in. The attacker quietly swaps the banking details. Everything else stays identical: The format, the wording, the amounts, even the signatures.

The staff member processing the payment sees a normal email from a familiar contact. No red flags. No spelling errors. No “urgent” tone.

They load the payment.
They process it.
They move on to the next task.

Hours later, the client calls:
“We never received the money.”

By then, the funds have vanished into a mule account.
And the worst part?
The scam is so clean, so believable, that the blame game begins immediately:

“Who approved this?”
“Why didn’t you check?”
“Who’s liable?”

Relationships crack. Trust evaporates. And for small practices already juggling thin margins and tight client relationships, this kind of breach can undo years of hard-earned credibility.

This scam doesn’t just steal money.
It steals peace of mind and it hits where accountants are most vulnerable: Responsibility without control.

3. CEO / Partner Impersonation (Business Email Compromise “BEC”)

Scammers know exactly which emotional buttons to press: urgency, authority, and secrecy are their favourite weapons.

They’ll send an email that looks like it’s from your senior partner, a big client, or even your own boss:

  • “Process this payment immediately.”

  • “Do NOT call me. I’m in a meeting.”

  • “Send the POP now — this is delaying the deal.”

And because accounting practices run on hierarchy, deadlines, and client expectations, staff don’t question it. They react. Fast.

Not because they’re careless.
Because the culture of compliance inside most small firms teaches them to avoid slowing things down.

In many practices, junior staff are scared to “bother” a manager. Admin teams don’t want to be blamed for holding up payments. Bookkeepers know that one delay can trigger a chain reaction: An angry client, a missed deadline, a late penalty, or a WhatsApp voice note at 9pm.

Scammers study this dynamic.
They mimic the tone your superiors use when they’re under pressure.
They copy the phrasing your clients use when they’re frustrated.
They rely on the fear of reprimand and the unspoken rule in every practice:
“Don’t be the one who slows things down.”

That’s why these emails work so well. They’re not targeting your systems.
They’re targeting your workplace psychology and for many accountants, that’s the weakest point in the entire practice.

4. Ransomware Through Attachments

And then there’s the nightmare nobody wants to talk about: the malicious attachment.

It doesn’t scream danger.
It doesn’t look suspicious.
It arrives as a PDF, a payment confirmation, a supplier statement, or a “draft invoice.”

One click, that’s all it takes.

In seconds, ransomware spreads through your practice like a fire in a paper archive.
Files lock.
Folders vanish.
Your accounting system refuses to open.
Your deadlines evaporate along with your access.

And suddenly your entire practice is frozen.

Not slowed down. Not inconvenienced.
Frozen.

With no offline, isolated, tested backups, recovery becomes a near-impossible task. Attackers know most small firms don’t have enterprise-level IT or dedicated cybersecurity teams. They know you’re storing client data, financial records, and confidential documents on machines that are busy 24/7 and almost never backed up properly.

So the criminals step in with their demand:

“Pay us, or lose everything.”

For a small practice already navigating cash flow stress, late client payments, and endless regulatory deadlines, this isn’t just a technical problem. It’s an existential one.

Ransomware doesn’t just stop your work.
It stops your revenue.
It stops your client trust.
It stops your ability to serve the very thing your entire practice is built on.

5. Fake SARS / Tax Services

Lastly, we have one of the fastest-growing threats hitting South African accountants and their clients: fake tax filing portals.

These sites look real.
They use SARS colours, SARS fonts, SARS wording.
Some even buy Google ads so they appear above the real SARS link.

But they’re traps, built to harvest everything an attacker needs to impersonate you or your clients:

  • ID numbers

  • Bank details

  • eFiling credentials

  • Contact information

  • Security questions

The minute someone enters their details, that information is captured, packaged, and sold on the dark market. From there, criminals use it for refund fraud, loan scams, account takeovers, and full-blown identity theft.

For accountants, the impact is brutal:

Clients blame you, not the scammer.
Reputations suffer.
Hours are lost fixing the damage.
And SARS gives you zero leeway: whether the fraud started on a fake portal or not, the consequences still land on your desk.

These portals don’t need to hack you.
They simply need one client (rushing, stressed, trying to “quickly file”) to click the wrong link. And suddenly you're dealing with a crisis you didn’t cause but now have to clean up.

How to Recognise a Phishing Attempt — The Practical Red Flags

But here’s the good news (and yes, Chicken Little can relax for a moment):

The sky is not falling.
Most phishing attempts leave fingerprints everywhere.
You just need to know what to look for.

Email Warning Signs

  • Unexpected urgency (“immediately,” “today,” “cannot delay”)

  • Sender domains that differ by a single letter

  • Messages with generic greetings

  • Attachments with odd file types (.html, .iso, .rar)

  • Requests to enable macros

  • Links that redirect to slightly altered URLs

  • Changes to banking details without a phone call
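The single-letter domain trick from the Domain Spoofing section and the warning signs listed above can be checked mechanically. The script below is an added example, not code from the article or from CIBA; the trusted-domain list, keyword lists and the sample message are constructed, and a practice would maintain its own list of trusted sender domains.

```python
# Added triage example: score an email against the red flags described above.
# TRUSTED_DOMAINS and SAMPLE are constructed for illustration.
TRUSTED_DOMAINS = {"abcconsulting.co.za", "sars.gov.za"}
RISKY_EXTENSIONS = (".html", ".iso", ".rar")
URGENCY_TERMS = ("immediately", "today", "cannot delay", "urgent")
BANK_CHANGE_TERMS = ("new banking details", "updated bank account", "changed bank")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(sender_domain: str, trusted=TRUSTED_DOMAINS):
    """Trusted domain the sender is exactly one character away from, or None.
    An exact match is legitimate and also returns None."""
    d = sender_domain.lower()
    if d in trusted:
        return None
    return next((t for t in trusted if edit_distance(d, t) == 1), None)

def triage_email(sender: str, subject: str, body: str, attachments) -> list:
    """Return the red flags an email triggers; an empty list means nothing odd."""
    flags = []
    domain = sender.rsplit("@", 1)[-1]
    target = lookalike_domain(domain)
    if target:
        flags.append(f"sender domain {domain} imitates {target}")
    text = f"{subject} {body}".lower()
    if any(t in text for t in URGENCY_TERMS):
        flags.append("unexpected urgency")
    if any(t in text for t in BANK_CHANGE_TERMS):
        flags.append("banking details change: verify by phone before paying")
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment type: {name}")
    return flags

# Constructed sample using the article's one-character lookalike domain.
SAMPLE = dict(sender="accounts@abc-consulting.co.za",
              subject="Payment release required today",
              body="Please note our new banking details in the attached file.",
              attachments=["invoice_0421.html"])
```

Running `triage_email(**SAMPLE)` returns four flags for the constructed message; a clean message from an exact trusted domain returns an empty list.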

Behavioural Red Flags Inside Your Firm

  • Staff bypassing standard approval steps

  • Sudden vendor banking changes

  • “Confidential instructions” that discourage verification

  • Login attempts from unusual locations

  • Requests made outside normal business hours

Your staff are the frontline. Training them to spot these signs is not a luxury; it’s a survival tactic.

Individual Defence: The Basics Every Accountant Must Apply

These personal habits protect you more than any software ever will:

  1. Use strong, unique passwords for each platform

  2. Enable MFA (preferably authentication apps, not SMS)

  3. Keep your devices and software updated

  4. Treat email attachments with suspicion

  5. Report suspicious activity immediately

  6. Engage in continuous cybersecurity awareness training

Cybersecurity starts with behavioural discipline, not technology.

Firm-Wide Protection: Systems, Processes, and Culture

To protect your practice, you need both technical controls and operational discipline.

Governance and Accountability

  • Clear written cybersecurity policies

  • Documented approval levels for payments

  • Segregation of duties

  • Oversight roles that are actively enforced

Policies are useless unless they are lived, enforced, and audited.

Technical Controls

  • Advanced email filtering

  • Mandatory MFA across all systems

  • Endpoint detection and response

  • Segmented networks

  • Regular offline backups stored separately

Staff Training and Awareness

Awareness is not a once-off activity.
It must be repeated, realistic, and relevant.

Simulated phishing attacks are essential: they teach staff how to respond under real conditions.

Payment Controls (Your Most Critical Defence)

  • Phone-based verification for any banking detail changes

  • Two-person approval for large payments

  • Written verification for unusual or urgent requests

  • Never rely solely on email instructions

These payment controls prevent most financial losses.

Your Legal and Professional Obligations

Cybersecurity is not optional; it’s embedded in your compliance responsibilities.

POPIA

You must safeguard personal information or face investigations, penalties, and liability.

FIC Act

You must protect identity data and report suspicious transactions.

CIBA Standards

Due care, confidentiality, and integrity require secure handling of client data.

Protecting client information is a professional requirement, not a technical issue.

What to Do When You Suspect You’ve Been Compromised

Immediate Actions

  • Stop using the compromised device

  • Change passwords from a clean device

  • Activate MFA immediately

  • Notify your IT provider or security team

  • Record all details and timestamps

Next Steps

  • Inform clients if their data may have been affected

  • Consider mandatory POPIA/FIC reporting

  • Get a cybersecurity professional to analyse the breach

  • Identify control failures and fix them

  • Review internal processes and staff training gaps

In cyber incidents, speed matters more than perfection.

Continuous Improvement: Cybersecurity Is Never “Done”

Cybersecurity is not a project.
It’s a cycle.

Maintain:

  • Annual security audits

  • Regular risk assessments

  • Updated policies

  • Tested disaster recovery plans

  • Ongoing staff awareness initiatives

Your practice evolves. Threats evolve. Your defences must evolve too.

Conclusion: Protecting Your Practice Is Protecting Your Reputation

Phishing and fraud aren’t rare events; they are daily operational risks. Criminals aren’t targeting accountants because they’re careless; they’re targeting accountants because they’re busy, trusted, and central to financial decision-making.

A layered defence (smarter processes, trained staff, strong authentication, strict payment controls, and clear incident planning) is no longer optional; it’s mandatory.

Clients trust accountants with their financial lives. Securing that trust is part of modern professionalism.

You deserve protection that matches the pressure you’re under.
Join CIBA and we’ll show you how to lock down your practice, protect your clients, and turn cybersecurity from a vulnerability into a billable service.
