Most accounting firms can be impersonated by email – we checked 275 of them

Business

A scan of 275 Australian accounting firm domains found 76 per cent have no enforced protection against email spoofing, the exact weakness that invoice-fraud scams rely on, writes Peter Mastras.

08 July 2026 By Peter Mastras 5 minutes read
Share this article on:

Accounting firms are among the most valuable targets for email fraud. You instruct payments, hold tax file numbers and bank details, and your clients act on your emails without a second thought. That trust is the asset criminals want to borrow, and for most firms it is easier to borrow than it should be.

Earlier this year, we ran 275 Australian accounting firm domains through a standard set of email and website security checks. The most common weakness was also the most consequential: 76 per cent had no enforced DMARC.

DMARC is the setting that tells the rest of the internet what to do with an email that claims to be from your domain but is not. Set to "reject," it blocks a scammer who sends a fake "please update our bank details" message as This email address is being protected from spambots. You need JavaScript enabled to view it. before it ever reaches the client. Without it, that message often lands in the inbox looking entirely legitimate. In our sample, only 24 per cent of firms had any enforcement at all, and just nine per cent used the strongest setting.

The other 76 per cent were relying on luck.

This matters more for accountants than for most businesses. When a builder's domain is spoofed, a client might lose a deposit. When an accounting firm's domain is spoofed, the email carries the authority of the person who lodges the BAS and signs off the numbers. A redirected payment, a fake ATO notice, a quick change to remittance details: all far more convincing when they appear to come from you. The reputational damage outlasts the financial loss.

The supporting records were healthier but incomplete. SPF, a related check, was valid for 91 per cent of firms, and DKIM for 67 per cent. Those are the building blocks DMARC enforces, so most firms are closer to a fix than they assume. Blacklisting was rare, under three per cent. The gap is not capability. It is the final configuration step that no one got around to.

Two other findings are worth a moment. On basic website security, 70 per cent of firm sites scored a D or F. And as clients increasingly ask AI tools like ChatGPT for a recommendation, more than half the sites we checked (53 per cent) were graded unready for AI search, missing the structured information those engines read. A firm can be the best in its suburb and still be invisible to the channel its next client uses to find one.

 
 

The encouraging part is that almost none of this requires new spending. The firms in our sample overwhelmingly run on Microsoft 365 or Google Workspace, both of which support full email authentication at no extra cost. Fixing it is a sequence, not a project:

  • Confirm SPF and DKIM are valid for every domain you send from.
  • Publish a DMARC record at "none" first, and read the reports for a few weeks to catch your legitimate senders.
  • Move the policy to "quarantine," then to "reject," once you are confident nothing legitimate is being caught.
  • Do the same for any secondary domains you own but rarely use. Those are easy to spoof and easy to forget.

Most firms can complete the audit in an afternoon, or hand it to whoever manages their IT with a clear brief. The test of whether it is done is simple: ask whether someone outside your firm can send an email as your domain today. For three in four Australian accounting firms, the answer is still yes.

Peter Mastras is the director of Sydney-based IT firm Edos Solutions.

Accountants DailyWant to see more stories from trusted news sources?
Make Accountants Daily a preferred news source on Google.
Tags: