accountants daily logo

Website Notifications

Get notifications in real-time for staying up to date with content that matters to you.

TPB flags cyber-criminal threats for accountants

The TPB has urged accountants to bolster their cyber-security posture as they increasingly communicate online with staff and clients while working remotely.

Tax&Compliance Malavika Santhebennur 01 February 2022
— 3 minute read

Speaking to Accountants Daily, Tax Practitioners Board (TPB) board member Greg Lewis said that communicating securely online while staff work remotely is critical for accounting practices, whose employees may be scattered and working in their homes.


While offices would typically have inbuilt secure logins and multifactor authentication for websites and confidential information is shared over secure portals, these facilities might not be available to those working at home.

“Once you start moving outside your physical office environments, some of the protection mechanisms might not be available,” Mr Lewis warned.

“For example, I might not have the same firewalls in my home office that I normally would in my office environment.”

Cyber criminals have found it easier to target small-to-medium enterprises (SME) through various methods since they have transitioned to remote working, including business email compromise where criminals impersonate business representatives by using similar names, domains, and/or fraudulent logos as a legitimate organisation, or by using compromised email accounts and pretending to be a trusted party (such as a broker, real estate agent, or conveyancer).

A common scam associated with BEC is invoice fraud, where criminals impersonate other parties by compromising a vendor’s email account and accessing legitimate invoices. The criminals could then insert illegitimate bank details for settlements on those invoices and send them to customers with the compromised email account. The customer could assume that this request is legitimate and unknowingly send payments to the cyber-criminal’s bank account.

Weeks could pass by before the accounting practice identifies the cyber-criminal activity.

“I’ve just come across an example recently where someone got hacked and I think they were up for a ransom of over US$20,000,” Mr Lewis said.

To combat this criminal activity, Mr Lewis suggested that accounting practices could obtain cyber-security insurance, in addition to first and third-party insurance because a cyber attack could lock a business down for indefinite periods.

Secondly, he recommended that practices assess their organisation’s level of risk of a cyber-security breach, and seek advice if they are unsure.

“If practices are unsure of their cybersecurity arrangements, they should step back and reflect,” Mr Lewis said.

“If need be, they should get some outside advice from someone who could look at their operations and find out what sorts of hardware and software they’ve got and how theyre protected.”

The increase in remote working has also prompted the TPB to focus on ensuring that accounting practices are maintaining adequate supervision and control when they are providing advice.

An information sheet issued by the TPB around supervisory arrangements under the Tax Agent Services Act 2009 has outlined considerations that could be relevant in determining whether remote supervisory arrangements are adequate.

These include (among others) frequency of contact and the methods of communication, whether the supervisor is available to be contacted at all times by staff, access to training and research resources while working remotely, management of workflow, particularly where the supervision and control are being exercised by an unrelated entity, and how documents are to be reviewed and feedback provided to staff.

“When we look at a practice, it’s about whether we’re comfortable with the level of supervision and control and whether the quality of work an employee is producing for a client is of the same standard as if they were working collaboratively in an office,” Mr Lewis said.

“Our other focus has been looking at how accounting practices approach problem solving in this remote working environment. That’s easier to do when you’re all in an office because you can have a discussion. How do you do that in a digital environment?”

Mr Lewis recommended accounting practices to access resources such as information sheets or liaise with experts and associations to access advice and guidance to plug any gaps around cyber security or supervision and control arrangements.

“Don’t assume you know everything, particularly in the digital world. If you don’t know something, recognise the issue and go and talk to someone,” he said.

“Do a health check of your digital environment and narrow down where you might need assistance. People sometimes miss the small, simple things but they are the ones that could be really important and make a huge difference.”

To hear more from Greg Lewis about the issues that could impact tax practitioners in the near future (including the TPB review), come along to the Accountants Daily Strategy Day.

Click here to book your tickets and make sure you don’t miss out.

TPB flags cyber-criminal threats for accountants
image intro
accountantsdaily logo