Why Accountancy Practices Are Targeted: Client Data, Tax Records and Trust

A typical accountancy practice with 5 to 20 staff holds the financial records — personal, corporate, and payroll — for potentially hundreds of clients. It has HMRC agent credentials that provide access to client tax accounts. It holds client banking details for BACS payment processing. It maintains directors' personal financial information as part of company accounts. It handles payroll data, including salary, NI number, and bank account details, for the employees of its clients.

From a criminal's perspective, a small accountancy practice is a concentrator of high-value financial data. Compromising one firm provides access to the financial information of every client it serves — and, via the HMRC agent portal, the ability to access and manipulate client tax records.

The HMRC Agent Credentials Problem

Registered agents on HMRC's online services have a level of access to client tax affairs that is unusually powerful: the ability to view, amend, and submit returns for every client within the agent's portfolio. Criminal groups specifically target accountancy practices for their HMRC agent credentials. Compromised agent logins have been used to redirect tax repayments to criminal bank accounts, submit fraudulent returns, and access client financial information at scale.

HMRC agent credentials should be treated as privileged credentials: unique passwords, MFA (HMRC's Government Gateway now supports authenticator app MFA for agents), and immediate revocation when a staff member with agent access leaves the practice.

Client Financial Data as a Fraud Resource

The combination of data that an accountancy practice holds for a typical business client — bank account details, director personal details, annual turnover, payroll figures, VAT registration number, and Companies House filing history — provides everything needed for a sophisticated impersonation fraud. An attacker who has compromised an accountancy practice's systems can impersonate the practice to its clients, impersonate clients to their suppliers, and impersonate the practice to HMRC — with enough financial detail to make the impersonation convincing.

Payroll Data: A Specific High-Risk Category

Payroll data processed by an accountancy practice for its clients contains the personal data of third parties — the employees of client businesses — who have no direct relationship with the practice and no awareness that their data is held there. This data includes NI numbers, bank account details, salary figures, and in some cases information about employment status, sick pay, and maternity leave. Its breach creates both a GDPR consequence for the practice and a direct identity fraud risk for individuals who don't know the practice exists.

Payroll data is among the most directly actionable personal data for financial fraud. A database of employee bank account details and NI numbers is a list of fraud targets. An accountancy practice that processes payroll for 50 clients with an average of 20 employees is holding the personal financial data of 1,000 individuals whose security depends on the practice's controls.

Invoice Fraud Targeting Practice Clients

Accountancy practices are frequently impersonated in invoice fraud and business email compromise attacks against their clients. A client who regularly receives emails from their accountant requesting payment of fees, sending draft accounts for approval, or confirming bank details for tax refund transfer is a natural target for a criminal impersonating the practice. If the practice's own email domain has been compromised or can be spoofed, the impersonation is convincing.

Practices that configure DMARC at p=reject on their domain prevent their domain from being successfully spoofed in attacks against clients. This is both a security control for the practice and a duty of care to clients who trust communications bearing the practice's identity.
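A practice can check where its own domain sits on that scale by reading its DMARC TXT record. The following is an added example, not code from the original article: it parses a record and lists the gaps that still leave the domain spoofable (the sample records and the `practice.example` domain are constructed for illustration).

```python
# Added example (not from the original article): classify a DMARC record as
# enforcing or not, so a practice can check its own anti-spoofing posture.

# Strength order of DMARC policies; sp= (subdomains) defaults to p= if absent.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return the reasons a record does NOT fully block spoofing; empty means enforced."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: receivers only report spoofing, they do not block it")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    # pct= applies the policy to only a sample of failing mail (default 100).
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing messages get the policy")
    # An explicit sp= weaker than p= leaves subdomains of the practice spoofable.
    sub = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub, 0) < POLICY_RANK.get(policy, 0):
        findings.append(f"sp={sub}: subdomains can still be spoofed")
    # rua= is where aggregate reports go; without it spoofing attempts go unseen.
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unseen")
    return findings


# Constructed sample records for an illustrative practice domain.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@practice.example"
PARTIAL = "v=DMARC1; p=reject; pct=50; sp=none; rua=mailto:dmarc@practice.example"
ENFORCED = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@practice.example"

if __name__ == "__main__":
    for name, rec in [("monitor-only", MONITOR_ONLY), ("partial", PARTIAL), ("enforced", ENFORCED)]:
        print(name, dmarc_findings(rec) or ["enforced: exact-domain spoofing is rejected"])
```

An empty findings list means receivers that honour DMARC will reject mail claiming to be from the exact domain; it says nothing about lookalike domains, which still need client awareness and BEC detection.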

Client Financial Data Demands Financial-Grade Security

SOC in a Box provides 24/7 monitoring, HMRC agent credential monitoring, DLP for financial and payroll data, and BEC detection for accountancy practices. Cyber Essentials certification and monthly Confidence Score reports provide the compliance evidence your ICAEW, ACCA, or CIMA obligations and your clients' expectations both require.
