From sole practitioners to large multi-national companies, accountants continue to be a major target for cybercriminals. In this article, we explore the emerging ways in which cybercriminals’ methods are evolving.
Sophisticated social engineering
In our recent article, Kennedys’ cyber team reported on an emerging risk which we identified concerning the exploitation of Microsoft Teams by cybercriminals, together with evolving AI techniques.
In short, cybercriminals are spamming employees with deliberately suspicious-looking emails before then masquerading as someone from the target organisation’s IT team in order to coax the concerned employee into granting remote access to their desktop. Our prediction is that cybercriminals will increasingly use ‘deepfake’ audio, and even video, to further convince those they are communicating with that they are the contact they are pretending to be.
Given we know cybercriminals target accountants because of a perception of ‘deep pockets’, the increasing use of AI, and particularly deepfake technology as a form of advanced social engineering, is something which all professionals need to be aware of. Employee training in these areas is also essential.
Phantom employees and ‘smoking gun’ tax returns
Once unauthorised access to systems has been secured, cybercriminals are finding novel ways to divert funds. Cybercriminals can, for example, create a ‘phantom’ employee (or employees) on the payroll and input fraudulent bank details for them. The phantom employee or employees would then periodically receive a fictitious salary which would be paid directly to the cybercriminals. Alternatively, with access to the payroll platform, fraudulent bank details could simply be swapped for the legitimate bank details associated with a genuine employee.
For those offering payroll as a service for clients, the implementation of effective controls to immediately identify the manipulation of financial records is essential in order to avoid the commercial disputes and reputational harm that would inevitably flow from late awareness of the diversion of client funds arising from a breach of the accountants’ systems.
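By way of illustration, one such control is a check run before each payroll is released, comparing it against the previous run. The Python sketch below is an example added here, not part of Kennedys' guidance or any payroll product; the record fields, the sample data and the list of separately approved changes are all assumptions.

```python
from collections import defaultdict

def bank_key(record):
    """Identify the destination account of a payroll record."""
    return (record["sort_code"], record["account"])

def review_payroll_run(previous, current, approved=frozenset()):
    """Compare two payroll snapshots (employee id -> record) and return alerts.

    `approved` holds ids whose onboarding or bank change was confirmed through
    a separate channel (a hypothetical control, e.g. HR sign-off by phone).
    """
    alerts = []
    for emp_id, record in current.items():
        if emp_id in approved:
            continue
        old = previous.get(emp_id)
        if old is None:
            alerts.append((emp_id, "NEW_PAYEE"))             # possible phantom
        elif bank_key(old) != bank_key(record):
            alerts.append((emp_id, "BANK_DETAILS_CHANGED"))  # possible swap
    # One account receiving several salaries is flagged even if approved.
    by_account = defaultdict(list)
    for emp_id, record in current.items():
        by_account[bank_key(record)].append(emp_id)
    for emp_ids in by_account.values():
        if len(emp_ids) > 1:
            alerts.extend((emp_id, "SHARED_ACCOUNT") for emp_id in emp_ids)
    return sorted(alerts)

# Constructed sample data: two consecutive payroll runs.
PREVIOUS = {
    "E001": {"sort_code": "10-00-01", "account": "00000001"},
    "E002": {"sort_code": "10-00-02", "account": "00000002"},
    "E003": {"sort_code": "10-00-03", "account": "00000003"},
}
CURRENT = {
    "E001": {"sort_code": "10-00-01", "account": "00000001"},
    "E002": {"sort_code": "99-00-09", "account": "99999999"},  # details swapped
    "E003": {"sort_code": "10-00-03", "account": "00000003"},
    "E004": {"sort_code": "10-00-04", "account": "00000004"},  # approved joiner
    "E005": {"sort_code": "99-00-09", "account": "99999999"},  # unapproved payee
}
APPROVED = frozenset({"E004"})

if __name__ == "__main__":
    for emp_id, reason in review_payroll_run(PREVIOUS, CURRENT, APPROVED):
        print(f"HOLD {emp_id}: {reason}")
```

The approved list should be maintained outside the payroll platform, so that someone with access to the platform cannot also approve their own changes.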
Even without unauthorised access to systems, accountants should be alive to the increased use of AI by cybercriminals to extort victim organisations. For those with high profile clients, we consider it very possible that cybercriminals will also seek to leverage AI to create ‘smoking gun’ style documents, which they then use to hold accountants to ransom in order to prevent publication to the press, even if the document is fake (for example, a potentially damaging tax return for a politician in the midst of an election campaign). This is something we have seen in other industries already, with cybercriminals claiming the document (typically a compromising image) was taken from the victim’s systems following a cyber attack.
Third party file sharing platforms
Transferring sensitive data with clients, with the tax authorities, and within the business, can be an everyday occurrence for many accountants. Doing so securely is essential, not just because of contractual requirements to keep data safe, but also because of regulatory requirements to do so.
In recent months there have been a growing number of high profile cyber attacks against the providers of file transfer platforms, including MOVEit, and more recently, CrushFTP (see our article for more detail). Given there are particular ransomware groups focussing on supply chain attacks, this makes it very likely that other such file transfer platforms are being actively targeted.
Whilst the software providers have been the primary victims of such cyber attacks, those using the platforms to transfer data have subsequently become secondary victims, with data being exfiltrated from users’ accounts and each user then being held to ransom to prevent publication of the extracted data online.
How to mitigate the risk of a cyber attack
Aside from implementing appropriate technical and organisational measures to ensure a level of IT security appropriate to the risk, awareness that humans (employees) are often the ‘weakest link’ is imperative.
For each of the risks above, up to date employee training and clear acceptable use policies can help to mitigate the risk of a cyber attack, but in the event an incident does occur, effective breach response planning can allow for early detection and containment.
In addition to effective planning, immediate access to experts can often make the difference between short term disruption and long term outages, naturally resulting in very significant operational issues (and often third party claims) for those impacted within the accountancy industry.
Should you be interested in finding out more about any of the trends covered in this article, or if you would like to discuss pre-breach planning options, please do not hesitate to contact our cyber team.