The Accounting Firm Scam Costing Melbourne Accountants Thousands

March 20, 2026 · 6 min read

Melbourne accounting practices are being hit by a wave of targeted cyberattacks specifically designed to exploit the trust clients place in their accountant. These are not random attacks — criminals research their targets, understand accounting workflows, and time attacks to coincide with tax season when staff are busy and less likely to notice something unusual.

How the Attack Works

The most common attack targeting Melbourne accountants begins with a phishing email that appears to come from the ATO, from a software vendor like MYOB or Xero, or from another accounting firm. Once that email has given them a foothold in your system, attackers either encrypt all your files and demand a ransom, steal client data to sell on criminal markets, or monitor your email communications to intercept client payments.

The ATO Portal Attack

One of the most damaging attacks specifically targeting accountants involves compromising your ATO Online Services for Agents credentials. Attackers use phishing emails or malware to steal your login details, then access the portal to lodge fraudulent tax returns on behalf of your clients, redirecting refunds to criminal bank accounts. One Melbourne accounting practice lost access to their ATO portal for three weeks and spent months dealing with fraudulent returns lodged on behalf of their clients.

The MYOB/Xero Ransomware Attack

Ransomware that specifically targets accounting software databases is increasingly common. These attacks focus on the database files used by MYOB, Xero, Reckon and similar software, leaving client data inaccessible unless the ransom is paid or a clean copy exists elsewhere. Without an isolated, tested backup, recovery is extremely difficult.

Client Trust at Stake

Beyond the direct financial loss, an accounting firm data breach carries significant professional consequences. The Tax Practitioners Board takes data breach incidents seriously. Depending on the nature of the breach, you may have mandatory notification obligations under the Privacy Act's Notifiable Data Breaches scheme — meaning you must notify both the OAIC and each affected client. The reputational cost of informing clients that their financial data has been compromised can be severe and lasting.

Why Accounting Firms Are Targeted More Than Ever

The concentration of high-value financial data, the proliferation of software integrations between accounting platforms, and the fact that many small to medium practices have not invested in dedicated security controls makes this sector an attractive target. Criminals increasingly use techniques like thread hijacking — inserting malicious emails into existing email threads to make them appear legitimate — and spear phishing campaigns that reference specific software your practice uses.

What a Good Defence Looks Like

Defending an accounting practice effectively requires a layered approach. At the network level: endpoint detection and response software on all computers, email security that filters phishing attempts, and a properly configured Microsoft 365 or Google Workspace environment with anti-spoofing enabled. At the process level: a strict policy that no bank account change request is processed without verbal confirmation to a known phone number, and clear procedures for what staff should do if they suspect a phishing attempt. At the awareness level: regular, practical training for all staff — not just partners — on the specific techniques used against accounting firms.
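"Anti-spoofing enabled" at the mail-platform level comes down to the SPF and DMARC records a practice publishes in DNS. The following is an added example, not IntrusionX's code, that evaluates a weak and a hardened pair of constructed records for a hypothetical practice domain and lists what each weakness lets a spoofer do:

```python
import re

# Constructed DNS TXT records for a hypothetical practice domain: a weak set and a hardened set.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com.au"

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag/value dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(record: str) -> list:
    """Weaknesses in an SPF record; an empty list means senders are strictly limited."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send as this domain"]
    last = record.split()[-1].lower()
    if last in ("+all", "all"):
        return ["SPF ends in +all: every sender on the internet passes"]
    if last == "?all":
        return ["SPF ends in ?all (neutral): spoofed mail is neither passed nor failed"]
    if last not in ("-all", "~all"):
        return ["SPF has no terminating 'all': unlisted senders get a neutral result"]
    return []  # -all (fail) or ~all (softfail, acceptable when DMARC enforces)

def dmarc_findings(record: str) -> list:
    """Weaknesses in a DMARC record; an empty list means spoofed mail is rejected."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers will not reject mail that fails SPF/DKIM"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk rather than being rejected")
    if tags.get("sp", policy) == "none":  # subdomain policy inherits p when absent
        findings.append("sp=none: any subdomain of the practice can be spoofed")
    if tags.get("pct", "100").isdigit() and int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only that share of mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, abuse goes unseen")
    return findings

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARD_SPF, HARD_DMARC)):
        print(label, spf_findings(spf) + dmarc_findings(dmarc) or ["no findings"])
```

To check a live domain, feed the output of `dig TXT yourdomain.com.au` and `dig TXT _dmarc.yourdomain.com.au` into the two functions.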

What You Must Do Immediately

  • Enable MFA on your ATO portal access right now. The ATO mandates this — if you have not done it yet, you are at serious risk.
  • Test your backups today. Try restoring a test file right now. Many businesses discover their backup has been failing silently for months.
  • Stop clicking links in emails about ATO, MYOB or Xero. Always navigate directly to these sites by typing the URL yourself.
  • Verify any bank account change requests by phone. Call on a number you already have — never the one in the email.
  • Review who has administrator access to your accounting software and ATO portal. Former staff should have access removed immediately on departure.
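The phone-verification rule above is a process control, but a mail filter can decide which messages must be held for that call. This added example (not the page's or IntrusionX's code) triages a constructed bank-detail change request against a hypothetical address book, flagging a lookalike sender domain, a foreign Reply-To, a recorded DMARC failure and the request itself:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): a bank-detail change request sent from a
# lookalike domain, with a free-mail Reply-To, that failed DMARC at the receiving server.
SAMPLE_EMAIL = """\
From: "Jane Smith - Smith Plumbing" <jane.smith@smith-plumbing-invoices.com>
Reply-To: smithplumbing.accounts@gmail.com
To: payments@example-accountants.com.au
Subject: RE: Invoice 1042 - updated bank details
Authentication-Results: mx.example-accountants.com.au; dmarc=fail header.from=smith-plumbing-invoices.com

Hi, please note our bank account details have changed. New BSB 123-456,
account 987654321. Please update before the next payment run. Thanks, Jane
"""

# Constructed address book: contact names the practice knows and the domain they really use.
KNOWN_CONTACTS = {"jane smith": "smithplumbing.com.au"}

BANK_CHANGE = re.compile(
    r"(bank|account|bsb)\s+details?.{0,40}(chang|updat)|new\s+(bsb|bank\s+account)", re.I)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def red_flags(raw: str, known=KNOWN_CONTACTS) -> list:
    """Return the reasons this message should be held for phone verification."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    # 1. Display name matches a known contact but the sending domain is not theirs
    for contact, real_domain in known.items():
        if contact in name.lower() and from_domain != real_domain:
            flags.append(f"'{name}' normally writes from {real_domain}, not {from_domain}")
    # 2. Replies would go to a different domain than the one that appears to have sent it
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from sender {from_domain}")
    # 3. The receiving mail server recorded a DMARC failure for the From domain
    if re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", ""), re.I):
        flags.append("DMARC failed: the From domain did not authorise this sender")
    # 4. The body asks for payment details to be changed: the action the policy gates
    if BANK_CHANGE.search(msg.get_payload()):
        flags.append("requests a change of bank details: confirm by phone on a known number")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_EMAIL):
        print("FLAG:", flag)
```

Any message that raises flag 4 should be held regardless of the others; flags 1 to 3 are the signals that make the phone call urgent rather than routine.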

IntrusionX works with Melbourne accounting practices to put the right controls in place before an attack occurs. We understand the specific threat landscape facing this sector and can deploy protection with minimal disruption to your practice operations. Call us on +61 499 468 971 for a free assessment.
