The Devil is Still in the Email: What BEC Looks Like in 2025

Phishing used to be scams hiding behind fake login pages or emails with typos and bad grammar. Now, Business Email Compromise (BEC) has taken its place with a vicious, targeted, multi-channel attack that blends credential theft and AI-crafted social engineering.

Today’s BEC attacks aren’t bulk spam. They’re tailored, contextually precise fraud: a stolen login, an OAuth prompt disguised as routine, a QR code that slips past filters, or a deepfaked voice pushing through a payment.

Artificial intelligence has lowered the barrier to entry. Research on a target that once took hours can now be spun up in minutes, personalised with a client’s name, invoice number, or file reference.

The Cost of BEC: How Attacks Keep Climbing in 2025

In 2025, the devil isn’t just in the details; it’s still in the email. Ignoring that truth is an expensive mistake, and the numbers from the previous financial year back it up.

In FY2023–24, Australians reported nearly $84 million lost to BEC to national cyber authorities across more than 1,400 confirmed incidents, averaging $55,000 per incident.

Globally, internet crime losses reached $16.6 billion in 2024, with cyber-enabled fraud accounting for 83% of the damage.

And that’s only what’s reported. Industry insiders estimate that the real number could be triple, as firms quietly absorb losses to avoid reputational fallout or client backlash. Threat actors powered by AI and automation are playing a volume game with BEC attacks and winning.

The trend line is heading the wrong way. In just the first quarter of 2025, BEC attacks spiked by 30%. Reported attacks in Australia rose 7% year on year, higher than the global average.

In the Association of Financial Professionals’ 2025 Payments Fraud and Control Survey, BEC was identified as a leading method of fraud, with 63% of organisations citing it.

For accounting and bookkeeping firms, that number likely underplays the true risk. As trusted financial intermediaries, they manage sensitive records, identity data, and client assets that can easily be weaponised. That trust premium, built over years of service, is now the profession’s greatest vulnerability.

When verification is bypassed, the consequences reach far beyond a single transfer. A breach doesn’t just expose tax file numbers (TFNs) or bank accounts; it opens the door to entire client dossiers. With that access, attackers can impersonate clients, reroute payments across multiple accounts, and execute fraud at a scale that one compromised inbox alone shouldn’t allow.


What Makes Accounting Firms Uniquely High-Value Targets

Attackers aren’t chasing software flaws or obscure cloud exploits. They’re chasing workflows, and accounting firms sit at the intersection of money, authority, and trust. That’s exactly what modern BEC is designed to exploit.

  • Payment authority at scale: From supplier bills to payroll, refunds, and BAS lodgements, one authorised click can release payments worth hundreds of thousands of dollars instantly. Every practice is wired with payment authority.
  • Concentrated client data: Firms hold TFNs, bank accounts, BAS records, and business plans, a ready-made kit for account takeover and identity fraud. In the attacker’s hands, that’s not one breach; it’s multiple downstream compromises.
  • Third-party complexity: Integrations, APIs, outsourced providers, and accountant-specific add-ons create persistent access points that expand the risk perimeter.
  • Distributed approvals: Hybrid teams fragment approval chains and spread credentials across desktops, mobiles, and personal devices.

It’s the mix of multi-level risks that matters. Trust, speed, and sprawling tech complexity combine to make accountants prime targets. And cyber criminals know it.

The Time Pressure Paradox

Attackers strike when you’re at your busiest: quarter-end, BAS deadlines, or tax season. They time their cons for when inboxes are flooded, executives are travelling, and verification gets skipped. One rushed approval is all it takes.

As Jamie Beresford, CEO of Practice Protect, put it:

“Accountants learn best from their peers. The most powerful catalyst for change isn’t legislation or theory — it’s hearing first-hand how another firm got burned, and what they did differently the next time.”

The catch: breaches are embarrassing. No partner wants to admit, “We let a client down because we missed something preventable.”

And yet, stories circulate. A few years back, a Far North Queensland firm unknowingly infected three clients after its mailbox was compromised, triggering a PI claim and months of reputational damage. In this industry, when your mailbox is infected, your reputation is too.

For many partners, it hasn’t been regulation or ATO guidance pushing change. It’s the daily embarrassment of receiving fake invoices from a known supplier, followed by sheepish apology notes. Reputation, not compliance, is forcing action.

And in accounting, client trust is currency.

The Devil Is Still in the Email — Just Ask Your Inbox

“The devil is in the email.” What started as a warning from previous years is now a reality.

In the past, brute-force attacks against Microsoft and Google made inboxes the softest target. In 2025, the risk is multiplied: inboxes hold correspondence and years of file attachments, client IDs, and the perfect launchpad for fraud.

The profession’s shift to SAML and Federation — unifying identities across desktops, apps, and email — was an early move toward resilience. By 2025, that principle has only sharpened: identity is now the perimeter that has to be protected.

If staff logins aren’t centrally controlled, monitored, and resistant to brute force, then every other control is downstream of failure.


How Modern BEC Plays Out in 2025: Anatomy of an Attack

Attackers don’t “hack” firms anymore. They don’t smash firewalls or guess passwords. They trick staff into giving them access. Here’s their exact methodology:

Reconnaissance: Knowing your firm before you do

They scrape your website for staff emails. They lift reporting lines from LinkedIn. They comb through public invoices and file metadata. Credentials from old breaches — sometimes yours, sometimes your vendors’ — are bought online for pocket change. By the time the first email lands, they already know who pays bills, who signs them off, and which clients are about to move big money.

Initial Access: The click that costs

The email doesn’t look like junk. It looks like business as usual:

  • An ATO “security update.”
  • A DocuSign from a known client.
  • A Microsoft 365 expiry notice.
  • A Xero invoice.
  • Even a practice management “update.”

Each reference is real — your client, your system, your timing. Behind the click sits an adversary-in-the-middle page that proxies the genuine login: the victim enters the password and approves the MFA prompt, the proxy captures the credentials and the resulting signed-in session, and the attacker walks in behind them without ever having to defeat MFA directly.

Persistence: watching, waiting, blending in

Attackers don’t act straight away. They set forwarding rules. They read threads. They learn how your firm approves payments. They bide their time — usually about five days. Long enough to look invisible, short enough to avoid notice.

Execution: When routine becomes a BEC heist

It doesn’t stay in email. The attack fans out across channels:

  • An email with “updated” payment instructions.
  • An SMS to “confirm” the change.
  • A Teams ping to add urgency.
  • And if someone calls, a deepfaked voice to close the deal.

The devil is in the email — but the attack almost always begins or ends somewhere else. That payment request in your inbox is only the visible tip of the spear.

The funds move offshore within hours. They’re split, washed through crypto exchanges, and gone. By the time anyone realises, the recovery rate is close to zero.


The 2025 Threat Evolution

AI changes everything, fast

AI hasn’t just improved scams; it has industrialised them. Security vendors such as VIPRE reported that up to 40% of BEC phishing emails in 2024 were AI-generated (VIPRE, Q2 2024). These lures now mimic tone, reference real projects, and even stitch details from LinkedIn or past emails into a convincing narrative.

What that means in practice: a message in perfect style, with a project name you actually worked on, invoice numbers that match your records, and no clumsy typos to give it away.

Deepfakes: seconds of audio are enough

McAfee testing showed that a usable voice clone can be generated from as little as three seconds of audio (McAfee, 2024). Other studies have backed this finding, with banks warning that short snippets from social media are enough to create a fake director authorising a payment or a supplier “confirming” account details.

Multi-vector attacks — email is only the first move

Email is now just the starting point. Abnormal Security observed in H1 2024 that BEC campaigns increasingly span email, SMS, messaging apps, and voice calls (Abnormal, 2024). Mimecast and APWG also reported sharp rises in “quishing” — QR-code phishing delivered via emails or messages (Mimecast, 2024; APWG, 2024).

In practice: the email instructs the change, an SMS “confirms” it, a Teams ping adds urgency, and a voice call seals the deal.
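The practical counter to this pattern is a payment-release rule that refuses to count any inbound “confirmation” as verification. The following is an added example, not code from the original article: a small payment-verification gate in which a changed BSB or account number can only be cleared by an outbound callback to the phone number already held in the vendor master. The vendor records, field names and phone numbers are constructed for illustration and are not from the article.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VendorRecord:
    """Bank details and callback number captured at onboarding (constructed)."""
    name: str
    bsb: str
    account: str
    callback_phone: str


@dataclass
class PaymentRequest:
    """A payment instruction as it arrived, plus what verification staff did."""
    vendor: str
    bsb: str
    account: str
    channel: str                                   # channel the instruction arrived on
    inbound_confirmations: list = field(default_factory=list)  # e.g. ["sms", "teams"]
    callback_done: bool = False                    # staff phoned the vendor before paying
    callback_number: str = ""                      # number actually dialled


def build_vendor_master():
    """Constructed vendor master; a real one comes from the practice system."""
    vendors = [
        VendorRecord("Acme Office Supplies", "062-000", "00011122", "+61 2 5550 0100"),
        VendorRecord("Harbour Legal", "033-000", "44455566", "+61 2 5550 0200"),
    ]
    return {v.name: v for v in vendors}


def evaluate_payment(req, master):
    """Return ("PROCEED" | "HOLD", [reasons]) for one payment request."""
    vendor = master.get(req.vendor)
    if vendor is None:
        return "HOLD", [f"'{req.vendor}' is not in the vendor master; onboard and verify first"]
    if (req.bsb, req.account) == (vendor.bsb, vendor.account):
        return "PROCEED", ["bank details match the vendor master"]

    # Details differ from what is on file: this is the 'updated payment
    # instructions' pattern. Only an outbound call to the number already on
    # file clears it; confirmations that arrive via SMS, Teams or a call the
    # requester placed all originate from the same (possibly hostile) party.
    if req.callback_done and req.callback_number == vendor.callback_phone:
        return "PROCEED", ["bank details changed, confirmed by callback to the number on file"]

    reasons = [f"bank details differ from vendor master (BSB {vendor.bsb} / acct {vendor.account} on file)"]
    if req.inbound_confirmations:
        reasons.append("inbound 'confirmations' via " + ", ".join(req.inbound_confirmations)
                       + " came from the requester and are not independent verification")
    if req.callback_done and req.callback_number != vendor.callback_phone:
        reasons.append(f"callback went to {req.callback_number}, not the number on file; "
                       "a number supplied in the request proves nothing")
    if not req.callback_done:
        reasons.append(f"no callback yet: phone {vendor.callback_phone} from the vendor record before releasing")
    return "HOLD", reasons


if __name__ == "__main__":
    master = build_vendor_master()
    # Constructed request: new bank details by email, "confirmed" by SMS and Teams.
    request = PaymentRequest("Acme Office Supplies", "082-001", "99887766", "email", ["sms", "teams"])
    status, reasons = evaluate_payment(request, master)
    print(status)
    for reason in reasons:
        print("  -", reason)
```

The design point is that the number of channels a change arrives on never raises its trust: three inbound messages from an attacker are still one source. The only input that changes the decision is data the firm captured before the request existed.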

Credential sprawl and identity risk

With most accounting workflows now cloud-based, identity is the new perimeter. Microsoft’s Digital Defense Report 2024 flagged password reuse and weak identity controls as the leading entry point for BEC (Microsoft, 2024). Attackers exploit OAuth consent prompts and forwarding rules to bypass controls, then sit quietly until the right transaction appears.
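The forwarding rules mentioned in both the “Persistence” stage above and this paragraph leave a trail in the mailbox audit log, and that trail is the cheapest detection a firm can run. The following is an added example, not code from the original article or from any vendor: it scans constructed records in the general shape of Microsoft 365 inbox-rule audit events (New-InboxRule and Set-InboxRule) and flags rules that forward mail outside the tenant, delete or hide matching mail, or filter on payment language. The internal domain, user names and addresses are assumptions for illustration, and the record shape is simplified from the real schema.

```python
import json
import re

INTERNAL_DOMAINS = {"example-accounting.com.au"}   # assumption: the firm's own domain(s)
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "junk email", "deleted items", "archive"}
PAYMENT_WORDS = {"invoice", "payment", "bank", "bsb", "remittance", "account", "transfer"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample, one JSON record per line, loosely following the shape of
# Microsoft 365 unified audit log inbox-rule events. Values are invented.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2025-03-03T09:12:44", "Operation": "New-InboxRule",
     "UserId": "a.partner@example-accounting.com.au",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "ForwardTo", "Value": "billing.archive@mail-example.net"},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank details"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-03T10:01:02", "Operation": "New-InboxRule",
     "UserId": "b.staff@example-accounting.com.au",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "FromAddressContainsWords", "Value": "news@"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-03-04T22:47:10", "Operation": "Set-InboxRule",
     "UserId": "c.manager@example-accounting.com.au",
     "Parameters": [
         {"Name": "Identity", "Value": "Remittance"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "SubjectContainsWords", "Value": "remittance;account"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-03-04T22:50:00", "Operation": "UserLoggedIn",
     "UserId": "c.manager@example-accounting.com.au", "Parameters": []},
])


def _params(record):
    """Flatten the Parameters array into a name -> string value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external_addresses(value):
    """Split a ';'/','-separated recipient list and keep addresses outside the tenant."""
    addrs = [a.strip() for a in re.split(r"[;,]", value) if a.strip()]
    return [a for a in addrs if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def assess_rule(params):
    """Return the reasons a rule looks like BEC persistence, or [] if benign.

    Strong indicators (external forwarding, deletion, hiding) flag on their own;
    weak ones (near-empty name, payment keywords, mark-as-read) only add context.
    """
    strong, weak = [], []
    for name in FORWARD_PARAMS:
        ext = _external_addresses(params.get(name, ""))
        if ext:
            strong.append(f"{name} sends mail outside the tenant: {', '.join(ext)}")
    if params.get("DeleteMessage", "").lower() == "true":
        strong.append("DeleteMessage removes matching mail from the inbox")
    folder = params.get("MoveToFolder", "").strip()
    if folder.lower() in HIDE_FOLDERS:
        strong.append(f"MoveToFolder hides matching mail in '{folder}'")
    name = params.get("Name") or params.get("Identity") or ""
    if len(name.strip()) <= 2:
        weak.append(f"rule name {name!r} is near-empty")
    conditions = (params.get("SubjectContainsWords", "") + " "
                  + params.get("BodyContainsWords", "")).lower()
    hits = sorted(set(re.findall(r"[a-z]+", conditions)) & PAYMENT_WORDS)
    if hits:
        weak.append("filters on payment language: " + ", ".join(hits))
    if params.get("MarkAsRead", "").lower() == "true":
        weak.append("MarkAsRead suppresses unread indicators")
    return strong + weak if strong else []


def analyze_rule_events(log_text):
    """Scan newline-delimited JSON audit records and return findings for rule events."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = _params(record)
        reasons = assess_rule(params)
        if reasons:
            findings.append({
                "time": record.get("CreationTime"),
                "user": record.get("UserId"),
                "operation": record["Operation"],
                "rule": params.get("Name") or params.get("Identity") or "",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_rule_events(SAMPLE_AUDIT_LOG):
        print(f"{f['time']} {f['user']} {f['operation']} rule={f['rule']!r}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against a real export, the same logic is worth pairing with a review of OAuth application consents, since the paragraph above names consent prompts as the other quiet foothold; the audit record shape for those events differs and is not covered by this block.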

Crypto rails and fast cashout

APWG data in late 2024 recorded a multi-hundred-percent surge in BEC cash-outs routed through cryptocurrency, with some datasets citing a 344% quarterly increase (APWG, Q4 2024). Chainalysis likewise noted that crypto rails are becoming the preferred exit path for BEC attackers (Chainalysis, 2024).

A local case illustrates the point. In 2024, a BEC fraud victim from South Australia lost $813,000. While investigating and working to recover the stolen funds, the Australian Federal Police found that nearly $300,000 of the money sent to a fraudulent bank account had already been transferred into cryptocurrency via a fraudulent Digital Currency Exchange (DCE) account.

The recovery of funds from that BEC fraud took almost a year and had an emotional and financial toll on the victim.

By now, your firm should have stopped treating email as a passive channel; it’s the frontline. Tighten the gates, verify twice, and assume every payment request is hostile until proven otherwise.


The Cost of Delay with BEC

BEC risk compounds the longer firms treat it as a background issue. Attackers are improving every quarter, trading techniques and targeting firms during peak workload seasons when approvals move quickly and verification slows down. July, October, and year-end are not just busy for accountants — they’re peak hunting season for attackers who understand the pressure you’re under.

For partners and practice managers, the question is no longer if a malicious attempt will reach your inbox. It’s how prepared your firm is to respond when it does. Resilience doesn’t come from a single control or annual training session. It comes from embedding secure practices into daily operations — treating identity, email, and payment verification as ongoing disciplines, not one-off projects.

Accounting firms with identity controls and centralised access in place are already a step ahead. But configuration isn’t the finish line; it’s the baseline. Regular posture reviews and active use of your dashboard should sit alongside your Monday team meetings and client pipeline reviews. Security maturity is a routine, not a milestone.

And if you believe your firm is too small to be targeted, or your clients too careful to be deceived, consider this: other high-trust industries — healthcare, legal, real estate — experience similar attacks not because they’re careless, but because their work is high-pressure and time-sensitive. Accounting fits the same profile.


The Bottom Line

Business Email Compromise isn’t just another cybercrime. It goes to the heart of accounting’s role as a trusted intermediary. The ramifications run far higher than a single loss: insurers become involved, often creating friction between firms and clients over who is responsible for the loss event. It’s an existential challenge to the accounting profession’s fundamental value proposition. When clients can’t trust payment instructions from their accountant, the entire relationship model collapses.

The knowledge to mitigate BEC is available, and the tools exist today. What separates resilient firms from exposed ones is how quickly they make BEC defense part of their operating rhythm. Not as a compliance checkbox, but as a professional standard.

The devil is still in the email. But with consistent preparation and vigilance, firms can keep control where it belongs, with their partners, their teams, and their clients.
