Security | 16 January 2026

Phishing Attacks Targeting Accounting Firms: 5 Red Flags

Accounting firms are a top target for phishing attacks during tax season. Here are the five red flags your team should be trained to spot.

Australian accounting firms saw a sharp spike in phishing attempts during the 2025 tax season, with the ACSC reporting a 40% increase over the prior year. Here are the five red flags your team should be trained to spot — and what to do when they see one.

Why accounting firms are targeted

Firms handle tax file numbers, bank account details, business financial data, and signed tax documents. A single compromised email account can yield enough information to file fraudulent returns, redirect refunds, or commit identity theft against dozens of clients. The ROI for an attacker is high.

Red flag 1: "Urgent" client requests from new email addresses

A classic pattern: "Hi John, it's Sarah from ABC Pty Ltd. Can you urgently send me a copy of our 2024 BAS and last quarter's financials? Our auditor needs them by tomorrow." The email looks right, signed off with Sarah's usual name. But the "From" address is slightly different — sarah@abcptyltd.com.au instead of the usual sarah@abc.com.au. The urgency is the giveaway.
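A minimal triage check for the lookalike-domain pattern described above, added here as an example (not code from the original post): it flags senders whose domain embeds a known client's label or is a near-identical spelling, and notes urgency language. The client allowlist and the sample messages are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of the firm's known client sender domains (hypothetical).
KNOWN_CLIENT_DOMAINS = ["abc.com.au", "smithandco.com.au"]

# Words that signal the pressure tactic used in the email above.
URGENCY_WORDS = {"urgent", "asap", "immediately", "by tomorrow"}

def sender_domain(from_header):
    """Extract the domain from a From: header, handling the 'Name <addr>' form."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()

def lookalike_of(domain):
    """Return the known client domain this unknown domain imitates, or None."""
    for known in KNOWN_CLIENT_DOMAINS:
        label = known.split(".")[0]
        # Client's brand label embedded in a foreign domain (abc -> abcptyltd),
        # or a near-identical spelling (abc.co.au), is the red-flag pattern.
        if label in domain or SequenceMatcher(None, domain, known).ratio() >= 0.8:
            return known
    return None

def triage(message):
    """Return the list of red-flag reasons for a dict with 'from' and 'body' keys."""
    reasons = []
    domain = sender_domain(message["from"])
    if domain not in KNOWN_CLIENT_DOMAINS:
        known = lookalike_of(domain)
        if known:
            reasons.append(f"sender domain {domain} imitates known client domain {known}")
        else:
            reasons.append(f"sender domain {domain} is not a known client")
    body = message["body"].lower()
    if any(w in body for w in URGENCY_WORDS):
        reasons.append("urgency language in body")
    return reasons

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from": "Sarah <sarah@abcptyltd.com.au>",
     "body": "Hi John, can you urgently send me our 2024 BAS? Our auditor needs it by tomorrow."},
    {"from": "sarah@abc.com.au", "body": "Attached is the signed engagement letter for FY25."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", triage(m) or ["no flags"])
```

A check like this is a prompt for a human to verify the sender out of band, not a replacement for that call.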

Red flag 2: Generic lodgement notifications

Attackers send emails posing as the ATO: "Your recent lodgement has failed. Click here to review." The links go to credential-harvesting pages that look exactly like the ATO's portal. The ATO does not send unsolicited emails with clickable lodgement links. Period.

Red flag 3: Document attachments from clients you haven't worked with recently

"Please find attached the documents you requested." You didn't request any documents. But you're busy, it's tax season, and you open it just in case. The PDF is actually a shortcut file that runs malware. If you didn't ask for it, don't open it.

Red flag 4: Password reset emails you didn't request

You get an email that looks like a password reset for your practice management system. You didn't try to reset anything. It might be a phishing attempt, but more dangerously, it might mean someone is actively trying to break into your account. Report it to IT immediately — don't just ignore it.

Red flag 5: Voice calls "confirming" an email you've never received

The phone call version of phishing. "Hi, this is Michelle from the ATO. I'm following up on an email we sent you about unpaid amounts." There's no email. The call is trying to get you to take action over the phone. Hang up and call the ATO back on a published number.

What to do when you see one

Stop. Don't click. Don't reply. Report it to your firm's IT contact. Forward the suspicious email to the ACSC at report@cyber.gov.au. And if you did click and enter credentials, change them immediately and notify IT — don't wait to see if anything happens. The window between compromise and exploitation is often hours, not days.