Accounting · July 20, 2020

Keep Your Firm Protected From Accounting Cybersecurity Threats

Accounting firms have access to a wide range of sensitive financial and personal client data. This makes them a top target for hackers who want to steal high volumes of sensitive information. As cybercriminals become more sophisticated, their tactics evolve and become more targeted. Today, there's a range of accounting cybersecurity threats specific to the tools and channels that CPAs and other professionals in the industry use the most.

By understanding the most common threats and implementing some basic best practices, accounting firms can effectively secure customer data and have a plan to deter, detect and respond to threats.

Phishing and malware

The most common email threats are phishing scams. A phishing scam occurs when hackers use compromised or fraudulent email addresses to target a specific employee. Often, they ask the employee to facilitate what looks like a legitimate transaction or to make changes to key payment or vendor information.

A phishing message could be a fake email that appears to come from a client with the word invoice in the subject line. When the employee opens a seemingly legitimate attachment, your accounting firm's entire network can become compromised.

View every email—and attachment—with caution. Consider an email encryption system that encrypts sensitive internal emails with attachments automatically. Check with your IT team or service provider to make sure they have an alert system for suspicious emails.
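A minimal sketch of the kind of check a suspicious-email alert system can run on the fake client invoice described above. This is an added example, not code from the original article; the client list, keyword list, extension list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (all hypothetical): client list, extension list, keyword list.
KNOWN_CLIENTS = {"acme supplies": "acme-supplies.example"}
RISKY_EXT = (".exe", ".js", ".iso", ".docm", ".xlsm", ".html")
PAYMENT_WORDS = ("invoice", "payment", "wire", "bank details")

def triage(raw):
    """Return the reasons a message deserves a second look (empty = none)."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_CLIENTS.get(name.strip().lower())
    if expected and domain != expected:
        reasons.append(f"client name '{name}' sent from {domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    subject = msg.get("Subject", "").lower()
    files = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if files and any(w in subject for w in PAYMENT_WORDS):
        reasons.append("payment-themed subject with an attachment")
    reasons += [f"risky attachment type: {f}" for f in files
                if f.lower().endswith(RISKY_EXT)]
    return reasons

# Constructed sample: look-alike domain ("1" for "l") and a macro workbook.
SUSPICIOUS = """\
From: "Acme Supplies" <billing@acme-supp1ies.example>
Reply-To: accounts@mailbox.example
Subject: Overdue invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1

Please see attached.
--b1
Content-Disposition: attachment; filename="invoice_4471.xlsm"

placeholder
--b1--
"""
# Constructed sample: the same client writing from its real domain.
BENIGN = ('From: "Acme Supplies" <billing@acme-supplies.example>\n'
          "Subject: Meeting next week\n\nSee you Tuesday.\n")
for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
    print(label, triage(raw))
```

A non-empty result is a prompt to confirm the request with the client through a known phone number, not proof that the message is malicious.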


Ransomware

Ransomware is a growing cybersecurity threat aimed at organizations that deal with highly confidential data—accounting firms included. By using malicious software, hackers encrypt all files on an organization's computers and networks, blocking the owner's access and holding their systems hostage. Owners can only regain control of the sensitive data by paying a ransom.

Your accounting firm should have multiple data backup strategies in place. Set up daily and weekly backup procedures to transfer information to a separate device that can be removed and stored off-site. That way, even if the entire network becomes compromised, the backup isn't infected.

Unsecured devices

Cloud-based accounting systems allow employees to access critical software on different devices from any location. Many firms even allow employees to use their own devices for business purposes. The risk, of course, is that these personal devices may not have the security features and updates needed to protect client and firm data.

Work with your employees to ensure antivirus software is installed on all devices. Require employees to use a secure virtual private network to access computers and systems remotely. Also, make it a requirement that employees remove unneeded client data from their devices regularly.


Cryptojacking

A relatively new accounting cybersecurity threat, cryptojacking involves using a computing system or network to mine cryptocurrencies. Because these currencies employ blockchain technology—the combined power of multiple computer programs to authenticate the transaction—they're untraceable as a form of online payment.

By embedding malware into a firm's systems, cybercriminals use the computer's processing power to create new tokens and generate fees, which are deposited in the miners' online wallet. While nothing in the firm's computer network is stolen or encrypted, cryptojacking can slow down a firm's computer network and overwork processors.

Make sure your systems are updated with the latest antivirus and malware-detecting software. These regularly scan for suspicious scripts. Because most cryptojacking scripts are embedded in ads, make sure you install an ad-blocker.

Educate your team

There are several cybersecurity certifications specific to CPAs and accountants that business owners can obtain to help assess and navigate digital risks. This kind of education can protect client information and demonstrate your business's commitment to cybersecurity.

The American Institute of Certified Public Accountants, or AICPA, is the largest member association representing the accounting profession. The AICPA offers four certificate programs, including Cybersecurity Fundamentals for Finance and Accounting Professionals, Cybersecurity Advisory Services, SOC for Cybersecurity Services and Cybersecurity Practical Applications.

By educating yourself and your staff about threats, you'll be positioned to put effective accounting cybersecurity protocols in place. This will limit your firm's exposure to online risks and reassure customers that you have their best interests and the safety of their information in mind.



This information is provided for educational purposes only and should not be relied on or interpreted as accounting, financial planning, investment, legal or tax advice. First Citizens Bank (or its affiliates) neither endorses nor guarantees this information, and encourages you to consult a professional for advice applicable to your specific situation.
