Threat Intelligence & Incident Response
How BEC and wire-fraud unfold in CPA firms — refund redirect, payroll wire interception, vendor payment scams — and the controls that catch the chain before the wire leaves.
The money that disappears from accounting firms almost never disappears because of malware. It disappears because a staff accountant updated a refund routing number, processed a payroll wire on a Friday afternoon, or replied to a vendor with "new bank confirmed" — and nobody picked up the phone.
Once you have seen the pattern, you stop arguing about whether it could happen at your firm and start asking what is in place to catch it.
A CPA firm sits between two parties moving money on almost every engagement. Client to IRS. Client to payroll provider. Client to vendor. Client to a fiduciary account the firm administers. Every one of those is a wire instruction or routing number that touches the firm's email.
The attacker does not need to compromise the firm to win. They only need to compromise the email of any party in a thread the firm reads. That structural exposure is why this attack keeps producing six-figure losses at firms that thought they were too small to be interesting. The number of CPAs on staff does not matter. The dollar amount on a single payroll wire or high-net-worth refund does.
Tax-season specific and brutally simple. The attacker compromises a client's email weeks before filing. When the firm-client thread about refund destination opens, they reply from inside the client's mailbox with a new routing number — "switched banks last month."
The preparer updates the return, files it, the refund deposits to the attacker's account via ACH, and the client discovers it only when the refund never lands. Losses commonly run $4,000 to $50,000. Recovery odds are low — ACH is harder to claw back through the Financial Fraud Kill Chain than a wire.
The year-round pattern, and the one with the biggest losses. The attacker compromises the client's email or a vendor's, then watches the firm assist with payroll funding or vendor payment. At the right moment — usually the day before funding — a reply lands: "Our bank changed, please update."
The firm processes the new instruction. The wire goes. Losses commonly run $25,000 to $500,000. Recovery depends entirely on speed — FFKC and IC3 reporting in the first 24 hours give you a real chance; by the next business day the money is layered out.
The most damaging pattern, because the malicious email genuinely comes from the firm's real domain. DMARC, DKIM, and SPF will not save the recipient — the message authenticates because it actually is from your firm.
The attacker phishes a partner or staff accountant using an AiTM kit — EvilProxy, Tycoon, NakedPages, or Mamba 2FA. The kit captures both the password and the post-MFA session token. The attacker logs in from a foreign IP, sets an inbox rule hiding mail containing "wire", "ACH", "refund", or "EFT", and waits for a wire-instruction thread. When one surfaces, they reply with "updated" details. Losses commonly run $50,000 to $500,000 or more.
A composite — not one specific firm — but every beat has happened at real CPA practices recently.
Wednesday afternoon. A staff accountant at a twelve-preparer Midwest firm opens an email that looks like an IRS CP-2000 notice — "your client's account is under review." The link prompts her to authenticate with Microsoft 365. She enters credentials, approves the Authenticator prompt, a generic IRS-looking page loads, and she moves on.
She entered credentials on a proxy. An AiTM kit forwarded the password to the real Microsoft login, captured the MFA prompt, and captured the post-authentication session cookie.
Thursday morning. The attacker logs in from Lithuania using the captured token. Because the cookie is post-MFA, the tenant treats them as fully authenticated. They create an inbox rule: any message containing "wire", "ACH", "refund", "routing", or "EFT" — forward externally, mark as read, move to RSS Subscriptions.
Thursday afternoon. The attacker watches an active thread about the client's Q2 estimated payment — an $87,000 wire scheduled for Friday. The rule routes copies to the attacker and hides the originals.
Friday, 11 a.m. Posing as the staff accountant on a reply to the live thread, the attacker sends "updated" wire instructions from the firm's real mailbox.
Friday, 1 p.m. The client wires $87,000.
The following Tuesday. The IRS reports the estimated payment was never received. The staff accountant pulls the thread and finds the attacker's reply hiding in RSS Subscriptions. The floor falls out.
MFA is necessary. But the version most CPA firms have — push notification or six-digit code — does not stop adversary-in-the-middle.
Public AiTM kits like EvilProxy, Tycoon, NakedPages, and Mamba 2FA have been widely documented across 2024 and 2025. They proxy the real Microsoft login and capture the session cookie issued after MFA is satisfied. Once replayed, the tenant cannot tell the attacker apart from your staff accountant.
The factors that resist this cleanly are phishing-resistant — FIDO2 keys, Windows Hello for Business, or certificate-based authentication. Most small and mid-size firms are not there yet. Treat MFA as one layer and add at least one more.
This is where managed identity threat detection earns its keep. The signal pattern in the composite above is loud if anyone is watching:
Managed ITDR — the Huntress identity product we deploy for accounting clients — catches all four in minutes. The mailbox-rule anomaly is among the highest-confidence detections in identity security, because real users almost never hide financial keywords from themselves.
Every BEC wire-fraud case I have walked through could have been stopped by a phone call. Not a tool. A phone call.
If you implement the callback rule and nothing else, you eliminate most of the realistic loss path.
The next four hours decide how much money you get back and how clean the response is:
If the compromised mailbox contained customer information — and at any accounting firm, it almost certainly did — the firm has obligations under the FTC Safeguards Rule's incident response provisions in § 314.4(h). Under the 2024 amendments, events affecting 500 or more consumers trigger a 30-day FTC notification clock from discovery.
Be conservative when the count is uncertain — assume the count is above the threshold and prepare notification while forensics narrows it down. Missing the window because you were waiting for a tidy number is worse than filing an initial notification later refined. The rule also requires the incident response plan to exist in writing before the incident.
A wire-fraud loss typically pulls from two parts of the insurance stack:
Both should be triggered. Call the broker the same day.
The partners who have lived through one of these cases almost always say the same thing: it was not really a technical failure. It was a process failure — no callback verification — compounded by a credential-theft event. Both ends needed fixing.
The credential theft is what MDR and ITDR are for — Managed Detection and Response on endpoints, Managed ITDR on Microsoft 365 identities. The process failure is what the callback policy, dual-approval rule, and Managed SAT program are for. A firm with both layers is a hard target. A firm with neither is the case study in next quarter's incident report.
We deploy Huntress Managed ITDR — Protected and Complete tiers — for accounting firms because the inbox-rule and foreign-sign-in detections are the highest-leverage controls against this pattern. A hidden "wire/ACH/refund/EFT" forwarding rule fires a detection within minutes — hours or days before a fraudulent wire would otherwise be initiated.
We pair it with Managed SAT tuned to IRS impersonation, refund-redirect themes, and payroll-platform lookalikes, focused on the staff accountants and seasonal contractors. And we run a short tabletop on the callback policy so that when the moment comes in February or April, nobody is making it up in real time.
If you are not sure where your firm stands, that is the conversation to have before a Friday afternoon arrives with an $87,000 client wire on it. Talk to us about Managed ITDR, review your cyber insurance readiness, or get the weekly briefing.
Last updated: May 16, 2026.
Last updated
May 16, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
The attacker compromises a client's email account, watches the thread between the client and the CPA about refund destination, then sends a 'reply' to the firm with new bank routing for the refund deposit. The firm updates the return, files it, and the refund deposits to the attacker's account via ACH. Recovery odds are low — refund proceeds move by ACH, which is harder to claw back through the FBI's Financial Fraud Kill Chain than a wire, and by the time the client notices the missing refund the funds are already layered out. Losses typically run from $4,000 to $50,000 per incident, depending on refund size.
No. MFA stops password-stuffing attacks, but adversary-in-the-middle phishing kits like EvilProxy, Tycoon, NakedPages, and Mamba 2FA proxy the real Microsoft login and capture the post-MFA session cookie. Once the cookie is replayed, your tenant treats the attacker as fully authenticated. MFA is necessary but it is not a finish line — especially at a firm where staff accountants are reading IRS-themed emails and payroll-provider notifications all day long.
Callback verification means that any change to wire or payment instructions — even a routing-number tweak — requires a phone call to the other party on the number from the original engagement letter, not the number in the email signature. The attacker controls the email thread but does not control the client's, vendor's, or payroll provider's phone. One outbound phone call to a number you already had on file before this engagement opened catches almost every redirect attempt.
Yes, and quickly. IC3.gov is the FBI's front door for BEC and the entry point for the Financial Fraud Kill Chain, the program that coordinates with banks to recall fraudulent wires. File the initial report the same day with whatever you know — you can update it later. Reporting does not require certainty about every detail.
If the compromised mailbox contained client tax data — returns, prior-year filings, transcripts, K-1s, W-2s — the firm has an obligation under IRS Publication 4557 and the FTC Safeguards Rule to notify the IRS Stakeholder Liaison serving the firm's region, typically within 24 hours of confirming the breach. The IRS uses that notification to flag affected client accounts against fraudulent return filings. Do not wait for forensics to finish — file the initial notification and supplement later.
Under § 314.4(h), CPA firms must have a documented incident response plan for security events involving customer information, and as of the 2024 amendments, breaches affecting 500 or more consumers must be reported to the FTC within 30 days of discovery. A compromised mailbox at almost any accounting firm meets the customer-information definition. The hard part is the count — when you do not yet know which clients' files were accessed, be conservative and prepare to notify. See our [IRS Publication 4557 and FTC Safeguards Rule guide for CPA firms](/blog/compliance/irs-publication-4557-ftc-safeguards-rule-for-cpa-firms-2026) for the full framework.
Usually it splits across two coverages. The wire-fraud loss itself is paid under the crime rider or social engineering fraud sublimit, which for accounting firms commonly runs $25,000 to $250,000 — almost always far below the headline cyber limit. The cyber policy pays the forensics, mailbox investigation, breach counsel, and notification costs. Confirm that the social-engineering sublimit covers an employee being tricked into authorizing a transfer, not just direct funds-transfer fraud — that distinction has caused denied claims. Both carriers should be notified within the policy window, usually 24 to 72 hours.
Accounting firms holding client funds — often through retainer accounts, fiduciary engagements, or RIA-adjacent payroll funding accounts — face the same kind of exposure law firms face with IOLTA. The cyber loss runs alongside a fiduciary exposure. Reconciliation records, the audit trail of who authorized the transfer, and the bookkeeping treatment of the loss will all be scrutinized by clients, regulators, and possibly state boards of accountancy. Engage outside counsel familiar with fiduciary obligations within the first day.
Related reading
A practical first-24-hours ransomware checklist for small businesses: isolate systems, preserve evidence, call the right parties, and avoid the panic moves that make recovery worse.
Read articleWhy ransomware operators target accounting firms during tax season, the attack chains that work, the recovery timelines firms cannot afford, and the controls that break the chain.
Read articleHow BEC and wire fraud actually unfold in a dental practice — the supplier-impersonation pattern, the inbox-rule trick, the controls that catch it, and what to do in the first 4 hours.
Read article