How Do Accounting Firms Stop Business Email Compromise (BEC), Client Spoofing, and Invoice/Wire Fraud?

For a 20–100 employee accounting firm in Los Angeles, most BEC and invoice/wire fraud attempts can be prevented with an 8-step control stack implemented in 14–30 days as long as you treat this like a finance process (not just an IT tool). The quickest wins are:
- a call-back verification rule for bank/payment changes,
- two-person approval for payments above $5,000–$10,000,
- MFA enforced for 100% of email accounts, and
- domain spoofing protection (SPF/DKIM/DMARC).
This guide gives you a buyer-friendly framework, cost expectations, common mistakes, and a response playbook so you can reduce fraud risk before deadlines hit.
Why Accounting Firms Get Hit (Even If You’re “Too Small”)
Attackers love accounting firms because:
- your emails are inherently trusted by clients and vendors,
- you touch money constantly (payroll, AP, tax payments),
- your busiest periods create time pressure (“just do it now”), and
- a successful fraud attempt is often quiet until the money is gone.
The real risk isn’t only the dollar amount. It’s the downstream cost:
- partner time diverted to incident response,
- client trust damage,
- potential data exposure (W-2s, SSNs, payroll files),
- and potential insurance/renewal complications.
What BEC and Invoice Fraud Looks Like (3 Real-World Patterns)
1) Vendor bank-change scam (AP / bookkeeping)
A vendor emails: “We updated our bank details. Please use this for the next payment.”
This is the #1 pattern that leads to wire/ACH loss.
Tell: urgency, “new banking,” and pressure to bypass normal steps.
2) Partner impersonation (“Do it now” request)
Fake message appears to come from a partner: “Need this paid today. I’m in a meeting. Don’t call.”
This works because it attacks the approval chain.
Tell: secrecy + urgency + weird tone + “don’t verify.”
3) Client spoofing during tax season
A client requests payroll records, W-2s, or “send my refund to this account.”
Even when no money moves, data exposure becomes the liability.
Tell: unusual request + last-minute change + small domain misspelling.
The 8-Step Accounting Firm Fraud Prevention Framework
This is the stack that actually reduces loss. Use all 8 because attackers only need you to miss one.
Step 1: Write the non-negotiable rule (process beats tools)
Policy: “We never change payment instructions based on email alone.”
That includes:
- bank changes,
- new payees,
- payment method changes (wire → ACH),
- and address/email changes tied to billing.
Implementation tip: Put this rule in your AP/payroll SOP and train it twice a year (minimum).
Step 2: Require call-back verification using a known-good number
Call-back verification works when you do not use the number in the email signature.
Minimum standard:
- Call a phone number already stored in your system, contract, or prior invoice.
- If you don’t have one, collect and validate it once, then add it to a Verified Contacts List.
Best practice: Use a short script:
- “We received a request to change payment instructions. Please confirm the last 4 digits of the prior account on file and the authorized requestor’s name.”
Step 3: Set dual approval thresholds (remove “one-person failure”)
Fraud thrives on one busy person acting fast.
Recommended controls:
- Two-person approval above $5,000–$10,000 (pick what fits your firm).
- Partner approval for first-time payments above your threshold.
- No exceptions for “I’m traveling” or “I’m busy.”
This single step prevents most “urgent partner request” scams.
Step 4: Enforce MFA on 100% of email accounts (no exceptions)
BEC often starts as mailbox takeover.
Minimum standard:
- MFA for every Microsoft 365/email user,
- MFA for privileged/admin accounts,
- MFA for remote access tools.
If leadership gets exceptions, attackers will target leadership.
Step 5: Stop domain spoofing (SPF/DKIM/DMARC in a simple rollout)
Spoofing protection reduces fake “from your domain” emails and increases trust for legitimate mail.
Practical rollout:
- SPF + DKIM
- DMARC in monitor mode for 1–2 weeks
- Move to quarantine
- Move to reject once legitimate senders are confirmed
This doesn’t eliminate all impersonation, but it reduces a major attack channel.
Step 6: Role-based phishing training (AP/payroll/partners get more reps)
Annual generic training is not enough for high-risk roles.
Best practice cadence:
- quarterly phishing simulations minimum,
- extra training for payroll, AP, and partners during peak seasons.
Use your existing education content as supporting internal links (phishing + social engineering).
Step 7: Monitor for mailbox rules, forwarding, and suspicious logins
A common attacker move is creating inbox rules to hide replies and forward threads.
What to monitor/alert on:
- new forwarding rules,
- inbox rules that move finance emails to RSS/Archive/Trash,
- impossible travel / unusual login locations,
- repeated MFA prompts (fatigue attacks).
Response target: triage suspicious activity within 15 minutes during business hours.
Step 8: Keep recovery and continuity ready (fraud often overlaps with ransomware)
Some “BEC incidents” escalate into broader compromise.
Minimum expectations:
- backups protected and tested,
- documented recovery steps,
- a continuity plan for deadline work (so the firm can keep operating).
Cost Expectations: What It Usually Takes to Reduce Fraud Risk
Most accounting firms spend in two buckets:
1) One-time setup (14–30 days)
Typical work includes:
- MFA enforcement and tightening admin access,
- SPF/DKIM/DMARC rollout,
- payment verification workflow + templates,
- initial training for AP/payroll/partners.
2) Ongoing monthly protection
Usually includes:
- managed email security monitoring,
- phishing simulations and training,
- identity monitoring and response,
- reporting (what’s protected, what changed, what was blocked).
If you’re already paying managed IT, this is often:
- included as part of a managed security layer, or
- added as a focused security package for high-risk roles.
How to Choose a Provider to Help Stop BEC and Invoice/Wire Fraud
If you’re evaluating an MSP or security partner, ask these five buyer questions:
- Will you enforce MFA with zero exceptions (including partners)?
- Will you implement SPF/DKIM/DMARC and maintain it—through to “reject”?
- Do you provide role-based phishing simulations (AP/payroll/partners), at least quarterly?
- Do you monitor mailbox rules/forwarding and suspicious logins—and what’s your response SLA?
- Will you help build the finance workflow (call-back verification + templates), not just install tools?
🚩Red flags:
- “We’ll install antivirus and you’ll be fine.”
- “Training once per year is enough.”
- No written incident response plan for mailbox compromise.
Relevant service pages you can internally link: Managed Security + IT Assessment.
Common Mistakes (and the Quick Fix for Each)
- Accepting bank changes by email → Require call-back verification
- No dual approval threshold → Set a $5k–$10k two-person rule
- Partner MFA exceptions → Enforce MFA for 100% of accounts
- No spoofing controls → Roll out SPF/DKIM/DMARC
- No mailbox rule monitoring → Alert on forwarding/rules creation
- Training isn’t role-based → AP/payroll/partners get extra drills
- No response playbook → Use the 10-step playbook below
If You Suspect Fraud: A 10-Step Response Playbook
- Pause the transaction / hold approvals
- Verify via known-good phone number
- Notify leadership (partner + ops lead)
- If compromise suspected: lock the mailbox (password reset + revoke sessions)
- Remove suspicious rules/forwarding
- Search for similar messages across the firm
- Notify AP/payroll team: “Do not process payment changes until verified”
- If funds sent: contact the bank immediately (time matters)
- Document what happened (who/what/when)
- Fix the control gap (process or technical)
Example Scenario (What “Good” Looks Like)
A 35-user bookkeeping/payroll firm receives an email “from a vendor” requesting new banking details right before payroll day.
Because the firm had:
- a call-back verification rule,
- a verified contacts list,
- MFA enforced,
- and alerting on mailbox forwarding,
they confirmed the request was fraudulent, discovered a compromised mailbox rule, locked the account, and prevented funds from leaving. The firm tightened controls within two weeks (domain protection + training refresh) and avoided a deadline disruption.
Trust Signals
When you work with a provider to reduce fraud risk, look for:
- documented processes (not just “install tools”),
- clear response SLAs,
- and a repeatable approach to identity, email security, and reporting.
Fothion brings 20+ years in IT with sub-1-hour response times and 95% positive customer feedback.
Get an Accounting Firm Email Fraud Risk Assessment (30 Minutes)
If you’re unsure how exposed your accounting firm may be to BEC, client spoofing, or invoice/wire fraud, the fastest next step is identifying operational and cybersecurity vulnerabilities before a real payment event happens.
Book a 30-minute call with Fothion and we’ll:
- review BEC + invoice/wire fraud exposure risks
- identify gaps in payment verification workflows
- assess email spoofing protections (SPF/DKIM/DMARC readiness)
- evaluate MFA, access controls, and monitoring
- outline practical steps to reduce financial loss and disruption
Book here: https://www.fothion.com/schedule-a-phone-call/
FAQs (with answers):
- What is Business Email Compromise (BEC)?
BEC is when an attacker impersonates a trusted sender (or takes over a real mailbox) to trick your firm into sending money or sensitive data—often using invoice, bank-change, or “urgent partner request” emails.
- What’s the #1 control that stops invoice/wire fraud?
A written rule that no payment instructions change via email alone, plus a call-back verification to a known-good phone number already on file.
- Is MFA enough to stop BEC?
MFA is critical, but BEC is also a process problem. You still need verification workflows, approvals, training, and monitoring for mailbox rules/forwarding.
- How fast should we respond to suspected email compromise?
Treat it like financial fraud: aim for minutes, not hours—lock the account, remove malicious inbox rules, and freeze payments until verified.
- What should we ask an MSP about protecting us from BEC?
Ask if they can enforce MFA with no exceptions, implement spoofing protections (SPF/DKIM/DMARC), provide phishing simulations, monitor mailbox rules/forwarding, and commit to a written response SLA.
Leave a Comment