There’s a persistent myth that cyber security is only for big firms.
That if you’re a one-person accountancy practice, with a good client base, then serious cyber security somehow isn’t your problem.
This blog exists to politely, but firmly, dismantle that idea.
Because what you’re about to read isn’t theory. It’s a real-world example from a single-director accountancy firm we look after. Sensible. Professional. Client-focused. Not flashy. Not noisy. Just quietly doing things properly.
And because they did things properly, eight scam emails sent in their name in December didn’t reach a single client.
Eight.
In December.
That matters more than it might sound.
The Accountant in This Story (And Why They Matter)
Let’s set the scene.
This accountancy firm is:
- A one-person business
- With a healthy, stable client base
- Not running heavy marketing campaigns
- Not chasing growth for growth’s sake
In short: a classic small UK accountancy practice.
But they also take one thing extremely seriously:
Their responsibility to their clients.
So when it comes to IT and email security, they don’t “wing it”.
They don’t copy-paste settings from a forum.
They don’t let web developers “have a go”.
They involve their IT provider (us) every time.
And that’s why, in December, when scammers tried to impersonate them, nothing landed.
What Actually Happened
During December, emails were sent claiming to be from this accountancy firm.
Not just display-name tricks.
Actual spoofed emails pretending to be sent from their domain.
Eight attempts in total.
Now, eight emails doesn’t sound like a lot… until you realise what December is.
Why December Is Prime Time for Accountant Impersonation
December is perfect scam territory:
- Many businesses operate on April–March financial years
- Accounts for a 31 March year end are due at Companies House by 31 December, and the corporation tax itself falls due on 1 January
- Business owners are busy, distracted, and under pressure
- Information is often sent to accountants late (we’ve all done it)
- Christmas shutdowns, bank holidays, staff leave
- Cash flow pressure from trading three weeks but paying four
Now imagine being a busy business owner in mid-December.
You receive an email from your accountant saying:
“Your corporation tax liability for this period is £XX,XXX.
Please pay it using the following details.”
You’re not shocked.
You’re not surprised.
You expect a bill around that size.
So you pay it.
And that’s exactly why scammers do this.
How Do Scammers Make the Figures Look So Convincing?
Here’s the uncomfortable bit.
They don’t guess.
They calculate.
Most of what they need is public information:
- Companies House filings
- Previous year profits
- Named accountant
- Filing dates
- Trends year-on-year
The corporation tax rates are public too: 19% on small profits, 25% at the main rate since April 2023.
If a company paid £68,000 last year, and profits look similar, a demand for £72,000 doesn’t raise eyebrows.
Too high? You’d question it.
Too low? You’d question it.
But roughly right?
You pay it.
And this is where AI changes everything.
Why This Is Getting Worse (And Faster)
Historically, scammers worked on volume:
- Millions of generic emails
- Hope a tiny percentage bite
- Move on
Being more precise took manpower. Time. Effort.
AI removes all of that.
AI can:
- Scrape Companies House
- Identify accountants linked to businesses
- Calculate realistic tax estimates
- Match timing to filing deadlines
- Generate personalised, professional-looking emails
- Run 24/7 without fatigue
This is no longer “spray and pray”.
It’s targeted impersonation at scale.
And accountants are right in the middle of it.
So Why Didn’t Any of These Emails Get Through?
Because this accountant had DMARC set to the strictest possible level: a published policy of p=reject.
In plain English:
Their domain is configured so that:
- Only the systems they have authorised can send email as them (listed in SPF, and signing with their DKIM key)
- An email must pass SPF or DKIM using a domain that aligns with the visible From address
- Anything that fails both checks is rejected outright by every receiving server that honours the published policy
Not junked.
Not flagged.
Not “maybe delivered”.
Rejected.
The scam emails never reached inboxes.
Never reached junk folders.
Never reached clients.
Game over.
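Here is what that decision looks like from the receiving server’s side. This is an added example, not the firm’s configuration or our tooling: the domain example.com, the selector and the record contents are placeholders, and the tiny suffix list stands in for the Public Suffix List that real receivers use to work out the organisational domain.

```python
"""Model of the decision a receiving mail server makes under DMARC (RFC 7489).

Added example for illustration; the domain names, selector and DNS records
below are placeholders, not the accountancy firm's real configuration.
"""

# Records a domain owner would publish in DNS (constructed placeholders):
#   example.com.                  TXT  "v=spf1 include:spf.protection.outlook.com -all"
#   sel1._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=<public key>"
#   _dmarc.example.com.           TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

# Tiny stand-in for the Public Suffix List; real receivers use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ltd.uk", "plc.uk", "ac.uk"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organisational (registrable) domain, e.g. firm.co.uk or example.com."""
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Is the SPF- or DKIM-authenticated domain aligned with the visible From
    domain? Mode 's' (strict) needs an exact match; 'r' (relaxed) needs the
    same organisational domain."""
    if not auth_domain:
        return False
    auth = auth_domain.lower().rstrip(".")
    visible = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == visible
    return org_domain(auth) == org_domain(visible)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return (disposition, reason). Disposition is 'pass' when an aligned
    SPF *or* DKIM check passes; otherwise it is the published policy
    (p=, or sp= for a subdomain when that tag is present)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"
    policy = tags["p"]
    if "sp" in tags and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]
    return policy, "no aligned SPF or DKIM pass"


if __name__ == "__main__":
    # Genuine mail from the firm's own platform: passes.
    print(dmarc_disposition(DMARC_REJECT, "example.com",
                            "pass", "example.com", "pass", "example.com"))
    # Scammer sending header From example.com via their own server: SPF may
    # pass for *their* domain, but it is not aligned, so the mail is rejected.
    print(dmarc_disposition(DMARC_REJECT, "example.com",
                            "pass", "scam-sender.example.net", "none", ""))
    # Same attempt against a domain still on p=none: nothing is blocked.
    print(dmarc_disposition(DMARC_NONE, "example.com",
                            "pass", "scam-sender.example.net", "none", ""))
```

The third case is the one worth dwelling on: a domain whose DMARC record is still at p=none is reported on, but nothing is blocked, so the spoofed message goes on to the receiver’s ordinary spam filtering and very possibly the junk folder.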
What Is Email Spoofing (And Why Junk Folders Make It Worse)
Spoofing is when an email claims to come from an address it has no right to use.
Not the display name.
The actual “From” address, the one your client sees in their mail client.
Without proper controls:
- Receiving servers do their best
- Emails often land in junk
- Users check junk
- They recognise the sender
- They move it to inbox
- They trust it
And at that point, the damage is done.
This is why sender-side security matters more than receiver-side filters.
Google and Microsoft can only act on the instructions you publish in your DNS.
That instruction is DMARC.
DMARC: Protection for Your Clients and Your Reputation
There’s another uncomfortable truth:
If a client falls for a spoofed email…
They will still blame you.
Even if you didn’t send it.
Even if you were spoofed.
Even if it wasn’t your fault.
Reputation damage doesn’t care about technical nuance.
DMARC on reject:
- Protects your clients
- Protects your name
- Protects your professional credibility
But, and this matters, it must be done carefully.
Why DMARC Must Be Monitored (Not “Set and Forget”)
DMARC isn’t dangerous.
Unmonitored DMARC is.
Legitimate changes can break email:
- New email platforms
- New marketing tools
- CRM integrations
- Website migrations
- Web developers moving DNS and missing records
Without monitoring, you can accidentally block your own email: a new service that was never added to SPF or given a DKIM key looks exactly like a spoofer to the receiving server, and on p=reject its mail is rejected.
With monitoring (the aggregate reports receivers send to the rua address in your DMARC record):
- Every source sending as your domain is visible, along with whether it passed or failed
- Issues are spotted quickly
- Services stay authorised
- Protection remains intact
That’s why DMARC should always be managed, not just configured.
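This is what monitoring actually works from. Receivers that evaluate DMARC send aggregate reports to the address in the record, and the script below, an added example rather than our monitoring service, parses one. The report is constructed in the RFC 7489 aggregate format with documentation IP addresses and placeholder domains, not a real report; it lists every source that failed, with what it did manage to authenticate as, which is how you tell a forgotten vendor from an impersonator.

```python
"""Triage a DMARC aggregate (rua) report: who sent as the domain, and which
of those sources were rejected.

Added example. The XML is a constructed report in the RFC 7489 Appendix C
format with documentation IP addresses and placeholder domains, not a real
report.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>demo-december</report_id>
    <date_range><begin>1733011200</begin><end>1733097600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>sel1</selector></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>8</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>scam-sender.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>newsletter-tool.example.org</domain><result>pass</result><selector>k1</selector></dkim>
      <spf><domain>bounce.newsletter-tool.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Summarise one aggregate report: per-source rows plus message totals."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.iter("record"):
        row = rec.find("row")
        if row is None:
            continue
        sources.append({
            "ip": row.findtext("source_ip", ""),
            "count": int(row.findtext("count", "0")),
            "disposition": row.findtext("policy_evaluated/disposition", "none"),
            "dmarc_spf": row.findtext("policy_evaluated/spf", ""),
            "dmarc_dkim": row.findtext("policy_evaluated/dkim", ""),
            "header_from": rec.findtext("identifiers/header_from", ""),
            # What the sender *did* authenticate as, aligned or not.
            "spf_domain": rec.findtext("auth_results/spf/domain", ""),
            "dkim_domain": rec.findtext("auth_results/dkim/domain", ""),
        })
    passed = sum(s["count"] for s in sources
                 if s["dmarc_spf"] == "pass" or s["dmarc_dkim"] == "pass")
    rejected = sum(s["count"] for s in sources if s["disposition"] == "reject")
    quarantined = sum(s["count"] for s in sources if s["disposition"] == "quarantine")
    total = sum(s["count"] for s in sources)
    return {
        "domain": root.findtext("policy_published/domain", ""),
        "policy": root.findtext("policy_published/p", "none"),
        "total": total, "passed": passed, "rejected": rejected,
        "quarantined": quarantined,
        # Failures the policy did nothing about: non-zero means p=none territory.
        "failed_not_enforced": total - passed - rejected - quarantined,
        "sources": sources,
    }


def triage(report: dict) -> list:
    """One line per failing source, showing what it authenticated as, so a
    human can decide whether it is a vendor to authorise or an impersonator."""
    lines = []
    for s in report["sources"]:
        if s["dmarc_spf"] == "pass" or s["dmarc_dkim"] == "pass":
            continue
        seen_as = ", ".join(d for d in (s["spf_domain"], s["dkim_domain"]) if d) or "nothing"
        lines.append(f"{s['count']} message(s) from {s['ip']} as {s['header_from']}: "
                     f"{s['disposition']}; authenticated only as {seen_as}")
    return lines


if __name__ == "__main__":
    summary = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{summary['domain']} (p={summary['policy']}): {summary['total']} messages, "
          f"{summary['passed']} passed, {summary['rejected']} rejected")
    for line in triage(summary):
        print(" -", line)
```

In the constructed report the eight messages from 198.51.100.7 authenticate only as an unrelated domain, which is what an impersonation attempt looks like; the three from 203.0.113.5 sign with a newsletter provider’s domain, which is what a legitimate tool someone signed up for and never told their IT provider about looks like. The mechanics are identical, and the report does not tell you which is which. Someone who knows the business has to look at it, which is the whole point of managed rather than set-and-forget DMARC.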
A Quiet Word on Cyber Essentials (Yes, Really)
Accountants handle:
- Financial data
- Payroll information
- Identity details
- Tax records
- Client correspondence
In reality, you sit inside your clients’ security boundary.
Cyber Essentials isn’t “just for IT companies”.
It’s a baseline expectation for anyone handling data.
And frankly, if your clients are being pushed towards Cyber Essentials, you should already be there.
Final Thought: This Isn’t About Fear. It’s About Responsibility.
This accountant didn’t panic.
They didn’t over-engineer.
They didn’t wait for something to go wrong.
They quietly did things properly.
And when scammers tried their luck in December, nothing happened.
That’s the outcome accountants should be aiming for.
If you want to talk about DMARC monitoring, email protection, or how this fits into a wider security baseline (including Cyber Essentials), have a chat with us.
Because protecting your clients also means protecting yourself.
And in today’s landscape, email security is no longer optional.
TL;DR:
- Accountants are a prime target for email spoofing, especially around December deadlines
- Scammers now use AI + public Companies House data to create convincing, personalised tax scam emails
- A one-person accountancy firm we support had 8 spoofed emails blocked outright in December
- Why? DMARC set to “reject”, backed by correctly configured SPF and DKIM
- Those scam emails never reached inboxes or junk folders; clients were fully protected
- Without DMARC, spoofed emails often land in junk, get rescued, trusted, and acted upon
- If a client falls for a spoofed email, your reputation still takes the hit
- DMARC must be monitored, not just set once and forgotten
- Accountants handle highly sensitive data; Cyber Essentials should be a baseline, not a stretch goal
Bottom line:
Proper email authentication isn’t just IT hygiene, it’s client protection, reputation protection, and professional responsibility.