



A Melbourne accounting firm discovered last year that a staff member’s email had been silently monitored for six weeks. The attacker — who had accessed the account using credentials stolen in a third-party data breach — waited patiently, watching invoice cycles, learning client names, and ultimately redirecting a $67,000 payment to an overseas account. The firm had antivirus software. They had a firewall. They had an IT support contract. None of it caught the intrusion.
This is not an isolated incident. Professional services firms — accountants, lawyers, financial advisers, management consultants — sit at the intersection of two things cybercriminals prize most: sensitive data and financial transactions. In our experience working with Australian SMEs, professional services firms are among the most targeted and least protected sectors.
It comes down to what you hold. A typical professional services firm of 20 staff might manage tax returns for 500 businesses, hold wills and trust deeds for hundreds of families, or advise on M&A transactions worth tens of millions. The data is extraordinarily sensitive, and the trust relationship means clients share things they share with nobody else.
Attackers know this. The motivations for targeting professional services firms include:
When we conduct penetration tests and security assessments for professional services firms, we see the same gaps repeatedly. Not because these firms are negligent — but because the security industry has done a poor job of communicating what actually matters.
| Gap | Why It Matters | How Common |
|---|---|---|
| Credentials in dark web breach databases | Attackers use these to log in without any hacking required | Very common — affects most firms |
| No MFA on email | A stolen password gives full email access | Common in smaller firms |
| Former staff accounts still active | Ex-employees retain access to client files and systems | Extremely common |
| No email authentication (DMARC/SPF/DKIM) | Your domain can be spoofed for phishing attacks on clients | Very common |
| Shared passwords for practice management software | No audit trail, no way to revoke access for departing staff | Common |
| Client data in personal email or cloud storage | Outside firm control, unencrypted, unmonitored | Common |
Beyond the practical security risks, professional services firms have specific compliance obligations that create legal exposure if a breach occurs.
Privacy Act 1988 (as amended): If you hold personal information about clients — which every professional services firm does — you are subject to the Australian Privacy Principles. The 2024 amendments increased penalties substantially, with serious or repeated breaches now attracting fines of up to $50 million. You are required to notify the OAIC and affected individuals of eligible data breaches.
For accountants: Tax Practitioners Board requirements include adequate records management and data security. ASIC guidance increasingly references cybersecurity as part of operational risk for registered company auditors.
For lawyers: Legal Professional Conduct Rules in each state impose confidentiality obligations. Trust account obligations create additional exposure — a BEC attack targeting a trust account is both a financial and a professional conduct matter.
For financial advisers: ASIC has issued specific guidance on cybersecurity for AFS licence holders. The guidance makes clear that cybersecurity is an operational risk that licensees must manage as part of their licence obligations.
1. Find out what is already on the dark web about your firm. Run a Cybernod scan at fort1.com.au. It checks dark web breach databases for credentials connected to your domain — takes 5 minutes and is free. Most professional services firms have at least one set of staff credentials exposed from a third-party breach they were never told about.
2. Enable MFA on everything, starting with email. Multi-factor authentication blocks the vast majority of credential-based attacks. Priority order: email first, then your practice management software, then any cloud file storage, then remote access.
3. Audit and deactivate former staff accounts. Run a report of all active user accounts in your email system and practice management software. Compare against your current staff list. Deactivate any accounts belonging to people who have left.
4. Set up email authentication. Configure DMARC, SPF, and DKIM for your domain. This prevents attackers from sending emails that appear to come from your firm. Your IT provider can typically set this up in under an hour.
5. Establish a payment verification process. Any request to change bank account details should be verified by phone using a number already on file — not one provided in the email. This single control stops the majority of BEC attacks.
When we conduct external penetration tests for professional services firms, here is what we typically find in the first 24 hours: staff credentials in dark web breach databases (almost always present); an email domain without proper DMARC configuration; at least one internet-facing portal with weak authentication; and former staff accounts still active in at least one system.
None of this requires sophisticated hacking to exploit. It requires a leaked credential and patience.
Run a free Cybernod dark web scan on your domain. See exactly what credentials and data threat actors can find about your firm — in under 5 minutes. If anything surfaces, we will walk you through what it means and what to do next.
Fort1 works with accountants, lawyers, financial advisers, and management consultants across Australia on penetration testing, compliance assessments, and dark web monitoring. We understand the specific regulatory obligations and client confidentiality requirements that professional services firms operate under. Reach out at info@fort1.com.au or call +61 1300 294 089.
Fort1 is an Australian cybersecurity firm based in Sydney. We provide penetration testing, compliance advisory, and dark web monitoring. Contact us at info@fort1.com.au or +61 1300 294 089.