Aug 15, 2025 Wes Kimple

Fraud on the Rise: CPAs Urging Clients to Be More Vigilant


CPA firms are seeing a surge in fraud targeting their clients. From compromised email accounts and fraudulent bank account changes to ransomware, fraud threats are no longer rare events; they’re daily risks for companies of every size.

Because of their role as trusted advisors, CPAs are stepping in to help clients recognize and respond to these threats. Here’s a look at several of these schemes and how the rule of verification can help protect these businesses.

The Fraud Problem: Business Email Compromise

Business email compromise (BEC) is one of the most effective forms of fraud because it preys on trust. Criminals gain access to a legitimate email account, often through phishing, malware, or stolen passwords, then monitor correspondence for weeks or months.

When the moment is right, they strike. A common tactic is to send an email that appears to come from a trusted vendor, client, or executive, instructing someone within the business to change a bank account for upcoming payments. The email may look perfect: same tone, same signature block, sometimes even the correct email address if the account has been fully compromised.

Funds are then wired to the fraudster’s account, and by the time the error is discovered, the money is gone.

Email Compromise Meets Ransomware

As if BEC wasn’t enough, compromised email accounts are often the gateway to larger cyberattacks, including ransomware. For CPA firms and their clients, the consequences can be severe:

  • Financial loss from unauthorized transfers
  • Operational disruption if systems are locked down
  • Reputational damage from compromised client or vendor relationships
  • Regulatory exposure if sensitive financial or personal data is breached

In short, one fraudulent email can spiral into a multilayered crisis.

Pick Up the Phone: The Golden Rule of Verification

The best defense against email compromise may also be the simplest: Verify before you act.

CPAs should consider advising their clients to adopt a clear policy: Any request to change bank account details (or any other financial or confidential information) must be validated by phone. Here’s why phone verification works:

  • It bypasses the compromised channel. If email is the means for committing fraud, using a separate method to confirm instructions cuts the attacker out of the loop.
  • It slows down impulsive actions. Fraudsters often create a sense of urgency: “Payment must be sent today!” A phone call disrupts that rush.
  • It creates a culture of caution. Employees learn to treat financial instructions with the scrutiny they deserve.

Verification should follow a clear process:

  • Call using the phone number you already have on file, not the one in the email. Don’t rely on an online search, either. Scammers create fake websites with fake phone numbers, so even if you think you’re verifying, you could still be calling them directly.
  • Confirm the identity of the person on the other end.
  • Document the call for audit and security purposes.

The Bottom Line

Fraud isn’t slowing down, and business email compromise remains one of the most effective attack vehicles for scammers. CPAs are in a powerful position to protect clients by stressing vigilance and simple verification practices.

Published by Wes Kimple August 15, 2025