CPA firms in New Jersey should understand business email compromise and fraudulent payment requests as part of a broader operational security and client-protection issue, not simply as an email problem. For accounting firms, these incidents can lead to misdirected funds, exposed client information, disrupted workflows, damaged trust, and significant operational stress during already demanding periods.
This matters because accounting firms routinely handle sensitive financial information, communicate with clients about money-related matters, exchange confidential records, and operate under hard deadlines. That makes them attractive targets for impersonation, fraudulent instructions, credential theft, and other attacks designed to exploit trust rather than technical weakness alone.
- Business email compromise should be treated as a trust, verification, and client-protection issue, not just an email-security problem.
- Fraudulent payment and document requests often look legitimate, especially when they exploit urgency, authority, or existing communication patterns.
- Verification procedures and internal controls matter more than user instinct alone when requests involve money, records, or banking changes.
- Leadership oversight helps keep training, approval controls, and communication practices aligned with how the firm actually operates.
Why This Question Matters More for CPA Firms
Many firms think of email fraud as a narrow cybersecurity issue. In an accounting firm, that is too narrow.
For a CPA firm, the more important question is whether partners and staff can recognize and respond to fraudulent requests that appear legitimate on the surface. Accounting firms regularly receive urgent communications involving tax matters, payroll, banking details, document requests, and payment-related instructions. That creates a setting where a convincing message can do real damage if people are moving quickly and relying on appearances rather than verification.
That is why business email compromise should not be treated as just another phishing variation. It should be treated as a direct risk to client trust, internal controls, and day-to-day firm operations.
The 6 Things CPA Firms Should Know About Business Email Compromise and Fraudulent Payment Requests
The clearest way to approach this topic is through a 6-part framework focused on recognition, verification, control, and leadership oversight.
1. Business Email Compromise Is Usually a Trust Problem Before It Becomes a Technical Problem
Business email compromise often works by making a fraudulent request appear routine, urgent, or authoritative.
That may involve:
- Impersonation of a client
- Impersonation of a partner or manager
- A compromised real email account
- A lookalike domain or email address
- A message that appears to continue an existing conversation
- A request tied to timing pressure, confidentiality, or urgency
This matters because many fraudulent messages do not look obviously malicious. In a CPA firm, a message may appear to involve a payroll change, wire request, document release, tax-related payment issue, or updated banking instruction. The real risk often begins when someone trusts the request before it has been independently verified.
Consistent MFA enforcement on email accounts is also important because it helps reduce the likelihood that a stolen or reused password leads to compromise of a real user mailbox. In a CPA firm, that matters because fraudulent payment or document requests can be much harder to detect when they come from an account that has been genuinely compromised rather than merely impersonated. MFA does not eliminate the risk of fraudulent requests, but it can reduce one of the most common paths to email compromise.
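A concrete illustration of the sender-side signals listed above (a lookalike domain or address, a known contact's name over an unfamiliar address, a Reply-To pointing elsewhere), as an added example that is not part of the original article: a small Python screening routine that checks an inbound From header (and optional Reply-To) against a firm-maintained allowlist of verified domains and contacts. The allowlist, the contact directory and the sample headers are constructed for the example, and the confusable-character table is a minimal heuristic rather than a complete homoglyph list. Its output is a triage verdict that routes a message to the independent verification the article describes; it is not a substitute for that verification.

```python
"""Inbound sender screening against a firm-maintained allowlist.
Hypothetical example: domains, contacts and sample headers are constructed."""
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist: domains the firm has confirmed out of band.
KNOWN_DOMAINS = {"examplecpa.com", "clientco.com", "payrollvendor.com"}

# Constructed directory: lower-cased display name -> domain that contact really writes from.
KNOWN_CONTACTS = {"jane doe": "clientco.com", "tom partner": "examplecpa.com"}

# Characters and digraphs commonly swapped in to imitate a domain (minimal heuristic table).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents (so 'cliéntco' folds to 'clientco') and fold confusables."""
    folded = unicodedata.normalize("NFKD", domain.lower().strip())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        folded = folded.replace(src, dst)
    return folded


def domain_of(addr: str) -> str:
    """Return the domain part of an address, lower-cased, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_sender(from_header: str, reply_to_header: str = "") -> dict:
    """Classify a From header (and optional Reply-To) as known-sender, unknown-sender or suspect."""
    display, addr = parseaddr(from_header)
    domain = domain_of(addr)
    reasons = []

    if domain not in KNOWN_DOMAINS:
        norm = normalize_domain(domain)
        for known in KNOWN_DOMAINS:
            known_norm = normalize_domain(known)
            label = known.split(".")[0]
            if norm == known_norm:
                reasons.append(f"confusable lookalike of {known}")
            elif SequenceMatcher(None, norm, known_norm).ratio() >= 0.85:
                reasons.append(f"near-match of {known}")
            elif label in norm:
                reasons.append(f"embeds the label '{label}' from {known}")

    # Display-name impersonation: a known contact's name over an address at some other domain.
    contact_domain = KNOWN_CONTACTS.get(display.strip().lower())
    if contact_domain and contact_domain != domain:
        reasons.append(f"display name matches a known contact at {contact_domain}")

    # A Reply-To that points somewhere other than the apparent sender redirects the conversation.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if domain_of(reply_addr) != domain:
            reasons.append("Reply-To domain differs from From domain")

    if reasons:
        verdict = "suspect"
    elif domain in KNOWN_DOMAINS:
        verdict = "known-sender"
    else:
        verdict = "unknown-sender"
    return {"domain": domain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers for a quick run.
    for hdr in ("Jane Doe <jane@clientco.com>",
                "Jane Doe <jane@c1ientco.com>",
                "Accounts Payable <ap@clientco-billing.net>"):
        print(hdr, "->", assess_sender(hdr))
```

A "suspect" verdict should send the message into the firm's verification procedure rather than trigger any automatic rejection; an "unknown-sender" verdict simply means the allowlist has nothing to say, and a known domain can still be a genuinely compromised mailbox, which is why the MFA point above and the verification procedures in section 3 remain necessary.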
2. Fraudulent Payment Requests Are Not Limited to One Type of Transaction
Accounting firms should think broadly about what these attacks can look like.
For a CPA firm, fraudulent requests may involve:
- Wire transfer instructions
- Banking detail changes
- Requests to change payment destinations
- Payroll-related updates
- Vendor payment requests
- Requests to release confidential financial documents
- Instructions that appear to come from a client under deadline pressure
- Requests framed as urgent, confidential, or time-sensitive
This matters because firms sometimes prepare for one type of fraud and overlook the rest. In an accounting environment, the issue is not just whether someone asks for a wire. The issue is whether a fraudulent request causes the firm to act on false information involving money, records, credentials, or sensitive documents.
3. Verification Procedures Matter More Than User Instinct Alone
Partner and staff awareness is important, but awareness alone is not enough.
CPA firms should have clear verification procedures for requests involving:
- Payment instructions
- Banking changes
- Payroll changes
- Release of sensitive records
- Requests that appear unusually urgent
- Requests that involve confidentiality or bypassing normal process
That often means verifying through a separate known channel, such as a confirmed phone number or an established contact process, rather than replying directly to the message itself.
This matters because even experienced professionals can be misled when a message arrives at the wrong moment and appears to fit the situation. In an accounting firm, good judgment should be reinforced by process, not left to instinct alone.
4. Secure Email and File-Sharing Discipline Helps Reduce Exposure
Fraud prevention is stronger when communication practices are disciplined and consistent.
For a CPA firm, that includes:
- Using approved secure methods instead of regular unsecured email for confidential records
- Limiting casual changes to document-sharing methods
- Keeping client communication processes consistent
- Reducing situations where staff must guess whether a request is normal
This matters because attackers often take advantage of inconsistency. If the firm sometimes uses secure portals, sometimes uses secure email, and sometimes falls back to informal methods, it becomes easier for a fraudulent request to appear believable. Clear communication discipline makes suspicious behavior easier to spot.
5. Internal Controls Should Be Designed to Slow Down High-Risk Requests
In this area, a little friction is often beneficial.
Accounting firms should consider controls such as:
- Dual approval for payment-related changes
- Separate verification for banking updates
- Clear escalation procedures for suspicious requests
- Approval requirements for release of sensitive financial records
- Defined rules for who can authorize what
- Policies that prevent staff from bypassing normal controls because a request appears urgent
This matters because attackers often rely on speed. The message is designed to create pressure, reduce reflection, and move someone to act before the request is questioned. In a CPA firm, strong internal controls help prevent urgency from overriding judgment.
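One way to turn the verification procedure from section 3 and the controls just listed into something that cannot be skipped under pressure, as an added example that is not part of the original article: a Python release gate that refuses to mark a high-risk request as actionable until the callback was placed to a number taken from the firm's own directory (never from the message), a verifier is recorded, and two approvers other than the person who logged the request have signed off. The directory, the request types, the names and the sample requests are constructed for the example; the urgency flag is deliberately recorded but never used to relax a control.

```python
"""Release gate for high-risk requests: out-of-band verification plus dual approval.
Hypothetical example; the directory, request types and names are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed callback directory, maintained by the firm. Numbers come from here,
# never from the signature or body of the message that made the request.
CONTACT_DIRECTORY = {"clientco.com": "+1-555-0100", "payrollvendor.com": "+1-555-0150"}

# Request types treated as high risk; anything else passes through untouched.
HIGH_RISK_TYPES = {"banking_change", "wire", "payroll_change", "record_release"}


@dataclass
class Request:
    request_type: str
    sender_domain: str                        # domain the request arrived from
    logged_by: str                            # staff member who entered the request
    number_in_message: Optional[str] = None   # any phone number the message itself offered
    verified_by: Optional[str] = None         # staff member who placed the callback
    verified_via: Optional[str] = None        # number actually dialled
    approvers: List[str] = field(default_factory=list)
    urgent: bool = False                      # recorded for context only


def release_decision(req: Request) -> Tuple[bool, List[str]]:
    """Return (may_proceed, blockers). Empty blockers means every control was satisfied."""
    if req.request_type not in HIGH_RISK_TYPES:
        return True, []
    blockers = []

    # Control 1: callback to the directory number, not to anything the message supplied.
    expected = CONTACT_DIRECTORY.get(req.sender_domain)
    if expected is None:
        blockers.append("no verified callback number on file for sender domain")
    elif req.verified_via != expected:
        blockers.append("not verified via the directory callback number")
        if req.verified_via and req.verified_via == req.number_in_message:
            blockers.append("callback used a number supplied by the message itself")
    if not req.verified_by:
        blockers.append("no verifier recorded")

    # Control 2: dual approval by two distinct people, neither of whom logged the request.
    independent = set(req.approvers) - {req.logged_by}
    if len(independent) < 2:
        blockers.append("dual approval requires two approvers other than the person who logged it")

    # Control 3: urgency is noted for the record and waives nothing.
    if req.urgent and blockers:
        blockers.append("urgency flag noted; it does not waive any control above")

    return not blockers, blockers


if __name__ == "__main__":
    # Constructed sample: a wire request that fails three controls at once.
    sample = Request("wire", "clientco.com", "dave", number_in_message="+1-555-0199",
                     verified_by="alice", verified_via="+1-555-0199",
                     approvers=["bob", "dave"], urgent=True)
    print(release_decision(sample))
```

The point of the design is that the "urgent" message cannot shorten the path: the only way to clear the gate is to satisfy each control, and the callback number the staff member must dial comes from the firm's directory so that a number planted in a fraudulent signature is never the one used to "confirm" the request.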
6. Leadership Should Treat This as an Ongoing Operating Risk
Business email compromise should not be addressed only after an incident occurs.
For a CPA firm, leadership should review:
- Whether staff receive training on impersonation and fraudulent requests
- Whether verification procedures are documented clearly
- Whether suspicious messages are reported consistently
- Whether approval and payment controls remain strong
- Whether communication practices support security or create ambiguity
- Whether the firm has seen repeated patterns that suggest rising exposure
This matters because fraudulent-request risk changes over time. Attackers adapt, staff turnover occurs, client communication patterns evolve, and firms become busier during certain parts of the year. Leadership oversight helps ensure the firm’s controls remain aligned with how the firm operates.
What Firm Leadership Should Ask
Before assuming the firm is adequately protected, CPA firm leadership should want clear answers to questions such as:
- Would staff recognize a convincing fraudulent request that appeared to come from a client, partner, or vendor?
- Do we require independent verification before acting on payment or banking changes?
- Are sensitive records released only through approved and controlled processes?
- Are our communication methods consistent enough to make suspicious requests easier to identify?
- Do our internal controls reduce the chance of an urgent fraudulent request being acted on too quickly?
- Would partners and staff know exactly how to escalate a suspicious request?
- Have we treated this as a real operating risk rather than just an email-security issue?
These are not only security questions. They are leadership questions about how the firm protects money, client information, and decision-making under pressure.
Why Generic Fraud Prevention Advice Usually Falls Short for CPA Firms
Generic fraud advice often tells businesses to be careful with suspicious emails and move on. That is not enough for a CPA firm.
For an accounting firm, fraudulent requests must be understood in the context of tax deadlines, financial records, payroll information, client communications, document-release procedures, and partner-level authority. A generic warning may raise awareness but still fail to give the firm the controls and verification discipline needed for real-world situations.
Real-World Perspective from Inside a Regional Accounting Firm
Total Cover IT Founder David Quick spent 17 years as the internal IT Director for a mid-sized regional accounting firm in New Jersey, supporting the firm as it grew from approximately 50 employees to more than 80.
During that time, David was responsible for:
- Designing, implementing, and maintaining the firm’s entire IT infrastructure
- Supporting specialized practice management and time and billing systems, workflow management tools, and various accounting, audit, and tax-related applications
- Minimizing downtime, especially during peak tax seasons
- Leading a full headquarters office relocation, including the migration and reassembly of core IT infrastructure, with minimal disruption
That experience matters because security issues in a CPA firm are not theoretical. They affect how the firm handles trust, verification, and client-sensitive decisions under real deadline pressure.
FAQ
What is business email compromise in a CPA firm?
Business email compromise is a fraud tactic in which a message appears legitimate enough to trigger action. In an accounting firm, that can include impersonation of clients, partners, vendors, or internal staff, compromised real email accounts, lookalike domains, or requests tied to urgency and confidentiality.
Why are fraudulent payment requests especially risky for accounting firms?
Because accounting firms routinely handle sensitive financial information, banking details, payroll-related requests, tax matters, and confidential records under deadline pressure. A convincing request can lead to misdirected funds, exposed information, or release of sensitive documents if it is acted on too quickly.
What is the most practical way to reduce this kind of risk?
Clear verification procedures and internal controls usually matter more than instinct alone. Requests involving payment instructions, banking changes, payroll updates, or release of sensitive records should be verified through a separate known channel rather than by replying directly to the message.
How does this connect to broader firm security?
Business email compromise sits at the intersection of awareness training, MFA, secure communication methods, document-release discipline, and leadership oversight. It should be treated as part of the firm’s broader operating and client-protection discipline rather than as a narrow email issue.
Related Resources for Accounting Firms
If you’re evaluating IT support for your accounting firm, these additional resources may help:
- What Should Accounting Firms in New Jersey Know About Security Awareness Training and Phishing Simulations?
- What Cybersecurity Controls Should Accounting Firms in New Jersey Prioritize First?
- What Should Accounting Firms in New Jersey Know About Secure Client File Sharing and Document Portals?
- What Should CPA Firms in New Jersey Know About New Jersey Data Breach Notification Requirements?
This article is part of our Resources for Accounting Firms series covering IT costs, security requirements, compliance expectations, and operational risk.
Need an IT partner that understands the real operational pressures accounting firms face?