April Fools Is Over. These Scams Are Still Getting CPA Firms Hit.
April 1 passes. The jokes stop. The scams don't. In the last
90 days, multiple professional services firms in the Mountain West have dealt
with the same problem pattern. No ransomware. No obvious breach. Just one
"small" interaction that looked like normal work. In one case, a senior staff
member approved a routine-looking file share. In another, a partner responded
to a cleanly written payment verification email. In a third, a $7 toll payment
text came in during a deadline week. None of these firms believed they were "at
risk." All of them had smart, experienced people. All of them assumed awareness
would be enough. The common failure wasn't judgment. It was missing
enforcement. The only question that matters isn't "Would my team fall for
this?" It's this: Would our systems stop it if someone didn't slow down?
The Pattern Behind the Scams Actually Working Right Now.
Every successful scam hitting CPA firms today shares three
traits. It uses real platforms your firm already trusts. It asks for something
small, routine, or familiar. It succeeds because nothing technically blocks it.
This is social engineering, but not the dramatic kind. It works because the
friction that should interrupt a routine action is absent. Below are three
patterns we're actively seeing, anonymized but real.
Scam #1: The "Small Payment" Text That Becomes a Firm Problem.
What it looks like in the wild: A staff member receives a
text during the workday: "You have an unpaid toll balance of $6.99. Pay within
12 hours to avoid fees." The link text and the landing page imitate a real toll
authority. The amount is trivial. They're between client calls. They enter a
card and move on. What actually breaks: The page collected more than a card
number: name, billing address, phone number and card details. That phone is the
same one the firm uses for email MFA, password resets, and cloud app approvals.
The card loss is the small part. The identity data that backs the firm's
account recovery has now left the firm boundary. Policy alone is not enough
here. What actually works (and how it's enforced): Policy: No payments of any
kind, personal or business, are made through text-message links. Ever.
Technical control: On managed phones, a DNS or web-filtering profile pushed
through mobile device management blocks newly registered and known-phishing
domains, so the page never loads. MDM cannot read the text message itself and
cannot protect an unmanaged personal phone, so the firm's MFA should not depend
on SMS codes sent to a number that also receives these lures. Result: Even if
someone taps the link, the page does not load on a managed device, and a
harvested phone number does not hand over the firm's MFA. Convenience is the
bait. Technical enforcement is the defense.
Scam #2: The File Share That Comes From a Real System.
What it looks like in the wild: An email arrives: "[Client
Name] has shared a file with you." It's sent through a legitimate cloud
platform from a real, already-compromised account, so the sender address checks
out and the branding is perfect. The "document" is a link to a login page that
looks like the platform's own. They click. They log in. Their username,
password, and often the MFA code they typed are now in someone else's hands.
Here's where this usually breaks: Attackers compromise one real account, then
use that platform's native sharing tools. Spam filters don't catch it because
nothing about the delivery is fake. This is the single most common entry point
into CPA firm cloud environments we see. What actually works (and how it's
enforced): Policy: Unexpected file shares are never accessed from email.
Technical control: Conditional access allows sign-in only from enrolled,
compliant devices and expected locations, so a password and code typed into a
look-alike page are useless when replayed from the attacker's machine. A push
approval or SMS code on its own is not enough, because a proxied login page can
relay it in real time; the device requirement, or a phishing-resistant factor
such as a hardware key, is what closes the gap. Behavioral rule: If the file is
real, it will appear when the employee logs into the platform directly. This
isn't about being careful. It's about removing the shortcut entirely.
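The conditional-access decision described above, written out as policy logic. This is an added example, not code from the original page or from any identity provider; the event fields, the trusted countries, the list of phishing-resistant factors and the sample sign-ins are all assumptions constructed for the illustration. It goes slightly beyond the text by turning every non-allow decision into an alert, which is the "unusual login behavior" item on the checklist later in this piece.

```python
"""Conditional-access decision for a cloud sign-in (added example, not the page's code)."""
from dataclasses import dataclass

# Assumptions, not from the page: the firm works from the US and Canada, and
# FIDO2/certificate factors are the only ones an attacker's proxy cannot relay.
TRUSTED_COUNTRIES = {"US", "CA"}
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp"}     # cannot carry an MFA challenge at all
PHISHING_RESISTANT = {"fido2", "certificate"}


@dataclass
class Decision:
    action: str   # "allow", "step_up" (demand a phishing-resistant factor) or "block"
    reason: str


def evaluate_signin(event: dict, known_countries: set) -> Decision:
    """Policy: managed device AND trusted location AND MFA, with no exceptions.
    event keys: user, managed_device, country, protocol, mfa (the factor that was used)."""
    if event["protocol"] in LEGACY_PROTOCOLS:
        return Decision("block", "legacy protocol cannot complete MFA")
    if not event["managed_device"]:
        # Phished credentials are replayed from the attacker's machine, never an enrolled one.
        return Decision("block", "device is not enrolled or not compliant")
    if event["country"] not in TRUSTED_COUNTRIES:
        return Decision("block", f"sign-in from untrusted country {event['country']}")
    if event["mfa"] not in PHISHING_RESISTANT and event["country"] not in known_countries:
        # A push or SMS code can be relayed live by a fake login page; a new location
        # plus a relayable factor is the pattern a phished file-share link produces.
        return Decision("step_up", "new country for this user with a relayable MFA factor")
    return Decision("allow", "managed device, trusted location, MFA satisfied")


def process(events: list, baseline: dict) -> tuple:
    """Evaluate events in order. Allowed sign-ins extend the user's country baseline;
    anything else becomes an alert for whoever reviews sign-in activity."""
    known = {user: set(countries) for user, countries in baseline.items()}
    decisions, alerts = [], []
    for ev in events:
        seen = known.setdefault(ev["user"], set())
        d = evaluate_signin(ev, seen)
        decisions.append(d)
        if d.action == "allow":
            seen.add(ev["country"])
        else:
            alerts.append(f"{ev['user']}: {d.action} - {d.reason}")
    return decisions, alerts


# Constructed sample data: one normal login, one replay of phished credentials
# from an unmanaged machine, one partner travelling, one legacy-protocol attempt.
BASELINE = {"pat@firm.example": {"US"}, "lee@firm.example": {"US"}}
SAMPLE_EVENTS = [
    {"user": "pat@firm.example", "managed_device": True,  "country": "US", "protocol": "browser", "mfa": "push"},
    {"user": "pat@firm.example", "managed_device": False, "country": "NL", "protocol": "browser", "mfa": "push"},
    {"user": "lee@firm.example", "managed_device": True,  "country": "CA", "protocol": "browser", "mfa": "push"},
    {"user": "lee@firm.example", "managed_device": True,  "country": "US", "protocol": "imap",    "mfa": "none"},
]

if __name__ == "__main__":
    decisions, alerts = process(SAMPLE_EVENTS, BASELINE)
    for ev, d in zip(SAMPLE_EVENTS, decisions):
        print(f"{ev['user']:<18} {ev['country']} {ev['protocol']:<8} -> {d.action:<8} {d.reason}")
    print("alerts:", alerts)
```

The order of the checks is the point: device enrollment is tested before anything about the user's factor, so a stolen password and a relayed code never reach the MFA decision at all when they come from a machine the firm does not manage.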
Scam #3: The Email That's Written Too Well.
Phishing used to be sloppy. That era is gone. Today's emails
are written specifically for CPA roles: payroll verification requests, vendor
payment changes, client document follow-ups timed to deadlines. They reference
real names, real processes, and real timing. Why partners should care: These
emails don't cause panic. They cause cooperation. And cooperation under time
pressure is where controls, or the lack of them, get exposed. What actually
works (and how it's enforced): Policy: Any request involving credentials,
payment changes, or sensitive data requires second-channel verification: a call
to a number already on file, never to a number taken from the email. Technical
control: Mail rules flag and isolate messages containing payment or credential
language, and hold for review any external message where the Reply-To differs
from the sender or an outside address uses a partner's display name. Cultural
rule: Urgency itself is treated as the warning sign. Real security assumes
people will be busy. It plans for that reality.
The External Lens That Actually Matters.
If an insurer, regulator, or forensic firm reviews an
incident, they will not ask "Did the employee mean well?" They will ask what
controls were in place, which actions were technically blocked, and where
policy relied on human judgment alone. That is the standard your firm is judged
against—not intent.
The Minimum Acceptable Scam-Resistance Setup for CPA Firms.
Print-ready checklist. This is the baseline we expect to see hold up under review:
- text-message payment links are blocked or restricted
- unexpected file shares are accessed only through direct platform login
- MFA is enforced with conditional access, not exceptions
- payment and credential changes require second-channel verification
- external sharing permissions are intentionally limited
- alerts exist for unusual login behavior
- staff know exactly where to report "something feels off"
If any box is unchecked, that's not a training issue. It's an exposure.
What To Do In The Next Seven Days.
Within the next week, do this one thing: walk this checklist
through with your leadership team and mark where enforcement is policy-only
versus technically blocked. That gap is where incidents start.
Fix This Now — With a Concrete Deliverable.
Reach out right now and request a CPA Firm Scam Exposure
Map. You'll get a clear, written breakdown showing where scams would bypass
your current controls, which risks are policy-only, and what can be technically
enforced immediately. No theory. No scare tactics. Just a practical map of
where you're exposed—and how to close it. Don't wait. Reach out now and get
this handled before it becomes an incident.
