
Last month, we covered seven scams that target business owners. This month, we're turning the lens around.

Bookkeeping professionals are not just witnesses to financial fraud — they are targets of it. And the reason is straightforward: bookkeepers hold financial access, sensitive data, and trusted relationships that scammers find extremely valuable. A single successful attack on a bookkeeper doesn't just affect them. It can affect every client they work with.

Here are the eight scams we see most frequently targeting bookkeeping professionals — what they look like, why they work, and what you can do to protect yourself and your practice.

1. The Fake Client Onboarding Scam

The setup is convincing. A prospective new client makes contact, seems professional, and engages your services. They send payment promptly — often a check, often for more than the agreed amount. They mention they need you to also arrange a payment to a supplier or third-party vendor from those funds. It all seems routine.

The check clears initially. You forward the funds to the third party. Days later, the bank reverses the deposit. The check was fraudulent. The "client" has disappeared. You are personally liable for every dollar you already disbursed.

This scam is devastatingly effective because it mimics a legitimate client relationship at every step. The urgency is subtle. The paperwork looks real. The check shows up as cleared before it bounces.

How to spot it: An overpayment combined with a request to forward funds to a third party is the signature of this scam. Rushed onboarding, vague business details, and communication from a free or generic email address are additional warning signs.

How to prevent it: Never disburse funds from any deposit until it has fully and irrevocably cleared — allow at least 7 to 10 business days. Understand that a cleared balance is not the same as a settled check. Build a client onboarding process that includes identity verification before any financial work begins.

2. The Overpayment and Refund Scam

This is a variation of the fake client scam, and it can strike existing client relationships as well as new ones.

A client sends a payment that is significantly more than the invoice amount. They contact you — apologetically, often with urgency — to request a refund of the difference. The original payment has appeared to clear. You issue the refund in good faith. Days later, the bank reverses the original payment. Your refund came from your own funds.

The scam relies on a misunderstanding that is easy to have: that a cleared balance means a settled payment. It does not. Checks can bounce days after they appear to clear. Certain wire transfers can be reversed in fraud cases. The window between apparent clearance and actual settlement is exactly when this scam operates.

How to spot it: An unexpected overpayment followed by an urgent request for a partial refund. Pressure to process the refund quickly, before your normal timeline.

How to prevent it: The rule is simple and must be applied without exception: never issue any refund until the original payment has been confirmed as fully settled by your bank. Call your bank directly if you are unsure. Apply the policy consistently — urgency from the client is never a reason to make an exception.

3. Phishing Attacks via Fake Accounting Software Notices

Bookkeepers are among the most targeted professionals for phishing attacks, and the reason is straightforward: compromising a bookkeeper's login doesn't just give the scammer access to one account — it gives them access to every client account that bookkeeper manages.

These attacks arrive as emails that look exactly like genuine communications from QuickBooks, Xero, FreshBooks, MYOB, or whichever platforms you use. The logo is correct. The formatting matches. The message is urgent: verify your account, or face suspension. The link leads to a near-perfect replica of the real login page. You enter your credentials. The scammer now has full access.

How to spot it: The sender's email domain doesn't match the real company — check the actual address, not just the display name. The greeting is generic ("Dear User" rather than your name). The message threatens account suspension within a specific timeframe. The link URL doesn't go to the real software domain.

How to prevent it: Bookmark every accounting software login page you use, and access those pages only via your saved bookmark — never via a link in any email. Enable multi-factor authentication on every platform. When you receive a suspicious security alert, go directly to the software's website to check your account status rather than clicking any links in the email.
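The four warning signs above can be checked mechanically before anyone clicks. The script below is an added example, not code from Salt & Sand or from any of the platforms named; it parses a constructed sample email and reports which of the post's signs it shows. The vendor domain allowlist is an assumption for the example, and the "registrable domain" helper only handles plain `.com`-style hosts, not country-code suffixes such as `.co.uk`.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of real login domains for the platforms named in the post.
# Confirm the exact hostnames your own vendors use before relying on this.
KNOWN_DOMAINS = {
    "quickbooks": {"intuit.com", "quickbooks.com"},
    "xero": {"xero.com"},
    "freshbooks": {"freshbooks.com"},
    "myob": {"myob.com"},
}
GENERIC_GREETINGS = ("dear user", "dear customer", "dear valued client")
URGENCY = re.compile(r"(suspension|within \d+ hours|immediately|verify now)", re.I)
HREF = re.compile(r'href="([^"]+)"', re.I)

def registrable(host):
    # Last two labels of the hostname, e.g. go.xero.com -> xero.com (crude; .com-style only).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def triage(raw_email):
    """Return the warning signs from the post's checklist that this email shows."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload(decode=True).decode(errors="replace")
    flags = []
    # Which vendor is the message claiming to be from? Check display name and subject.
    brand = next((b for b in KNOWN_DOMAINS if b in (display + " " + subject).lower()), None)
    sender_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""
    if brand and sender_dom not in KNOWN_DOMAINS[brand]:
        flags.append(f"sender domain {sender_dom!r} is not a {brand} domain")
    if body.lower().lstrip().startswith(GENERIC_GREETINGS):
        flags.append("generic greeting instead of your name")
    if URGENCY.search(subject + " " + body):
        flags.append("urgency or suspension threat")
    for url in HREF.findall(body):
        host = urlparse(url).hostname or ""
        if brand and registrable(host) not in KNOWN_DOMAINS[brand]:
            flags.append(f"link goes to {host!r}, not the real {brand} domain")
    return flags

# Constructed sample of a fake software notice (not a real message or domain).
SAMPLE = """\
From: "QuickBooks Support" <alerts@quickbooks-verify.example>
Subject: Action required: your account will be suspended within 24 hours
Content-Type: text/html

Dear User,
Verify your account now to avoid suspension: <a href="https://quickbooks.example.net/login">Sign in</a>
"""
```

Run `triage(SAMPLE)` to see all four signs reported; a genuine notice from an allowlisted domain addressed to you by name returns an empty list.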

4. Credential Stuffing and Account Takeover

You may have strong, unique passwords for your most important accounts. But what about the password you used several years ago on a service you've long since forgotten — a service that was later involved in a data breach?

Credential stuffing attacks use exactly this: leaked username and password combinations from past data breaches, tested automatically across thousands of websites and applications. Bookkeeping platforms are high-value targets. If your credentials were leaked in any past breach, and you reused that password anywhere, your accounts may already be at risk.

The attack is invisible until it succeeds. By the time you notice, a scammer may have already accessed client accounts, changed payment details, or extracted sensitive financial data.

How to spot it: Unexpected login notifications from software you use. Clients reporting payment changes they did not authorise. Being suddenly locked out of an account — attackers sometimes change credentials to buy time. Unfamiliar login locations in your account activity history.

How to prevent it: Use a unique, strong password for every single platform you access. Enable multi-factor authentication on every accounting platform and financial system. Use a reputable password manager — this makes unique passwords practical and eliminates the need to remember or reuse them. Check haveibeenpwned.com to see if your email address has appeared in known data breaches.
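The signs listed under "How to spot it" can also be pulled out of the account activity history most platforms let you export. The code below is an added example, not the firm's or any platform's own tooling; it reads a constructed activity export and flags a successful login from a country not seen in your established baseline, a success that follows a burst of failures (the credential stuffing pattern), and a password change from that unfamiliar location (the lockout sign). The column names are assumed for the example.

```python
import csv
from io import StringIO

# Constructed sample of an account-activity export; the column names are assumed.
ACTIVITY_CSV = """\
timestamp,event,country,result
2024-05-01T09:02:00,login,AU,success
2024-05-02T09:05:00,login,AU,success
2024-05-03T09:01:00,login,AU,success
2024-05-06T03:11:00,login,NG,failure
2024-05-06T03:11:20,login,NG,failure
2024-05-06T03:11:40,login,NG,failure
2024-05-06T03:12:05,login,NG,success
2024-05-06T03:14:00,password_change,NG,success
"""

def review(csv_text, baseline_logins=3, failure_burst=3):
    """Return the account-takeover signs from the post found in an activity export."""
    findings = []
    baseline = set()           # countries seen in the first few successful logins
    seen_successes = 0
    consecutive_failures = 0
    for r in csv.DictReader(StringIO(csv_text)):
        ts, event, country = r["timestamp"], r["event"], r["country"]
        ok = r["result"] == "success"
        if event == "login" and not ok:
            consecutive_failures += 1
            continue
        # Once a baseline exists, any other country counts as unfamiliar.
        unfamiliar = seen_successes >= baseline_logins and country not in baseline
        if event == "login":
            if consecutive_failures >= failure_burst:
                findings.append(f"{ts}: success after {consecutive_failures} failed attempts")
            if unfamiliar:
                findings.append(f"{ts}: login from unfamiliar location {country}")
            elif seen_successes < baseline_logins:
                baseline.add(country)
            seen_successes += 1
        elif event == "password_change" and unfamiliar:
            findings.append(f"{ts}: password changed from unfamiliar location {country}")
        consecutive_failures = 0
    return findings
```

A clean history (only the baseline logins) returns no findings; the sample above yields three.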

5. The Fake Job Offer and Money Mule Scam

This scam specifically targets bookkeeping professionals entering the job market or looking for additional remote work — and the consequences can be severe.

A job posting or LinkedIn message advertises a remote bookkeeping role with attractive pay, flexible hours, and a fast start. The company is vague or difficult to verify. There is no formal interview. The person is quickly "hired" and asked to receive payments and forward them to third parties — framed as a routine accounts function. In reality, they are laundering money for a criminal operation.

Whether the participant knew it or not, involvement in a money mule arrangement can result in account freezes, civil liability, and criminal investigation. The legitimate-sounding job title does not protect you.

How to spot it: High pay with no formal interview. A company that cannot be independently verified. A role that involves receiving funds into your personal or business account and transferring them elsewhere. Being asked to handle payments before completing a proper hiring process.

How to prevent it: Research every potential employer independently via company registers, LinkedIn, and professional directories — not using links or contact details the employer provides. No legitimate bookkeeping role involves forwarding funds from your personal accounts to third parties. If an offer seems unusual, consult your professional association before engaging.

6. Ransomware Targeting Client Data

Bookkeeping professionals are high-value ransomware targets for a specific reason: they hold sensitive financial data for multiple clients on a single system. One successful attack can expose the financial records of every business they work for.

Ransomware typically enters via a phishing email or an infected file download. It runs silently in the background, encrypting files. Then the ransom demand appears — payment in cryptocurrency, with a deadline before the data is permanently destroyed or published publicly. Even if the ransom is paid, full recovery is not guaranteed. The reputational damage to the practice, and the potential liability to clients whose data was exposed, can be significant.

How to spot it: Unusual computer slowness or unexplained file activity. Files appearing with new extensions or names you did not create. Sudden inability to open documents that were previously accessible. A ransom demand screen.

How to prevent it: Maintain regular, tested backups to a separate offline or cloud location that ransomware cannot reach — and test your restores, not just your backups. Use reputable endpoint protection on all devices and keep all software fully updated. Use cloud-based accounting software where possible to reduce the volume of sensitive client data stored on local devices. Train on phishing recognition, since most ransomware enters via a clicked link or email attachment.

Ransomware loses most of its leverage when you have clean, recent backups. If you do not currently have a backup system in place, that is the most important thing you can fix today.

7. Fake Professional Association Membership Scams

This scam is smaller in dollar value but effective precisely because of that. An unsolicited invoice arrives for a membership to a bookkeeping or accounting association. The name sounds legitimate — sometimes closely resembling a real professional body. The letterhead is professional. The amount is modest. You have never heard of them.

The association does not exist, or exists solely to collect payments and issue worthless credentials. Because the amount is small and the presentation looks credible, it often gets paid without question.

How to spot it: An unsolicited invoice for a membership or certification you did not apply for. The organisation name cannot be found on government business registers. No recognition of the association from any professional body you already belong to. Urgency to pay before a deadline to "maintain active status."

How to prevent it: Research any unfamiliar association independently via government business registers before paying. Contact your existing professional body — organisations like the ICB, AAT, CPA Australia, and IPA know which bodies are legitimate and which are not. Never pay an unsolicited membership invoice without verification. A genuine professional body does not send cold invoices with payment deadlines to non-members.

8. Social Engineering via LinkedIn

This is perhaps the most patient and sophisticated scam on this list — and the one that is easiest to miss precisely because it moves slowly.

A scammer creates a credible LinkedIn profile: a business owner, a referral partner, or an industry peer. They send a connection request. They engage with your posts and ask thoughtful questions. Over weeks or months, they build genuine-seeming rapport. The objective, throughout all of this, is information: who your clients are, what software you use, how your payment processes work, what your thresholds and controls look like.

With enough of this intelligence, a scammer can convincingly impersonate a trusted party, target your clients directly, or use your internal process knowledge to bypass the controls you have in place.

How to spot it: A new contact asks unusually specific questions about your clients, your software, or your internal processes. An opportunity that arrived via LinkedIn seems disproportionately attractive and easy. The profile looks polished, but the company cannot be independently verified.

How to prevent it: Do not list specific client names or industries publicly on your LinkedIn profile — this is valuable intelligence for a scammer. Verify new contacts and their businesses independently via company registers before sharing any professional information. Treat early-stage requests for client or process details as a red flag — legitimate partners do not need this upfront. Be thoughtful about what your posts and comments reveal about your clients, your systems, and your workflows.

What These Eight Scams Have in Common

The scams targeting bookkeeping professionals are more sophisticated than many people expect — and they're more targeted. Bookkeepers are not incidental victims. They are chosen specifically because of what they hold: financial access, client data, and professional trust.

Several patterns appear across all eight. Most create some form of urgency that is designed to make you act before you think. Most exploit something legitimate — a new client relationship, a professional email, a job opportunity, a professional connection. And most are significantly harder to execute against a bookkeeper who has clear policies, good habits, and a healthy level of professional scepticism.

The best protection is procedural. A policy of not disbursing uncleared funds protects against the first two scams entirely. A rule of never logging into software via email links stops phishing cold. Unique passwords and multi-factor authentication block credential stuffing. Regular tested backups neutralise ransomware. These are not complicated fixes — but they need to be implemented before a scam, not in response to one.

Protecting Your Practice and Your Clients

At Salt & Sand Bookkeeping, we take the security of our clients' financial information seriously. We maintain the systems, habits, and processes that protect both our practice and the businesses that trust us with their accounts.

If you're a business owner looking for a bookkeeper, it's worth asking about their security practices — just as you would ask about their qualifications. And if you are a bookkeeping professional, we hope this series has been useful. The more aware our profession is of these tactics, the harder they become to execute.

Visit us at saltandsandbookkeeping.com or get in touch if you'd like to talk about how we work.


Salt & Sand Bookkeeping provides bookkeeping and financial management services to small and growing businesses. This post is intended for general educational purposes. If you believe you have been the target of fraud, contact your financial institution and relevant authorities immediately.
