CPABC's senior security analyst Jimmy Ho outlines how CPAs are being targeted by increasingly persuasive and polished AI-generated scams, and how to guard against them.
As artificial intelligence becomes increasingly powerful, the content it produces - including spear-phishing emails, websites, and voice messages - is becoming more polished and convincing. One risky result of this progress is that cybercriminals are using AI to make their scams harder to detect. One recent study found that an AI-supported spear-phishing email campaign tricked more than 50% of its targets into clicking through to a bogus website. Of the control group that received an old-fashioned phishing email, only 12% were tricked. To discuss how bad actors are using AI and how CPAs can guard against their scams, we chatted with Jimmy Ho, CPABC's senior security analyst.
Could you give us a quick refresher on AI-supported spear-phishing?
Old-fashioned spear-phishing is a targeted attempt to trick a user into clicking on a bogus link. Usually, an attacker gathers information about a target through social media and websites that contain their information, then curates an email specifically for that target. AI-supported spear-phishing uses artificial intelligence tools like ChatGPT or machine learning algorithms to craft convincing emails, texts, and voice calls to trick people into revealing sensitive information. Unlike more traditional types of phishing, these messages are more personalized, grammatically correct, and can mimic trusted contacts or organizations, making them harder to spot.
Can you share a recent example of an AI spear-phishing attack?
Cybercriminals have been using AI-driven website builders like Lovable to rapidly spin up ultra-realistic phishing websites - cloning login pages, deploying platforms to bypass multi-factor authentication, and even hosting these bogus sites on the domain itself. There was also a massive campaign in February that sent out thousands of phishing emails affecting thousands of organizations. Thankfully, that platform took down the worst clusters and has since rolled out AI-powered detection to block malicious site creations.
How might CPAs encounter AI spear-phishing?
As a CPA, you could get what looks like a genuine email request from one of your long-term clients asking for updated banking information or an email styled exactly like the CRA down to the logos, fonts, and tone of voice. Even invoices from vendors can be faked with shocking accuracy because attackers scrape details from the internet and feed them into AI tools that clean up the grammar and formatting. The results can look very legitimate, making them hard to catch at a glance.
Who is targeting CPAs and why?
Organized cybercriminal groups like to target CPAs because they hold the keys to financial data like tax information and sensitive client records. If the bad actors succeed, that data can be gathered quickly and sold off on the dark web. However, it’s not just about the money - there are nation-state actors who are very interested in financial professionals because their data can reveal business strategies, high-value clients, or even be used for identity theft. CPAs are high-value targets and attackers know it.
What are some risks to CPAs and their clients?
The risk runs across the board. There's an immediate financial loss if a wire transfer or payment is redirected to a fraudulent account. There's also a reputational hit - if a client finds out that their sensitive tax or payroll information has leaked through your system, that trust is really hard to win back. There's also the regulatory risk. A breach of personal or financial data can trigger fines and compliance reviews. There can also be legal obligations that can drag out long after the initial incident.
Who is most at risk?
Smaller and mid-sized firms tend to be the most vulnerable simply because they might not have a dedicated IT or security team to watch their backs. However, any CPA who's handling high-value client data without following basic safeguards like multi-factor authentication, regular training, or secure email filtering is putting themselves and their clients in the danger zone. Remote workers are also a big target because they rely almost entirely on email and cloud systems to communicate - and these systems are at risk of being attacked.
What are some precautions CPAs can take?
My number one tip is, “Don't trust, always verify.” If you receive a request that feels even slightly unusual or suspicious - for example, to change payment details or send sensitive files - you should contact the requester directly and confirm with your client or vendor. On the technical side, enable multi-factor authentication, especially on email accounts and accounting systems. If possible, invest in email filtering tools to vet suspicious attachments or links before they hit your inbox. Security awareness training is also extremely important - teaching staff to pause and question if anything looks a little bit too perfect or suspicious, or is coming in at an odd time. Finally, have a plan. If a spear-phishing email does get through, know what you need to do to respond to it quickly.
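A small triage check for the "verify before acting" rule described above, written as an added example rather than anything from CPABC or the interview; the trusted-contact directory, the domain names and the sample message are constructed placeholders. It flags the combination the interview warns about: a sender that only resembles a known client (look-alike domain, mismatched display name, or a Reply-To on another domain) together with a request to change banking or payment details, and holds that message for out-of-band confirmation.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of trusted correspondents, domain -> display name (placeholder values).
TRUSTED = {"acme-client.example": "Dana Lee"}
# Phrases typical of payment-redirection requests; subject and body are both scanned.
PAYMENT_CHANGE = re.compile(
    r"updated?\s+(?:\w+\s+){0,2}bank|new\s+(?:bank\s+)?account|payment details|wire (?:transfer|instructions)", re.I)

def levenshtein(a, b):  # edit distance, to catch look-alike domains such as one swapped character
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw_email, trusted=TRUSTED):
    """Return (verdict, reasons); 'hold' means confirm with the client by phone before acting."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    sender_flags, content_flags = [], []
    for tdomain, name in trusted.items():
        if domain != tdomain and levenshtein(domain, tdomain) <= 2:
            sender_flags.append(f"sender domain {domain} resembles trusted domain {tdomain}")
        if domain != tdomain and name.lower() in display.lower():
            sender_flags.append(f"display name '{display}' matches {name} but domain is {domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        sender_flags.append(f"Reply-To {reply_to} is on a different domain than From")
    payload = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + (payload if isinstance(payload, str) else "")
    if PAYMENT_CHANGE.search(text):
        content_flags.append("asks to change payment or banking details")
    # Unusual sender plus a payment change: hold for verification; only one of the two: warn.
    verdict = "hold" if sender_flags and content_flags else "warn" if sender_flags or content_flags else "deliver"
    return verdict, sender_flags + content_flags

# Constructed sample: a look-alike domain ("c1ient" for "client") plus a request to pay a new account.
SAMPLE = """From: Dana Lee <dana@acme-c1ient.example>
Subject: Updated banking information for this month's payment
Content-Type: text/plain

Hi, we have moved banks. Please send the next payment to our new account.
"""
```

Run `triage(SAMPLE)` to see the sample held with three reasons; a routine message from the genuine client domain with no payment wording is delivered unflagged.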
Are there resources you'd recommend to learn more?
CPA Canada has excellent cybersecurity resources tailored for accountants and the Government of Canada has a Get Cyber Safe portal that provides information on how to protect yourself.
Leah Giesbrecht is a communications specialist at CPABC.