Online Security for Business Owners: From a Bookkeeper’s Perspective
In 2026, it’s fair to say most business owners think their business and accounting files are ‘secure.’ They’ve put in place cyber security with their IT guys and updated some procedures for employees to be aware of. However, criminals are coming up with impressively innovative scams, and businesses can quickly change from thriving to scrambling when online security slips. The problem for business owners is that every invoice, payroll run, and supplier email is a potential entry point for scammers. As a business owner, you can’t just put procedures in place – you must be continually diligent with your cyber security.
The Most Common Scams We See in Bookkeeping

These are the scams we see most often:

The “Please update our bank details” email.

You get an email from a regular supplier explaining that they’ve changed their bank details. It looks legitimate; even the logo and email address appear correct. But if you change the payment details without verifying with a phone call to the supplier, your payment could go straight to a criminal’s bank account. Simple fix: Call your supplier contact on a number you know is correct for their business, and ask if they have updated their bank details recently. Never update bank account details based only on information you receive in an email. And document the verification process every time.

CEO impersonation payment requests are on the rise.

It’s not uncommon for accounts payable to get emails from the CEO saying, “Please pay this, now!” …but these emails can often be intercepted and the invoice attachment switched. The scammers are far ahead of the average business, technology-wise, so, to be cyber safe, consider how emails can be intercepted before making changes based on email instructions. One way to mitigate the risk is to call the CEO, double-check the payment request, and also double-check the account number, name and details of who you’ll be paying.

Phishing 

A word we’ve all heard of… but what’s the ‘definition’? It’s where cybercriminals call or send emails and DMs hoping to gain sensitive information, including passwords, credit card numbers or login credentials. Fake ATO emails or alerts from companies like Xero and MYOB are becoming more prevalent and getting more sophisticated. If you’re not vigilant, it’s easy to get caught out. These emails will often have an ‘urgent’ call to action, such as, ‘your account will be locked if you don’t act now!’ Remember, a ‘real’ company is unlikely to ask you to click a link or provide sensitive information via email.

Multi-Factor Authentication (MFA) Is Non-Negotiable in 2026

Multi-Factor Authentication (MFA) adds a critical layer of protection that can stop many cyberattacks. At WestBAS, we choose MFA for all our banking, financial software like Xero, our super portals, and every other data-sensitive software platform. We also choose to use app-based authentication, like Google Authenticator, rather than SMS. Why? Because SMS can be intercepted or redirected. The Australian Cyber Security Centre has excellent, up-to-date advice on this - check it out here: https://www.cyber.gov.au.

While passwords are still your first line of defence, putting MFA in place means your accounts can only be accessed with a code that changes every sixty seconds. And only you, or your trusted employees, will have access to that code.

When it comes to passwords, the consensus from cyber experts is to not reuse the same password across multiple platforms. Choosing to use a password manager will help create and store strong, unique passwords for every account. At WestBAS, we also have procedures in place to regularly check who has access to our sensitive data, and when a staff member leaves, we remove their access immediately.

Why Dual Approval Matters

With banking and payments, we ensure dual approval is enacted: one person creates the ABA file, another approves it. Dual approval is a layer of protection, another set of eyes, that could be the difference between paying the right bank account and missing an inconsistency. As with all cyber security matters, consistently updating procedures and ensuring those procedures are adhered to could make the difference between being scammed… or not!
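A check the second approver could run before approving an ABA file, shown here as an added example rather than WestBAS’s own code. It assumes the standard 120-character ABA detail-record layout and a hypothetical register of payee bank details already verified by phone; every name, BSB and account number below is constructed.

```python
from dataclasses import dataclass

@dataclass
class Payment:
    bsb: str
    account: str
    cents: int
    title: str

def parse_aba(text):
    """Return the detail records (type '1') of an ABA file."""
    payments = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith("1"):
            continue  # skip header (type 0) and file total (type 7)
        if len(line) != 120:
            raise ValueError(f"line {n}: detail record must be 120 characters")
        payments.append(Payment(
            bsb=line[1:8],               # "NNN-NNN"
            account=line[8:17].strip(),  # right-justified, blank-filled
            cents=int(line[20:30]),      # amount in cents, zero-filled
            title=line[30:62].strip(),   # payee account name
        ))
    return payments

def review(payments, verified):
    """verified maps payee name -> (bsb, account) confirmed by phone."""
    findings = []
    for p in payments:
        known = verified.get(p.title.upper())
        if known is None:
            findings.append((p.title, "payee not in verified register"))
        elif known != (p.bsb, p.account):
            findings.append((p.title, "bank details differ from verified"))
    return findings

def detail(bsb, account, cents, title):
    # Builds a constructed sample detail record (transaction code 50 = credit).
    return ("1" + bsb + account.rjust(9) + " " + "50" + f"{cents:010d}"
            + title.ljust(32) + "INV".ljust(18) + "000-000" + "0" * 9
            + "SAMPLE CO".ljust(16) + "0" * 8)

SAMPLE = "\n".join([
    "0".ljust(120),
    detail("062-000", "12345678", 150000, "ACME SUPPLIES"),
    detail("033-111", "99887766", 42000, "BRIGHT CLEANING"),
    detail("084-222", "555", 9900, "NEW VENDOR"),
    "7".ljust(120),
])
VERIFIED = {"ACME SUPPLIES": ("062-000", "12345678"),
            "BRIGHT CLEANING": ("033-001", "11223344")}
```

Any finding returned by `review(parse_aba(SAMPLE), VERIFIED)` is a payment to hold until the supplier has been phoned on a known number.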

Dual approval is also relevant when dealing with payroll. Employee data contains (extra) sensitive information: tax file numbers, addresses, bank details, and superannuation accounts - all goldmines for criminals. Restricting access to payroll files and using encrypted storage and secure sharing platforms will support your business’ cyber security. We have systems in place to ensure we never send payroll data via email. Protecting this information is about safeguarding your staff and your business reputation.

A Simple 5-Step Security Checklist for Business Owners

Here’s a practical checklist we use with our new clients to remind us to keep data safe: 

Turn on MFA everywhere - accounting, banking, email, everything. 

Stop making changes to bank account details received in emails - verify by phone every time. 

Review user access to sensitive platforms at least quarterly, and remove anyone who no longer needs it.

Lock down payment approvals with dual authorisation.

Talk to your bookkeeper about your workflow and make security a priority item.

Why Cyber Security Is More Than Just a Financial Risk

Yes, cyber security is important for your cashflow, your reputation, and the trust you’ve built with every client and employee, but in 2026, the Australian Government is getting tough with security compliance, advising businesses to work through “The Essential Eight” framework. You can read more about it here: https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight 

With financial scams and cybercriminals getting more innovative by the day, protecting your business online is as critical as balancing your books. Ultimately, if you want to protect your business and your bank balance, it’s time to treat online security as a daily discipline, not an afterthought. At WestBAS, we work closely with our customers to ensure cyber security is prioritised.

Stay tuned for our next blog, where we’ll be discussing ‘all things cyber-security’ with experts in the industry and sharing some tips on how, at WestBAS, we keep our client data safe.