End of Financial Year Cyber Threat Guide

EOFY is the highest-risk period of the year for Australian professional services firms. What attackers do differently and what to do about it.

Why EOFY Is Different

The end of financial year creates a specific set of conditions that attackers actively exploit. Staff are under genuine time pressure. The volume of legitimate urgent requests is at its peak. Finance teams are processing a higher-than-normal volume of transactions. Decisions that would normally receive careful scrutiny get made faster because deadlines are real.

Attackers understand this. EOFY phishing campaigns, business email compromise attempts, and credential harvesting operations targeting Australian accounting, legal, and financial advisory firms spike consistently in the lead-up to 30 June. These are not opportunistic attacks. They are planned campaigns timed to exploit a known window of reduced vigilance.

The Threat Landscape at EOFY

ATO-Themed Phishing

The ATO is one of the most impersonated brands in Australian phishing campaigns. During EOFY, phishing emails impersonating the ATO spike significantly. They claim returns have been lodged, refunds are pending, debts require urgent payment, or TFNs have been flagged. The emails are increasingly convincing, with correct branding and plausible subject lines.

Accounting Software Credential Harvesting

Xero, MYOB, and QuickBooks credentials are directly valuable. An attacker with access to a firm's practice management software has access to client financial data, bank account details, and payroll records. EOFY sees a surge in fake login pages, urgent account notifications, and credential stuffing attacks.

Payment Redirection and BEC

The volume of large transactions peaks at EOFY: settlement payments, tax payments, super fund contributions, trust account disbursements. A fraudulent payment redirection request inserted into a busy EOFY transaction stream has a higher chance of success because the volume and urgency make careful verification less likely.

Ransomware Targeting Deadline Pressure

A firm that cannot access client files three days before tax lodgement deadlines is under maximum pressure to pay a ransom quickly. Ransomware groups are aware of these deadlines and time deployments accordingly.

EOFY Controls: For Your Firm

Brief all staff on EOFY-specific phishing themes before the peak period. ATO impersonation, accounting software credential requests, and urgent payment requests should be specifically named.
Confirm that your payment verification process is in place and being followed. No payment detail changes based solely on an email instruction.
Review who has access to your accounting and practice management platforms. Remove or suspend accounts for staff who no longer need access.
Confirm MFA is enforced on your accounting software, not just your email.
Review your backup status. Verify that recent backups are completing successfully and that at least one copy is stored offline or immutably.
Confirm your incident response contact details are current and accessible to key staff.
Remind staff that urgency is a manipulation tactic. A genuine ATO or software vendor communication will not collapse if it takes 10 minutes to verify.

EOFY Controls: For Your Clients

Brief clients who handle their own finances on ATO impersonation scams and how the ATO actually communicates.
Remind clients that bank account details should never be changed based solely on an email instruction, even if it appears to come from your firm.
Advise clients to verify any unusual communication purportedly from your firm by calling your office on a number they already have.
If your firm sends large invoices or payment requests at EOFY, consider establishing a verbal confirmation protocol with high-value clients.

Recognising an ATO Impersonation Email

Legitimate ATO communications will not:

Ask you to confirm bank account details via email or a link
Demand immediate payment via gift card, cryptocurrency, or wire transfer
Threaten arrest, legal action, or account suspension in an email
Ask for your myGov credentials via a link in an email
Send an attachment requiring you to enable macros to view it

If an email claims to be urgent and from the ATO, log in to myGov directly through the browser. If the communication does not exist there, the email is fraudulent.
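The indicators above can be turned into a first-pass screen that a mail filter or help desk can run over a suspicious message before anyone decides it is genuine. The script below is an added example, not tooling from this guide's author or the ATO; it uses only the Python standard library. The legitimate-domain list (ato.gov.au and my.gov.au are real domains; the allowlist itself is an assumption to adjust to your environment), the macro-enabled extension list, the keyword patterns and the two sample messages are constructed for the example. A clean result is not proof that a message is genuine; the check in the paragraph above (logging in to myGov directly) still applies.

```python
"""Screen an inbound email for the ATO-impersonation indicators listed above.

Added illustration using only the Python standard library. The allowlist,
extension list, keyword patterns and sample messages are constructed
assumptions for the example, not an official or complete rule set.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a genuine ATO or myGov message would link to or be sent from (assumption).
LEGITIMATE_DOMAINS = ("ato.gov.au", "my.gov.au")

# Office attachment extensions that require macros to be enabled to "view" them.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm")

# Constructed keyword patterns matching the indicators in the guide.
CLAIMS_ATO = re.compile(r"\bato\b|taxation office", re.I)
PAYMENT_DEMAND = re.compile(r"\b(gift ?cards?|bitcoin|cryptocurrency|wire transfer)\b", re.I)
THREAT = re.compile(r"\b(arrest|legal action|account (will be )?suspended|suspension)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(bank account details|mygov (login|credentials|password))\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def _host_is_legitimate(host: str) -> bool:
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def _body_text(msg: EmailMessage) -> str:
    """Concatenate the non-attachment text parts of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            parts.append(part.get_content())
    return "\n".join(parts)


def screen_email(raw: str) -> list[str]:
    """Return the names of the indicators triggered by the message (empty = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    text = _body_text(msg)

    # Display name says ATO but the actual sender domain is unrelated.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if CLAIMS_ATO.search(display) and not _host_is_legitimate(sender_domain):
        flags.append("sender-claims-ato-from-unrelated-domain")

    # Any link that does not point at the allowlisted domains.
    for link in URL.findall(text):
        host = urlparse(link).hostname or ""
        if not _host_is_legitimate(host):
            flags.append("link-outside-legitimate-ato-domains")
            break

    if PAYMENT_DEMAND.search(text):
        flags.append("payment-demand-by-gift-card-or-crypto")
    if THREAT.search(text):
        flags.append("threat-of-arrest-legal-action-or-suspension")
    if CREDENTIAL_ASK.search(text):
        flags.append("asks-for-bank-details-or-mygov-credentials")

    # Attachment whose type requires enabling macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            flags.append("macro-enabled-attachment")
            break
    return flags


def build_sample_phish() -> str:
    """Constructed example of an ATO-themed phishing email (not a real message)."""
    m = EmailMessage()
    m["From"] = "Australian Taxation Office <notices@ato-refund-portal.example>"
    m["To"] = "finance@example-firm.example"
    m["Subject"] = "URGENT: Outstanding tax debt - legal action pending"
    m.set_content("Your tax debt must be paid today via gift cards to avoid arrest.\n"
                  "Confirm your bank account details at https://ato-refund-portal.example/verify\n")
    m.add_attachment(b"not a real document", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12", filename="Notice.docm")
    return m.as_string()


def build_sample_benign() -> str:
    """Constructed example of an ordinary internal reminder (not a real message)."""
    m = EmailMessage()
    m["From"] = "Jane Partner <jane@example-firm.example>"
    m["To"] = "finance@example-firm.example"
    m["Subject"] = "Lodgement timetable for June"
    m.set_content("Reminder that client lodgements are due by 30 June. Call me if anything is unclear.\n")
    return m.as_string()


if __name__ == "__main__":
    print("phish  :", screen_email(build_sample_phish()))
    print("benign :", screen_email(build_sample_benign()))
```

Each flag maps to one line of the list above, so a help desk can quote the matching indicator back to the staff member who forwarded the message. Keyword matching is deliberately crude; the sender-domain and link-domain checks carry most of the weight, because branding and wording are the parts an attacker copies well.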

If a Staff Member or Client Has Already Clicked

Acting quickly limits the damage.

1. Do not panic. Gather the facts before escalating.

2. Determine what was clicked and what information was entered. A link clicked with no credentials entered is a different risk profile to credentials being submitted.

3. If credentials were entered, treat those accounts as compromised immediately. Change passwords and revoke active sessions from a different, clean device.

4. Contact your security provider with the details. Preserve the email and any screenshots.

5. If client data may have been exposed, contact legal counsel to assess notification obligations.

6. Do not send a mass internal email about the incident using systems that may be affected.

Tax Time Scam Reporting

If you or your clients receive ATO impersonation emails, report them:

ATO: forward to reportemailfraud@ato.gov.au
ACCC Scamwatch: scamwatch.gov.au
ACSC ReportCyber: cyber.gov.au/report

The Broader Point

EOFY is a predictable risk period. The threats are not new and the defences are not complicated. The firms that come through this period without incident are the ones that brief their people, verify their controls, and treat the elevated risk as an operational reality to manage rather than a background concern to note and move on from.

A 15-minute briefing to your team before the peak period is one of the highest-return security investments you can make. Do it every year.