Accounting Software Security
by Jon Lober | NOC Technology
What Your QuickBooks, Sage, and Xero Setup Is Missing
Accounting software holds a concentrated mix of sensitive data: Social Security numbers, bank account details, client financial records, payroll history, and vendor payment information. Platforms like QuickBooks, Sage, and Xero ship with solid built-in security features. The catch is that those features only protect you when they're configured correctly, and in many firms they aren't.
Many accounting firms and small businesses across the St. Louis area assume that cloud-based accounting software is "secure by default." The platform itself may be well-protected at the infrastructure level, but how you access it, which devices you use, and who holds credentials create gaps that are exploited every day. Here's what to check, and how to close the gaps before they become a problem.
Why Accounting Software Is a High-Value Target
A single compromised QuickBooks account can expose years of payroll records, vendor bank routing numbers, client Social Security numbers, and enough financial data to enable fraudulent tax return filing at scale. Attackers know this well.
Security researchers at KnowBe4 documented a 36.5% spike in phishing attacks abusing QuickBooks' legitimate sending domain in early 2025. These are not generic spam: they are polished messages that impersonate Intuit directly, with pixel-perfect branding and realistic invoice notifications. Malwarebytes documented a separate campaign in which attackers bought Google Ads for misspelled QuickBooks variations and sent victims to credential-harvesting pages that looked identical to the real login screen.
The IRS has been alerting tax professionals for years that accounting firms are viewed as high-value targets. Many firms don't discover they've been compromised until months after the fact, often when clients call to ask about returns they didn't file.
The Security Features You're Probably Not Using
Modern accounting platforms include solid security capabilities. The problem is that most organizations either don't enable them or configure them poorly.
QuickBooks Online includes multi-factor authentication, user roles with granular permissions, audit logs, and encryption of stored data. Common gaps in practice are a single admin login shared among several staff, MFA switched off because it's inconvenient, and audit logs that nobody reviews. The shared credential is a single point of failure: when one person clicks a phishing link, everyone's data is exposed, and because every action in the audit log is attributed to the same account, you can't even tell afterward who did what.
Sage emphasizes its ISO 27001 certification and SOC 2 attestation for its cloud products, meaningful credentials that reflect third-party audits of Sage's own controls. Sage 50 has also added AI-powered fraud detection and stronger protection against automated credential attacks in recent updates. But these features require proper setup on your side, and the vendor's certification doesn't protect a practice still logging in with weak passwords and no MFA.
Xero and FreshBooks both encrypt data in transit with TLS (marketed as 256-bit SSL encryption), offer two-factor authentication, and hold various compliance certifications; Xero, for example, is certified at PCI DSS Level 1. Those are vendor-side controls. The protection is only as strong as the configuration and the behavior of the people using it.
Multi-Factor Authentication: No Longer Optional
The amended FTC Safeguards Rule (16 CFR 314.4(c)(5)) requires multi-factor authentication for any individual accessing any information system that holds customer information, unless the firm's designated Qualified Individual has approved an equivalent or stronger access control in writing. For accounting firms and tax preparers, that means every employee or contractor who touches your accounting software needs to authenticate with more than a password. A username and password alone no longer meets the legal standard.
MFA requires two or more verification factors: something you know (a password), something you have (a phone or hardware token), or something you are (biometrics). Enabling MFA on QuickBooks, Sage, and Xero is straightforward; each platform supports authenticator apps such as Google Authenticator, Microsoft Authenticator, and Duo. The harder part is getting everyone to use it consistently and not share verification codes through messaging tools. Keep in mind that a six-digit code is still phishable: the credential-harvesting pages described above can ask for the code as well and relay it to the real login in real time. Never enter a code or approve a push prompt for a login you didn't start yourself, and use phishing-resistant options such as FIDO2 security keys or passkeys wherever a platform supports them.
Missouri CPA practices and bookkeeping firms operating without MFA on every system touching client data are out of compliance with the FTC Safeguards Rule, regardless of size.
Desktop vs. Cloud: The Security Question That Matters
Many accounting firms still run QuickBooks Desktop or Sage 50 installed locally rather than using cloud versions. This creates a different set of security considerations worth understanding.
Cloud platforms benefit from automatic updates, vendor-managed security patching, and professional data center protections. Desktop software puts the security burden on your own infrastructure.
A specific issue with QuickBooks Desktop is that when an administrator runs a database repair after a crash, the file-share permissions on the company-file folder can reset, making the database accessible to everyone on the network. This is inherent to how the repair process works, not a patchable bug. Every repair operation should therefore be followed by a permissions review of both the SMB share and the NTFS folder, restricting access to the accounts that actually need it.
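The permissions review described above, as an added example (this script is not from the article or from Intuit). It reports over-broad grants at both layers SMB consults, the share permissions and the NTFS ACL, and changes nothing. The folder path, share name, and the group QB-Users are hypothetical placeholders; the allow-list and the "broad" principals are assumptions you adjust to your own environment.

```powershell
# Added example (not from the article or from Intuit): report over-broad share and
# NTFS grants on the folder that holds QuickBooks Desktop company files, to run
# after every database repair. Read-only; it changes nothing.
# Assumptions (hypothetical names, adjust to your environment):
#   - company files live in D:\QBData, published as the SMB share "QBData"
#   - only SYSTEM, local Administrators and the domain group QB-Users should have access
# Run in an elevated PowerShell session on the file server.
param(
    [string]$Path      = 'D:\QBData',
    [string]$ShareName = 'QBData',
    [string[]]$AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:USERDOMAIN\QB-Users")
)

# Any grant to one of these is a finding on its own: they mean "everyone on the network".
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', "$env:USERDOMAIN\Domain Users")

$findings = @()

# 1. Share-level permissions: the first gate SMB applies, and the layer a repair tends to reset.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
        $who = $entry.AccountName
        if ($entry.AccessControlType -eq 'Allow' -and
            ($BroadPrincipals -contains $who -or $AllowedPrincipals -notcontains $who)) {
            $findings += [pscustomobject]@{
                Layer = 'Share'; Principal = $who; Rights = $entry.AccessRight; Path = "\\$env:COMPUTERNAME\$ShareName"
            }
        }
    }
} else {
    Write-Warning "Share '$ShareName' was not found on this host."
}

# 2. NTFS inheritance: if the folder inherits, it gets whatever the parent or drive root grants
#    (on many servers that is Users:Read and Authenticated Users:Modify).
$folderAcl = Get-Acl -LiteralPath $Path
if (-not $folderAcl.AreAccessRulesProtected) {
    Write-Warning "Inheritance is enabled on $Path; it picks up grants from the parent folder."
}

# 3. NTFS ACEs on the folder and on the company-file set (.qbw data, .tlg transaction log, .nd network descriptor).
$targets = @(Get-Item -LiteralPath $Path) +
           @(Get-ChildItem -LiteralPath $Path -Recurse -File | Where-Object { $_.Extension -in '.qbw', '.tlg', '.nd' })
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write

foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        $canWrite = (($ace.FileSystemRights -band $writeMask) -ne 0)
        # Broad principals are flagged for any access; anyone else off the allow-list is flagged if they can write.
        if ($BroadPrincipals -contains $who -or ($AllowedPrincipals -notcontains $who -and $canWrite)) {
            $findings += [pscustomobject]@{
                Layer = 'NTFS'; Principal = $who; Rights = $ace.FileSystemRights; Path = $item.FullName
            }
        }
    }
}

if ($findings.Count -eq 0) {
    "No over-broad grants found on \\$env:COMPUTERNAME\$ShareName or under $Path."
} else {
    Write-Warning "$($findings.Count) over-broad grant(s) found; fix these before users reconnect:"
    $findings | Format-Table -AutoSize
}
```

Save it as a .ps1 and run it as part of the post-repair checklist. Remediation is left deliberately manual (Revoke-SmbShareAccess / Grant-SmbShareAccess for the share, icacls or Set-Acl for NTFS) so that nobody strips a grant the QuickBooks Database Server Manager service account actually needs; confirm that account is on your allow-list before tightening.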
Desktop installations also require deliberate backup infrastructure. Your accounting data lives on a server or workstation in your office. If that machine is compromised by ransomware, hit with hardware failure, or stolen, your recovery depends entirely on whether you have current, tested, encrypted offsite backups. Cloud platforms handle this automatically, though you should still maintain your own data exports.
For firms using hosted QuickBooks Desktop, where a provider runs the software on its own cloud infrastructure, you gain some of the cloud benefits but still need to vet the host. A current SOC 2 Type II report (a third-party attestation, not a certificate) and documented, tested disaster recovery procedures are baseline requirements for any hosting provider handling financial data.
Access Control That Actually Works
One of the most common security gaps in local accounting practices is defaulting to broad access permissions because it's easier. Your accounting software supports detailed user roles and permissions—so use them!
QuickBooks Online lets you assign specific roles: standard user, reports-only, time tracking only, and various levels of administrator access. Your bookkeeper doesn't need the same permissions as your managing partner. The person who runs payroll doesn't need the ability to edit the chart of accounts. Limiting permissions doesn't mean you don't trust your staff; it limits the damage when one account is compromised, and it only works if every person has their own account rather than a shared login.
Apply the same principle to third-party app connections. Modern accounting software integrates with payment processors, CRM systems, expense management tools, and dozens of other applications. Each connection is a potential entry point, and a connected app typically keeps its access until someone revokes it. Audit which apps have access to your accounting data regularly, revoke unused connections, and make sure each integration authenticates with OAuth or an equivalent delegated mechanism rather than a stored staff username and password.
Phishing: The Threat That Keeps Evolving
Tax season brings particular risk for accounting firms. AI tools now help attackers craft convincing messages with perfect grammar, personalized context, and details scraped from public sources. The QBO phishing campaigns documented in 2025 used legitimate-looking Intuit invoice notifications that directed users to credential-harvesting pages. Other victims clicked what appeared to be Google-sponsored links for QuickBooks and typed their credentials straight into pages run by criminals.
Employee training matters, but it needs to be specific and regularly updated. Train your team on concrete behaviors: checking the actual sender domain (intuit.com versus intuit-billing.com), reaching the login page through a bookmark or by typing the address rather than clicking email links, and hovering over links to read the real destination before clicking. Note that the campaigns abusing Intuit's legitimate sending domain will pass the sender check, which is why the bookmark habit matters most. Run phishing simulations periodically to identify who needs additional coaching.
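The sender-domain and link checks above, applied precisely, as an added example (not code from the article or from any vendor). It compares the real host name against an allow-list instead of scanning for the word "intuit", which is what separates app.qbo.intuit.com from intuit-billing.com or intuit.com.secure-invoice-review.net. The allow-list is an assumption to confirm against your own message headers and the vendor's documentation; the sample messages, including the phishing domains, are constructed for the example.

```powershell
# Added example (not from the article or from any vendor): classify the sender domain
# and link hosts of a message against an allow-list, the way the training advice above
# says staff should. Sample messages and phishing domains below are constructed.

# Domains we expect genuine QuickBooks mail and links to use (assumed allow-list).
$TrustedDomains = @('intuit.com', 'quickbooks.com')

function Test-TrustedHost {
    param([string]$HostName, [string[]]$Trusted = $TrustedDomains)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($d in $Trusted) {
        # Exact match or a real subdomain: "app.qbo.intuit.com" ends with ".intuit.com".
        # "intuit.com.evil.net" and "intuit-billing.com" do not, which is the whole point.
        if ($h -eq $d -or $h.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Get-HostFromAddress {
    param([string]$Address)
    # MailAddress understands display names, so '"Intuit" <x@y>' yields y, not the display name.
    return ([System.Net.Mail.MailAddress]$Address).Host
}

function Test-LookalikeHost {
    param([string]$HostName, [string[]]$Trusted = $TrustedDomains)
    # An untrusted host that still carries the brand name is a lookalike
    # (intuit-billing.com, intuit.com.secure-login.net, quickbooks-verify.com).
    $h = $HostName.ToLowerInvariant()
    foreach ($d in $Trusted) {
        $brand = $d.Split('.')[0]
        if ($h -like "*$brand*") { return $true }
    }
    return $false
}

function Test-Message {
    param([string]$From, [string[]]$Links)
    $findings = @()
    $senderHost = Get-HostFromAddress $From
    if (-not (Test-TrustedHost $senderHost)) {
        $kind = if (Test-LookalikeHost $senderHost) { 'lookalike sender domain' } else { 'untrusted sender domain' }
        $findings += "${kind}: $senderHost"
    }
    foreach ($link in $Links) {
        $uri = [System.Uri]$link
        if (-not (Test-TrustedHost $uri.Host)) {
            $kind = if (Test-LookalikeHost $uri.Host) { 'lookalike link host' } else { 'untrusted link host' }
            $findings += "${kind}: $($uri.Host)"
        }
    }
    return $findings
}

# Constructed samples: one genuine, two lookalikes, and the hard case from the
# campaigns above, where the sender domain is real and only the link gives it away.
$samples = @(
    @{ Name = 'Genuine notification'; From = '"QuickBooks" <quickbooks@notification.intuit.com>'; Links = @('https://app.qbo.intuit.com/app/invoice') },
    @{ Name = 'Lookalike domain';     From = 'billing@intuit-billing.com';                         Links = @('https://intuit-billing.com/login') },
    @{ Name = 'Subdomain trick';      From = '"Intuit" <no-reply@intuit.com.secure-invoice-review.net>'; Links = @('https://intuit.com.secure-invoice-review.net/signin') },
    @{ Name = 'Real sender, bad link'; From = 'quickbooks@notification.intuit.com';                Links = @('https://qb-invoice-portal.example/pay') }
)
foreach ($s in $samples) {
    $f = @(Test-Message -From $s.From -Links $s.Links)
    $verdict = if ($f.Count -eq 0) { 'OK' } else { 'SUSPICIOUS' }
    Write-Output ("{0,-10} {1}" -f $verdict, $s.Name)
    $f | ForEach-Object { Write-Output "           - $_" }
}
```

Two limits worth knowing before you turn this into a mail-flow rule: the suffix match is deliberately simple and does not consult the public-suffix list, and an internationalized lookalike (a Cyrillic or dotless-i "intuit") will not contain the ASCII brand string; inspect `$uri.IdnHost` and treat any `xn--` label on a login link as suspicious.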
What Your IT Infrastructure Should Be Doing
Securing your accounting software isn't only about settings inside the platform. The environment around it matters just as much.
Endpoint protection on every device that accesses accounting software is required. If a team member's laptop is infected with a keylogger or infostealer, MFA on QuickBooks doesn't help; the attacker captures credentials and verification codes together, or simply steals the authenticated session cookie and skips the login entirely. Endpoint security needs to be current, centrally managed, and monitored, and the devices themselves need to be patched promptly.
Network security matters for firms with on-premises servers or hybrid setups. Firewalls should restrict access to sensitive systems. Remote access should go through a VPN or a zero-trust access solution, never Remote Desktop exposed directly to the internet; where RDP is used internally, require Network Level Authentication and limit the inbound rules to internal or VPN address ranges. DNS filtering can block known malicious domains before anyone has a chance to click.
Backup infrastructure should follow the 3-2-1 rule: three copies of data, on two different media types, with one copy offsite, and at least one of those copies should be offline or immutable so that ransomware with access to the server cannot encrypt the backups too. For accounting software, that means regular data exports (not just the platform's internal backups), encrypted storage, and tested restore procedures. When ransomware hits, the question should be whether your backups are clean and accessible, not whether to pay the ransom.
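A host-side check for the exposed-RDP anti-pattern from the network paragraph above, as an added example (not from the article). It reports whether Remote Desktop is enabled, whether Network Level Authentication is required, whether TCP 3389 is listening, and whether any enabled inbound allow rule in the Remote Desktop group accepts any remote address on the Public (or Any) profile. It reads registry values and firewall rules only; it cannot see your edge router or NAT, so pair it with an external scan of your public IP. The registry keys and cmdlets are standard Windows ones; the verdict thresholds are this example's own assumptions.

```powershell
# Added example (not from the article): report how Remote Desktop is exposed on this host.
# Read-only. Run in an elevated PowerShell session on each server and workstation.

function Get-RdpExposure {
    $r = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. Is Remote Desktop enabled? fDenyTSConnections 0 = connections allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    $r.RdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # 2. Is NLA required? UserAuthentication 1 = credentials are verified before a session is
    #    built, so unauthenticated clients never reach the login screen.
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
    $r.NlaRequired = ($nla.UserAuthentication -eq 1)

    # 3. Is anything listening on TCP 3389?
    $r.Listening3389 = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    # 4. Enabled inbound allow rules for Remote Desktop, with their remote-address scope and profile.
    #    "Any" remote address on the Public or Any profile is the configuration that, behind a
    #    port-forward, becomes "RDP on the internet".
    $wide = @()
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $prof   = [string]$rule.Profile     # e.g. "Domain, Private", "Public", or "Any"
        if (($remote -contains 'Any') -and ($prof -match 'Public|Any')) {
            $wide += [pscustomobject]@{ Rule = $rule.DisplayName; Profile = $prof; RemoteAddress = ($remote -join ',') }
        }
    }
    $r.WideOpenRules = $wide

    # Verdict thresholds are this example's assumptions, not a vendor baseline.
    $r.Verdict = if (-not $r.RdpEnabled -and -not $r.Listening3389) {
        'RDP disabled'
    } elseif ($wide.Count -gt 0 -or -not $r.NlaRequired) {
        'REVIEW: scope RDP rules to internal/VPN ranges and require NLA; reach hosts through VPN or a zero-trust broker'
    } else {
        'RDP enabled with restricted scope on this host; verify the edge/NAT separately'
    }
    return [pscustomobject]$r
}

$report = Get-RdpExposure
$report | Format-List
$report.WideOpenRules | Format-Table -AutoSize
```

If the report flags wide-open rules, the fix is to scope them rather than delete them, for example `Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Profile Domain,Private -RemoteAddress '10.8.0.0/24'` with your own VPN subnet in place of that hypothetical one, and then to remove the port-forward on the edge device.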
Where to Start
Most accounting software security gaps are fixable without major investments. Enable MFA everywhere — this week, not eventually. Audit user permissions and remove unnecessary access. Review third-party app connections and revoke any that are no longer in active use. Confirm that every device accessing client financial data has current endpoint protection.
If you run a Missouri accounting practice and aren't sure where your gaps are, the conversation typically starts with a straightforward assessment: what software you use, how people access it, where data lives, and what happens if something goes wrong. That gives you a clear roadmap for closing gaps in a logical order.
NOC Technology works with CPA firms and accounting practices across the St. Louis region. We publish our pricing transparently, so you can review it before calling us.