“Your Accountant Made a Mistake” Scam: The Fake Tax Correction Trap
Written by: Thomas Orsolya
Published on:
It starts with a message that feels routine, almost boring.
“Your accountant made a mistake.”
Maybe it says a tax calculation was wrong. Maybe a payment was missed. Maybe your filing needs a quick correction to avoid penalties. The tone is calm, professional, and oddly familiar, like the kind of note you would expect to get during tax season or at the end of a quarter.
That is exactly why it works.
This scam is built around a simple idea: if a message sounds like it is coming from the person who already handles your finances, you are far more likely to act quickly, share sensitive information, or approve a payment without slowing down to verify.
And once the scammer has that one moment of trust, they can turn it into money.
Scam Overview
The “Your Accountant Made a Mistake” scam is a social engineering and business email compromise style operation where criminals impersonate an accountant, a bookkeeping firm, a tax preparer, or even a tax authority. Their goal is typically one of two things:
Redirect a payment by supplying “updated” bank details or a “corrected” invoice.
Steal sensitive financial information by pushing you to click a link, open a file, or fill out a form.
In many cases, the message is designed to feel like a correction to an existing, legitimate process. That design choice is not accidental. Corrections are common in accounting, and most businesses have experienced last-minute clarifications, revised invoices, updated tax forms, or changed payment instructions.
Scammers exploit that normalcy.
Why this scam feels so convincing
This is not the type of scam that relies on obvious typos or cartoonish threats. The best versions are clean, well-written, and plausible. They often include:
Your name and job title
Your company’s name, address, or website
Correct vendor names or real staff names
Real invoice numbers, payment amounts, or deadlines
A signature block that looks like a real accountant’s email signature
References to real-world events like “quarterly filing,” “VAT,” “W-2,” “1099,” “payroll,” or “audit”
In other words, it can look and read like a message you should take seriously.
Common angles used in the message
Scammers rotate through several storylines depending on who they are targeting (individual taxpayers, small businesses, finance departments, or executives). Common versions include claims such as:
A tax calculation was wrong
A payment was missed, or a filing was incorrect
A “corrected” invoice or updated bank details need to be used
Penalties or audits may follow if action is not taken quickly
The message is “from your accountant” or from a tax authority “on their behalf”
Sometimes it is framed as a helpful fix:
“I noticed an error before submission, please confirm these details.”
“We need your approval so we can correct the filing today.”
“Here is the revised invoice with correct remittance details.”
Sometimes it is framed as urgent risk:
“If we do not act today, penalties may apply.”
“This needs confirmation immediately to avoid an audit trigger.”
“This correction must be submitted within 24 hours.”
The urgency is the lever. The goal is to compress your decision-making window so you do not verify.
Where the scam shows up
Most people encounter this scam via email, but criminals increasingly use multiple channels to raise credibility or apply pressure:
Email (most common)
Text message (especially for executives, owners, and contractors)
Phone calls (as a follow-up to the email)
Messaging apps (in organizations that use WhatsApp, Teams, or similar tools)
A scammer may send an email and then call 30 minutes later pretending to “follow up” to ensure it is handled.
What the scammer wants
Even though the message looks like a simple correction, the underlying objective is usually one of these:
1) Payment redirection (invoice fraud)
This is the classic business version. The scammer wants you to send money to their bank account by changing payment instructions.
The message may include:
A revised invoice
New bank routing details
A request to update payment details “for future invoices”
A reason for the change (bank merger, audit, account closure, new payment processor)
Sometimes they will claim the invoice amount stays the same, only the bank information changed. That makes it feel less suspicious. The invoice looks real. The request looks routine. The result is catastrophic.
2) Credential theft and account takeover
The scammer wants access to email, payroll, accounting software, or banking portals. They do this by:
Sending a link to a fake sign-in page
Attaching a file that prompts you to “log in” or “enable editing”
Asking you to fill out a form with sensitive details
Once they steal credentials, they may:
Access past invoices and email threads
Send more convincing messages from your actual account
Change real vendor bank details inside your accounting system
Attempt payroll diversions or tax refund theft
3) Data harvesting for later fraud
Sometimes the first message is not the final strike. It is reconnaissance. If you reply, the scammer learns:
Which addresses are active
Who processes payments
Your internal workflow
How quickly your team responds
Which vendor names you use
Which accounting platform you use
That information helps them craft a later, far more damaging attack.
How scammers get the “real” details
A question many victims ask is, “How did they know our accountant’s name or our vendor relationships?”
In practice, scammers gather details from a mix of sources:
Public websites (company pages, staff pages, contact forms)
Social media (LinkedIn job titles and responsibilities)
Data broker leaks and past breaches
Previously compromised email accounts
Vendor compromise (a vendor’s email gets hacked and used to contact clients)
Spoofing and lookalike domains that mimic a real firm’s address
In higher-end cases, scammers do not guess. They read. They already have access to someone’s mailbox and are watching legitimate conversations. That is why the scam can include perfect context.
Red flags that often appear in this scam
Even very polished versions tend to have subtle tells. Here are common warning signs you can train yourself and your team to spot:
The sender’s email address is slightly off (a missing letter, extra word, or different domain)
The reply-to address differs from the from address
The message pushes urgency and discourages verification
Payment instructions changed unexpectedly
The message asks you to bypass normal approval steps
The link goes to a non-standard domain or a generic file host
The attachment name is vague or mismatched (for example “InvoiceCorrection.pdf” without a known invoice number)
The message is unusually short for a real accountant-client correction
The tone is too generic or does not match the accountant’s typical style
The request involves sensitive data that should never be emailed (bank login, full SSN, passwords)
A single red flag does not always prove it is a scam, but any payment change request should trigger a verification step every time.
Why this scam is so dangerous for businesses and individuals
The damage from this scam can be severe because it hits two high-trust areas at once: money and authority.
For businesses, the consequences can include:
Direct financial loss from wire transfers or ACH payments
Compromised payroll systems and employee data exposure
Ongoing fraud as scammers reuse stolen information
Legal and compliance issues, depending on what data was exposed
Operational disruption during incident response
For individuals, it can involve:
Tax identity theft
Stolen tax refunds
Compromised banking access
Credit fraud using harvested personal details
The scam also has a psychological advantage: people feel embarrassed because the message looks so reasonable. That embarrassment can delay reporting, which gives the scammer more time.
If there is one takeaway from the overview, it is this:
This scam succeeds when people treat a “correction” as routine instead of treating it as a high-risk financial change.
How The Scam Works
Below is a detailed, step-by-step breakdown of how the “Your Accountant Made a Mistake” scam is typically executed, from setup to theft. Not every case includes every step, but most follow this general pattern.
Step 1: Target selection and research
The scammer identifies a person or organization likely to handle payments or tax-related decisions.
Common targets include:
Business owners
CFOs, controllers, bookkeepers
Accounts payable staff
HR and payroll administrators
Contractors and freelancers
Individuals during tax season
Then they gather basic information such as:
Names, roles, and email formats
Company vendors and payment timelines
Names of accounting firms or tax preparers
Current filing periods or upcoming deadlines
Even minimal public information can be enough to craft a believable first message.
Step 2: Impersonation setup
The scammer sets up the “identity” they will use to contact you.
This typically looks like one of the following:
Lookalike domain impersonation
They register a domain that looks close to the real one, such as:
Using .net instead of .com
Swapping letters (like “rn” for “m”)
Adding a word like “support” or “services”
To a busy reader, it looks legitimate.
Display name spoofing
The email might show the accountant’s real name as the display name, even if the underlying email address is not theirs. Many people read the display name and stop there.
Compromised real email account
In more advanced cases, the scammer is sending from a real, compromised email account belonging to the accountant, the bookkeeping firm, or a vendor. This is the hardest to detect because the address is correct and email threading may look normal.
Step 3: The initial message lands
The scam message arrives and tries to create immediate credibility.
It often includes:
A calm, professional tone
A “mistake” explanation that sounds plausible
A quick action request
A file or link that looks like routine documentation
It may say something like:
“I found an error in the tax calculation and need your confirmation.”
“Please use the corrected invoice attached.”
“We need to update bank details for the next payment run.”
“This needs approval today to avoid penalties.”
The scammer is setting the stage for either a payment change or a credential grab.
Step 4: Urgency and authority get layered in
Once you engage, the scammer leans on two psychological pressures:
Authority: accountants and tax authorities are perceived as experts. People defer.
Urgency: the threat of penalties, audits, or missed deadlines creates anxiety.
They may add:
A looming deadline
A mention of an audit risk
A warning about penalties or interest
A claim that “submission is scheduled for today”
The goal is to keep you moving.
Step 5A: Payment redirection path
If the scammer’s objective is money, the next step is to get you to send funds to a new account.
This often happens in one of these ways:
“Corrected invoice” with new remittance details
You receive a PDF invoice that looks real. The amount is plausible. The vendor name is correct. But the bank details are the scammer’s.
If you pay it, the money is gone.
“Updated bank details” for a known vendor
The scammer claims a vendor updated their bank information and wants you to update it in your system.
If you update it, then the next legitimate payment goes to the scammer.
“Deposit” or “penalty prevention” payment
The scammer invents a payment that feels like damage control:
A deposit to avoid a penalty
A fee to correct a filing
A late charge that must be paid immediately
This can be especially effective against individuals, who may not know typical tax workflows.
Step 5B: Credential theft path
If the scammer’s objective is account access, they will push you toward a link, portal, or form.
Common lures include:
Fake “secure portal” login
They claim your accountant needs you to log in to review the correction. The link goes to a fake sign-in page designed to steal your credentials.
Fake document signature request
They ask you to “review and sign” a corrected filing. The signature platform is fake or the file leads to a credential prompt.
Malicious attachment
The attachment may be designed to:
Harvest credentials
Install malware
Trick you into enabling macros or editing
Once they have credentials, the scam often escalates quickly.
Step 6: Escalation after access
If the scammer gets into an inbox or platform, they may:
Search for invoices, payment schedules, and vendor details
Forward rules to hide future messages
Insert themselves into real conversations
Send messages from your account to others
Change vendor bank details in accounting software
Request payroll changes or employee data
This is where a simple “accountant mistake” message turns into a full-scale compromise.
Step 7: Cover and persistence
Scammers often try to delay detection.
They may:
Ask you not to call due to “being in meetings”
Push email-only communication
Use plausible explanations for delays
Send follow-ups that sound like normal accounting workflows
If money was sent, they may ask for additional payments, claiming the correction was only partial.
Step 8: The victim discovers the problem
Victims usually discover the fraud when:
A vendor reports they never received payment
A bank flags unusual transfers
A user cannot log into an account
An accountant says they never sent that message
Payroll or tax accounts show changes
By then, the scammer may already have moved on, and recovery becomes a race against time.
Example Scam Messages
These examples are intentionally sanitized and use placeholders like [Company Name] and [link]. Real scams often look similar, but may include your actual details.
Use these to train your eye for patterns, not to “compare word-for-word.”
Example 1: “Corrected invoice” email
Subject: Correction needed: invoice for [Month]
Hi [Name], I spotted a mistake in the tax calculation tied to your last invoice.
Please use the corrected invoice attached and arrange payment today to avoid penalties. Let me know once it is done so I can finalize the filing.
Thanks, [Accountant Name][Accounting Firm]
Red flags to notice
Sudden urgency tied to “penalties”
“Pay today” pressure
Attachment you were not expecting
No clear reference to a prior agreed workflow
What to do instead Call your accountant using a known number and confirm whether a corrected invoice is real.
Example 2: “Updated bank details” email
Subject: Important: updated remittance details
Hello [Name], We need to update our bank information for future payments. Please see the updated details below and confirm once your records are updated.
New bank: [Bank Name]Account: [Account Number]Routing: [Routing]
This change is effective immediately. Please do not use the previous account.
Regards, [Accountant Name]
Red flags to notice
Bank details changed “effective immediately”
Requests that you update records without verification
“Do not use the previous account” pressure
What to do instead Verify via phone with a trusted contact and confirm using a second channel.
Example 3: “Missed filing” pressure email
Subject: Action required today: filing issue
Hi [Name], There was an error in your filing and we need to correct it today. If we miss the submission window, you may be flagged for review.
Please confirm the following details:
Full legal name
Address
Tax ID
Bank used for payments
Reply ASAP so I can proceed.
Thanks, [Accountant Name]
Red flags to notice
Requests for sensitive identifiers by email
Threat language like “flagged for review”
“Reply ASAP” pressure
What to do instead Do not email sensitive IDs. Verify with your accountant and use a known secure method.
Example 4: “Secure portal” credential phishing
Subject: Please review the correction in portal
Hi [Name], I uploaded the corrected documents to our secure portal. Please log in and approve so we can finalize.
Access here: [link]
Thank you, [Accountant Name]
Red flags to notice
Unfamiliar portal link
“Approve” language tied to urgency
You are pushed to click instead of navigating normally
What to do instead Type the portal address manually or use a bookmarked link you already trust.
Example 5: “CEO-style” payment authorization request (common in businesses)
Subject: Quick confirmation needed
Hi [Name], We need to correct the invoice payment. Please process $4,850 to the updated account today. This is time-sensitive.
Send confirmation once completed.
[Name]
Red flags to notice
A sudden request for a specific $ amount
No invoice context, no purchase order reference
Push to bypass normal approvals
What to do instead Stop and verify internally. Confirm using your standard approval workflow.
Example 6: Text message version
Hi [Name], this is [Accountant Name]. Your filing has an error and we need confirmation now. Please open [link] and verify details to avoid penalties.
Red flags to notice
Accountant contact via text if that is not your normal channel
Link plus urgency
“Avoid penalties” pressure
What to do instead Do not open the link. Call your accountant using the number you already have.
Example 7: Text message with payment change
Payment details changed for your next invoice. Please send $2,190 to the new bank today. I emailed the corrected invoice.
Red flags to notice
Payment request via text
“New bank today” urgency
Attempts to move you fast
What to do instead Freeze the payment and verify through a known channel.
Example 8: Phone voicemail script (follow-up pressure)
Hi, this is [Accountant Name]. Please call me back urgently about a mistake in your tax filing. We have a short window to fix it today. If you cannot reach me, respond to the email I sent and confirm the updated details.
Red flags to notice
“Short window today” urgency
Directs you back to email instead of a trusted workflow
No verifiable reference details
What to do instead Call back using a known number from your records, not the voicemail callback number.
What To Do If You Have Fallen Victim to This Scam
If you think you clicked, replied, shared information, or sent money, the priority is speed and containment. The steps below are designed to be practical and calming, even if you are dealing with a stressful situation.
1) Stop all payments connected to the request immediately
Pause the payment run if you are in the middle of processing it
Do not send additional funds “to fix it”
Do not continue emailing the suspected scammer
If you paid by wire or ACH, time matters. The sooner you act, the higher the chance of stopping or recalling the transfer.
2) Contact your bank or payment provider right away
Tell them you believe you were targeted by invoice fraud or payment redirection.
Ask about:
Wire recall or reversal options
Freezing or flagging the recipient
Filing a fraud report internally
Monitoring your account for additional unauthorized activity
If you have the transaction reference number, provide it. If you do not, provide date, amount, and recipient details.
3) Verify with your real accountant using a trusted method
Do not reply to the suspicious email to “check.”
Instead:
Call the accountant using a phone number you already have on file
Use a known portal login (typed manually, not from the email link)
Ask if they sent the message and whether any correction is actually needed
If they did not send it, ask if they have seen similar scams targeting other clients.
4) Assume credentials may be compromised if you clicked a link or logged in
If you entered credentials on a page you reached from the message, treat that account as compromised.
Immediately:
Change the password for that account
Change passwords for any accounts using the same or similar password
Enable two-factor authentication (2FA) where available
Log out all active sessions if the platform allows it
Prioritize:
Email accounts
Accounting platforms
Payroll systems
Banking portals
Cloud storage that may contain financial records
5) Check for mailbox rules and forwarding settings
If a business email account might be compromised, scammers often set rules that hide their activity.
Look for:
Auto-forwarding to unknown addresses
Rules that archive or delete messages containing words like “invoice,” “payment,” “wire,” “bank”
Filters that route finance emails into obscure folders
Remove suspicious rules immediately.
6) Alert internal stakeholders and lock down approval workflows
If you are in a business setting, notify the right people quickly:
Accounts payable
Finance leadership
IT or security team
Payroll administrators
Then tighten controls temporarily:
Require verbal verification for any bank detail changes
Require dual approval for transfers above a threshold (for example $1,000 or $5,000 depending on your business)
Implement a vendor change confirmation process
The goal is to prevent a second strike while you investigate.
7) Notify the affected vendor if payment was redirected
If you paid a “corrected invoice” or changed remittance details for a vendor, contact the real vendor using a known number.
Tell them you suspect payment redirection fraud
Ask for the correct bank details through an established method
Ask whether their email was compromised
If their email account is compromised, other clients may be targeted too.
8) Preserve evidence
Even if you feel embarrassed, documentation matters.
Save:
The original email or text message
Full email headers if possible
Attachments and links (do not click them again)
Transaction details, receipts, and bank confirmations
Screenshots of the phishing page if you have them
This evidence helps banks, internal teams, and investigators.
9) Report the incident
Reporting helps create a paper trail and may assist in recovery.
Depending on your location and situation, consider:
Reporting to your national cybercrime reporting channel
Filing a report with local law enforcement if money was lost
Reporting the phishing email to your email provider
If the scam impersonated a tax authority, report it through that authority’s scam reporting mechanism
Even if recovery is uncertain, reporting can help prevent further harm.
10) Monitor for follow-up attacks
After you respond once, scammers may try again with new angles.
Watch for:
“Second chance” recovery scams claiming they can get your money back
New messages pretending to be your bank or accountant
Requests for additional verification or “urgent confirmations”
Attempts to reset passwords on your accounts
If you were targeted successfully, you may be placed on a list of “responsive” contacts.
11) Consider a professional security review if this occurred in a business
If money was lost or credentials were entered, a quick internal review may not be enough.
A focused review can include:
Checking endpoint security logs
Verifying no malware was installed
Auditing accounting software vendor changes
Reviewing all finance-related mailbox access
Confirming backups and recovery plans
The goal is to ensure the incident is contained, not just patched.
Is Your Device Infected? Scan for Malware
If your computer or phone is slow, showing unwanted pop-ups, or acting strangely, malware could be the cause. Running a scan with Malwarebytes Anti-Malware Free is one of the most reliable ways to detect and remove harmful software. The free version can identify and clean common infections such as adware, browser hijackers, trojans, and other unwanted programs.
Malwarebytes works on Windows, Mac, and Android devices. Choose your operating system below and follow the steps to scan your device and remove any malware that might be slowing it down.
Malwarebytes for WindowsMalwarebytes for MacMalwarebytes for Android
Run a Malware Scan with Malwarebytes for Windows
Malwarebytes stands out as one of the leading and widely-used anti-malware solutions for Windows, and for good reason. It effectively eradicates various types of malware that other programs often overlook, all at no cost to you. When it comes to disinfecting an infected device, Malwarebytes has consistently been a free and indispensable tool in the battle against malware. We highly recommend it for maintaining a clean and secure system.
Download Malwarebytes
Download the latest version of Malwarebytes for Windows using the official link below. Malwarebytes will scan your computer and remove adware, browser hijackers, and other malicious software for free.
(The above link will open a new page from where you can download Malwarebytes)
Install Malwarebytes
After the download is complete, locate the MBSetup file, typically found in your Downloads folder. Double-click on the MBSetup file to begin the installation of Malwarebytes on your computer. If a User Account Control pop-up appears, click “Yes” to continue the Malwarebytes installation.
Follow the On-Screen Prompts to Install Malwarebytes
When the Malwarebytes installation begins, the setup wizard will guide you through the process.
You’ll first be prompted to choose the type of computer you’re installing the program on—select either “Personal Computer” or “Work Computer” as appropriate, then click on Next.
Malwarebytes will now begin the installation process on your device.
When the Malwarebytes installation is complete, the program will automatically open to the “Welcome to Malwarebytes” screen.
On the final screen, simply click on the Open Malwarebytes option to start the program.
Enable “Rootkit scanning”.
Malwarebytes Anti-Malware will now start, and you will see the main screen as shown below. To maximize Malwarebytes’ ability to detect malware and unwanted programs, we need to enable rootkit scanning. Click on the “Settings” gear icon located on the left of the screen to access the general settings section.
In the settings menu, enable the “Scan for rootkits” option by clicking the toggle switch until it turns blue.
Now that you have enabled rootkit scanning, click on the “Dashboard” button in the left pane to get back to the main screen.
Perform a Scan with Malwarebytes.
To start a scan, click the Scan button. Malwarebytes will automatically update its antivirus database and begin scanning your computer for malicious programs.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now scan your computer for browser hijackers and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check the status of the scan to see when it is finished.
Quarantine detected malware
Once the Malwarebytes scan is complete, it will display a list of detected malware, adware, and potentially unwanted programs. To effectively remove these threats, click the “Quarantine” button.
Malwarebytes will now delete all of the files and registry keys and add them to the program’s quarantine.
Restart your computer.
When removing files, Malwarebytes may require a reboot to fully eliminate some threats. If you see a message indicating that a reboot is needed, please allow it. Once your computer has restarted and you are logged back in, you can continue with the remaining steps.
Once the scan completes, remove all detected threats. Your Windows computer should now be clean and running smoothly again, free of trojans, adware, and other malware.
If your current antivirus allowed this malicious program on your computer, you may want to consider purchasing Malwarebytes Premium to protect against these types of threats in the future. If you are still having problems with your computer after completing these instructions, then please follow one of the steps:
Malwarebytes for Mac is an on-demand scanner that can destroy many types of malware that other software tends to miss without costing you absolutely anything. When it comes to cleaning up an infected device, Malwarebytes has always been free, and we recommend it as an essential tool in the fight against malware.
Download Malwarebytes for Mac.
You can download Malwarebytes for Mac by clicking the link below.
When Malwarebytes has finished downloading, double-click on the setup file to install Malwarebytes on your computer. In most cases, downloaded files are saved to the Downloads folder.
Follow the on-screen prompts to install Malwarebytes.
When the Malwarebytes installation begins, you will see the Malwarebytes for Mac Installer which will guide you through the installation process. Click “Continue“, then keep following the prompts to continue with the installation process.
When your Malwarebytes installation completes, the program opens to the Welcome to Malwarebytes screen. Click the “Get started” button.
Select “Personal Computer” or “Work Computer”.
The Malwarebytes Welcome screen will first ask you what type of computer are you installing this program, click either Personal Computer or Work Computer.
Click on “Scan”.
To scan your computer with Malwarebytes, click on the “Scan” button. Malwarebytes for Mac will automatically update the antivirus database and start scanning your computer for malware.
Wait for the Malwarebytes scan to complete.
Malwarebytes will scan your computer for adware, browser hijackers, and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Quarantine”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes has detected. To remove the malware that Malwarebytes has found, click on the “Quarantine” button.
Restart computer.
Malwarebytes will now remove all the malicious files that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your computer.
After scanning, delete any detected threats. Your Mac should now be free from adware, unwanted extensions, and other potentially harmful software.
If your current antivirus allowed a malicious program on your computer, you might want to consider purchasing the full-featured version of Malwarebytes Anti-Malware to protect against these types of threats in the future. If you are still experiencing problems while trying to remove a malicious program from your computer, please ask for help in our Mac Malware Removal Help & Support forum.
Run a Malware Scan with Malwarebytes for Android
Malwarebytes for Android automatically detects and removes dangerous threats like malware and ransomware so you don’t have to worry about your most-used device being compromised. Aggressive detection of adware and potentially unwanted programs keeps your Android phone or tablet running smooth.
Download Malwarebytes for Android.
You can download Malwarebytes for Android by clicking the link below.
In the Google Play Store, tap “Install” to install Malwarebytes for Android on your device.
When the installation process has finished, tap “Open” to begin using Malwarebytes for Android. You can also open Malwarebytes by tapping on its icon in your phone menu or home screen.
Follow the on-screen prompts to complete the setup process
When Malwarebytes will open, you will see the Malwarebytes Setup Wizard which will guide you through a series of permissions and other setup options. This is the first of two screens that explain the difference between the Premium and Free versions. Swipe this screen to continue. Tap on “Got it” to proceed to the next step. Malwarebytes for Android will now ask for a set of permissions that are required to scan your device and protect it from malware. Tap on “Give permission” to continue. Tap on “Allow” to permit Malwarebytes to access the files on your phone.
Update database and run a scan with Malwarebytes for Android
You will now be prompted to update the Malwarebytes database and run a full system scan.
Click on “Update database” to update the Malwarebytes for Android definitions to the latest version, then click on “Run full scan” to perform a system scan.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now start scanning your phone for adware and other malicious apps. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Remove Selected”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes for Android has detected. To remove the malicious apps that Malwarebytes has found, tap on the “Remove Selected” button.
Restart your phone.
Malwarebytes for Android will now remove all the malicious apps that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your device.
When the scan is finished, remove all detected threats. Your Android phone should now be free of malicious apps, adware, and unwanted browser redirects.
If your current antivirus allowed a malicious app on your phone, you may want to consider purchasing the full-featured version of Malwarebytes to protect against these types of threats in the future. If you are still having problems with your phone after completing these instructions, then please follow one of the steps:
Restore your phone to factory settings by going to Settings > General management > Reset > Factory data reset.
After cleaning your device, it’s important to protect it from future infections and annoying pop-ups. We recommend installing an ad blocker such as AdGuard. AdGuard blocks malicious ads, prevents phishing attempts, and stops dangerous redirects, helping you stay safe while browsing online.
The Bottom Line
The “Your Accountant Made a Mistake” scam works because it hides inside a believable, everyday scenario. Corrections happen. Deadlines are real. Accountants do send revised documents. Scammers exploit that normal rhythm to push you into acting before you verify.
The safest rule is also the simplest: any request that changes where money goes or asks for financial access must be verified outside the message itself. Call a known number. Use a trusted portal link you type manually. Confirm bank detail changes with a second method every time.
If you already engaged with the scam, focus on speed, containment, and documentation. Payments can sometimes be interrupted, accounts can be secured, and the damage can be limited quickly when you take action right away.
FAQ
What is the “Your Accountant Made a Mistake” scam?
It is an impersonation scam where someone pretends to be your accountant, bookkeeper, or a tax authority contact and claims there was an error that needs urgent fixing.
The “fix” is the trap. It is usually a push to send money to new bank details or to click a link and enter credentials.
Why do scammers use the word “mistake”?
Because it feels normal.
Most people have seen corrections in real life: revised invoices, updated filings, amended forms, recalculated tax totals. “Mistake” triggers urgency without sounding like a scam.
What do scammers usually want from victims?
Typically one of these:
Money: you pay a “corrected” invoice to the wrong bank account.
Access: you log into a fake portal and hand over credentials.
Data: you share sensitive financial information that can be used for later fraud.
How can I tell if the message is fake if it includes real names and company details?
Treat “real details” as neutral. Scammers get them easily from public sources, leaks, or prior compromises.
Instead, look for risk signals like:
A request to change bank details
A request for urgent payment approval
A link to “review” or “confirm” a correction
A new attachment you did not expect
Pressure to avoid calling and “handle by email”
Do tax authorities or accountants ever ask for passwords or banking logins?
Legitimate professionals generally do not ask for passwords, full login credentials, or sensitive access details by email or text.
If anyone asks for:
Passwords
One-time codes
Full online banking credentials
Remote access to your computer treat it as a major red flag.
What if I clicked the link but did not type anything?
You may still be fine, but assume elevated risk.
Do this quickly:
Close the page
Run a security scan on the device if possible
Change your email password as a precaution if you are unsure
Watch for unexpected login alerts
If you downloaded or opened an attachment, move faster and involve IT if this is a business device.
What if the email came from the accountant’s real email address?
That is possible in more serious incidents.
A real address can still be dangerous if:
The accountant’s mailbox is compromised
Someone is sending from within their systems
The message is a reply inside a real thread
In that scenario, verification by phone using a known number is essential.
Can banks reverse a wire or ACH payment?
Sometimes, but it depends on timing and the payment type.
The best approach:
Call the bank immediately
Ask for recall or fraud intervention options
Provide transaction details
Even if recovery is not guaranteed, fast reporting improves your chances.
What is the safest policy for businesses to prevent this?
A simple rule that stops most losses:
Any bank detail change requires out-of-band verification, every time.
That means:
Call a known number already on file (not the email signature)
Confirm changes with a second person
Document who verified and when
If I replied to the scammer, does that put me at risk even if I did not pay?
Yes, it can.
Replying tells scammers:
The address is active
You are a real person
You might handle money or approvals
That can lead to more targeted follow-ups.
10 Rules to Avoid Online Scams
Here are 10 practical safety rules to help you avoid malware, online shopping scams, crypto scams, and other online fraud. Each tip includes a quick “if you already got hit” action.
Stop and verify before you click, log in, download, or pay.
Most scams win by creating urgency. Verify using a trusted method: type the website address yourself, use the official app, or call a known number (not the one in the message).
If you already clicked: close the page, do not enter passwords, and run a malware scan.
Keep your operating system, browser, and apps updated.
Updates patch security holes used by malware and malicious ads. Turn on automatic updates where possible.
If you saw a scary “update now” pop-up: close it and update only through your device settings or the official app store.
Use layered protection: antivirus plus an ad blocker.
Antivirus helps block malware. An ad blocker reduces scam redirects, phishing pages, and malvertising.
If your browser is acting weird: remove unknown extensions, reset the browser, then run a full scan.
Install apps, software, and extensions only from official sources.
Avoid cracked software, “keygens,” and random downloads. During installs, choose Custom/Advanced and decline bundled offers you do not recognize.
If you already installed something suspicious: uninstall it, restart, and scan again.
Treat links and attachments as untrusted by default.
Phishing often impersonates delivery services, banks, and popular brands. If it is unexpected, do not open attachments or log in through the message.
If you entered credentials: change the password immediately and enable 2FA.
Shop safely: research the store, then pay with protection.
Be cautious with brand-new stores, “closing sale” stories, and prices that make no sense. Prefer credit cards or PayPal for dispute options. Avoid wire transfers, gift cards, and crypto payments.
If you already paid: contact your card issuer or PayPal quickly to dispute the transaction.
Crypto rule: never pay a “fee” to withdraw or recover money.
Common patterns include fake profits, then “tax,” “gas,” or “verification” fees. Another is a “recovery agent” who demands upfront crypto.
If you already sent crypto: stop paying, save evidence (wallet addresses, TXIDs, chats), and report the scam to the platform used.
Secure your accounts with unique passwords and 2FA (start with email).
Use a password manager and unique passwords for every account. Enable 2FA using an authenticator app when possible.
If you suspect an account takeover: change passwords, sign out of all devices, and review recent logins and recovery settings.
Back up important files and keep one backup offline.
Backups protect you from ransomware and device failure. Keep at least one backup on an external drive that is not always connected.
If you suspect infection: do not connect backup drives until the system is clean.
If you think you are a victim: stop losses, document evidence, and escalate fast.
Move quickly. Speed matters for disputes, account recovery, and limiting damage.
Stop payments and contact: do not send more money or respond to the scammer.
Call your bank or card issuer: block transactions, replace the card if needed, and start a dispute or chargeback.
Secure your email first: change the email password, enable 2FA, and remove unfamiliar recovery options.
Secure other accounts: change passwords, enable 2FA, and log out of all sessions.
Scan your device: remove suspicious apps or extensions, then run a full malware scan.
Save evidence: screenshots, emails, order pages, tracking pages, wallet addresses, TXIDs, and chat logs.
Report it: to the payment provider, marketplace, social platform, exchange, or wallet service involved.
These rules are intentionally simple. Most online losses happen when decisions are rushed. Slow down, verify independently, and use payment methods and account controls that give you recourse.
Thomas is an expert at uncovering scams and providing in-depth reporting on cyber threats and online fraud. As an editor, he is dedicated to keeping readers informed on the latest developments in cybersecurity and tech.
