Your vendor just asked you
to update their bank details.
Was it your vendor?
Your CAS team processes hundreds of client instructions a week — AP payments, payroll runs, vendor updates, tax authority wires. One fraudulent vendor bank change, and your client's next payment run goes to the attacker. We catch the fraud at the source — not after the funds have moved.
A real pattern — any week at a CAS firm
"Tuesday morning, a vendor for your largest CAS client emails: 'We've moved banks. Please update our ACH details.' Your bookkeeper verifies nothing is missing from the email, updates the record, and moves on to the next task. Two weeks later, during the scheduled AP run, $84,000 flows to the new account. It's not the vendor's account."
The vendor's inbox had been compromised weeks earlier. The attacker waited for the legitimate payment cycle. Your firm's AP process became the attack vector. The client now faces a recovery claim against your firm and an FTC Safeguards inquiry.
+66%: year-over-year growth in vendor email compromise
$2.9B: US BEC losses reported to FBI in 2024
Tax season: peak attack window across US accounting firms
FTC: Safeguards Rule now enforced at accounting firms
What we hear from firm owners
Three things you're right about —
that leave you exposed anyway.
None of these are mistakes. They are the natural pressures of running a modern CAS practice. And they are exactly what the attackers are counting on.
"Our bookkeepers process hundreds of instructions — we can't verify every one."
Exactly. Verifying every routine AP payment would destroy productivity. The answer is smart filtering — gates that fire only on elevated risk (vendor bank changes, pattern-anomalous payments, new signatories) while 90% of routine work flows through untouched.
Volume-calibrated protection, not blanket friction
"We have Bill.com — it handles our payments securely."
Bill.com is excellent at what it does. But its fraud detection fires after a payment is initiated, based on patterns inside Bill.com. It can't see the email asking your bookkeeper to update the vendor bank details in the first place. The attack happens upstream, in the inbox.
Bill.com protects payments; we protect the instructions
"FTC Safeguards doesn't really apply to us."
The FTC Safeguards Rule applies to any entity that handles customer financial information — which includes every CPA and CAS firm handling client tax data, bank information, or payroll. Enforcement has accelerated through 2024–2025. The question is whether your firm has documented controls, not whether the rule applies.
FTC enforcement is accelerating, not theoretical
The single highest-risk instruction in accounting
Vendor bank change fraud —
the setup attack nobody is ready for.
Most fraud attacks the transaction that's happening now. Vendor bank change fraud attacks transactions that haven't happened yet.
The attacker compromises a vendor's inbox — or impersonates them from a look-alike domain — and sends a routine-looking email: "we've moved banks, please update our ACH details." Your bookkeeper updates the record. No money moves that day.
"The attack is the update. The damage is the next scheduled payment run. Standard fraud detection sees nothing wrong, because nothing wrong happened today."
Two weeks later, during the legitimate AP cycle, funds flow to the new account. Recovery rate is under 20%. Your firm is in the middle of a client liability discussion, a cyber insurance claim, and an FTC inquiry — simultaneously.
Verify before changing
Preservers detected: vendor bank change request. Two-party verification required before this change can be saved. A 24-hour hold is applied.
⚠ Setup fraud risk
Bank change is the highest-risk accounting instruction. Funds don't move today, but the next legitimate payment run is now at risk if this change isn't verified independently.
Bank detail comparison
I verified with the client's authorised signatory at a CRM phone number — not a number in this email.
I verified with the vendor directly at a known phone number — not via email reply.
Cooling-off hold
Payments to new account blocked for 24:00:00
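An added example, not Preservers' code and not part of the original page, of the gate described above: a payment to a changed bank account is released only after both independent verifications are recorded and the 24-hour hold has elapsed. The class and field names, the in-memory storage and the SHA-256 hash chain used to make the log tamper-evident are assumptions for illustration.

```python
import hashlib
import json
from datetime import timedelta

HOLD = timedelta(hours=24)                        # cooling-off period stated on the page
REQUIRED = {"client_signatory", "vendor_direct"}  # the two independent, out-of-band checks

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class BankChangeGate:
    """Holds a vendor bank change until it is verified and the hold has passed."""

    def __init__(self):
        self.pending = {}  # vendor_id -> {"account", "requested", "verified"}
        self.log = []      # hash-chained: each entry stores the previous entry's hash

    def _audit(self, event, **fields):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        body = {"event": event, "prev": prev, **fields}
        self.log.append({**body, "hash": _digest(body)})

    def request_change(self, vendor_id, new_account, bookkeeper, now):
        self.pending[vendor_id] = {"account": new_account, "requested": now, "verified": set()}
        self._audit("change_requested", vendor=vendor_id, by=bookkeeper, at=now.isoformat())

    def record_verification(self, vendor_id, party, bookkeeper, now):
        if party not in REQUIRED:
            raise ValueError(f"unknown verification party: {party}")
        self.pending[vendor_id]["verified"].add(party)
        self._audit("verified", vendor=vendor_id, party=party, by=bookkeeper, at=now.isoformat())

    def payment_allowed(self, vendor_id, account, now):
        change = self.pending.get(vendor_id)
        if change is None or account != change["account"]:
            return True  # not the account under hold; routine flow is untouched
        ok = change["verified"] == REQUIRED and now - change["requested"] >= HOLD
        self._audit("payment_check", vendor=vendor_id, allowed=ok, at=now.isoformat())
        return ok

    def log_intact(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True
```

An unverified change stays blocked however much time passes, which is what stops the delayed payment run in the scenario above.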
Compliance & evidence
You don't just need controls.
You need evidence that they work.
The FTC is enforcing. Cyber insurers are demanding documented controls at renewal. State tax boards and the AICPA are tightening scrutiny. We produce the evidence each body expects — formatted for direct use.
Customer financial information safeguards
Our evidence pack maps directly to §314.4(c) access controls, §314.4(g) monitoring, and §314.4(i) change management. Structured for direct inclusion in your FTC compliance attestation.
Written Information Security Plan
We produce a Preservers section that drops directly into your WISP template. Covers controls against BEC, vendor compromise, and client impersonation — in the format IRS and state tax boards expect.
Documented controls for underwriters
Cyber carriers now require documented BEC and wire verification controls at renewal. Our evidence pack has been reviewed with major carriers (Beazley, Chubb, Coalition, At-Bay) and is structured for direct acceptance.
CC6 · CC7 · CC8 evidence
For firms pursuing SOC 2, our evidence supports logical access, system operations, and change management criteria. Compatible with Vanta and Drata workflows for automated evidence collection.
Client financial data handling
Evidence of documented controls over client financial data — useful for AICPA peer reviews, CAS benchmark participation, and institutional clients asking about your firm's data handling practices.
Multi-state compliance support
State tax boards in California, New York, and Texas now require documented cybersecurity controls for preparer registrations. Evidence produced in jurisdiction-specific formats with local regulatory citations.
How Preservers helps
Three things happen —
before your bookkeeper acts on a bad instruction.
We don't slow your firm down. We give you the one thing nothing else in your stack provides: early warning at the point of decision, with evidence that you acted correctly.
Multi-client predictive defence
We continuously monitor the external threat surface around every CAS client you serve — their authorised signatories, their vendors, their payroll employees. When an impersonation is being prepared against any client in your book, you know.
Volume-calibrated interception
Routine AP payments from known signatories to known vendors flow through untouched. Gates fire only on elevated risk — vendor bank changes, new signatories, pattern-anomalous payments, tax-authority impersonation. Tax-season mode adapts automatically to seasonal baseline shifts.
Documented, defensible verification
Every high-risk verification is logged with client ID, bookkeeper name, vendor details, and a tamper-proof hash. Your audit trail is built automatically — ready for FTC attestation, cyber insurance renewal, or SOC 2 audit.
What this means for your firm
<20 min from signing to protected. No IT project. No DNS changes. No procurement.
24-hour hold on every vendor bank change. Setup fraud stopped before the next payment run.
Every client monitored individually. Their signatories, their vendors, their employees — watched continuously.
1-click regulator & insurer evidence. FTC, WISP, cyber renewal, SOC 2 — all formats on demand.
The details
Built for the way modern CAS firms
actually operate.
Designed for accounting firms with 3–30 staff — partner-owners wearing multiple hats, lean CAS teams, tax seasons that amplify every flaw. Everything below reflects that reality.
Multi-client tenant model
Your firm is the tenant. Each CAS client is a sub-workspace with its own authorised signatories, vendor list, and baseline patterns. Monitoring runs per-client; dashboards roll up to firm level.
Context-aware for accounting workflows
We understand the difference between a routine AP invoice, a vendor bank change, a payroll diversion attempt, and a tax-authority impersonation. Each gets a different response.
Frequently Asked Questions
Vendor bank change is the single highest-risk instruction in accounting work. Preservers detects bank change requests, requires two-party independent verification (the client signatory AND the vendor directly), and applies a 24-hour cooling-off hold on the updated bank details in Bill.com, QuickBooks, or your downstream system. The setup attack — where funds flow to the attacker at the next legitimate payment run — is blocked before it can execute.
Yes. Our evidence pack maps directly to FTC Safeguards Rule 16 CFR Part 314 requirements — access controls, monitoring, change management, incident response. The format is auditor-friendly and structured to support your FTC compliance attestation.
We produce a Preservers section that drops directly into your IRS Publication 5709 WISP template. It covers the specific controls we provide against BEC, vendor compromise, and client impersonation — documented in the format IRS and state tax boards expect.
No. Our detection logic is volume-calibrated. Routine AP payments from known signatories to known vendors at typical amounts flow through untouched — logged for audit, but not interrupted. Gates fire only on elevated risk: vendor bank changes, pattern-anomalous payments, new signatories, or tax-authority impersonation. Tax-season mode adjusts to the seasonal baseline shift automatically.
Under twenty minutes. No IT project, no DNS changes, no procurement committee review. Preservers integrates with QuickBooks Online, Xero, Bill.com, Karbon, Canopy, and TaxDome to pull client and vendor context automatically.
Boutique and mid-size CPA/CAS firms (3–30 staff) running Client Advisory Services, bookkeeping, AP/AR outsourcing, tax compliance, and outsourced CFO work. Particularly effective for CAS-first firms where a single vendor bank change fraud could damage multiple clients simultaneously.
Stop instructions becoming fraud.
Neutralize Your Risks today.
Preservers intercepts vendor bank change fraud, payroll diversion, and invoice manipulation. Produces evidence for FTC Safeguards, IRS WISP, and cyber insurance.
Deployment in under 20 minutes