Now, you are sitting there thinking “I am not a CPA, so this matters not to me”. You are thinking, “I don’t even need to read the articule to know they talk about targetted phishing against those folks”. Your worry is misdirected. You are at risk.
Let me explain. You see, in your personal and professional supply chain there are CPA at many steps. Your bank, your investments, your auditor, etc. And, it is you, the end-user of the CPA service, that will be where the next attack comes, using this data.
Perhaps some CPA use the same password & email on other systems, and someone can act as them to come into your business.
Someone posing as your CPA could trick your Accounts Payable team, your bank. Or perhaps your HR, maybe that “we want to audit all employees SIN numbers are correct” audit that doesn’t exist?
The risk you see is often a misdirection from the risk that will become concrete.