Account Security

When Hackers Come Knocking: Protecting Your QuickBooks Practice from Modern Security Threats

Earmark Team · November 16, 2025 ·

Here’s something that might keep you up at night: A hacker breaks into a Comcast email account and immediately creates a new Outlook.com account with an almost identical username. When they send emails through the compromised account, they set the reply-to address to redirect responses to their fake Outlook account. Most people never notice the domain switch. They see a familiar name, hit reply, and hand over sensitive information directly to the fraudster.

This real-world example comes from security expert Jamie Pollock, who joined his wife and business partner, Alicia Katz Pollock, and co-host Dan DeLong for episode 104 of The Unofficial QuickBooks Accountants Podcast. The episode, titled “Insecurity about Security,” couldn’t be more timely. As Dan noted, accountants and ProAdvisors across various Facebook groups report compromised logins with increasing frequency, raising urgent questions about the security of the QuickBooks ecosystem.

“We as accountants are the gateway to security for our clients because we have our hands in our clients’ sensitive data,” Alicia explained. With real money movement now possible through QuickBooks Bill Pay, payments, and payroll, a single compromised accountant login can expose dozens or even hundreds of client accounts. That’s why Dan suggested bringing in Jamie, who teaches internet security courses. As Dan put it, “we need someone smarter than both of us combined.”

Passkeys: Your New Best Friend (Once You Understand Them)

Remember when accountants and clients just shared login credentials? Dan does. Back in 2013, when he worked at Intuit, this practice was so common that the company built the QuickBooks Online Accountant portal specifically to stop it. “People would get into their clients’ QuickBooks Online with their clients’ login,” Dan recalled. “And Intuit was like, that can’t be a best practice.”

Fast forward to today, and we’re on the verge of an even bigger change: replacing passwords entirely with something called passkeys.

Jamie explained this complex technology in simple terms. “A passkey is an encryption key. It’s a physical token,” he explained. “You go to the server—Intuit or Google or whoever—and say I’d like a passkey. It generates this passkey and downloads it onto your device.”

Think of it like those old war movies Dan referenced, where two people need to turn keys simultaneously to launch missiles. Your device has one key, the server has the other. When you log in, they work together to verify your identity without transmitting anything that could be stolen.

To help explain how this works, Jamie offered a comparison everyone already knows: secure websites. “If a website doesn’t have security, it’s HTTP, and if it has an SSL certificate, it’s HTTPS,” he said. When you visit a secure site, it downloads an encryption key to your browser. Any information you submit gets encrypted with that key, and only the server can unlock it. Passkeys work the same way, but for your identity instead of your data.

The technology depends on two things: password vaults that sync your passkeys across devices, and biometric authentication like fingerprints or facial recognition. “Nobody has my face or my finger,” Jamie pointed out, explaining why passkeys are so secure.

But here’s the catch: we’re in an awkward transition period. “Passkeys are meant to replace passwords,” Jamie explained. “But every company, every app, every website implements it differently.” Not everyone has biometric devices or password vaults yet, so companies like Intuit keep both systems running in parallel. Alicia estimates we’re “five or maybe ten years away” from passwords disappearing completely, since everyone needs biometric-capable devices first.

The Fraud Tactics Hitting QuickBooks Users Right Now

Integrating payment features into QuickBooks has transformed accountant credentials into what Dan calls “one point of access” for bad actors. With bill pay, QuickBooks payments, and payroll all accessible through a single login, fraudsters have shifted their focus from individual businesses to the accountants who hold the master keys.

Alicia shared a disturbing story that shows just how sophisticated these attacks have become. Someone contacted her through Facebook, asking for help with a locked QuickBooks account. She emailed the person to verify their identity, and they confirmed it was really them. But Alicia had a bad feeling, and her instincts were right. “I realized it was actually the hacker inside the email account.” The fraudster had compromised both the QuickBooks account and the email, turning normal verification into a trap.

Jamie explained how these email compromises typically work. Hackers break in and immediately create a new free account on Outlook or Gmail with a similar username. They set up forwarding rules and reply-to addresses that redirect responses to their controlled accounts. “Most people don’t notice and they answer the message,” Jamie said. “Next thing you know, they’re in the hands of the hacker.”

The recovery process itself has become a vulnerability. Dan highlighted a concerning issue: if you can’t access your phone or email, Intuit offers a third option involving photo ID submission. “It doesn’t take a whole lot. It’s not that far of a stretch to say that these bad actors can forge your documents,” Dan warned. Unlike banks that require account numbers or debit card information, Intuit’s recovery relies primarily on information that’s often publicly available.

Not all fraud stories end badly, though. Alicia shared how Intuit called one of her clients after detecting multiple unauthorized login attempts from Georgia and Florida. The investigation revealed fake invoices for $900 and $24,000 in the client’s system. While Alicia joked that creating invoices instead of expenses showed “the hacker used the software wrong,” it demonstrated both the scale of potential fraud and Intuit’s active monitoring.

A newer concern involves QuickBooks’ invoice forwarding system. The system now uses a standardized email format (companyname+expenses@assist.intuit.com) that vendors can use to submit invoices directly. “If that email address gets out, people can send you bills,” Alicia warned. “If you’re not paying attention, you might pay somebody that isn’t actually a supplier.”

Your Security Toolkit: Practical Steps You Can Take Today

The good news? You don’t need a computer science degree to protect yourself and your clients. The hosts shared several strategies any accountant can implement immediately.

First up is what Dan and Alicia call the “backdoor login” strategy. “You add yourself as a team member in your QBO using a different email address,” Alicia explained. Create a completely separate Gmail account just for this purpose, add yourself with full access to QuickBooks and all clients, and store those credentials securely. If your primary login gets compromised, you can still access everything while resolving the breach.

Password management is crucial, and Alicia shared how her firm uses 1Password. “Every employee has their own personal private vault,” she explained. “But then we have group vaults that are only by permission.” Administrative passwords stay separate from general team access, bookkeeping credentials remain isolated from other systems, and everything requires biometric authentication. “I can sit down at any of my computers and have instant access to the things that I need,” she said. “But nobody else can get in because it’s either under my personal password or literally my fingerprint.”

Jamie shared his rules of internet security. Rule one: “Know your source.” Click on the sender’s name in any email to reveal the actual address. “They can fake the name, but they can’t fake the email address,” Jamie emphasized. If something claims to be from Intuit but shows @gmail.com, you’ve spotted a fake.

Another powerful rule: “Don’t do anything. Don’t react, don’t click the link, don’t call the number, don’t reply to the text.” Most scams create artificial urgency to provoke immediate action. “If there’s urgency on their part, you should just stop,” Jamie advised. His reassuring logic? “If you owe somebody $500 through PayPal, they’ll get back to you. I guarantee it.”

Additional quick tips from the episode:

Hover over links before clicking to see the actual destination
Forward suspicious emails to fraud@intuit.com
Check security.intuit.com for current security alerts
Watch for deceptive URLs using dashes (like intuit-quickbooks-dash-fake.com)
Enable two-factor authentication despite the inconvenience

Speaking of two-factor authentication, Jamie reframed the hassle as a feature. “It’s a little bit of a hassle for you. But getting hacked and having $24,000 move around that you didn’t see? That’s a little bit more of a hassle.” Plus, unexpected authentication requests alert you to breach attempts, letting you change passwords before damage occurs.

The Road Ahead: Staying Secure in an Evolving Landscape

The transition to better security won’t happen overnight. Alicia compares computer aging to “double dog years.” By the time a computer is five years old, it’s like a 70-year-old person, and at seven years, it’s 94. Until everyone upgrades to biometric-capable devices, we’ll be managing both old and new security methods.

Security in QuickBooks is only as strong as its weakest link, which is often the recovery process. “The passkey or the way to sign in can only be as secure as the recovery process,” Dan observed. Unlike banks that require separate credentials like account numbers, Intuit’s recovery relies primarily on email and phone verification—both potentially vulnerable to compromise.

This vulnerability matters because of scale. One compromised accountant login doesn’t just expose one business; it potentially unlocks financial data for tens or hundreds of client accounts. As Dan put it, accountants have become “one point of access that a bad actor could access.”

The profession must also stay informed about evolving threats. Many accountants don’t know about resources like security.intuit.com for current alerts or that forwarding suspicious emails to fraud@intuit.com helps track fraudulent campaigns. As Alicia noted near the episode’s end, “They’re always finding new backdoors. I’m sure a year from now we’re going to have this conversation again.”

Jamie also mentioned his own services, including email cleanup and password management training. “My favorite is unread messages that are more than two years old,” he said. “You never read them two years ago, you’re not going to read them now.”

The episode ended with exciting news about Intuit actively seeking feedback. They’ve launched a new board specifically for ProAdvisors to provide actionable suggestions about banking feeds. “The developers are reading it,” Alicia emphasized. “You can have conversations with other people, we can upvote suggestions, and the developers actually join the conversation.”

Take Action: Your Security Starts Now

Security in the QuickBooks ecosystem isn’t just about protecting passwords; it’s about protecting livelihoods. Every compromised login is a potential breach of trust with clients who depend on you to safeguard their financial data.

The tools and threats will continue evolving, but your responsibility to protect client data remains constant. As Jamie’s simple rules demonstrate, effective security requires consistency and awareness. Know your source. Don’t react to urgency. Use the backdoor login strategy. Enable two-factor authentication even though it’s annoying.

Listen to the full episode for additional examples, detailed technical explanations, and Jamie’s complete security framework. The conversation includes specific guidance that could save your practice from becoming the next cautionary tale. Because in today’s digital accounting landscape, vigilance isn’t paranoia; it’s professionalism.

Alicia Katz Pollock’s Royalwise OWLS (On-Demand Web-based Learning Solutions) is the industry’s premier portal for top-notch QuickBooks Online training with CPE for accounting firms, bookkeepers, and small business owners. Visit Royalwise OWLS, where learning QBO is a HOOT!

Protect Your Bookkeeping Practice: Essential Boundaries That Preserve Your Value

Earmark Team · August 27, 2025 ·

When hosts Alicia Katz Pollock and Veronica Wasek spun their “Wheel of Rants” on a recent episode of The Unofficial QuickBooks Accountants Podcast, they landed on a topic that sparked an energetic discussion: “The 20 things that accountants should never do.”

What followed was a candid conversation about the essential boundaries every bookkeeper should establish to protect themselves and their clients. Whether you’re just starting your bookkeeping practice or you’re a seasoned professional, these boundaries are critical safeguards for building a sustainable business.

Client Relationship Boundaries: Who’s Really in Charge?

“Allowing clients to control the work we do and really treating us as employees” topped Wasek’s list of boundary violations. She explained that many bookkeepers, especially those transitioning from employee roles, fall into the trap of letting clients direct their work.

“The client shouldn’t be directing the work you do,” Wasek emphasized. “There should be proper diagnosis done by us as accountants and then we give the client our recommendations.”

This distinction is crucial: Are you following orders or leading the process? As Katz Pollock pointed out, “If you’re a bookkeeper with your own firm or your own practice, you should be the one guiding the narrative.” Otherwise, you might actually be functioning as an employee rather than an independent contractor.

Financial Boundaries: Know Your Worth

Both hosts shared strong opinions about working for free or undervaluing services. Wasek explained how offering free work “devalues our industry as a whole” and signals that you don’t value your own expertise.

Katz Pollock added a practical concern: “If you were willing to do it for free, why would I pay you $500 a month to do it?” This initial boundary violation creates expectations that become nearly impossible to reset later.

Another common mistake is marking down invoices without discussion. Wasek shared an example based on her own experience. “My fee was $10,000 based on all the time that I spent on it, but I don’t think they’re going to pay me $10,000, so I just charge them $5,000.”

She now recognizes this as a serious boundary violation, explaining, “We tend to project our own feelings about money to our clients.” Instead of assuming clients won’t pay, have an open conversation about pricing.

Katz Pollock offered a practical strategy for those who bill hourly. “I charge what I consider a reasonably high rate, and that allows me to give a discount. Then I feel like everybody wins. I’m still getting a satisfactory rate, and they feel good.”

The hosts also warned against becoming financially dependent on just a few clients. “What if one out of those three leaves and you were financially dependent on that client?” Wasek cautioned. This dependency traps bookkeepers in problematic relationships where they can’t enforce other boundaries for fear of losing essential income.

Security Boundaries: Protecting Your Clients and Yourself

“Having direct access to the client’s bank accounts or their bill payment” is a practice Wasek strongly discourages. She shared a sobering example of a client that embezzled $8 million through their in-house bookkeeper, who had unrestricted access.

Katz Pollock acknowledged the practical challenges, noting she sometimes needs bank account access to view statements or check images. Her solution involves strict controls: “We have a 1Password vault that nobody has access to except for me and my contracted bookkeeper,” plus explicit language in her engagement letter that they “will never take any action either on your behalf or at your request.”

Both hosts emphasized the importance of secure password management. “Nowadays, you need to have unique passwords for everything,” Wasek explained, recommending systems that limit credential visibility to only those who absolutely need them.

Email communication presents another security concern. “The bane of my existence is emails,” Katz Pollock admitted, noting important client communications often get buried. More critically, Wasek warned, “There are so many email scams going on right now where you think you’re talking to your client and they are not your client.”

She shared a chilling example: “One of my clients was a victim of an email scam with a vendor. He sent a couple of million dollars to this fraudulent vendor, and then couldn’t do anything about it.” This led her firm to abandon email entirely for client communications, moving to secure platforms instead.

Professional Expertise Boundaries: Know Your Limits

“Taking a client when you lack the required skills” and giving legal or tax advice without proper qualifications made both hosts’ lists of major boundary violations.

“Certain industries and certain types of clients are more complex,” Wasek explained, highlighting areas like e-commerce and nonprofit accounting that require specialized knowledge.

Both hosts stressed that bookkeepers should never give tax or legal advice without proper credentials. “If you don’t have a law degree and if you don’t have a tax designation, then you can’t actually back up and stand by the advice you’re giving,” Katz Pollock cautioned.

Instead, they recommended developing relationships with specialists and having prepared responses for common client questions. As Wasek suggested, “I would try to give them the right words to use to ask their CPA the proper question.”

Documentation Boundaries: Get It in Writing

“Not using engagement letters” was another boundary violation, both hosts emphasized. Wasek learned this lesson “the hard way” after initially “working on a handshake,” explaining that formal agreements “really set the tone for the entire relationship.”

A comprehensive engagement letter should outline services provided, responsibilities, pricing, payment terms, and procedures for ending the relationship. Katz Pollock recommended reviewing engagement letters annually. “I look to see if their scope has changed. How many checking accounts did I agree to and how many do they have now?” This gives a “tangible reason for raising our prices” beyond just annual increases.

Both hosts also advocated for paid diagnostic assessments before committing to new clients. This smaller initial engagement helps evaluate a client’s responsiveness and complexity before making longer-term commitments.

Personal Boundaries: Protecting Your Time and Energy

The hosts discussed the common issue of bookkeepers acting as “unpaid therapists” for their clients. Wasek recalled a client who “would keep me on for at least an hour” multiple times weekly, making it impossible to complete actual work. She learned to establish time parameters, saying, “I’d love to talk to you, but I have a meeting in 15 minutes.”

Another crucial personal boundary involves maintaining client confidentiality. “You never, ever, ever talk badly about either the business owner or a bookkeeper to another business owner or another bookkeeper,” Katz Pollock stressed. This includes avoiding sharing information between clients or discussing former clients with their new bookkeepers without explicit permission.

Wasek shared a situation involving partnership conflicts: “I had to terminate the relationship. I would rather this client think badly of me for leaving them without a bookkeeper than to attack the other partner or to tattletale.”

Building a Stronger Practice Through Boundaries

Throughout their discussion, Wasek and Katz Pollock emphasized that proper boundaries ultimately create more sustainable and rewarding businesses.

“I am a big believer in karma, and that when one door closes, another one opens,” Katz Pollock shared. “If you have a really large client that you depend on, and either they let you go or you just find it toxic, I don’t recommend staying.”

Wasek agreed, adding that when bookkeepers release problematic clients, they gain “so much more mental energy to devote to better clients.”

For bookkeepers looking to establish stronger boundaries, the hosts recommended:

Getting proper training to understand your expertise and limitations
Using engagement letters reviewed by legal professionals
Implementing secure technology solutions for passwords and communications
Developing scripts for common boundary challenges
Building relationships with specialists for referrals
Conducting paid diagnostic assessments before committing to new clients

As Katz Pollock concluded about maintaining professional boundaries, “It says way more about you than it does about them.” It’s a reminder that how you establish and maintain boundaries ultimately defines your professional reputation and the health of your practice.

To hear more detailed insights about these essential bookkeeping boundaries, listen to the full episode using the player below or wherever you get your podcasts.

Mastering Intuit Account Management: Essential Security for QuickBooks Professionals

Earmark Team · April 8, 2025 ·

Imagine waking up one day and discovering that you can’t access any of your QuickBooks clients’ data. That’s exactly what happened to one bookkeeper who found themselves locked out of their QuickBooks Online account, with no quick fix in sight. Suddenly, they were left in a lurch and unable to help their clients—a true nightmare scenario!

In a recent episode of The Unofficial QuickBooks Accountants Podcast, hosts Alicia Katz Pollock and Dan DeLong dove into the important but often overlooked topic of Intuit account management. This article breaks down the key takeaways from their discussion, equipping you with tips on how to:

secure your QuickBooks account,
set up reliable backup access methods, and
manage client relationships effectively using Intuit’s management portals.

Exploring accounts.intuit.com: Your Personal Command Center

Many accounting professionals use QuickBooks every day, but not everyone takes the time to explore the powerful management tools that are often overlooked. One of these gems is accounts.intuit.com, which acts like your personal command center within the Intuit ecosystem.

When you navigate to accounts.intuit.com (using the same credentials you use for QuickBooks Online), you’ll find a comprehensive dashboard that organizes your entire Intuit footprint. It’s a centralized hub where you can manage everything from security settings to document access.

The Sign-in and Security section represents your first line of defense against unauthorized access. Here, you can:

Update your user ID
Change your email address
Modify your password
Enable two-step verification (critical for security)
Set up authenticator apps
Use biometric security (fingerprints, facial recognition)
Monitor account activity across all devices

As Dan emphasized in the podcast, “Turn on your 2-Factor Authentication. Do it. Especially for accountants and ProAdvisors in the accounting community, your login is potentially connected to a lot of sensitive information—social security numbers, credit card information, EINs, a lot of personally identifiable information is there.”

The Activity Log displays every login attempt and includes details about the device, location, browser, and timestamp used, making it easy to spot any unauthorized access.

The Business Profile section shows a complete history of every QuickBooks client you’ve ever worked with.

For those concerned about privacy, the Data and Privacy section allows you to download your personal data, delete information if desired, and correct any errors in your profile.

The Products and Billing section displays all QuickBooks packages and services you subscribe to—including Online, Payments, Payroll, and more. What makes this view powerful is that it consolidates information from across multiple QuickBooks Online Accountant (QBOA) logins.

The Documents section provides access to attachments across all your client files. Rather than logging into individual client accounts to retrieve documents, you can access, download, and add new files directly through this centralized hub.

Leveraging camps.intuit.com for Product-Based Management

While accounts.intuit.com organizes your Intuit ecosystem from a user perspective, camps.intuit.com (Customer Account Management Portal System) provides a different view—one organized by product rather than by user profile. This portal serves as the external-facing view of Intuit’s customer relationship management system.

When you log into camps.intuit.com, you’ll see tabs organizing your Intuit ecosystem by product type: QuickBooks Desktop, QuickBooks Online for Accountants, QuickBooks Online, QuickBooks Payments, and Intuit Online Payroll. This organization makes CAMPS valuable when you need information about specific services rather than specific clients.

For QuickBooks Desktop users, CAMPS reveals all versions you’ve used over time, including those purchased for clients. “I see all of the different QuickBooks desktop accounts that I’ve had,” Alicia notes during her exploration of the portal.

Creating a Backup Access Method: Your Emergency Entry Point

Understanding these portals is important, but equally crucial is ensuring you always have access to your clients’ data. During the podcast, Alicia shared a concerning story about a bookkeeper who completely lost access to QuickBooks Online.

“I was on a call with Roundtable Labs, and Alexis Sadler was telling us a story about how one of her bookkeepers lost complete access to their QBO. They would go to log in to QBO, and it was just flat out not working. And they were completely locked out. My blood ran cold because it was like, well, shoot, if I get locked out, I literally can’t do my job.”

The solution? Create a backup access method that functions as your emergency entrance when the front door is locked. Alicia recommends: “Go add yourself as a different email address to your teams inside QBO. So when you’re in your QuickBooks Online for Accountants and you look on the left-hand side, it says team. Add yourself as a team member, give yourself full access to your books.”

This simple step ensures that even if your primary login becomes locked, you still have a way to access your clients’ data and continue providing services without interruption.

Understanding the Primary Admin Role: Who Should Control the Account?

Equally important is understanding the Primary Admin role—the person with ultimate control over a QuickBooks account. When creating a new QuickBooks file for a client, should you designate yourself or your client as the Primary Admin?

Alicia takes a clear position: “Your primary admin is the person who is responsible for the account… some bookkeeping firms will say, well, I’m the one who’s doing all the work, I’m the one paying for the subscription. Therefore I am the primary admin. But really, Intuit’s platform is that the primary admin should be the business owner, even if they’re not the main user.”

Alicia continues, “You’re the person who’s creating the data, but you don’t own the file. They own the file.”

Dan explains the technical reality: “The Intuit definition of who the primary admin is, is, in reality, the first person to touch that service.” This means whoever initially set up the QuickBooks account automatically becomes the Primary Admin unless changed.

There are limited exceptions to this best practice. Alicia notes: “I do have one exception to my rule about the business owner being the primary admin. And that’s if they’re working with QuickBooks Commerce, because QuickBooks Commerce integrations can only be set up by the primary admin.”

When client relationships end, the question of Primary Admin status becomes especially sensitive. Some accounting professionals resist transferring Primary Admin status, believing they “own” the file they’ve built. Alicia says, “Don’t be that person. That’s petty. You’re burning bridges. It’s the client’s data. They paid for it. They didn’t just pay for the service. They paid for the results. And the results are the data.”

Dan reinforces this point: “Intuit will side on the business owners side… provided they provide the legal documents that are necessary. So it is a losing battle when it comes to that.”

Only the Primary Admin can transfer this status to another user. If the original Primary Admin is unavailable, Intuit has a legal process requiring proof of business ownership—but this takes time (typically 7-10 business days) and requires documentation.

Master Your Intuit Ecosystem Today

Navigating Intuit’s account management options goes beyond the QuickBooks interface, offering essential tools for security and data management that many accounting professionals overlook. By visiting accounts.intuit.com and camps.intuit.com, you can manage your entire Intuit footprint and implement important security measures to safeguard your clients’ data.

Take some time to log into accounts.intuit.com and camps.intuit.com. Set up two-factor authentication, create backup access, and make sure each client’s Primary Admin status aligns with your relationship. These simple steps can help you avoid stress and business disruptions down the line.

For a deeper dive into these topics and more QuickBooks insights, listen to the full episode of The Unofficial QuickBooks Accountants Podcast.