It’s 6pm on the last Friday of the quarter. You’re juggling between five live forecasts and three tax reconciliations when a request claiming to be from your CFO lands in your inbox. The sender address looks familiar. The tone matches the CFO’s cadence. The request seems urgent, and the consequence of delay could be reputational.
Tax leaders have been socialised to respond, resolve, deliver. Today, however, you pause - and you should.
It’s a phishing attack.
The evolution of social engineering risk
A new report from Tolley finds that UK tax professionals rank AI-enabled phishing attacks among the top emerging cyber threats, with deepfakes and highly credible social engineering tools cited as leading concerns.
The severity of these threats is corroborated by the UK National Cyber Security Centre (NCSC), the government’s technical authority on cyber threats. It regularly highlights how attackers use social engineering and impersonation to gain access to systems or sensitive data.
In 2025, attackers used realistic AI voice synthesis, email cloning, and context-aware prompts to personalise their scams. For example, a BBC report documented UK retailers being targeted with fake “internal IT” calls that tricked helpdesk staff into resetting credentials. As a tax leader, you often have direct access to sensitive forecasts, consolidated group models, and confidential structures: temptations worth defending.
When risk meets reputational exposure
In Tolley’s survey, four in five UK tax practitioners expressed concern about reputational and confidentiality impacts from cybersecurity breaches. For in-house teams, this is a governance risk, legal risk, and board escalation waiting to happen.
The risk becomes more severe once connected to another UK imperative. The Information Commissioner’s Office (ICO) demands that organisations protect personal and sensitive data with appropriate technical and organisational measures.
Why verification must be standard, not optional
A hallmark of AI-enabled attacks is how they exploit decision shortcuts. Under deadline pressure, even experienced tax professionals might skip verification steps that ordinarily protect the organisation.
A strong verification framework, including secondary approval processes, out-of-band confirmation, and role-segmented access to sensitive data, matters for two reasons:
1. It reduces cognitive shortcuts under pressure
When the CFO’s email requests data, a simple call-back validation to a known extension number or a two-factor confirmation prevents impulsive responses to deepfakes.
2. It embeds risk awareness into the culture of the team
A response protocol that says “always verify” without exception turns judgment into policy, not guesswork.
A broader imperative: governance, tools, and education
Verification alone is not enough. The UK government’s guidance on cyber security emphasises leadership and governance, not just technical controls. The NCSC’s board-focused resources are designed to equip directors and senior leaders with the right questions to ask, even if they are not technical specialists.
For in-house tax functions, this means more than ticking a compliance box. It means adopting a risk posture that aligns with broader organisational priorities: