by Roman H. Kepczyk, CPA.CITP, CGMA
Phishing attacks are consistently listed as one of the top cyber threats impacting CPA firms. They are most often malicious emails containing malware, viruses, and/or links to unscrupulous websites that harvest personal and business data. Hackers then use that information to steal identities, file fraudulent tax returns, capture login/password information, and encrypt the firm’s data with ransomware. All firms should regularly remind their people of these threats and update them on the ploys that cyber criminals use. Here are some specific considerations when educating your staff about today’s phishing threats.
Use professional skepticism: Firm members should always be skeptical of emails that are urgent, require immediate action, and in particular, are unexpected. Hackers know that basic human nature makes people lower their guard when they feel that they are in trouble, at risk of losing something (such as access to accounts), or when a vendor, client or higher-ranking staff member makes an urgent plea for help.
Response: Emails that are urgent, unexpected, and require immediate action should raise red flags in the recipient’s mind and cue them to look carefully for other warning signs. If firm members have doubts, they should contact the sender through other means (telephone, texting) to verify the validity of the email.
Inspect emails: The days of amateurish phishing emails containing poor grammar, misspellings and obviously fake graphics have given way to highly sophisticated attacks that often “spoof” (mimic) the email address of someone you know or appear to be sent from a familiar organization, vendor or client. Hackers collect information from firm websites, social media accounts (Facebook, LinkedIn), and other public resources to identify potential trusted sources and then use automated programs to send phishing emails that appear to be from them.
Response: Whenever any red flags are raised, recipients should inspect the sender’s email address by hovering over the address to verify if it is valid. Firms should establish and communicate a process to report and discard emails with invalid addresses or other signs of phishing to minimize the risk that other firm members will become victims.
Watch for hacked accounts: Hackers use stolen email login names and passwords to send phishing/malware emails to every person in that individual’s email contact list. The cybercriminal may even operate “live” in the hacked account and respond to emails being sent to the compromised account in response to the initial phishing email.
Response: If you think the sender’s email has been hacked, contact the sender through another secure means or get in touch with the sending organization. Firms can minimize the risk of their email accounts being compromised by using multi-factor authentication, in which the owner of the email account must verify that they are logging in before using the account.
Identify red flags: Make sure your people are aware of other signs of phishing attempts. For instance, if an email was sent at 2:00 am or on a day when the sender’s office would normally be closed, it should raise suspicions. Hackers also often use a subject header that includes a reply (RE:) or forward (FW:) to make the recipient believe the email is the continuation of a previous conversation. Hackers may employ a vague salutation, such as Dear Employee, Hello Friend, or Hey Client. That’s a warning sign if you would normally receive a more personal salutation from that sender. Another significant red flag is an unusual choice of words or a writing style within the email that is out of character for the sender. Remember that attacks can be seasonal in nature. Tax attachments and notices closer to tax deadlines, and unexpected shipping notifications or extreme coupons and discounts during holiday periods, can be a sign of a phishing attempt.
Response: Share examples of phishing emails that point out the various phishing red flags with staff.
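For firms with technical staff, the red flags above and the sender check from the "Inspect emails" step can also be screened for automatically. The following Python sketch is an added example, not part of the original article; the office hours, the known-contacts list, the flag names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Greetings quoted in the article; the office hours are an assumption.
GENERIC_GREETINGS = ("dear employee", "hello friend", "hey client")
OFFICE_HOURS = range(8, 18)  # 08:00-17:59 in the sender's stated time zone

def red_flags(raw, known_contacts):
    """Return red-flag labels; known_contacts maps display name -> usual domain."""
    msg = message_from_string(raw)
    flags = []
    # What hovering over the address reveals: a familiar name, an unfamiliar domain.
    display, addr = parseaddr(msg.get("From", ""))
    expected = known_contacts.get(display.strip().lower())
    if expected and addr.rpartition("@")[2].lower() != expected:
        flags.append("sender-domain-mismatch")
    # RE:/FW: subject with no threading headers, so no earlier conversation exists.
    threaded = msg.get("In-Reply-To") or msg.get("References")
    if re.match(r"\s*(re|fw|fwd)\s*:", msg.get("Subject", ""), re.I) and not threaded:
        flags.append("reply-without-thread")
    # Sent in the middle of the night or on a weekend.
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        if sent.hour not in OFFICE_HOURS or sent.weekday() >= 5:
            flags.append("sent-outside-office-hours")
    except (TypeError, ValueError):
        flags.append("missing-or-invalid-date")
    # Vague salutation at the start of a plain-text body.
    body = "" if msg.is_multipart() else msg.get_payload()
    if body.strip().lower().startswith(GENERIC_GREETINGS):
        flags.append("generic-salutation")
    return flags

# Constructed sample data (not real mail); .example domains are reserved for documentation.
KNOWN = {"pat example": "client.example"}
PHISH = """\
From: Pat Example <pat.example@mail-client.example>
Subject: RE: Unpaid invoice, action required today
Date: Tue, 12 Mar 2019 02:00:00 -0500

Dear Employee, confirm your password today to keep your mailbox open."""
LEGIT = """\
From: Pat Example <pat@client.example>
Subject: RE: Q1 estimates
In-Reply-To: <q1-thread@firm.example>
Date: Wed, 13 Mar 2019 10:15:00 -0500

Hi Jordan, the signed forms are attached as we discussed."""
```

A flagged message is a prompt to verify with the sender through another channel, not proof of phishing; legitimate mail can trip any one of these checks.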
Take care with attached documents and links: Hackers use file attachments and links to websites to install malware on the victim’s computer. If staff have any doubts about the validity of an email, they should not access or download the document or click on website links included in the email.
Response: Remind staff to go directly to websites and type in the address or to separately verify that the client intended to send the attachment. Share information on valid website domains and formats so when they type them directly into their browser, they can differentiate between real and fake accounts.
Consider mobile threats: In an increasingly mobile workplace, hackers have responded with phishing texts as well as emails. Because mobile device screens and browser windows are smaller, the recipient may not be able to see an entire link or it may be hidden with a redirect (TinyURL), which can download malware or capture the user’s login credentials.
Response: Security training should include specifics on using mobile devices and the types of attacks targeted towards them. Mobile devices that access firm resources should have the same cybersecurity requirements as firm computers.
With CPAs relying so heavily on digital communications, cybersecurity will continue to be a significant concern for all accounting firms. For more information and effective tools to use in protecting your firm, turn to the AICPA cybersecurity resource center and the PCPS cyber checklist. And remember to schedule proactive and ongoing training and updates on all aspects of security, including phishing, to minimize the risk that the firm will be victimized by cybercriminals.
Roman H. Kepczyk, CPA.CITP, CGMA, LSS BB, is the Director of Firm Technology Strategy for Right Networks and works exclusively with CPA firms to implement today’s leading best practices and technologies, incorporating Lean Six Sigma methodologies to optimize firm production workflows. Roman is also the author of the 2019 Edition of “Quantum of Paperless: A Partner’s Guide to Accounting Firm Optimization,” which is available for download to members of the AICPA PCPS section.