CAMICO’s reported cyber-related claims show hacker attacks on CPA firm email systems were the most frequent cause of losses for firms for the 14-month period from July 2018 through August 2019. These claims accounted for almost two-thirds of cyber-related claims.
Cyber-criminals who access firm email accounts often manipulate incoming and outgoing messages. In some cases, hackers sent email messages to all addresses in the email account’s “Contacts” list, resulting in mass emailings to hundreds of recipients. The attacks
were then reported to the CPA firm by clients who had received the bogus outgoing messages. These messages often attempted to trick recipients into clicking on links, pop-ups, or attachments (phishing scams) to compromise accounts or trigger malware.
Once a fraudulent link or attachment is clicked, hackers can install malware and access other email accounts and internal computer networks. Hackers will spend time studying email messages and computer systems in preparation for ransomware attacks. The attacks encrypt files and data, rendering them inaccessible. The hacker may then demand a ransom in exchange for the release of the files.
Many claims are related to tax return preparation. A trend appears to involve waiting until just before a tax return deadline to launch an attack that encrypts all of the tax files. A demand is then made for ransom in exchange for access to the files. Ransom demands ranged from about $1,000 to $20,000.
E-filing identity theft and Social Security Numbers being used by fraudsters continued to pose problems for clients and firms. Hackers are still successful in tricking firms into changing bank account information for the direct deposit of tax refunds into the fraudsters’ accounts. A favorite technique is to use an email address that is one character off from the client’s email address—just close enough for recipients to think the email is legitimate.
Third-party online vendors also experienced security intrusions and breaches, including online tax and accounting software services, cloud storage, and virtual desktops. Some of the breaches at vendor websites exposed confidential client and firm information. CPA firms are having to pay more attention to the types of risk that third-party service providers pose.
Fraudulent wire transfers frequently cause large dollar losses. If the fraudster is controlling the client’s and the firm’s email, commonly referred to as a “man in the middle” attack, and the fraudulent request mimics previous legitimate requests, it is very difficult for the firm to identify the request as illegitimate.
Employees also caused problems for firms when they copied client information onto portable or flash drives before terminating their employment with the firm.
Loss Prevention Tips
In one case, the hacker emailed the CPA firm and explained that the reason the firm’s computer system was being hacked was because the firm’s browser software had not been updated, making it easy for the hacker to access the system. The hacker then demanded a ransom in exchange for the hacker leaving the firm’s client accounts alone.
- Be sure to use software with updated security options to defend against malware, viruses, and phishing and hacker attacks. Create and enforce a policy to regularly update and patch all software.
In another case, a CPA was typing in a website address (URL) for his tax software provider when a pop-up showed him a URL and asked him if that was the website he wanted. It looked like what he wanted, so he clicked on the pop-up, thereby allowing malware into his computer. Afterwards, it was determined that the URL he clicked had an extra period in it.
- Never click a link, pop-up or attachment without first hovering your cursor over the link to display the URL. If it’s not a URL you recognize, or if it’s abbreviated or tweaked in any way, don’t click it.
- Use your professional skepticism to avoid becoming lulled into a sense of comfort regarding email and other communications from clients and third parties. Any requests for money to be transferred to a bank account unfamiliar to you is often a red flag, especially if the new account is in another country.
- If the firm’s protocol is to permit requests for wire transfers to be made via email, then have a procedure in place to confirm requests other than email and proceed with the wire only after confirming with the client that the request is legitimate. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the actual bank account number. To verify the authenticity of the request, confirm information only known to the client (ask questions to which hackers would not know the answers).
- Educate all employees about good cyber-hygiene and how to avoid phishing attempts that target them with social engineering techniques designed to install malware or to deceive and elicit confidential information.
- Obtain a verbal confirmation if you receive an email from a client requesting changes to their tax refund destination.
- Back up all important data and information frequently to reduce the likelihood that critical data is lost in the event of a cyber-attack or physical incident such as a fire or flood. Protect the backups in a remote or external location where they are safe from ransomware that seeks out backup copies. Periodically, verify whether backups are working.
- Add another layer of security with multi-factor authentication. Usernames and passwords alone are often insufficient for preventing account takeovers. Adding and combining factors provides greater protection.
- Avoid public wi-fi or hotspots when inputting or working with personally identifiable information (PII). Cyber-criminals can easily see individuals’ information on public wi-fi. Wait until you’re on a trusted network.
- Install a secure client web portal1 that will archive and store your clients’ personal documents and data. A portal will lower your staff’s administrative burden, ease the burden of locating important electronic documents, and eliminate the need to hunt for those documents within extended email threads.
More information and guidance is available in the Cyber/Data Security Resource Center www.camico.com.com
on the CAMICO Members-Only Site (log in at
See updated sample portal agreements and risk management guidance on client portal agreements in the article on “ New ‘Hosting Services’ Interpretation – Is Your Independence Impaired?
” in IMPACT 115.