Tax-related fraud has been on the rise for the last several years, particularly during tax season, but the targets have typically been individual taxpayers, or corporate HR departments getting phished for sensitive W-2 and payment-related information.
The bottom line is phishing costs organizations billions of dollars per year and is the single largest entry point for all manner of data breaches and financial loss.
Picture this: It’s tax crunch time. Your firm starts receiving a flurry of calls and emails from clients asking why you’ve sent them a cryptic email that included a link to some malware.
You dive in to investigate only to discover that your email has been compromised, and someone has gotten access to all of your client contacts and their tax information. In addition to talking clients down from a ledge, you’ve now exposed yourself to financial liability and client turnover. Congratulations! You’ve just joined the large and growing dubious fraternity of organizations that have been victimized by a phishing attack.
As people have become more savvy, hackers are starting to turn their attention towards higher-value targets, namely small and medium-sized accounting businesses. Accounting firms in general are attractive targets because they represent a point of data aggregation as they are custodians for sensitive information for large numbers of clients. And while larger firms have the benefit of skilled IT and security staff, small and medium-sized firms are particularly juicy for bad guys; that’s because they frequently lack the technology, resources, and training to properly protect themselves.
While still employing tried-and-true phishing tricks--such as using keywords that denote a sense of urgency, hackers are also becoming more sophisticated in their tactics. Increasingly, bad actors are more likely to do research via social networks and review sites to pinpoint specific clients of your firm.
They can also spin up lookalike internet domains or personal Gmail or Yahoo email addresses to closely mimic what emails from your actual clients might look like. Their intent is to use these tactics to phish your firm so that they can collect your credentials, or plant malware that can track the passwords you use to access various online systems.
Once hackers get that, they have the keys to the kingdom in terms of access to client data. Worse yet, you may not discover that you’ve been breached until it’s too late.
What Can You Do?
Fortunately, there are several things that even a lean IT department can do to protect your firm and your clients. In security there are always varying layers of protection and a few simple steps can make a large difference in keeping you and your firm safe. Remember, if you don’t want to get eaten by a lion, you don’t have to be the fastest gazelle--you just don’t want to be the slowest one.
1. Send a clear communication to your clients indicating how you will reach out to them and that they should never include any sensitive information (passwords, SSNs, banking information, etc.) in email. If they receive something that looks like it’s coming from you, they should contact you directly to validate that request.
2. Speak with your staff about the importance of being vigilant for false communications that look like they’re coming from clients. Be on the lookout for atypical activity and when in doubt, err on the side of caution.
3. Stop using email for sharing tax documentation and returns. There are many platforms that are cost-effectively available that provide bank-grade security for communicating and sharing documents with your clients.
4. Turn on Two-Factor Authentication (2FA) for all your systems where available. 2FA is the use of a secondary channel of identity verification in addition to your password, for example a text message to your mobile device, prior to being allowed access. This is available for most email platforms and financial tools, and this simple step will make it significantly more difficult for an attacker to compromise your systems.
5. Use anti-phishing platforms to protect your employees from getting phished. There are a broad variety of solutions available that can provide you with a strong and user-friendly solution. While some are designed for large enterprises, look for ones that are cost-effective, easy to deploy and use, and are geared for small and medium businesses (SMBs).
In particular, look for solutions that provide an active defense that will notify your users in the event of a suspicious email, before they have a chance to click on a bad link or download malware onto their computer.
Hackers know that potential victims are most vulnerable when they are overworked and in the accounting world that means tax season. Stay vigilant and follow these simple techniques to safeguard your client data and, by extension, your firm.
Ranjeet Vidwans is co-founder of Clearedin, which helps organizations defend against phishing attacks. He brings 25 years of technology experience across a number of successful cybersecurity startups as well as blue chip firms like Cisco and Oracle