Phishing is one of the most common types of cyberattacks facing accounting firms as criminals work to follow the money, targeting the keepers of large amounts of confidential financial information.
And with tax season in full swing, we should take a look at what accounting firms and tax preparers need to know about phishing attacks, as well as how they can keep their practices and clients safe.
What is a Phishing Attack?
In a phishing attack, the cybercriminal, posing as a trustworthy source, tries to trick the recipient into taking the attacker’s desired action, such as providing sensitive information. A cybercriminal can cast a wide net with a phishing attack or hand-select a potential victim in a more targeted attack called spear phishing. Once a person takes the bait, the attacker can then use that information to carry out the malicious deed.
Types of Phishing Attacks
One phishing scam making the rounds this tax season involves an attacker pretending to be from the IRS, from another accounting firm, or from a client, and asking for legal or tax forms such as a W-2 or W-9. The attacker then races to use the employee W-2 or contractor W-9 to file fraudulent tax returns.
Some other phishing attacks that we’ve been seeing recently involve scams targeting PayPal users and those appearing to be from Apple Tech Support. These phishing emails revolve around your account being “hacked” or an “important” notice regarding your data.
How to Recognize a Phishing Attack
While phishing can take the form of online advertisements or a phone call, it most often arrives as an email. Remember that legitimate businesses should not ask for your password, login names, Social Security numbers, or other personal information by email.
If you’re not sure if an email is legitimate, there are several red flags to look out for:
Unfamiliar sender. If the email is coming from a sender that the user doesn’t have an account with or doesn’t do business with, it’s nearly always a phishing email.
Invalid web address. Attackers can vary a URL slightly – http://gogledoc.com-stz.info/ instead of docs.google.com – to make a fake website look authentic. Get familiar with the websites you visit often and don’t click a link unless you have verified it points to the correct address. You can do this by hovering your mouse pointer over the link and inspecting it carefully for misspellings, making sure it leads somewhere you trust, such as your client’s website.
Spelling errors/typos. A fake email is often loaded with spelling and grammatical errors. It also contains information that is out of context or uses an unprofessional tone.
Odd formatting. A fake email often has your own email address in the “From:” field, a mismatched sender name and address (the sender’s name could say Bob Jones, but the address might be [email protected]), or a double greeting such as “Dear Mr. Jones” followed by “Dear Sir or Madam.”
Unusual requests or promises. The old adage “if it sounds too good to be true, then it is” applies here. An attacker may promise a lot of money for no effort on your part or ask you to provide money up front for questionable activities.
Urgent tone. Cybercriminals convey a sense of urgency to get you to act quickly without thinking. Watch out for phrases like “hey, can you get me the information in the next two hours – I need it for a meeting I’m going into,” or “failure to act may render your account inactive.”
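As an added example (not code from the original post), the red flags above turned into a small heuristic checker that runs over two constructed sample messages; the list of known domains, the sample addresses and the phrase lists are assumptions for this example, not a vetted rule set.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the firm actually exchanges mail and links with.
KNOWN_DOMAINS = {"firm.example", "clientco.example", "docs.google.com", "irs.gov"}
# Phrases from the article's "urgent tone" and "sensitive information" red flags.
URGENCY = ["in the next two hours", "failure to act", "account inactive", "immediately"]
SENSITIVE = ["password", "social security", "w-2", "w-9", "login"]
LINK_RE = re.compile(r"https?://[^\s<>\"']+")

def known_host(host: str) -> bool:
    """A host is known if it is a listed domain or a subdomain of one."""
    return host in KNOWN_DOMAINS or any(host.endswith("." + d) for d in KNOWN_DOMAINS)

def red_flags(msg: dict) -> list:
    """Return the article's red flags that a message trips (rough heuristics)."""
    flags = []
    name, addr = parseaddr(msg["from"])
    addr = addr.lower()
    if not known_host(addr.rsplit("@", 1)[-1]):
        flags.append("unfamiliar sender")
    if addr == msg["to"].lower():
        flags.append("from address is your own")
    # Display name "Bob Jones" whose surname does not appear in the address.
    if name and name.split()[-1].lower() not in addr:
        flags.append("sender name does not match address")
    for url in LINK_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if not known_host(host):  # e.g. gogledoc.com-stz.info posing as Google Docs
            flags.append(f"unfamiliar link host: {host}")
    body = msg["body"].lower()
    if any(p in body for p in URGENCY):
        flags.append("urgent tone")
    if any(p in body for p in SENSITIVE):
        flags.append("asks for sensitive information")
    if body.count("dear ") > 1:
        flags.append("double greeting")
    return flags

# Constructed sample messages (not real mail).
PHISH = {"from": "Bob Jones <rk2991@freemail.example>", "to": "cpa@firm.example",
         "body": "Dear Mr. Jones, Dear Sir or Madam, failure to act will render your "
                 "account inactive. Upload your W-2 at http://gogledoc.com-stz.info/upload"}
LEGIT = {"from": "Alice Chen <alice.chen@clientco.example>", "to": "cpa@firm.example",
         "body": "Hi, the Q1 statement is in our shared folder: https://docs.google.com/document/d/abc"}

if __name__ == "__main__":
    for label, m in (("phish", PHISH), ("legit", LEGIT)):
        print(label, red_flags(m))
```

A message with several flags deserves a phone call to the apparent sender before anyone clicks; a clean result is not proof of legitimacy.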
Educating and Training Users on Phishing Attacks
Your firm should conduct regular security awareness training for employees on everything from how phishing works to what common phishing attacks look like. Train employees not to open emails that are unfamiliar or click on suspicious links.
As part of your training, you can manually send a fake email or use a simulation tool like InfoSec’s Security IQ that sends these emails to your staff and then reports on how they respond. The findings of these tests can help you plan your next security training sessions, so it’s best to run them a couple of times each year.
To educate customers, we recommend sending an email to them letting them know about the dangers of phishing and what to look out for. Explain to them the information your firm will never request and how to report issues. Give them the details on how they can securely submit their information, create strong account passwords, and follow other security best practices.
Protecting Rogue Clickers
Even with the best user education programs, sometimes your staff clicks. Maybe the message was very compelling or showed no signs of maliciousness.
In this case, you will need malware protection. These solutions detect when an employee clicks a link in a phishing email and block the attacker from carrying out the rest of their nefarious mission.
Security as a Business Enabler
Attackers have such high success rates with phishing that they’re not backing down anytime soon. Use these tips to protect your customers and your firm from phishing attacks during tax season and beyond, and you’ll also improve your brand reputation, increasing customer loyalty and retention.
Todd O’Boyle is a co-founder and CTO at Strongarm, an Allied Minds company, and spent 15 years at The MITRE Corporation providing technical support to the Department of Defense and the intelligence community.