How CPAs Can Spot a Social Engineering Scam
A seasoned corporate accountant will often first detect a problem when a situation fails to pass a “sniff test”. That is, the CPA might generally sense that something is wrong with the corporation’s books and records before he or she determines the source and nature of the problem. CPAs can use this same intuition to spot social engineering scams that hackers launch to steal data from companies or to freeze up their internal systems and data with ransomware.
CPAs and accounting firms have become a prime target for hackers, largely because of the amount of financial information that they hold for several different clients. Also unlike their clients, CPA firms generally have fewer cyber defenses around their internal systems. During the tax season and around other times of the year, cyber thieves rely on moments of inattentiveness to launch social engineering scams that might give them access to a CPA firm’s data trove.
How A Social Engineering Scam Works
Many social engineering scams follow common fact patterns and forms. They bypass technical defenses, including firewalls and anti-virus software, and rely on the vulnerability and emotional responses of a CPA firm’s employees. A social engineering scam might initially appear to be legitimate, but an accountant’s finely-honed intuitive sense can help him or her to sniff out the fake from the genuine.
- “Phishing” scams originate with email requests that appear to come from legitimate sources, and that ask the recipient to click on a link or to transfer data or funds somewhere outside of the business. The typical accountants who developed a more conservative approach will look deeper into the request before taking any action.
- “Ransomware” attacks follow a similar pattern, in which an employee within an organization will receive an email that includes a “PDF.zip” or some similar attachment and an urgent request to take quick action. When opened, the attachment encrypts the accounting firm’s data and systems and withholds an encryption key pending the firm’s payment of a ransom to a designated account.
- Cyber thieves often hijack social network accounts to derive information about an individual’s employment, interests, and contacts. That information is then used to launch social engineering scams that are more believable because they include more personalized information.
Defenses
CPAs can protect themselves and their firms against social engineering scams and other cyberattacks first, with their intuitive sense of what is legitimate and what is fake, and second, with training and education, technical defenses, and post-breach containment strategies.
Regular training and education will raise awareness among a CPA firm’s employees about the type of social engineering scams they are likely to face. Regular training can also instill the importance of good cybersecurity practices among employees, including refraining from using free Wi-Fi networks and employing different passwords for different account logins. Because social engineering scams are constantly evolving, training needs to be conducted regularly to maintain awareness of current threats.
Every CPA firm should also install robust technical defenses and protective strategies in their information systems networks, including firewalls, ant-virus software, and tracking software that logs both incoming and outgoing data.
What If It Happens To You?
Lastly, because data breaches are not absolutely preventable, every CPA firm should have a post-breach containment strategy with a broad cyber insurance policy that will provide reimbursements for a firm’s direct losses and third-party liabilities that flow from a data breach. Domestic and international professional accounting associations have universally concluded that cyber insurance for accountants is a necessary addition to every CPA firm’s cyber defense strategies.
A CPA firm that loses control over its clients’ data and financial information will face potentially ruinous liabilities as well as losing its reputation as a firm that can be trusted to hold and maintain client confidences. Cyber insurance will provide resources to help a CPA firm to stem these losses and maintain a reputation for quality and reliability.
.