Over recent times, security discussions have undergone a transformation in order to counter evolving cybercriminal tactics.
Initially, focus centered on safeguarding client data to prevent financial and reputational harm. This resulted in investments in single sign-on (SSO), multi-factor authentication (MFA), and a shift to cloud-based software with robust online security.
But with this improved data protection, hackers shifted their attention to exploiting vulnerabilities within the communication medium itself: email.
Consider this: controlling someone’s email account equates to possessing their identity. In essence, email gives hackers access to relationships, applications, and data—a digital key to their kingdom.
Let’s look at some of the factors that make email the primary cyber threat for accountants in 2023.
The pandemic catalyzed an escalation in email activity among accountants, reflecting the evolving ways businesses now communicate and collaborate.
And hackers are capitalizing on this surge in volume. The increasing influx of emails makes it challenging for time-strapped accountants to discern legitimate messages from potential threats, allowing well-crafted phishing emails to blend in seamlessly.
Email compromise techniques have grown more sophisticated, with hackers abandoning the ‘spray-and-pray’ approach.
Instead, they employ targeted phishing tactics, particularly against industries housing sensitive information and trusted payment partners. ‘Spear-phishing’ attacks often focus on leadership within accounting firms, as executives possess valuable financial data and may lack proper cybersecurity training.
Shockingly, 2022 recorded the highest rate of mobile phishing attacks in history, as highlighted by Lookout.
"Mobile phishing attacks are often more successful than traditional phishing attacks, as people are more likely to open emails and click on links on their mobile devices."
— Cybersecurity and Infrastructure Security Agency (CISA)
AI-powered tools make it easier for hackers to launch impersonation attacks.
A recent study revealed that 67% of email-based cyber attacks leverage AI technology, rendering them harder to detect and counter.
Tools like ChatGPT have transcended language barriers, enabling hackers from non-English speaking countries to replicate communication styles seamlessly. This surge in high-targeted impersonation attacks leaves firms grappling with detection challenges.
With these factors in mind, accounting firms handling sensitive client data face a rising wave of email-based cyber attacks called Business Email Compromise (BEC) attacks.
BEC attacks involve identity fraud, a form of social engineering where cyber criminals exploit trust to manipulate individuals into divulging confidential information or performing actions that benefit the attacker.
BEC attacks appear as diverse as business emails themselves, with some common examples listed below. It's essential to note that this list isn't exhaustive—hackers continuously devise new ways to camouflage their attack.
CEO fraud: Hackers impersonate high-level executives, often CEOs or CFOs, to solicit unauthorized payments or wire transfers.
Vendor email compromise: Attackers infiltrate a vendor's email account to send fraudulent invoices or payment requests to customers.
Data theft: Cybercriminals access an employee's email account to pilfer sensitive data, which can be exploited in future attacks or sold on the dark web.
Gift card scams: Attackers impersonate executives or suppliers and prompt requests for gift card purchases from employees.
Account compromise: Hackers gain access to employee email accounts, sending fraudulent payment requests or accessing sensitive data.
Effectively thwarting BEC attacks relies on three pillars:
A well-informed team
Defense against BEC attacks demands security measures that transcend conventional data protection.
This means it’s wise to prioritize identity and permission protection at your firm, using industry-specific access management platforms like Practice Protect.
It’s also important to Incorporate multi-factor authentication, restrict log-ins by country, monitor suspicious activities, and enable notifications.
Practice Protect's Email Hub ensures email confidentiality and integrity, fortifying your firm against phishing, malware, and spam.
With the rise of cloud technologies, accountants are juggling multiple unique identities for various cloud apps. Cybersecurity solutions have adapted to this new reality, shifting from securing data storage to safeguarding access to cloud apps.
Remember, BEC attacks target individuals, not just systems. Proper education is vital—train your team to identify BEC attack signs, spot spam, and respond appropriately.
Some ways to safeguard your firm with policies and procedures:
Ensure all your critical processes are documented
Ensure payment policies mandate phone confirmations for new account details
Extend similar procedures to clients with secondary confirmation protocols
Review cyber insurance policies and check whether there is coverage for BEC attacks
Scrutinize insurance policies for social engineering attack coverage like BEC
Establish clear IT and internet usage policies and ensure they are understood by all employees
Guarding against BEC attacks is a collective effort, safeguarding your firm's integrity, client trust, and financial security. Act now to protect your digital kingdom.
Latest news, events, and updates on all things app related, plus useful advice on app advisory - so you know you are ahead of the game.