A phishing scam is an attempt to collect sensitive information from users by deceiving them into thinking that the phishing email came from a legitimate organization, and/or a trusted individual. The majority of phishing articles in the press are focused on the dangers to individual users. However, over the past few years, the phishing problem has also plagued organizations of all sizes. Smaller companies are often more vulnerable to phishing threats simply because they have limited resources to dedicate to educating their users, and investing time and money into technology tools to help prevent the problem from occurring.
Spear Phishing is the scam that most often affects organizations. Most people would automatically trust an email if it appears to have come from someone inside their organization. These are highly targeted attacks, where scammers get ahold of the corporate directory of the company they target. Masquerading as an employee’s colleague, they often choose to impersonate someone in the position of power (CEO, CTO, etc.) to persuade the individual they target from revealing information without questioning the reasons as to why they are requesting it.
Accounting firms are great targets for phishing attacks. They are often small organizations without an IT and legal department to warn and protect them from potential threats. They handle valuable information of their clients, such as social security numbers, addresses and financial data.
Just recently, the IRS issued a warning to tax preparers about a phishing message sent out by criminals impersonating the IRS, and asking tax preparers to update their IRS eServices information (Accounting Today, November 2015).
According to the IRS, the above example is not an isolated incident. In fact, these types of scams have increased by about 400% over the past year (the Naked Security report by Sophos, March 2016).
Filing fraudulent tax returns by using stolen W2 forms is yet another popular phishing scam that can affect both accounting firms and HR departments. A number of companies have recently been defrauded via spear phishing attacks designed to steal W2 forms, including Kantar Group (28,000 employees), Sprouts Farmer’s Market (17,000 employees), and many others (Krebs on Security, March 2016).
Even though accounting firms often lack resources of larger organizations, there are simple things they can do to protect themselves, and their customers:
• Educate their employees – Being aware of the problem is the first and most important step to preventing users from falling victims to phishing attacks. Each company needs to develop simple-to-follow rules on how to use email inside their company. Employees should never send out sensitive information using unprotected email, and without double-checking the source of the request.
• Software updates – Always keeping their software applications and browsers updated will help reduce the number of scams delivered to the user inbox, as well as help protect users from accessing fake websites.
• Email Security – Email encryption solutions will enable the recipient to ensure a received message came from a legitimate source. To open messages, the recipient has to enter agreed upon information specified by the sender, and known only to the recipient. Such solutions also ensure content of messages cannot be read if ever intercepted while in transit, offering double protection for senders and receivers.
Accounting firms that continue to ignore phishing threats leave themselves exposed to lawsuits by their clients. Protecting their sensitive information should be a top priority for any organization. With a wide variety of security solutions available to organizations today, it’s easy to pick a user-friendly system that is not expensive or time-consuming to maintain.
Todd Sexton, MBA is the CEO and Director of Identillect Technologies. Sexton specializes in security and compliance and frequently consults, lectures and publishes on security related topics.
Comments powered by CComment