By Maureen Renzi, vice president – communications

Cybercriminals continue to get more creative in their schemes to access confidential data. At a recent PICPA Corporate Finance Cabinet meeting, CPAs were swapping stories of recent breaches (or near breaches) and lessons learned. Sometimes these tales have a costly lesson. Here are some of the CPAs' experiences and tips on how to protect your data.

The Stories

Sales staff misstep – My company moved to a major cloud email provider a few years ago. Despite an annual security education program, one of our sales staff fell prey to an email phishing scheme. This salesperson was tricked into providing his email credentials after one of his contacts had been phished and sent him a legitimate-looking email. The compromised credentials would have allowed the hackers to access the salesperson’s email account via the cloud email provider. Thankfully, the salesperson immediately realized the error and notified the tech team so we were able to quickly change the credentials and mitigate the situation.

Accounts receivable phishing bait – We believe the accounts receivable clerk clicked on a file or link and then gave her credentials when asked for Office 365 login information. Hackers obtained access to her email account, and they started contacting customers with bogus email addresses that resembled the original email address (extra letter, etc). They also drafted letters with the names of people in the organization and created fictitious email chains with multiple bogus email addresses to make the correspondence and topic seem plausible, and also conducted follow-up phone calls to convince customers to change bank information. The intent was to solicit payments to a fraudulent account. Even after access was removed by password changes, there was information that had been obtained that was used for additional weeks. Only one customer was tricked into paying the wrong account. Most customers called or emailed other contacts in the organization to verify the requested change. We also emailed/called our customers when we realized they were being contacted.

The HR payroll payout – In December 2018, my HR manager received an email from our director of sales, or so he thought. He went into our payroll system, changed the employee’s banking information, and thought everything was good to go. He never picked up the phone to confirm; just emailed back and said the change was made. The Saturday after Christmas, I received a phone call from the director saying he never got paid. I looked in the system, saw we processed a direct deposit, and mentioned to him about a change of account. He explained he never changed his information. We looked back at the email and saw it was the sales director’s name but not his address. At that point, it was too late. The money we deposited was gone. It was a very expensive lesson for our HR manager.

Kidnapped data – We had a fairly large client with 20 to 30 computers attached to their server and network. One staff member clicked on a virus that encrypts all files. All it took was one click and that virus infected their entire network, including their server and the backup drive that was attached to the server. The client was unable to recover their data, and had to pay ransom of about $6,000 to get the key to decrypt the files. Even after decryption, there was still a lot of work to do to get everything back up and running. All told, this cost the client somewhere around $30,000.

Tips to Protect Data

Throughout the discussion, a common theme was the need for continuous security education of all employees. Those who experienced a hack accelerated routine phishing training for all email users. Some companies are regularly sending out test email hacks to ascertain employees’ awareness of questionable email. Here’s a quick test to measure your savvy when it comes to identifying hacks. Educating customers and clients is also key, as demonstrated by the accounts receivable story.

In two of the scenarios, the companies initiated a two-factor authentication to mitigate risk in the future. Explains one victim, “If we had dual-factor authentication set up, we would have prevented access, even if credentials were improperly given out. If the collections emails were all flowing through the accounts receivable email address, the fraudulent access would not have provided information on customers we were sending collection emails to.”

For the kidnapped data case, daily backups would have been the simple solution. The CPA observed, “Had the client been taking backups off site on a daily basis, the backup could have been restored with minimal effort and expense. They left the backup drive on site and attached to the network, which left it vulnerable to infection.”

Here are a few tips to consider in your fraud prevention and training efforts:

• Look out for unexpected requests to validate your Office 365 security. If you open a file and it requests login credentials, it is likely a phishing attempt to gain access to your Office 365 account.
• Notify customers if you suspect unusual communications may be sent to them.
• Ensure there are validation processes to accept a change to payment instructions.
• Scrutinize communications from trusted people to detect minor changes to email addresses, etc.
• Be sure to make online transactions only on secure websites that use the “https” protocol.
• Schedule annual training on anti-phishing trends and techniques.
• Randomly send out spoof emails to employees to see if they take the bait, and provide additional anti-phishing training to those that respond.

Online fraud attacks are a drain on technology resources, and some estimate it costs organizations more than $1.5 billion annually. CPAs can take a lead role in providing education to employees that will both benefit the company and help employees spot fraudulent emails that could impact their own personal assets.

Special thanks to the PICPA Corporate Finance Cabinet members who shared their stories and tips to make this blog possible: Marlene Haws, Aaron R. Risden, LeeAnne N. Stump, and Robert J. Swetz.