CPA Now Blog Archive

This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025.

How to Prevent Fraud when the Tactics Shift

Jul 15, 2020, 05:22 AM

By Tony Carothers


Bad actors know a crisis when they see one, and they are adept at quickly adapting their tactics to leverage current events. These past months of global pandemic are a testament to that. While many of us remain working from home, we must remain as vigilant about potential security threats as we would be in the office, if not more so. As a security systems engineer, I want to share my observations and takeaways from this experience.

Changing Tactics

This may come as a surprise, but there has not been a significant increase in fraud attempts over the past few months. Our internal tracking shows fraud counts closely matching the 2019 trends. There was a 50% spike in April 2020 (compared to April 2019) as personnel acclimated to remote forms of work, and May 2020 had 60% fewer fraud instances than May 2019.

What we have seen, though, is a shift in content. Bad actors know that those of us in the workforce are hungry for updates about current events, and they use that as leverage to trick their victims into engaging with them. They view chaos as an opportunity to confuse users into interacting with fraudulent content such as clickbait articles.

The best way to protect against this type of threat is to be mindful of what you are clicking on. Hover over hyperlinks before clicking them to review the URLs. Make sure you only click on sources you recognize and trust.

Security Flaws Exposed

From a technology standpoint, businesses face vulnerabilities that they never considered when they developed their enterprise strategies and architecture.

Most enterprise IT architectures use the "eggshell" or "castle and moat" defenses, where big firewalls keep things out. With those models, all users inside the walls become trusted. Now, however, the walls have been rendered ineffective (or at least weakened) by current events, exposing internal systems to a world in which they were not built to operate. This leaves users vulnerable due to the many vectors bad actors can use to leverage their way into a laptop or home network using phishing campaigns.

According to the Association for Financial Professionals' 2020 AFP Payments Fraud & Control Report, business email compromise (BEC) remained the highest source of security risks at 61%, with external sources (such as check washing) following at 58%.

One type of BEC attack, for example, sends a hyperlink via email. Clicking the link routes the user to a server containing a simple "Hello" message, and nothing more—no malicious code or script or anything that may seem out of the ordinary. What the user does not realize is that by clicking on the link, they provided a bad actor with the source IP for their machine, compromising its security.

While at home, users' computers lie outside the castle walls that they had been accustomed to when in the office. Bad actors rely on that lack of knowledge.

Physical Security Limitations

Physical security methods, while touted as a failsafe by some, do little to add to the safety of your business. For example, let’s say your controller takes home a folder of unsigned checks for the weekend. He then stops by the gym (a prime spot for car theft) on the way home and leaves them in the car. The fact that you continue to do some things in the physical realm instead of electronically offers no benefit in such cases: your company information is still at risk.

Don't let electronic fraud scare you away from embracing automated solutions for your back-office. By teaching your employees to identify potential risks and alert your security team, your company becomes safer without sacrificing important operational efficiency.

Key Takeaways

When considering the best method for protecting your company against security threats, don't miss the forest for the trees. Protecting against one scenario may leave you open in another avenue, which in turn limits the flexibility your company demands.

The best and most surefire way to protect against email threats is to show your team how to identify them. Teach them to exercise suspicion toward unsolicited email communication and react accordingly:

  • Do not click on a hyperlink unless you trust it.
  • Do not open email attachments unless you trust the sender and are expecting the file (even a trusted sender's email may be compromised).
  • Do not provide user credentials to anyone over email or phone.
  • Lock your computer every time you step away.

Bad actors know the methods companies take to protect themselves, and they shift their attacks to circumvent those defenses. Continually working with your employees to identify new threats is a surefire way to protect against fraud. Make your entire team fraud experts, and you will ensure that your security team can dedicate more of their time to more significant threats.


Tony Carothers is the security systems engineer at Nvoicepay, a FLEETCOR company. He has over 30 years of experience in information security in both the public and private sectors. 