With a wealth of sensitive client information, accounting practitioners are prime targets for cybercriminals such as hackers and scammers intent on stealing data.
By Adam Turner
Scammers are stepping up their attacks on Australian businesses, often targeting human frailties rather than technological weaknesses as they aim to take small businesses to the cleaners.
Confidence scams have become more sinister and difficult to spot in recent years as scammers shift their attention from individuals to businesses.
Along with tempting the public with offers that appear too good to be true, like winning a foreign lottery, scammers are also luring people in business with claims that appear too mundane to be false – from outstanding bills to unclaimed tax refunds.
Even ransomware infections like WannaCry, which spread quickly throughout an organisation, usually get a foothold by first tricking a staff member into opening an infected attachment or clicking on a malicious link.
Related: How to protect yourself from ransomware
Nearly 6000 businesses reported being targeted by scams in 2016, according to the Australian Competition and Consumer Commission’s Targeting Scams report, with total losses increasing 30 per cent to around $3.8 million.
Accountants in the firing line for cybercriminals
It's a threat that Australian accountants can't afford to ignore, as the nature of the client data they handle means they have a high-risk profile, says Drew Fenton CPA, managing director of Fenton Green & Co insurance brokers.
"Don't make the mistake of thinking these kinds of attacks only happen to other people,” Fenton says.
“Even if you're a small accountant out in the suburbs you're still at risk and it's important to understand that risk if you want to mitigate it.
"For accountants, it's not just the risk of a ransomware-style attack. The sensitive client information you handle also puts you at extra risk of data theft with hackers looking to sell your customers' details on the dark web."
Related: The accountants' role in combatting cyber crooks
Regularly backing up data offers protection against ransomware by allowing businesses to restore from backups rather than giving in to demands. Using cloud services and storing data in enterprise-grade cloud storage, rather than onsite, can also help foil hackers.
Even backups can backfire
Even with backups in place it's easy for small businesses to underestimate the threat of an attack and the wider consequences, with Fenton citing the example of a sole practitioner who elected to wipe her computer and restore from data backups rather than give in to ransom demands.
"She thought her data backup strategy was foolproof, but unfortunately she didn't have the discs to reinstall all her old software," Fenton says.
"When she purchased a new version of the software it wouldn't load data backups in the old file format.
"She would have been spared this pain if she was using subscription cloud services, paying a few dollars per month to securely store her data online with access to the latest version of the application."
Some ransomware attacks spread rapidly through an organisation, encrypting important files and then demanding payment for their release. Others silently gain a foothold, after which the scammers extort the business and threaten to unleash the attack if their demands aren't met.
The networked nature of modern organisations makes them extremely vulnerable to such attacks.
Indeed, Fenton cites the example of an Australian manufacturer which saw an infection spread from the back office to the factory floor, where it felled production line robots. The incident brought the business to a standstill and resulted in four weeks of downtime.
"The impact of these attacks can be far wider than just the computer on your desk, as in this situation it disabled an entire factory," Fenton warns.
Cyber risk management and cyberattack prevention
"Your risk assessment needs to consider the wider implications of an attack so you can prepare accordingly,” adds Fenton.
“For example, you might run administration and production machines on separate networks to limit the spread of infections."
Top tips to combat cyber attacks. This recent webinar reveals useful tips on cyber security along with some public accounting claims examples.
Businesses can also reduce their vulnerability by ensuring security software – such as firewall, anti-virus and anti-malware – is up-to-date. It's also important to install all the latest patches for the software and operating system.
Organisations can also be subject to "phishing" attacks, with scammers hoping to trick staff into handing over logins and passwords or other valuable information – perhaps as the first step in a multi-stage attack.
Once again, these attacks rely on social engineering techniques, deceiving people into cooperating. Often the attacks will direct victims to a spoof website, perhaps masquerading as their bank or cloud service provider, in the hope of stealing logins and passwords.
Simple phishing attacks can be easy to spot due to their broken English, stilted grammar and deliberate vagueness, but some scammers do their homework. "Spear phishing" attacks are aimed at specific businesses and even specific staff members, with scammers tailoring their messages to appear legitimate and convincing.
Fraud through impersonation
Likewise, Business Email Compromise attacks (also known as “whaling” or “CEO fraud”) can appear extremely convincing. They involve scammers infiltrating email systems to impersonate senior staff and send emails to subordinates instructing them to urgently transfer money to offshore accounts or hand over sensitive information such as customer lists.
The scammers bide their time and strike when victims are most vulnerable, such as when the senior staff member they're impersonating is in transit so it's difficult to confirm the urgent request.
"Big businesses have lost millions of dollars to these attacks but local accountants and bookkeepers could also fall victim, with scammers posing as their clients and taking advantage of an overseas trip or a long weekend to sneak in a legitimate-sounding urgent request," Fenton says.
Put the right cybersecurity protocols in place
"Protecting against phishing scams and these kinds of advanced threats clearly isn't as simple as keeping your anti-virus up to date,” notes Fenton.
“It's about putting the right policies in place to ensure that proper procedures are followed to safeguard against the threats."
Businesses need clearly defined processes for verifying and paying accounts and invoices, as well as sharing sensitive information. It's also important to make all staff aware of the risks and potential consequences and cultivate a healthy sense of skepticism when it comes to emails, even from seemingly trustworthy sources.
To reduce the likelihood of scammers tricking staff members, best practice might demand that all such requests go through designated people who are authorised to handle transactions and trained to spot fakes.
Top tricks favoured by cyber scammers
Some business scams rely on the same old tricks, such as sending bogus invoices – for supplies which were never ordered or advertisements that were never placed – in the hope that a well-meaning staff member will pay them without close examination.
Others disguise infected attachments or malicious links as innocent-looking business emails, relying on an unwitting staff member to take the bait. They can masquerade as:
- Overdue utility bills
- unpaid fines
- outstanding invoices
- pending purchase orders
- regular bank statements
- undelivered parcel notifications
- unclaimed tax returns
- unexpected refunds
- unscheduled password reset requests.
Read next: 7 ways to protect your business against a cyberattack