The Hacker in Client’s Clothing

Devious fraudsters target clients through you


We often feel obligated to follow our clients’ and customers’ directions, rules, requests and commands — and woe be to the person who questions those edicts. After all, clients are the ones who keep our businesses alive. Unfortunately, cybercriminals are exploiting these realities.


Hackers exploit a client’s authority in order to carry out destructive data breaches. In most cases, this puts business owners squarely in their crosshairs as targets for fraud attempts. If a cybercriminal can compromise a company’s top executive, they are in the optimal position to extract their clients’ money. Accountants, specifically, are the gatekeepers to a plethora of clients’ funds and sensitive information, and attackers know this. This is why phishing e-mails in which an attacker poses as a client can be devastating to a business.

The statistics aren’t encouraging. Organizations are falling victim to phishing attacks at an ever-increasing pace. In fact, the Federal Bureau of Investigation warned earlier this year of a “dramatic increase in business e-mail scams.” Attackers are rapidly victimizing businesses, leveraging customers’ authority as an “all-access pass” to whatever they want, whenever they want it.



A hacker will research a business owner, often performing searches on the company’s Web site and LinkedIn profile to understand the organization’s key customers. With their homework complete, the games begin. Hackers start with a phishing e-mail or set up fake Wi-Fi networks that allow the attacker to take control of a device. If this is successful, hackers can obtain the person’s credentials, passwords and even corporate credit card information. But it doesn’t stop there. The real damage is about to happen.

Just like a tiger in the jungle, the cybercriminal then pounces on their prey. They begin sending e-mails to the company executive, pretending to be a client. This goes on for days, if not weeks, until the hacker gets the keys to the kingdom. By adopting the client’s persona, hackers perform a kind of psychological jiu-jitsu, and they often get what they are looking for.



Protecting a company from phishing attempts requires a blend of education and sound security policies. Here are a few recommendations when developing a sound cybersecurity strategy:

Limit the amount of funds you are able to transfer without a personal confirmation. Clearly communicate a limit on the amount of money that can be sent outside your organization’s walls without the client’s verbal permission (on the phone or in person). This way, any request outside of this range automatically generates a “red flag.” This system is also effective because it creates an offline layer of security as a hacker can’t imitate a face-to-face confirmation or a phone call.

Never rush to pay a client. A hacker preys upon the sense of urgency within the workplace. They use the words “quickly” or “immediately” when speaking about a payment. Do not fulfill a rushed payment; make sure everyone is on the same page and that the proper authentication policies are in place.

Invest in user education and proper phishing training. Accounting professionals and their firms are a hotbed for phishing attacks. Incorporating training into the office makes everyone smarter about what they click and download so attacks can be mitigated before they even start.

Cybersecurity hygiene is critical. Basic security measures, such as making sure systems keep their software up to date, go a long way toward keeping hackers away from sensitive information. Avoid using “free” wireless networks in public places. The investment in a good wireless data plan will pay dividends in this case.

Despite their cunning, hackers are relatively predictable in terms of how they prefer to attack accounting firms. Understanding not only how cybercriminals are trying to steal money but who they disguise themselves as can serve as the foundation of a highly successful data security plan.

Todd O’Boyle is CTO and co-founder of Percipient Networks, creators of the StrongArm malware protection software.

Comments (4)
I appreciate the three posted comments for their insight and advice.
Posted by NancyLMorton | Tuesday, November 29 2016 at 11:34AM ET
I have a strict policy that I DO NOT email anything that I would consider sensitive information, which is just about everything, so my clients are required to use my secure portal, drop off, pick up, snail mail, secure fax, anything but email to exchange sensitive information. If they cannot do one of the above to get something to me or them, then they simply are not sjbea client material. I don't babysit. :D
Posted by sjbea | Tuesday, November 29 2016 at 11:15AM ET
I get these requests periodically. One pretended that we already had a relationship, with the hacker as my Client. I pretended right back at them and sent them a PayPal invoice to their email address for the $1,500 retainer that they were "past-due" in paying. Unfortunately, they still have not paid their "invoice." Fortunately, I never heard from them again.
Posted by Mike Chaffee | Tuesday, November 29 2016 at 8:18AM ET
I have had a number of emails lately, asking for accounting assistance. They send a file, which directs me to what appears to be a secure site, for download. I have never seen or heard of those sites, so I apologize and say if they can't use my avenue of security, then I can't access their information - you understand security. Surprisingly never hear from them again.
Posted by pbenson | Monday, November 28 2016 at 2:36PM ET