We often feel obligated to follow our clients’ and customers’ directions, rules, requests and commands — and woe be to the person who questions those edicts. After all, clients are the ones who keep our businesses alive. Unfortunately, cybercriminals are exploiting these realities.
OWNERS IN THE CROSSHAIRS
Hackers harness the value of a client’s power in order to carry out destructive data breaches. For most, this puts business owners squarely in their crosshairs as the target for fraud attempts. If a cybercriminal can infiltrate a company’s main man, they are in the optimal position to extract their clients’ money. Accountants, specifically, are the gatekeepers to a plethora of clients’ funds and sensitive information — and attackers know this. This is why phishing e-mails in which an attacker disguises themselves as a client can be devastating to a business.
The statistics aren’t encouraging. Organizations are falling victim to phishing attacks at an ever-increasing pace. In fact, the Federal Bureau of Investigation warned earlier this year of a “dramatic increase in business e-mail scams.” Attackers are rapidly victimizing businesses, leveraging customers’ authority as an “all-access pass” to whatever they want, whenever they want it.
HOW IT ALL STARTS
A hacker will research a business owner, often performing searches on the company’s Web site and LinkedIn profile to understand the organization’s key customers. With their homework complete, the games begin. Hackers start with a phishing e-mail or set up fake Wi-Fi networks that allow the attacker to take control of a device. If this is successful, hackers can obtain the person’s credentials, passwords and even corporate credit card information. But it doesn’t stop there. The real damage is about to happen.
Just like a tiger in the jungle, the cybercriminal then pounces on its prey. They begin sending e-mails to the company executive, pretending to be a client. This goes on for days, if not weeks, until the hacker gets the keys to the kingdom. Hackers are able to perform psychological jiu-jitsu when they are able to utilize the client’s persona, and often get what they are looking for.
Protecting a company from phishing attempts requires a blend of education and sound security policies. Here are a few recommendations when developing a sound cybersecurity strategy:
Limit the amount of funds you are able to transfer without a personal confirmation. Clearly communicate a limit on the amount of money that can be sent outside your organization’s walls without the client’s verbal permission (on the phone or in person). This way, any request outside of this range automatically generates a “red flag.” This system is also effective because it creates an offline layer of security as a hacker can’t imitate a face-to-face confirmation or a phone call.
Never rush to pay a client. A hacker preys upon the sense of urgency within the workplace. They use the words “quickly” or “immediately” when speaking about a payment. Do not fulfill a rushed payment; make sure everyone is on the same page and that the proper authentication policies are in place.
Invest in user education and proper phishing training. Accounting professionals and their firms are a hot bed for phishing attacks. Incorporating training into the office makes everyone smarter about what they click and download so attacks can be mitigated before they even start.
Cybersecurity hygiene is critical. Basic security measures like ensuring systems are updating their software are critical to keeping hackers away from sensitive information. Avoid using “free” wireless networks in public places. The investment in a good wireless data plan will pay dividends in this case.
Despite their cunning, hackers are relatively predictable in terms of how they prefer to attack accounting firms. Understanding not only how cybercriminals are trying to steal money but who they disguise themselves as can serve as the foundation of a highly successful data security plan.
Todd O’Boyle is CTO and co-founder of Percipient Networks, creators of the StrongArm malware protection software.