Cybersecurity for CPAs: Don't recycle passwords

As accounting firms are increasingly targeted with cyberattacks, cybersecurity has become essential for every professional. Between data breaches, phishing attacks and malware, criminals are going after the sensitive financial data held by accountants. The modern accountant, then, must take their cyber defenses seriously for the sake of themselves and their clients.

With this in mind, we present the latest edition of our monthly series, Cybersecurity for CPAs. This regular feature will bring you the best cybersecurity stories from Accounting Today, as well as lessons drawn from real-life cybersecurity incidents, plus stats and charts to help you better understand the current landscape. It's our hope that readers will be able to use the news and insights offered in this feature to make their own firms safer in an increasingly dangerous world.

Don't recycle your passwords. Seriously.

It sure can be tough keeping track of multiple passwords across different accounts. Who among us hasn't paused on a login screen as we frantically tried to remember what to key in? While there are many possible solutions to this problem, using the same password for multiple accounts is definitely and absolutely not one of them, as this real-life tale illustrates. 

A client, a regional retail chain, called their CPA on a Saturday night to report that their email account had been taken over, and that whoever did it had also contacted the phone carrier and had the client's phone number transferred to a device the attacker controlled. How did this happen? A sophisticated exploit, say a SQL injection that slipped past the firewall? No. The client used the same password for both their email and their bank accounts (note the plural).

The cybercriminals first stole the email password. With that access, they called the phone carrier and had the client's number ported to a phone they controlled, a SIM swap. Once they controlled the number, they logged in to the bank with the same password used for the email account. The bank account was protected by two-factor authentication, but the one-time code was sent by text message, and that text now went to the attacker's phone, so the second factor was satisfied as well.

Once logged in, the threat actor transferred $2.4 million out of the account. 

Though the bank called to verify the transaction, the call went to the attacker, who confirmed these funds should indeed be transferred elsewhere. 

The client thankfully did the smart thing afterward and called their CPA. Once the professionals were brought in, they assisted with the initial lockdown of the accounts and had the number ported back. In parallel, they started filing a report with the FBI through its Internet Crime Complaint Center (IC3), a key first step in trying to recover the money. Once the complaint was filed, a claim number was assigned; they then contacted the local FBI office with that number so the recovery process could be escalated.

Once the initial "bleeding" was stopped, an analysis was performed of the email platform to confirm no additional compromise existed. 

Because of the quick action in contacting the firm and following its guidance, $2 million has been returned to date. The remaining balance is still potentially recoverable; however, it is possible that amount will never be returned. 

This real-life tale came from PKF O'Connor Davies. Thomas J. DeMayo, a partner in the firm's cybersecurity and privacy advisory practice, noted that every business needs an incident response plan that spells out the steps to take in the event of a business email compromise and associated funds transfer. He also recommended not using text messaging as the second factor; use an authenticator app instead, and if text messaging is the only option, enable account takeover protection (such as a port-out PIN or number lock) with the phone carrier to prevent SIM swapping. Further, he said businesses should ensure that no one person can both initiate and release an electronic funds transfer, apply multifactor authentication consistently across all important online accounts, train employees to identify phishing emails, perform routine annual cybersecurity risk assessments and, most importantly, treat cybersecurity as a necessary business investment rather than an expense. Being proactive will cost far less than being reactive once an incident occurs.
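The chain above worked only because one password unlocked email, carrier and bank at once. As an added example (not code from the original article, and not PKF O'Connor Davies' own tooling), here is a small Python audit a firm could run over a password-manager CSV export to find exactly that condition. The export below is constructed for the example, the accounts and passwords are fictitious, and the "name,url,username,password" column layout is an assumption about the export format; the audit reports hashed fingerprints so plaintext passwords never reach the report.

```python
"""Audit a password-manager CSV export for reused and near-reused passwords.

Added example, not from the original article. The export below is
constructed; none of the accounts or passwords are real.
"""
import csv
import hashlib
import io
import re
from collections import defaultdict

# Constructed sample export in an assumed "name,url,username,password" layout.
SAMPLE_EXPORT = """\
name,url,username,password
Work email,https://mail.example.com,owner@shop.example,Retail2023!
Business bank,https://bank.example.com,owner@shop.example,Retail2023!
Phone carrier,https://carrier.example.com,5551234567,Retail2023!
Payroll,https://payroll.example.com,owner@shop.example,retail2023!!
POS vendor,https://pos.example.com,owner@shop.example,xK9#vL2$mQ7@wR4z
"""


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so the report can group passwords without echoing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def normalize(password: str) -> str:
    """Reduce a password to its 'stem': lowercase, with any trailing run of
    digits and symbols removed, so Retail2023! and retail2023!! compare equal.
    All-digit/symbol passwords have no stem and fall back to the lowercase value."""
    stem = re.sub(r"[\d\W_]+$", "", password.lower())
    return stem or password.lower()


def audit(export_csv: str) -> dict:
    """Return {'reused': [...], 'variants': [...]}, each a list of account-name lists.

    'reused'  : accounts that share exactly the same password.
    'variants': accounts whose passwords differ only by case or by a trailing
                digit/symbol tail (the usual way people 'rotate' a password).
    """
    by_exact = defaultdict(list)   # fingerprint -> [account names]
    by_stem = defaultdict(list)    # stem -> [(fingerprint, account name)]
    for row in csv.DictReader(io.StringIO(export_csv)):
        pw = row["password"]
        by_exact[fingerprint(pw)].append(row["name"])
        by_stem[normalize(pw)].append((fingerprint(pw), row["name"]))

    reused = [names for names in by_exact.values() if len(names) > 1]
    variants = []
    for entries in by_stem.values():
        # Same stem but more than one distinct exact password: near-reuse.
        if len({fp for fp, _ in entries}) > 1:
            variants.append([name for _, name in entries])
    return {"reused": reused, "variants": variants}


def report(findings: dict) -> str:
    """Human-readable summary; prints account names only, never passwords."""
    lines = []
    for group in findings["reused"]:
        lines.append("SAME PASSWORD: " + ", ".join(group))
    for group in findings["variants"]:
        lines.append("TRIVIAL VARIANTS: " + ", ".join(group))
    return "\n".join(lines) if lines else "No reuse found."


if __name__ == "__main__":
    print(report(audit(SAMPLE_EXPORT)))
```

Run it against a real export only on a machine you trust, then delete the file: the export is plaintext credentials. The email/bank/carrier grouping it flags on the sample data is precisely the trio the attacker in the story chained together.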

July's top cybersecurity stories

SEC approves new cybersecurity disclosure rules: The Securities and Exchange Commission approved new rules that will require entities to disclose material cybersecurity incidents.

IRS encourages tax pros to adopt a written security plan: The Internal Revenue Service and its security partners want practitioners, particularly in smaller tax practices, to use a new template to create a data security plan.

Senate investigation and report confirms data leakage from tax prep software: A recent Senate investigation report says that major tax preparation software companies have been sending sensitive personal information to tech companies like Meta and Google, in possible violation of taxpayer privacy laws.

Cybersecurity stat shot

Growth in cryptocurrency scam losses from 2021-2022: 

U.S.: 88% ($1.2 billion to $2.3 billion)
Rest of world (excluding U.S.): -51.7% ($373 million to $179 million)

Source: Surfshark