Cybersecurity for CPAs: Don't empower imposters

As accounting firms are increasingly targeted with cyberattacks, cybersecurity has become essential for every professional. Between data breaches, phishing attacks and malware, criminals are going after the sensitive financial data held by accountants. Modern accountants, then, must take their cyber defenses seriously for the sake of themselves and their clients.

With this in mind, we present the latest edition of our monthly series, Cybersecurity for CPAs. This regular feature will bring you the best cybersecurity stories from Accounting Today, as well as lessons drawn from real-life cybersecurity incidents, plus stats and charts to help you better understand the current landscape. It's our hope that readers will be able to use the news and insights offered in this feature to make their own firms safer in an increasingly dangerous world.


Don't empower imposters 

This month's real-life tale from the cybersecurity frontlines reminds us that seemingly innocuous clicks can have dire consequences down the road. Beware: this story does not have a happy ending.

We begin our story with a CPA firm employee who likely had a lot of things on their mind (though between keeping up with client expectations and staying up to date on regulation, what CPA doesn't?). This could be why they clicked a malicious link launched by an unauthorized third party and, when prompted, entered their login credentials. As soon as they did, they exposed the firm's cloud-based email solution to the attackers. The cybercriminals were able to gain control over the CPA's email account, which was a treasure trove of sensitive data, including contact information for the employee's clients.

This was how the attackers were able to then send out fraudulent invoices totaling more than $250,000 under the guise of legitimate communication from the firm. With this veneer of authenticity, several clients wired the requested money to a fraudulent account linked to the fake emails. Since the funds were transferred intentionally, the clients had no recourse to recover the misdirected funds. They just lost the money. As one might imagine, the incident severely damaged the relationship between the firm and its clients, and damaged the firm's overall reputation. 

This real-life tale comes from professional liability insurance provider CNA. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. The company noted that email is one of the technologies most frequently targeted by malicious actors across businesses of all sizes and industries.

CNA said it is vitally important that firms guard access to email with both proactive and reactive strategies. This can include phishing exercises that train employees to spot potentially malicious emails and scams in a safe environment, as well as multifactor authentication to provide a technical safety net in the event an employee's credentials are stolen. Finally, this tale emphasizes the importance of fostering a "see something, say something" security culture. If the firm had been alerted to a possible breach earlier by the employee, preventive actions could have been taken to thwart the attacker's ultimate goals.

Top cybersecurity stories for October

Companies shift disclosures in response to SEC cybersecurity rules - New cybersecurity rules recently approved by the Securities and Exchange Commission are already having their effect on corporate disclosures.

How an IRS contractor leaked tax data on Donald Trump, Jeff Bezos and Elon Musk - A former Internal Revenue Service contractor used a private website to store secret tax return information he stole about former President Donald Trump and leaked to the New York Times, court records show. 

Auditors more worried about cybersecurity than AI risks - A majority of chief audit executives and information technology audit leaders consider cybersecurity to be a top risk over the next year, but they're less concerned about artificial intelligence, according to a new survey.

Cybersecurity Stat Shot

Increase in data breaches from Q1 to Q2 2023: 153%

Drop in data breaches from Q2 to Q3 2023: 75%

Source: Surfshark (Q1 to Q2 data) (Q2 to Q3 data)
