How cyber criminals are picking off accountants at year-end

aat comment

The following is an extract from a webinar by Gabrielle Fontaine and George Kizis of SmartVault, showing the growing risk to accountants.

Over the past 12 months, the number and frequency of data security breaches among firms of all sizes have massively increased. Accounting professionals are especially vulnerable to cyber attacks because they deal with finances and handle sensitive client data.

Cyber criminals aim to “follow the money”. While some want to hack into systems just to wreak havoc, for most the main goal is to swindle and make money.

Accountancy firms are in the top three organisations that cyber criminals target. This means accountants have to be especially vigilant, and ensure that our systems are up to date, our policies are robust and our people are alert to the risks and trained to spot them.

Webinar: cyber threats and responses

Learn strategies to defeat the growing threats being aimed specifically at accountants in this webinar by Gabrielle Fontaine, bookkeeper and small business consultant. Sponsored by SmartVault.

View webinar

Why do criminals target accountants?

Criminals are choosing to target government organisations, medical organisations, and accountancy firms, in that order. Accounts handle a lot of sensitive information and deal with finances, and that information is valuable to criminals because they can sell it or use it, or they can defraud other people.

No firm is too small to be targeted and all accountants are at risk. Your practice is not too small to be at risk, especially now, because risks have increased and our world has changed due to the pandemic. Organised crime has moved online.

With the need to use a remote workforce, there has been a 300% increase in cyberattacks on accounting practices of all sizes. Attackers are sophisticated and often strike when accountants are busy and have deadlines to meet, such as at year-end or when tax return deadlines are looming.

According to Accounting Today, “With the increase in the remote workforce and ongoing COVID pandemic, there has been a 300% increase in cyberattacks on accounting practices of all sizes.”

In addition, the UK Cybercrimes Trends 2020 by HMRC shows a sharp spike in cybersecurity breaches in 2020.

The Cyber Security Breaches Survey, which is a quantitative and qualitative study of UK businesses and charities says that cyberattacks have evolved and become more frequent.

“Almost half of businesses (46%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months,” it says. “Like previous years, this is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%).”

What methods do the criminals use?

Criminals seek to expose the vulnerabilities in our systems. Accountants are handling a lot of sensitive information but working from home.

One common method of hacking is “phishing” emails. Another is ransomware, which encrypts data until a ransom is paid. Malware can spy and collect data from your system without you even being aware of it.

There are two recent examples where cyberattacks were targeted at small accountancy firms, and they illustrate the threats and dangers to companies in the accountancy field.

Budget 2021: review and analysis

Join us for an in-depth analysis and review of the Chancellor’s latest plans to balance the Covid deficit and support struggling businesses.


How two accountants fell prey

A common theme is that the attacks start with phishing emails that appear to be from clients.

Take the example of Pillow May, a small accountancy practice in Wiltshire. The owner received an email that appeared to be from a client requesting payment of an attached bill.

The message was so plausible it even sounded like it was from the client concerned. The firm paid the bill, and it cost them thousands of pounds, not knowing it was a fraudulent email and a false invoice.

The firm used turned this destructive experience as a spur to transform its approach to cyber security completely. But it was a lesson learned the hard way.

A second case study started with a similar pattern but led to a far more severe breach. The victim was an accountancy practice that also provides insurance to accounting professionals.

Despite being trained to email risks, an accountant with the organisation was taken in and opened a phishing email. That response opened the way for the criminal, who then sent a file supposedly containing tax information. The message was highly convincing and, because it arrived in the busy tax period, slipped through.

The unwitting accountant opened it, releasing malware onto the company’s system. The programme was able to access – and steal – confidential information, which was then used to access bank accounts and send fraudulent emails to the individual’s contacts.

Which firms are most at risk – large or small?

Smaller firms are now being targeted because large corporations have the deep pockets to invest and update their cyber protection. Smaller companies are a softer target – their systems are easier to crack.

A security breach can cripple your business so make sure that all your software is updated. One small false step can lead to a disaster so revisit the basics on how to protect yourself cybersecurity. Here are some vulnerabilities you should consider:

Using WiFi on the move: Be aware that if you use mobile devices where you are using public Wi Fi you are at risk for what is called “eavesdropping” where the criminal has access to your private information because you are using an open Wi Fi system. Using a VPN system can protect you again this.

Staff working from home: are your staff keeping their browsers and all their software up to date, including operating systems on their laptop and phones?

Passwords and security: How are you handling our passwords? Use different passwords for different logins and make them difficult to guess. Do not put them on sticky notes on your computer. Do not put them in a spreadsheet on your computer. A good solution is to use a program that manages your passwords. Also do not use the built in Password Manager that is in your browser because that is more easily hacked.

Be alert to human error: Overall, 95% of data breaches can be traced back to human error at some level, so accountants need to continue to stay educated about the risks and stay aware. Take a look at your workflow, take a look at all the apps that you are using and the data that you’re handling. What is the path that your data follows through as you are handling taxes, payroll and bookkeeping?

Data storage: Where is your client data stored, is it being stored locally is it being backed? What devices are staff using? Who else has access to their devices and what kind of protection is in place? Don’t give everybody administrative rights. Think principle of least privilege, which means, think about what do staff need access to in order to do whatever they’re doing – and do not give free access to important data to everyone.

Cybersecurity insurance: this is not cheap but I believe that all accounting professionals should have it as the threat posed is so great.

Interested in finding out more and learning how to protect your business from cybercrime? Watch the webinar.

Marianne Curphey is an award-winning financial writer and columnist, and author of the book How Money Works. She worked as City Editor at The Guardian, deputy editor of Guardian online, and has worked for The Times, Telegraph and BBC.

Related articles