Cybersecurity for CPAs: When your client gets hacked

As accounting firms are increasingly targeted with cyber attacks, cybersecurity has become essential for every professional. Between data breaches, phishing attacks and malware, criminals are increasingly going after the sensitive financial data held by accountants. The modern accountant, then, must take their cyber defenses seriously for the sake of themselves and their clients.

With this in mind, we present the latest edition of our monthly series, Cybersecurity for CPAs. This regular feature will bring you the best cybersecurity stories from Accounting Today, as well as lessons drawn from real-life cybersecurity incidents, plus stats and charts to help you better understand the current landscape. It's our hope that readers will be able to use the news and insights offered in this feature to make their own firms safer in an increasingly dangerous world.


Cybersecurity Tales: When your client gets hacked

You could be the best driver in the world and still get rear-ended by someone who's distracted or drunk. Likewise, your firm could have top-notch cybersecurity yet still get hacked through less fastidious third parties. This is what one CPA firm learned all too late. Our tale starts not with the accountant but the client. Little is known about who they were or what they did. Maybe they clicked a link they shouldn't have. Maybe they configured their security software wrong. Maybe they tried to stream a movie from an obscure pirate website while battling a million pop-ups (which this writer certainly has not done). Regardless, the end result was that the client was hacked. That's bad enough, but it gets worse.

Whether due to premeditation or opportunism, the hacker used the client as a jumping-off point to target the CPA firm. The client emailed several requests to the firm to wire funds to a new account. Each time, the accountants emailed the client back to confirm that, yes, this is indeed what they wanted.

The problem was they weren't actually talking to the client at the time. They were talking to the hacker, who had co-opted the client's email and was answering the firm's correspondence from it. Every time the firm asked the client whether they really wanted these funds transferred, the hacker—as if speaking through a sock puppet—answered yes, and the accountants sent the money. Eventually the ruse was discovered, but by then it was too late. The hacker had already directed significant amounts to this new account. The specific amount lost was not disclosed, but it was categorized as a large-dollar loss.

This real-life example is brought to you by professional liability insurer Camico, which said such scenarios are becoming all too common.

"We are seeing a significant rise in fraudulent email requests to CPA firms and these fraudulent wire transfer requests frequently cause large-dollar losses," the company warned. "When the fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are not always helpful in preventing fraudulent transfers, as laws often limit their risk exposures and enable them to deny responsibility. With the increased number of claims related to fraudulent wire transfers, best practice in the absence of any written protocols to the contrary would be to verbally confirm all wire transfer requests with these clients to minimize risk."

April's top cybersecurity stories

KPMG spins out new AI security company: Big Four firm KPMG said its incubator, KPMG Studios, has successfully spun off its very first startup: an AI security firm called Cranium, which was developed in collaboration with AI security experts in the firm's advisory practice.

How vulnerable is your state to cybercrime?: A recent study found the state most vulnerable to cybercrime is North Dakota, followed by Alabama, then New York.

Gov't wants suit over IRS data leak tossed: The U.S. asked a judge to dismiss a lawsuit by hedge fund manager Ken Griffin against the Internal Revenue Service after the billionaire accused the agency of failing to protect his confidential financial information. 

Cybersecurity stat shot

Ransomware attacks in March: 453

% change from February 2023: 91

% change from March 2022: 62

Source: NCC Group