An Accounting Firm Gets Phished: A Play in Two Acts

The other day (OK, it was actually 12 days ago) we received a random email in our editor inbox. This isn't unusual; said inbox serves as the garbage disposal into which reader complaints go. Just kidding, we love feedback. Really. The editor inbox is a hub for reader feedback, advertising requests, story requests, complaints, butt emails consisting of long nonsensical rows of b's and x's, and occasionally some old man complaining about how one F-bomb is one too many and I should stop being so disrespectful. And once in a while, we get an email like the one below.

I've redacted the sender's information for obvious reasons.

Your disclaimer has no power here, [redacted]! Moving on…

Moments later (OK, it was actually an hour and 25 minutes later) we received this:

We'll give the firm's security team credit here for catching it as quickly as it did. The same can't be said for Deloitte. In 2016, a "hacker" compromised the firm's global email server via an "administrator's account" that didn't have two-factor authentication turned on; the breach wasn't discovered until 2017. We're using scare quotes here because the original article from The Guardian did the same, and also because when your great aunt gets her Facebook "hacked" for the tenth time this year, it's probably because she was phished somewhere between the sketchy "Which Potato Species Are You?" quizzes and the sketchy apps she gave full permissions to. Much like your great aunt, we use "hacked" here as an umbrella term to describe outside parties gaining access to things they shouldn't through sketchy means.

Deloitte and our victim firm above are certainly not alone. An Albany, NY firm was hit with a ransomware attack in late 2019. That same year, Wolters Kluwer had to temporarily take CCH offline due to a malware attack. In 2021, Oregon-based Gustafson & Company was fined by the state for failing to disclose a 2020 data breach that compromised the personal and financial information of nearly 1,900 Oregonians. A Chicago firm is facing a class-action lawsuit for letting personally identifiable information (PII) and protected health information (PHI) fall into the wrong hands [PDF here]. And then there's this: from January 2014 to February 2018 there were 132 accounting firm breaches in the state of Maryland alone, according to data analyzed by Christine Cheng, Ph.D., Renee Flasher, CPA, Ph.D., and James P. Higgins, CPA, CGMA, and reported in the Journal of Accountancy. Check the table:

Shout out to those eight missing USB drives and laptops. That's actually not bad for every single accounting firm in Maryland over a four-year period.

The list above is by no means an exhaustive one. It's not an accounting firm, but let's not forget about the time the AICPA's Twitter account got hijacked by Bitcoin scammers.

What is the lesson here? Well, I hope no sophisticated, tech-savvy Going Concern readers need to read this, but DO NOT OPEN STRANGE ATTACHMENTS. I'm going to leave some helpful links below for anyone who might need them, just in case, so that you don't end up like [redacted] and make your firm's security team do more work than they should, and, if you do, how to proceed from there.

10 Ways To Avoid Phishing Scams []
A cyber-attack could spell disaster for your CPA firm [AICPA Member Insurance Programs]
Why Preventing Data Breaches Should be a Top Priority for CPA Firms [CPA Practice Advisor]
Data Breach Recovery Tips for Accounting Firms [AccountingWEB]

Photo by Tima Miroshnichenko from Pexels


Have something to add to this story? Give us a shout by email, Twitter, or text/call the tipline at 202-505-8885. As always, all tips are anonymous.
