Cyber Battle

March 01, 2017
The War Against Scammers

By Randy R. Werner, J.D., LL.M./Tax, CPA
To paraphrase a famous quote: The price of security is eternal vigilance. Accordingly, as cybercriminals continue to develop new ways of impersonating legitimate organizations and email senders, computer users need to become more vigilant and circumspect in their daily practices. 

Users have long been advised never to click links or open attachments in a suspicious or questionable email, but scammers are extremely adept at making email look legitimate, and some messages even appear to come from colleagues, clients or friends. Users should therefore avoid clicking any link or attachment when the email that carries it was unsolicited or unexpected, or when the request is out of character for that client's past behavior.

If you’re uncertain about an email’s legitimacy, call the sender to verify the attachments and links, using a phone number you already have on file rather than one supplied in the message itself, since a fraudster can staff the number in the email. It’s best to verify authenticity with a trusted source before complying with any request or taking any action that could harm your firm’s computer system and bring operations to a halt. Instead of clicking a link, go to the trustworthy website directly, by typing the address you know or using a saved bookmark, to access information and updates.
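The advice above is to look before clicking. The following is an added example, not code from the CAMICO article, showing one mechanical check a firm's mail administrator could run on a suspicious message before it reaches a busy preparer: parse the HTML body with Python's standard library, pull out every link, and flag links whose visible text names one domain while the real target is another, or whose host uses punycode (a common lookalike trick). The message, sender address and hostnames are all constructed for the example; the "registrable domain" helper is a deliberate last-two-labels approximation because no public-suffix list is assumed to be available offline.

```python
"""Added example (not from the CAMICO article): inspect the links in an HTML
email before anyone clicks them. The message below is constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible text says irs.gov, the real targets do not.
RAW_MESSAGE = b"""From: "IRS e-Services" <support@irs-eservices-update.example>
To: cpa@example-firm.test
Subject: Action required: verify your e-Services account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your account within 24 hours.</p>
<p><a href="http://irs.gov.account-verify.example/login">https://www.irs.gov/e-services</a></p>
<p><a href="https://www.xn--irs-8cd.gov/">Secure portal</a></p>
<p><a href="https://www.irs.gov/newsroom">IRS newsroom</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last-two-labels approximation of the registrable domain.
    Assumption: no public-suffix list offline; it is enough to show that
    irs.gov.account-verify.example is not irs.gov."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_links(raw):
    """Return one finding per link: its href, visible text, host, and the
    reasons (if any) it should be treated as suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    parser = LinkExtractor()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if "xn--" in host:
            reasons.append("punycode host (possible homoglyph lookalike)")
        # If the visible text itself looks like a URL or hostname, the
        # domain it names must match the domain the link really goes to.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            reasons.append(f"visible text says {m.group(1)} but link goes to {host}")
        findings.append({"href": href, "text": text, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(RAW_MESSAGE):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Run stand-alone, the script flags the first two links and passes the third. A clean result from a check like this does not make a message safe (a link to a genuine site can still lead to a malicious download, and a compromised sender account produces perfectly ordinary links), so it supplements the phone call to the sender rather than replacing it.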

Hackers Controlling Messages
Phishing or spoofing email that appears to come from a legitimate sender is often the result of a cybercriminal having broken into the sender’s email account and taken it over. The hacker then controls the messages coming from that account, which makes the email especially convincing: it arrives from the genuine address, passes the recipient’s mail provider’s sender checks, and may even reply within an existing conversation thread.

Sophisticated social engineering attacks may employ corporate logos, high-grade counterfeit documents and bogus websites to mimic organizations and companies, such as clients or tax software vendors. Counterfeit documents may include investment direction letters, insurance policies, credit card notices or any item that makes the sender appear to be a part of your network. Some fraud schemes have even set up phone numbers answered by fraudsters to vouch for illegitimate checks, thereby fooling bank employees, attorneys, CPAs and others.

In the middle of tax season CPAs are very busy, and a phishing or hacker scheme may be so well disguised that a link gets clicked, enabling the attacker to commandeer an email account or launch a malware or ransomware attack. Backups of files you cannot afford to lose should be frequent (at a minimum, daily) and secure, meaning kept offline or otherwise not writable from the ordinary workstations, because ransomware also encrypts any backup it can reach. Test that the backups actually restore before you need them.

Recent Scams
Following are examples in which scammers have disguised themselves well enough to dupe computer users. Scammers have successfully posed as:
  • Clients or potential clients soliciting tax professional services. If the professional responds, the scammer then sends a second email with an embedded web address that, when clicked, leads to a page built to collect the professional’s email address and password. The IRS has issued a warning about this scheme.
  • Clients requesting that the tax professional change their bank account numbers. The change enables fraudsters to divert tax refunds into their own accounts.
  • Clients requesting wire transfers of funds into a new or foreign bank account, which is actually the fraudsters’ account.
Training Recommended
Regular staff training that raises awareness of potential threats can make the difference between the success and the failure of a fraudulent scheme. Some experts recommend scheduling data security training at least once a year. Security awareness can be tested by “inoculation,” in which all users are sent benign, simulated phishing email. Those who click are then educated on how to avoid it.

Many professionals (CPAs included) make the mistake of believing that they are too small to attract the attention of hackers, resulting in a lack of preparation for an incident. A hacker or ransomware attack can put the firm at the mercy of someone whose top priority is extorting money. If unprepared, the firm may suffer unnecessarily prolonged setbacks and expense once an event occurs.

The good news is that expertise and resources are available to help firms avoid or mitigate any damages, including ways to minimize and repair damage to assets such as data, work products, reputation and brand value. Cyber insurance programs should include education on how to safeguard information, increase awareness of cyber risks and assist the firm in responding to potential data incidents. Cyber coverage should provide risk and legal advisory services to guide investigations, ensure compliance with applicable laws and protect confidential communications and information. 

In the event of a potential incident, consult with your cyber insurance carrier or attorney before hiring a forensics investigator. If an investigation is conducted outside of the firm’s relationship with an insurance carrier or attorney, the communications produced by the investigation may not be protected by attorney-client privilege.

Firms should have a cyber security expert evaluate, test and secure their computer systems before an incident occurs. The expert will then be familiar with the firm’s systems and can work with insurance and breach response service providers in reducing damages from a breach, reducing the costs to eradicate problems and enabling the firm to get back to functioning sooner.
Randy R. Werner, J.D., LL.M./Tax, CPA, is a loss prevention executive with CAMICO.