Hacking and Accountants: Reducing the Risk of Security Breaches


Accountants are a primary target for hackers or, more accurately, identity thieves. With an accountant’s credentials, thieves can access a range of sensitive information.

Hackers target accountants because of their privileged access to clients’ most protected information – information that is especially valuable on the dark web. Clients trust their accountants, and a breach can be devastating to a firm’s reputation and bottom line.

For example, the financial impact of a hack on Deloitte Touche Tohmatsu Ltd. in 2017 was hard to calculate, according to Accounting Today, but any breach is a major blow to an accounting firm’s reputation.

In another well-known attack, the CEO of FACC, an aerospace parts manufacturer, was fired after his information was used to create a fake letter that ordered a transfer of funds to hackers.

Most such attacks can be prevented with strong passwords, encrypted files, and careful guarding of account access. Because fraud prevention and account protection are crucial to modern accounting practice, cyber security in accounting has become an essential part of the curriculum for online master’s in accountancy programs.


Why Do Hackers Target Accountants?

Accountants collect an abundance of information that is useful to hackers. Accounting Today lists the types of information accountants have that hackers want:

  • Client Social Security Numbers provide many fraud and identity theft opportunities, such as the ability to sign up for credit cards with stolen identities or compromise bank accounts.
  • Address, phone number, and date of birth are standard fields on 1040 forms that allow hackers to create fictitious accounts and take over existing ones.
  • Names of a spouse, children, places of employment, and annual income can help a hacker get past challenge questions and gain access to an account.
  • Health records allow hackers to commit insurance or prescription fraud. “Health records currently fetch the highest price on stolen information exchanges,” according to Accounting Today.
  • Employer information such as Employee Identification Numbers and contact names in an organization’s accounting department allows criminals to file fraudulent expense reports or insurance claims.
  • Financial records and year-end financial documents contain clients’ account numbers.
  • Email addresses often allow hackers to gain access to banking or stock accounts through a “forgot password” process.


How Accountants Can Protect Clients

Paper records may seem outdated, but they offer greater protection than documents stored online or in the cloud. Once a document becomes an electronic file, the information it contains is at greater risk.

Two-factor authentication for hard drives or cloud storage can improve safety, and each user should have an individual software subscription rather than a shared one, to further deter hackers.

The IRS has also been warning tax-preparation accountants to increase their cybersecurity efforts so they are not compromised. A security expert at Hold Security told Krebs on Security about a malware group that focused on accountants, using a keylogger that recorded keystrokes on the target’s machine.

For months, the CPA’s daily records were uploaded to a website that anyone with the right URL could see. The CPA had ignored messages from Microsoft about the need to apply security updates. Even after he received notice that the IRS had rejected many of his clients’ returns, he didn’t immediately suspect his computer had been compromised, according to Krebs.

Microsoft Windows is particularly vulnerable to hacking because the majority of malicious software targets Windows computers. But no matter what system accountants use, they are vulnerable to spear-phishing attacks, in which one member of a firm is targeted with an email from someone posing as a member of a trusted organization, such as the IRS.

The IRS warns that tax professionals may be unaware that they are victims of data theft, even long after their data has been stolen by digital intruders.

Signs of a hack include:

  • Clients’ e-filed returns are rejected because returns with their Social Security numbers were already filed.
  • The number of returns filed with a tax practitioner’s Electronic Filing Identification Number exceeds the number of clients.
  • Clients who haven’t filed tax returns receive authentication letters from the IRS.
  • Network computers are running slower than normal.
  • Computer cursors move or change numbers without a touch on the keyboard.
  • Network computers lock out tax practitioners.


Preventing Phishing

When one of a firm’s accountants receives an urgent email with a request for funds, the company can take some simple steps to make sure the request is valid. The first thing is to avoid replying to the email, even if it appears to be from inside the company. Instead, contact the sender through an established in-company method, such as a company email address or phone number, according to “The Dirty Dozen: The 12 Most Costly Phishing Attack Examples.”

The Internet Crime Complaint Center reports a “136% increase in identified global exposed losses” relating to BEC/email account compromise scams between December 2016 and May 2018, according to the article.

Attacks are successful because they don’t target technology, they target people.

“They’re counting on employees responding in a frenzy to urgent emails that appear to be from their executives or vendors,” the article noted.
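As an added illustration (not taken from the article or its sources), the Python sketch below flags messages that fit the pattern described above, so that they are verified through an established channel instead of answered. The firm domain, executive name, keyword lists, and sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values for this sketch; replace with the firm's own.
FIRM_DOMAIN = "example-cpa.test"
EXECUTIVES = {"dana hill"}
URGENCY = {"urgent", "immediately", "asap", "today"}
PAYMENT = {"wire", "transfer", "payment", "funds", "invoice"}

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def triage(raw_message):
    """Return the reasons a message should be verified out of band."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Plain-text parts only; transfer-encoded bodies are not decoded here.
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = " ".join(p.get_payload() for p in parts
                    if p.get_content_maintype() == "text")
    text = (msg.get("Subject", "") + " " + body).lower()
    words = set(re.findall(r"[a-z]+", text))

    reasons = []
    if display.lower() in EXECUTIVES and from_dom != FIRM_DOMAIN:
        reasons.append("executive name on an outside address")
    if reply_dom and reply_dom != from_dom:
        reasons.append("replies go to a different domain")
    # Applied to inside senders too: the advice is not to reply even then.
    if words & URGENCY and words & PAYMENT:
        reasons.append("urgent request for funds")
    return reasons

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Dana Hill <dana.hill@example-cpa-mail.test>\n"
    "Reply-To: d.hill@freemail.test\n"
    "Subject: Urgent wire needed today\n\n"
    "Please transfer the funds before noon and reply here when done.\n")
INTERNAL_URGENT = (
    "From: Dana Hill <dana.hill@example-cpa.test>\n"
    "Subject: Payment\n\nSend the vendor payment immediately.\n")
ROUTINE = (
    "From: Dana Hill <dana.hill@example-cpa.test>\n"
    "Subject: Lunch on Friday\n\nTeam lunch is at noon.\n")
```

A non-empty result means the request should be confirmed through a known phone number or company address before anyone acts on it; an empty result does not prove the message is genuine.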

Another way to protect accountants from phishing is email-signing certificates, which enable email signatures that make clear that the senders are who they say they are.

Tax pros must make cyber security an everyday priority with the 90/10 rule. Ten percent of cybersecurity relies on technology, and 90% of cybersecurity depends on the actions of individual users, according to the IRS as reported in Accounting Today. “Put another way, data security in a tax professional’s office is only as strong as the least-informed employee.”


University of North Dakota’s Master of Accountancy online degree

University of North Dakota’s Master of Accountancy (M.Acc.) online program helps students master accounting principles as well as related skills for successful careers in accounting.

UND is accredited by the Association to Advance Collegiate Schools of Business International, which only recognizes about 30 percent of business programs in the United States. The Master of Accountancy online program offers practitioner and fundamentals tracks. Coursework is done online, which allows busy professionals to study accountancy and earn their degree without disrupting their work or personal lives. For more information, contact UND today.



4 Top Concerns of the Hack-Proof Accountant: Accounting Today

A Massive Hacking Accounting Hack Kept Clients Offline and in the Dark: Bloomberg

When Identity Thieves Hack Your Accountant: Krebs on Security

The Dirty Dozen: The 12 Most Costly Phishing Attack Examples: The SSL Store

10 Tips for Tax Pros to Avoid Phishing Scams: Accounting Today