In recent years, security discussions have shifted to counter evolving cybercriminal tactics.
Initially, focus centered on safeguarding client data to prevent financial and reputational harm. This resulted in investments in single sign-on (SSO), multi-factor authentication (MFA), and a shift to cloud-based software with robust online security.
But with this improved data protection, hackers shifted their attention to exploiting vulnerabilities within the communication medium itself: email.
Consider this: controlling someone’s email account equates to possessing their identity. In essence, email gives hackers access to relationships, applications, and data—a digital key to their kingdom.
Let’s look at some of the factors that make email the primary cyber threat for accountants in 2023.
The pandemic catalyzed an escalation in email activity among accountants, reflecting the evolving ways businesses now communicate and collaborate.
And hackers are capitalizing on this surge in volume. The increasing influx of emails makes it challenging for time-strapped accountants to discern legitimate messages from potential threats, allowing well-crafted phishing emails to blend in seamlessly.
Email compromise techniques have grown more sophisticated, with hackers abandoning the ‘spray-and-pray’ approach.
Instead, they employ targeted phishing tactics, particularly against industries housing sensitive information and trusted payment partners. ‘Spear-phishing’ attacks often focus on leadership within accounting firms, as executives possess valuable financial data and may lack proper cybersecurity training.
Shockingly, 2022 recorded the highest rate of mobile phishing attacks in history, as highlighted by Lookout.
"Mobile phishing attacks are often more successful than traditional phishing attacks, as people are more likely to open emails and click on links on their mobile devices."
— Cybersecurity and Infrastructure Security Agency (CISA)
AI-powered tools make it easier for hackers to launch impersonation attacks.
A recent study revealed that 67% of email-based cyber attacks leverage AI technology, rendering them harder to detect and counter.
Tools like ChatGPT have transcended language barriers, enabling hackers from non-English speaking countries to replicate communication styles seamlessly. This surge in highly targeted impersonation attacks leaves firms grappling with detection challenges.
With these factors in mind, accounting firms handling sensitive client data face a rising wave of email-based cyber attacks called Business Email Compromise (BEC) attacks.
BEC attacks involve identity fraud, a form of social engineering where cyber criminals exploit trust to manipulate individuals into divulging confidential information or performing actions that benefit the attacker.
BEC attacks appear as diverse as business emails themselves, with some common examples listed below. It's essential to note that this list isn't exhaustive—hackers continuously devise new ways to camouflage their attacks.
CEO fraud: Hackers impersonate high-level executives, often CEOs or CFOs, to solicit unauthorized payments or wire transfers.
Vendor email compromise: Attackers infiltrate a vendor's email account to send fraudulent invoices or payment requests to customers.
Data theft: Cybercriminals access an employee's email account to pilfer sensitive data, which can be exploited in future attacks or sold on the dark web.
Gift card scams: Attackers impersonate executives or suppliers and pressure employees into purchasing gift cards on their behalf.
Account compromise: Hackers gain access to employee email accounts, sending fraudulent payment requests or accessing sensitive data.
Effectively thwarting BEC attacks relies on three pillars:
Technology
A well-informed team
Comprehensive policies
Defense against BEC attacks demands security measures that transcend conventional data protection.
This means it’s wise to prioritize identity and permission protection at your firm, using industry-specific access management platforms like Practice Protect.
It’s also important to incorporate multi-factor authentication, restrict log-ins by country, monitor suspicious activity, and enable notifications.
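The controls just listed (country restrictions, MFA, monitoring for suspicious sign-ins) are easy to state but only useful if someone actually checks the sign-in log against them. The following is an added example, not code from Practice Protect or from this article, showing how a firm could run those checks over its own sign-in records. The log format, the allowed-country policy (AU and NZ) and the two-hour "impossible travel" window are all assumptions chosen for illustration, and the log lines are constructed sample data.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample sign-in log. Columns are an assumption for this example;
# a real identity provider's export will differ, but the same three checks apply.
SAMPLE_LOG = """\
timestamp,user,country,mfa,result
2023-08-01T08:02:11Z,alice@example-firm.com,AU,yes,success
2023-08-01T08:40:27Z,bob@example-firm.com,AU,yes,success
2023-08-01T09:15:03Z,alice@example-firm.com,NG,no,success
2023-08-01T11:20:44Z,carol@example-firm.com,NZ,yes,success
2023-08-01T11:22:09Z,bob@example-firm.com,AU,yes,failure
2023-08-01T23:58:30Z,carol@example-firm.com,US,yes,success
"""

# Hypothetical firm policy: staff only ever sign in from Australia or New Zealand.
ALLOWED_COUNTRIES = {"AU", "NZ"}
# Two successful sign-ins from different countries inside this window is implausible travel.
TRAVEL_WINDOW = timedelta(hours=2)


def parse_log(text):
    """Parse the CSV sign-in export into dicts with typed timestamp and mfa fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["mfa"] = row["mfa"] == "yes"
        rows.append(row)
    return rows


def find_alerts(rows, allowed=ALLOWED_COUNTRIES, window=TRAVEL_WINDOW):
    """Return (user, alert_type, detail) tuples for sign-ins that break policy.

    Checks applied to each *successful* sign-in, in timestamp order:
      country_not_allowed : source country outside the firm's allow-list
      no_mfa              : session established without a second factor
      impossible_travel   : previous success for the same user came from a
                            different country less than `window` ago
    Failed attempts are skipped here; they belong in a separate brute-force check.
    """
    alerts = []
    last_success = {}  # user -> (timestamp, country) of the most recent successful sign-in
    for r in sorted(rows, key=lambda x: x["timestamp"]):
        if r["result"] != "success":
            continue
        user, country = r["user"], r["country"]
        if country not in allowed:
            alerts.append((user, "country_not_allowed", country))
        if not r["mfa"]:
            alerts.append((user, "no_mfa", country))
        prev = last_success.get(user)
        if prev and prev[1] != country and r["timestamp"] - prev[0] <= window:
            alerts.append((user, "impossible_travel", f"{prev[1]}->{country}"))
        last_success[user] = (r["timestamp"], country)
    return alerts


if __name__ == "__main__":
    for user, kind, detail in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{kind:20} {user:28} {detail}")
```

On the constructed log this raises three alerts for Alice (a sign-in from outside the allowed countries, without MFA, 73 minutes after a sign-in from Australia) and one for Carol (a sign-in from the US, which is outside the policy even though MFA was used and enough time had passed for genuine travel). Bob's failed attempt produces nothing. In practice each alert type would feed the notification channel the article recommends enabling, so that an account takeover of the kind that precedes a BEC payment request is noticed before the fraudulent invoice goes out.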
Practice Protect's Email Hub ensures email confidentiality and integrity, fortifying your firm against phishing, malware, and spam.
With the rise of cloud technologies, accountants are juggling multiple unique identities for various cloud apps. Cybersecurity solutions have adapted to this new reality, shifting from securing data storage to safeguarding access to cloud apps.
Remember, BEC attacks target individuals, not just systems. Proper education is vital—train your team to identify BEC attack signs, spot spam, and respond appropriately.
Leverage resources like the Small Business Cyber Security Guide and Practice Protect University's security training for comprehensive insights.
Some ways to safeguard your firm with policies and procedures:
Ensure all your critical processes are documented
Ensure payment policies mandate phone confirmations for new account details
Extend similar procedures to clients with secondary confirmation protocols
Review cyber insurance policies and check whether they cover BEC and other social engineering attacks
Establish clear IT and internet usage policies and ensure they are understood by all employees
Guarding against BEC attacks is a collective effort, safeguarding your firm's integrity, client trust, and financial security. Act now to protect your digital kingdom.