Top Cyber Threats Facing Accounting Firms and How to Avoid Them

Corey Philip
October 27, 2024
6 min read

Handling confidential client information like taxpayer identification numbers and bank account details is part of the job for accountants. Unfortunately, this makes accounting firms, regardless of size, prime targets for cybercriminals. For small and mid-sized firms, the challenge is even more pronounced as they often lack the IT resources of larger organizations. However, cybercriminals don’t discriminate based on firm size—every firm managing sensitive data is a target.

Take, for instance, BST & Co. CPAs LLP, a smaller accounting firm in New York, which experienced a ransomware attack in 2020 that encrypted client data and caused significant disruptions. And then there is the recent (May 2024) class action lawsuit against regional firm Berry Dunn McNeil & Parker LLC for a data breach. These incidents, along with others like them, demonstrate the pressing need for robust cybersecurity, even for smaller firms.

In this post, we’ll discuss some of the most common cybersecurity threats accountants should remain aware of and offer practical solutions to avoid falling victim to them.

Phishing Attacks

Threat: Phishing attacks are cyber threats that involve tricking targets in an attempt to steal information for financial gain. These attacks commonly involve emails mimicking trusted sources that lure the recipient into clicking a malicious link or downloading an attachment. One wrong click by an unsuspecting employee can cause a business thousands of dollars in financial loss. In fact, the FBI’s 2023 Annual Report stated that the agency received over 21,000 business email compromise complaints resulting in losses of over $2.9 billion, making email scams a lucrative option for cybercriminals. With the amount of sensitive information accountants deal with daily, they are prime targets for phishing attacks.

How to Avoid: The easiest way to avoid phishing emails is to ensure you and your colleagues can detect them before clicking on any harmful links. A practical way to learn how to respond to a phishing attack is to simulate one for employees to practice. You can test professionals by sending a fake phishing email from an address closely resembling one of your vendors. If a professional clicks a link, direct them to a page that informs them of the phishing email and leads them to a training video so they can learn from their mistake. The training should include signs to recognize phishing emails like deceptive email addresses, typos, or impromptu requests for personal information.  
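A detection check for the "deceptive email addresses" sign mentioned above, written as an added example rather than code from the original post: it classifies a From: header against a hypothetical allow-list of domains the firm corresponds with, flagging typo-squats, digit-for-letter substitutions, a trusted name buried inside a different domain, and display names that borrow a trusted domain. The domains, the substitution table and the distance threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Hypothetical allow-list of domains the firm actually corresponds with
TRUSTED_DOMAINS = ("examplevendor.com", "firm-payroll.net")

# Digit-for-letter swaps commonly used to make a fake address look genuine
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str) -> tuple:
    """Return (verdict, reason) for the value of a From: header."""
    display, addr = parseaddr(header_from)
    if "@" not in addr:
        return ("suspicious", "address could not be parsed")
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    normalised = domain.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        # typo-squat or digit substitution: examp1evendor.com, examplevendor.co
        if edit_distance(normalised, trusted) <= 2:
            return ("lookalike", f"{domain} resembles {trusted}")
        # trusted name buried in another domain: firm-payroll.net.mail-host.example
        if trusted.split(".")[0] in domain:
            return ("lookalike", f"{domain} embeds {trusted}")
        # display name borrows the trusted domain while the address does not
        if trusted in display.lower():
            return ("lookalike", f"display name claims {trusted}")
    return ("unknown", domain)
```

A "lookalike" or "suspicious" verdict is a reason to warn the recipient or quarantine, not proof of fraud; "unknown" simply means the sender is outside the allow-list.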

Employee Email Mistakes

Threat: Email mistakes happen all the time, but with the level of confidential information accountants handle, the stakes for emails are much higher. A common mistake for professionals is sending an email to the wrong address. Some email service providers like Outlook allow users to autofill email addresses based on the first few letters of an address. While this is a helpful tool, it can lead to users inadvertently adding the wrong email address and sending someone else’s information to another client.

Another common mistake some accountants make is including sensitive information in an email that isn’t encrypted or should instead be sent via a more secure portal. A cybercriminal can access unprotected personal information if the client’s inbox is compromised.

How to Avoid: The best way to avoid email mistakes is to have safeguards in place so they can’t happen in the first place. If your email service has an address autofill feature, turn it off. While it may take more time to type in an address or go through your contacts, the extra step will make you double-check that you are sending the email to the proper recipient.

Additionally, don’t allow sending of sensitive information over email without requiring passwords to protect the files. If your IT department has the capability, see if they can bounce back emails that include files that are not password protected. Implement protocols that require sharing of certain documents like client tax returns only via secure portals and not email.
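One way a mail gateway could enforce the "bounce back unprotected files" rule above, as an added example that is not part of the original post: it inspects outbound attachments and reports any sensitive file that carries no recognisable password protection (a PDF without an /Encrypt entry, a zip whose entries lack the encryption flag, or a bare spreadsheet or CSV). The extension list, the sample PDF fragments and the zip contents are constructed for the example.

```python
import io
import zipfile
from email.message import EmailMessage

# File types the (hypothetical) policy treats as sensitive
SENSITIVE_EXTS = (".pdf", ".zip", ".xlsx", ".docx", ".csv")
# Constructed PDF fragments: an encrypted PDF carries an /Encrypt entry in its trailer
SAMPLE_PDF_PLAIN = b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
SAMPLE_PDF_ENCRYPTED = b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n"

def plain_zip_bytes() -> bytes:
    """Constructed sample: an ordinary, unencrypted zip holding one CSV."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("client-list.csv", "name,id\nJane Doe,000-00-0000\n")
    return buf.getvalue()

def pdf_is_encrypted(data: bytes) -> bool:
    return data.startswith(b"%PDF") and b"/Encrypt" in data

def zip_is_encrypted(data: bytes) -> bool:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False
    # bit 0 of the general-purpose flag is set on every encrypted entry
    return bool(infos) and all(info.flag_bits & 0x1 for info in infos)

def attachment_is_protected(filename: str, data: bytes) -> bool:
    name = filename.lower()
    if name.endswith(".pdf"):
        return pdf_is_encrypted(data)
    if name.endswith(".zip"):
        return zip_is_encrypted(data)
    return False  # other sensitive types: no recognised password protection

def build_message(attachments) -> EmailMessage:
    """Constructed outbound message with (filename, bytes) attachments."""
    msg = EmailMessage()
    msg.set_content("Please find your documents attached.")
    for fn, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fn)
    return msg

def unprotected_attachments(msg: EmailMessage) -> list:
    # Names of sensitive attachments that should make the gateway bounce the message
    bad = []
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        if fn.lower().endswith(SENSITIVE_EXTS) and not attachment_is_protected(fn, part.get_payload(decode=True)):
            bad.append(fn)
    return bad
```

The /Encrypt check is a lightweight heuristic on the raw bytes; a production gateway would parse the PDF trailer properly and also treat an unrecognised archive format as unprotected.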

Cloud Storage Security

Threat: Gone are the days of printing and storing physical copies of client files. Now, accounting firms rely heavily on storing data in the cloud. With cloud storage comes the threat of cybercriminals gaining unauthorized access to client files by exploiting vulnerabilities or cracking weak passwords.

The attack on BST & Co. CPAs LLP in 2020, mentioned earlier, highlighted how ransomware attacks can target even smaller firms reliant on cloud systems. The firm’s inability to access critical client data without paying a ransom underscored the importance of securing cloud storage environments.

How to Avoid: Accounting firms must prioritize cloud security to protect client information. Requiring multi-factor authentication is one option firms can implement to safeguard information. As the name suggests, multi-factor authentication requires clients and employees to use more than one method to validate that they are allowed to access the cloud storage platform. An additional precaution is password-protecting files shared with clients through the cloud portal. This measure makes it trickier for cybercriminals who gain unauthorized access to cloud storage to open documents containing confidential information. Tax accounting firms commonly use this additional security measure when posting client tax returns to their shared portal.

Remote Work Environments

Threat: As working from home has become popular in the accounting industry in recent years, so has the threat of data leaks caused by uncontrolled work environments. With remote work, employees can work from anywhere, including their homes, coffee shops, libraries, etc., which exposes them to unsecured internet connections and to theft of equipment.

How to Avoid: Employers can mandate that employees only work where they have a secure internet connection, but if they allow remote work, they have limited control over whether employees actually follow their policies. Accounting firms should require employees working remotely to use a virtual private network (VPN) to connect to firm applications so they can ensure a secure connection. Additionally, firms should provide employees with training on handling company equipment outside the office. Instruct them not to leave laptops unattended in public or in cars overnight.

Data Protection Plans

Accounting firms should annually review their data protection plans to ensure they comply with regulations and practice standards. Firms should also consider how any changes to how information is shared or stored may impact the data protection plan and make updates as appropriate. Firms should share these plans with employees and ensure they receive adequate training regarding data protection protocols.

Clients trust accountants with their confidential and financial data, and accountants have an ethical responsibility to protect this information. Accounting firms must remain aware of the cyber threats they face and implement policies and procedures to prevent data leaks and attacks from cybercriminals.
