
April tax deadlines are looming, and that means accounting firms are neck-deep in returns as everyone races to file on time. While accountants are focused on deductions and earned income credits, bad actors are watching and waiting, ready to pounce the moment they detect a vulnerability. And that’s where an engaged MSP partner can save everyone involved a great deal of grief.

MSPs are often the only line of defense that small and medium-sized firms have between their customers and those with ill intent looking to leverage data for financial gain.

“Accountants are being targeted because they are the key small business that holds the keys to all other small businesses. The cyber criminals are hoping to collect enough information about the CPA’s clients that they can file fake tax returns and get paid directly. Today’s cybercriminal is all about getting cash over collecting things of value they may or may not be able to sell on the black market,” Adam Anderson told Smarter MSP. Anderson, an author and speaker, is CEO of the Element Group, a technology and asset management advisory firm.

Because accounting firms hold data of such value, Anderson says that MSPs really do need to pay close attention to their CPA clients.

“2018 will be the year of the targeted cyber attack on CPAs. The cybercriminals are after personal information on their customers and are looking for ways to pull money directly out of accounts,” Anderson says, adding that they will attempt to gain access by sending targeted spear phishing emails to trick employees into giving away usernames and passwords as well as installing malicious software such as ransomware or key loggers.

Email vulnerabilities

A 2016 study by the Ponemon Institute found that 55 percent of SMBs experienced a cyberattack in the previous 12 months, and 50 percent experienced a data breach over the same period.

Cyberattackers will look for any vulnerability to exploit, and one of the “soft underbellies” in the ecosystem is low tech: accountants and clients getting complacent and using unsecured email to communicate.

Bruce Ball is vice-president, taxation at CPA Canada, Canada’s largest professional association of accountants. He outlines this type of complacency in an interview with Smarter MSP:

“The biggest risk I see out there in terms of the pure IT aspect is conveying information between you and your clients. If you are a paid tax preparer, you e-file everything. That means you are quite often sending a client something to sign. They have to give back the authorization to file and send back and forth by email,” Ball says.

Ball calls it a “risky practice” because social security numbers within those emails would be the gateway to all sorts of personal information. Ball suggests an MSP set up a secure portal with secure login for the accountant and client to trade information back and forth.

Another risk Ball points to is emails that look like they are from the IRS or the Canada Revenue Agency. MSPs need to have the most up-to-date email tools installed to intercept those.

Precautions to take now

Meanwhile, Adam Anderson suggests several steps that accounting firms and/or their MSPs should take to safeguard customer data.

  • Accounting firms should start backing up all data through a managed service provider.
  • Use two-factor authentication for logins to the firm’s tax planning software and email. (This means end users need a second thing, such as their phone, in addition to their user name and password.)
  • Make sure all of your clients’ computers and phones are patched and updated on a regular basis.
  • Familiarize clients with non-administrative login techniques. They should never log into their work computers as an administrator. Most cyber attacks that try to install things on a computer, such as ransomware or malware, need administrator rights. By limiting end users’ ability to install things on their computers, you lower the impact of someone accidentally clicking on something they shouldn’t.
  • Educate customers’ employees. Social engineering is the primary attack vector used against CPAs. This means cybercriminals send emails that look legitimate but are designed to fool employees into giving away their usernames and passwords.

Other advice that CPAs have given us includes not getting sloppy by using a public WiFi network in, say, an airport to finish a client’s tax return. And if CPA employees must use mobile devices for client work, make sure the device is encrypted and that the firm’s cloud communications are behind a firewall. MSPs need to play a role in educating accounting firms about the security risks in unsecured areas.

And, lastly, the threat to taxpayer data security is year-round. So, while we’re most focused on it now, MSPs need to be just as vigilant in August or September as in March or April, perhaps more so.

Photo: Mega Pixel/


Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
