Hackers are capitalizing on an increase of email activity, largely thanks to the transition to remote work during and after the pandemic.
There is a surge of Business Email Compromise (BEC) attacks, which involve identity fraud.
AI is making it easier for hackers to impersonate people, making it more and more difficult to detect attacks.
Defending against these attacks involves secure technology, a well-informed team, and comprehensive security policies.
In recent years, security discussions have shifted in order to counter evolving cybercriminal tactics.
Initially, focus centered on safeguarding client data to prevent financial and reputational harm. This resulted in investments in single sign-on (SSO), multi-factor authentication (MFA), and a shift to cloud-based software with robust online security.
But with this improved data protection, hackers shifted their attention to exploiting vulnerabilities within the communication medium itself: email.
Email: The hacker's key to the kingdom
Consider this: controlling someone’s email account equates to possessing their identity. In essence, email gives hackers access to relationships, applications, and data—a digital key to their kingdom.
Let’s look at some of the factors that make email the primary cyber threat for accountants in 2023.
1. Surge in email activity since the pandemic
The pandemic catalyzed an escalation in email activity among accountants, reflecting the evolving ways businesses now communicate and collaborate.
And hackers are capitalizing on this surge in volume. The increasing influx of emails makes it challenging for time-strapped accountants to discern legitimate messages from potential threats, allowing well-crafted phishing emails to blend in seamlessly.
2. Targeted phishing is taking center stage
Email compromise techniques have grown more sophisticated, with hackers abandoning the ‘spray-and-pray’ approach.
Instead, they employ targeted phishing tactics, particularly against industries housing sensitive information and trusted payment partners. ‘Spear-phishing’ attacks often focus on leadership within accounting firms, as executives possess valuable financial data and may lack proper cybersecurity training.
Shockingly, 2022 recorded the highest rate of mobile phishing attacks in history, as highlighted by Lookout.
"Mobile phishing attacks are often more successful than traditional phishing attacks, as people are more likely to open emails and click on links on their mobile devices."
— Cybersecurity and Infrastructure Security Agency (CISA)
3. AI is making it easier to impersonate people
AI-powered tools make it easier for hackers to launch impersonation attacks.
A recent study revealed that 67% of email-based cyber attacks leverage AI technology, rendering them harder to detect and counter.
Tools like ChatGPT have removed language barriers, enabling hackers from non-English speaking countries to replicate a target's communication style seamlessly. This surge in highly targeted impersonation attacks leaves firms grappling with detection challenges.
(Image: an example of how a hacker can use ChatGPT to compose a convincingly deceptive email)
Introducing Business Email Compromise (BEC) attacks
With these factors in mind, accounting firms handling sensitive client data face a rising wave of email-based cyber attacks called Business Email Compromise (BEC) attacks.
BEC attacks involve identity fraud, a form of social engineering where cyber criminals exploit trust to manipulate individuals into divulging confidential information or performing actions that benefit the attacker.
BEC attacks are as varied as business emails themselves; some common examples are listed below. Note that this list isn't exhaustive—hackers continuously devise new ways to camouflage their attacks.
CEO fraud: Hackers impersonate high-level executives, often CEOs or CFOs, to solicit unauthorized payments or wire transfers.
Vendor email compromise: Attackers infiltrate a vendor's email account to send fraudulent invoices or payment requests to customers.
Data theft: Cybercriminals access an employee's email account to pilfer sensitive data, which can be exploited in future attacks or sold on the dark web.
Gift card scams: Attackers impersonate executives or suppliers and ask employees to purchase gift cards on their behalf.
Account compromise: Hackers gain access to employee email accounts, sending fraudulent payment requests or accessing sensitive data.
How to defend against a BEC attack?
Effectively thwarting BEC attacks relies on three pillars: secure technology, a well-informed team, and comprehensive security policies.
A well-informed team
Defense against BEC attacks demands security measures that transcend conventional data protection.
This means it’s wise to prioritize identity and permission protection at your firm, using industry-specific access management platforms like Practice Protect.
(Image: Practice Protect's access management portal, which allows a single-click login to all accounting cloud apps)
It's also important to enforce multi-factor authentication, restrict logins by country, monitor for suspicious activity, and enable notifications so that unusual sign-ins are seen promptly.
With the rise of cloud technologies, accountants are juggling multiple unique identities for various cloud apps. Cybersecurity solutions have adapted to this new reality, shifting from securing data storage to safeguarding access to cloud apps.
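The controls just described (country restrictions, MFA enforcement, and monitoring for suspicious activity) can be checked mechanically against sign-in logs. The script below is an added illustration and is not code from the original article or from Practice Protect: it reads a constructed sample of cloud-app sign-in events and raises an alert for any login from outside an assumed allowlist of countries, any login completed without MFA, and any pair of sign-ins by the same user from two different countries within a short window (the "impossible travel" pattern that often betrays a compromised account). The log format, field names, the `ALLOWED_COUNTRIES` set and the two-hour window are assumptions made for the example.

```python
"""Flag suspicious cloud-app sign-ins from a constructed log sample.

Added example, not from the original article or Practice Protect. The log
format, field names, country allowlist and travel window are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample: one sign-in event per line, as
# ISO-8601 UTC timestamp, user, source country (ISO 3166 alpha-2), mfa flag.
SAMPLE_LOG = """\
2023-05-01T08:02:11Z,alice@firm.example,AU,mfa=yes
2023-05-01T08:40:37Z,bob@firm.example,AU,mfa=yes
2023-05-01T09:15:02Z,alice@firm.example,NG,mfa=no
2023-05-01T09:20:45Z,carol@firm.example,NZ,mfa=yes
2023-05-01T09:22:10Z,bob@firm.example,US,mfa=yes
2023-05-01T11:00:00Z,carol@firm.example,NZ,mfa=no
"""

# Assumed policy: the firm's staff only ever sign in from these countries.
ALLOWED_COUNTRIES = {"AU", "NZ"}
# Two sign-ins by one user from different countries closer together than
# this are physically implausible and treated as a likely account takeover.
TRAVEL_WINDOW = timedelta(hours=2)


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp and MFA bool."""
    ts, user, country, mfa = line.strip().split(",")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "country": country,
        "mfa": mfa.split("=", 1)[1] == "yes",
    }


def find_suspicious_logins(log_text, allowed=ALLOWED_COUNTRIES, window=TRAVEL_WINDOW):
    """Return a list of (user, reason) alerts in log order.

    Three checks are applied to every event: country allowlist, MFA
    enforcement, and impossible travel relative to that user's previous
    sign-in. One event can produce several alerts.
    """
    alerts = []
    last_seen = {}  # user -> (time, country) of that user's previous sign-in
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["country"] not in allowed:
            alerts.append((ev["user"], f"login from non-allowlisted country {ev['country']}"))
        if not ev["mfa"]:
            alerts.append((ev["user"], "login completed without MFA"))
        prev = last_seen.get(ev["user"])
        if prev is not None and prev[1] != ev["country"] and ev["time"] - prev[0] < window:
            gap = ev["time"] - prev[0]
            alerts.append((ev["user"], f"impossible travel {prev[1]} -> {ev['country']} within {gap}"))
        last_seen[ev["user"]] = (ev["time"], ev["country"])
    return alerts


if __name__ == "__main__":
    # Each alert is what the firm's notification setting should surface.
    for user, reason in find_suspicious_logins(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

Running the script on the sample prints six alerts: alice's Nigerian sign-in trips all three checks at once, bob's US sign-in is both outside the allowlist and too soon after his Australian one, and carol's second sign-in is flagged only because MFA was not completed. In practice the allowlist would come from the firm's access policy and the events from the identity provider's sign-in export, but the three checks are the same.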
As CEO of the world's most widely used cybersecurity platform for accountants, Jamie Beresford has decades of experience in the IT, cybersecurity, and data security sectors. With a holistic view of digital security, few are as experienced and knowledgeable about accounting firm-specific security needs as Jamie.
Having spoken at conferences around the world, Jamie continues to dedicate his professional life to teaching and training accountants on avoiding cyber breaches (externally and internally) and leveraging the future of work.