April 27, 2023

Hackers Love Accountants: Tips From Cyber Security Expert


Liz Knight, Head of Cyber Security


Article adapted from a recent digital event hosted by Chartered Accountants of New Zealand and Australia, where Theta's Head of Cyber Security Liz Knight was invited to speak about the cyber threat landscape.

It's time to face the facts – cybercriminals are becoming more sophisticated and difficult to detect. Their toolsets have evolved: they are criminal organisations operating cloud-based SaaS services to perpetrate advanced phishing and hacking campaigns. They prey on anyone they can, but those with access to financial systems and payment processes are especially attractive targets. Fortunately, simple measures can be taken to give your company the best possible defence against these cybercriminals.

Here's some advice from Theta's Head of Cyber Security, Liz Knight.

Why accountants?

Cybercriminals seek access to systems and data in order to monetise them, so financial data is the ultimate prize. They have no regard for the consequences of their actions for the organisations they target.

As chartered accountants, you are prime targets for phishing and hacking attacks because you hold the keys to tax numbers, customer-identifiable information, and numerous logins to the financial footprint of the average customer, and you are usually responsible for payment processing.

You are trusted with sensitive customer data:

• Bank accounts

• Address & contact details

• Date of birth

• Family information

• Sensitive information

• Logins to systems

Cybercriminals want to penetrate your finance systems to intercept payments, gain unauthorised access to confidential information, and demand ransom payments, often using untraceable digital currencies such as Bitcoin.

The main ways hackers gain access to financial systems:

• Unpatched servers and apps that contain vulnerabilities.

• Weak passwords and lack of multi-factor authentication.

• Poorly written software that is easy to hack.

• Misconfiguration of systems that allows easy access.

• Deceiving individuals into providing confidential information through the use of deceptive emails.

Your cyber security duty as accountants

Good cyber security should be regularly implemented and improved throughout all organisations; however, given the heightened risks associated with individuals and teams responsible for financial processing, you have a duty to protect your company's and customers' sensitive data. Taking such measures will safeguard your business and the interests of your customers and stakeholders.

Here's a checklist to work on:

• Protect sensitive data, such as financial records, client information, and other confidential records.

• Ensure systems are secure from cyber-attacks and data breaches.

• Be aware of and comply with applicable laws and regulations.

• Ensure that only authorised personnel have access to sensitive data and intel.

• Ensure offices and systems are secure from physical threats.

How to stay ahead of attackers

1. Watch for the digital warning signs

In the physical world, there are numerous warning signs and safety features implemented in products to help us avoid harm. However, it can be exceedingly challenging to recognise the warning signs of a phishing email. On average, staff members receive up to 49 malicious emails a year; it only takes one of those attempts to be successful for your data to fall into the wrong hands.

Here's how to spot them:

  • Messages with poor grammar or typos: many phishing emails are written by people who don't speak the target language, although the use of AI is making malicious emails harder to spot!
  • Requests for personal information: legitimate companies will never ask for your credit card details or passwords via email – never go outside of your normal process to access accounts.
  • Unfamiliar senders: be wary of emails from unknown senders, even if they appear to be from a trusted company. Verify the sender via a phone call or other trusted verification method.
  • Links to unfamiliar websites: only click on links in emails that you are sure are legitimate.
  • Messages that create a sense of urgency: often, scammers create a false sense of urgency to get people to act quickly.
  • Messages that advise of a change in bank account number: always phone the sender to check that the request to make payments to a new account actually came from them, not a scammer.

“I’ve actually made myself a rule not to process emails I am not sure about on my mobile as the smaller screen makes it even harder to detect the subtle differences between a legitimate email and a phishing email.”
~ Liz Knight, Head of Cyber Security at Theta.
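
The warning signs listed above can also be checked mechanically as a first-pass triage before a person reviews the message. The following Python is an added example, not part of the original article or any Theta tooling; the sample email, its domains, the keyword lists and the `warning_signs` function are constructed for illustration, and the Reply-To and link-text checks go slightly beyond the article's list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); every name and domain is made up.
SAMPLE = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies.example>
Reply-To: payments@acme-supplles.example
Subject: URGENT: updated bank details for invoice 1042
Content-Type: text/html

<p>Please note our change of bank account. Pay today to avoid late fees.</p>
<p><a href="http://login.portal-check.example/verify">https://acme-supplies.example/invoices</a></p>
"""

# Keyword patterns are illustrative assumptions; tune them to your own mail flow.
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|final notice)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|change of|changed|updated?)\s+(our\s+)?bank\s+(account|details)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|credit card|card number|pin)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):  # hostname of an http(s) URL, or None if the text is not a URL
    m = re.match(r"https?://([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None

def warning_signs(raw, known_senders=()):
    """Return the warning signs found in a single-part email, in a fixed order."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    signs = []
    if sender not in known_senders:
        signs.append("unfamiliar-sender")
    if reply_to and reply_to.rsplit("@", 1)[-1] != sender.rsplit("@", 1)[-1]:
        signs.append("reply-to-domain-differs")   # replies go somewhere else
    if URGENCY.search(text):
        signs.append("urgency")
    if BANK_CHANGE.search(text):
        signs.append("bank-account-change")       # always verify by phone
    if CREDENTIALS.search(text):
        signs.append("asks-for-credentials")
    for href, label in LINK.findall(body):
        if host(label) and host(label) != host(href):
            signs.append("link-text-mismatch")    # shown URL differs from target
            break
    return signs
```

A flagged message still needs the phone-call verification described above; an empty result does not mean the email is safe.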

2. Phishing and Security Awareness training

Invest in training your team to recognise the warning signs of phishing attacks and to follow cyber security best practices. You can achieve this through online security awareness training services like KnowBe4, regular communication and discussions about security threats, and practising phishing simulations throughout the year to help people spot malicious emails.

3. Enable multi-factor authentication

Multi-factor authentication is an effective barrier. Even if your username and password have been compromised, a second factor of authentication protecting your account can stop hackers in their tracks. These days multi-factor is easy to enable and should be a mandatory feature of any application you invest in.

4. Use long, strong, unique passwords & password managers

This may come as nothing new to you; however, you’d be surprised how many people still use weak passwords. You should use a different password for each system you access – that way, if one system gets compromised, the same password cannot be used to access other systems. Passwords need to be long, strong and personal to you so no one else can guess them. The days of starting your password with a capital letter are over – try mixing it up with lowercase and numbers as well. Use a trusted password manager to store your passwords instead of writing them down!

5. Keep your software patched

Software patching is essential for keeping systems free of bugs and vulnerabilities that could expose them to cyber threats. Whenever feasible, enable automatic software updates, keep laptop and device operating systems up to date, and replace outdated software.

Stay ahead of your attackers

For help implementing these tips, including team training options and managed security, talk to us