Thieves always build a better mousetrap, so stay vigilant.
By Donny Shimamoto, CPA, CITP, CGMA
On cybersecurity for accountants
In 2018, fraudsters posed as tax authorities and state accounting and tax professional associations. These were simple phishing attacks trying to get tax practitioners’ email usernames and passwords, allowing fraudsters to obtain client contact information and perform email-based password resets for other systems.
The IRS reported seeing threats specifically targeting preparers in Illinois, Iowa, New Jersey and North Carolina. Additionally, the IRS received reports tied to a Canadian accounting association.[i]
Sadly, this means tax practitioners need to be extra vigilant about being targeted by phishing attacks. If fraudsters obtain client contact information, they can also use it to carry out “spearphishing” attacks, where they pose as you (a trusted person) telling your client that you need banking or other information from them. If your email username and password are compromised, they can monitor your inbox to see if a client responds and reply to them as if it came from you. They can also delete the client email and the response they send from your inbox and sent items, respectively, so you never know it even happened.
In 2019, the IRS saw fraudsters go back to attacking taxpayers directly, this time impersonating the IRS itself. Email subject lines like “Automatic Income Tax Reminder” or “Electronic Tax Return Reminder” had links that took people to an IRS.gov-like website with details pretending to be about the taxpayer’s refund, electronic tax return or tax account. The emails contained a temporary password or one-time password to access the files to submit the refund request. These files were trojans that, when opened, installed malware onto the person’s computer.[ii]
The scary thing about this type of attack is that malware like this can go undetected on a computer for a long time, sometimes even years. We see thieves sit and wait and gather information over time (passwords, account numbers, contact lists), things that could be used to create more attacks later. Some will also wait to see if a person connects to a corporate network via VPN or by going into the office. Once they see that they’re in a network, they try to get into the servers there and spread further, to other users or to other servers, eventually even potentially getting admin access to the entire network, which gives them access to a lot more data.
Over the course of the COVID-19 pandemic, with everyone working from home and wanting to get their stimulus monies, there was a spike in phishing attacks that posed as providing taxpayers with information about their eligibility for, or the payment status of, stimulus funds.
Ransomware attacks ran rampant during the pandemic as well. There were 1,251 ransomware-related incidents in 2021, up from 602 in 2020.[iii] The cost of these incidents also escalated: it was $1.2 billion in 2021, almost triple the $416 million cost in 2020.
Consider what would happen if you were hit by ransomware right before a tax deadline. Do you know which clients you would need to extend (assuming that was an option)? Do you have the contact information for clients available offline so that you can contact them to let them know what is happening? Further, the FTC safeguards went into place on June 6. Are you at least in compliance?
Hackers are consistently evolving. As prime targets of cyber attacks, accounting professionals should always make cybersecurity a top priority.
[i] IR-2018-125, May 14, 2018 | [ii] IR-2019-145, August 22, 2019 | [iii] https://www.accountingtoday.com/news/ransomware-attacks-doubled-from-2020-to-2021-especially-from-russia, Nov 2022