CPA Practice Advisor

JUN 2016


BRIDGING THE GAP
By Jim Boomer, CPA.CITP

Scammers Move From Phish to Whales

We've all received the email. A Nigerian prince wants you to help him move money into the United States. In return, you'll get to keep a piece of the fortune. With typos and grammatical errors aplenty, most (but not all) are savvy enough to recognize the scam and hit delete. Unfortunately, the criminals are getting much more sophisticated and personal in their tactics and setting their sights on higher profile targets. These new attacks are going after the "big fish" or, in security lingo, they are whaling.

What is Whaling?

Whaling is a form of phishing attack in which senior executives and others with access to valuable and sensitive data are sent very personal and well-researched emails. The attacker may send the target an email that appears to be from someone they trust in order to extract valuable information or direct them to a malicious website.

What makes this trend so scary is the level of sophistication that recent attacks are achieving. The personal, one-off nature also makes them more difficult for IT to detect than traditional phishing emails, where hundreds of versions of the same message flood the email server. The criminals are doing their research, including studying communication styles to make the messages look real. Some even include closely held information and the names of individuals expected to be involved in the exchange.

Making It Real

Over the last month, we have facilitated almost 100 mid- to large-sized CPA firms in our various peer communities and heard too many stories about these types of attacks. Let me give you a couple of examples to make it real.

Example 1: The CFO of one firm recently received an email from the managing partner asking her to wire money to a client's account. The email appeared to come from the managing partner's legitimate email address and was written in the exact tone and words used in countless previous exchanges between the two. The CFO did as she had been instructed and contacted the bank to wire the funds. Fortunately, she also cc'd the managing partner, and it was caught before the firm was out more than $30,000.

Example 2: This one was a personal attack and, unfortunately, did not end as positively. In this attack, an individual was in the process of helping his son buy his first house. He was expecting the final numbers and had an estimate of what to expect. Within the expected timeframe, he received a spoofed email from the mortgage company with an amount very similar to the estimate to wire to the escrow account. The email used the company's header and appeared to be from the person with whom this individual had been corresponding. It also mentioned, and appeared to copy, other legitimate people involved in the transaction. Ultimately, the funds were transferred and he was out $67,000.

What You Can Do to Protect Yourself

Scary stuff, right? My goal in this column is not to terrify you but rather to motivate you to take action to protect yourself. Here are some things you can do to protect your corporate whales, or yourself, from being harpooned.

• Security awareness training – Knowledge and awareness are the best weapons against these types of attacks. Talk to your team and provide real-world examples of what's happening, both personal and professional. Ultimately, we don't have time to confirm the legitimacy of every email we receive, but when it involves personal, financial or sensitive data, make it part of the mindset to confirm independently, through a channel other than the email itself (for example, a phone number you already have on file).

• Conduct your own penetration and social engineering testing – Whether you hire an outside party or have internal resources conduct the test, just do it. The initial test will give you a baseline of how savvy your team is about these scams, and subsequent testing will show whether you're making improvements.

• Use common sense with the information you put in the public domain – Train your team to limit the types of information they put on social media and other publicly accessible sites. In general, be sensible about publicly providing information that could be used to impersonate you. And don't trust every invitation you receive. If you don't know them, it's best to decline, even if your friends or connections have accepted.

• Build controls into your processes – Again, this is important both to your firm and personally. Look at the process for approving wire transfers and sending out other sensitive information. Build in a multi-party approval process to ensure that multiple people are involved. Also talk to your banks and request confirmation of wire transfers over a certain threshold, especially if they are international.

Bottom Line

We unfortunately live in a world where criminals are constantly trying to take what we've worked hard to earn. You have to be on alert and skeptical continuously. Education is the foundation of protecting yourself from falling victim to these scams. Through continual security awareness training and monitoring, as well as building safeguards into your processes, you can protect yourself and your firm from falling victim to one of these attacks.

Jim Boomer is a shareholder and the CIO for Boomer Consulting, Inc. He is the director of the Boomer Technology Circles™ and an expert on managing technology within an accounting firm. He also serves as a strategic planning and technology consultant and firm adviser in the areas of performance and risk management. In addition, Jim is leading a new program, The Producer Circle, in collaboration with CPA2BIZ and the AICPA.
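Both examples in the column turn on an email that appears to come from a trusted sender. The following Python script is an added illustration, not code from the original column, of the kind of header-level triage an IT team can run on inbound mail to flag the usual signs of executive impersonation: a known executive's display name paired with the wrong address, a sending domain one or two characters away from the firm's own, a Reply-To that steers answers to another domain, non-passing SPF/DKIM/DMARC verdicts in the receiving server's Authentication-Results header, and wire-transfer language in the body. The firm domain, the executive directory, the keyword list and the two sample messages are all constructed for the example.

```python
"""Header-level triage for executive-impersonation ("whaling") email.

Added example, not code from the original column. The firm domain, the
executive directory, the keyword list and both sample messages below are
constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-cpa.com"                            # assumed: the firm's own domain
EXECUTIVES = {"managing partner": "mp@example-cpa.com"}   # assumed: display name -> real address
MONEY_WORDS = re.compile(r"\b(wire|transfer|escrow|urgent|confidential)\b", re.I)


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def levenshtein(a, b):
    """Edit distance, used to catch lookalike domains such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for a domain that is close to, but not exactly, the firm's domain."""
    return domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= 2


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. A known executive's display name attached to an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name impersonation of %s via %s" % (name, addr))

    # 2. Sending domain that is one or two edits away from the firm's domain.
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain %s" % from_domain)

    # 3. Reply-To steering the conversation to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("Reply-To %s differs from From domain" % reply_to)

    # 4. Verdicts the receiving mail server recorded in Authentication-Results.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % mech, auth, re.I)
        if m and m.group(1).lower() != "pass":
            findings.append("%s=%s" % (mech, m.group(1).lower()))

    # 5. Payment and urgency language in the body (non-multipart messages only here).
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", "replace")
    hits = sorted({w.lower() for w in MONEY_WORDS.findall(body)})
    if hits:
        findings.append("payment keywords: " + ", ".join(hits))

    return findings


# Constructed sample: a spoof modelled on Example 1 (wrong domain, diverted replies, failed auth).
SPOOF = """From: Managing Partner <managing.partner@example-cpa.co>
Reply-To: managing.partner@mail-secure.net
To: cfo@example-cpa.com
Subject: Quick wire needed today
Authentication-Results: mx.example-cpa.com; spf=fail smtp.mailfrom=example-cpa.co; dkim=none; dmarc=fail

Please wire $30,000 to the client's account before noon and keep this confidential.
"""

# Constructed sample: routine internal mail that should produce no findings.
LEGIT = """From: Managing Partner <mp@example-cpa.com>
To: cfo@example-cpa.com
Subject: Lunch Thursday?
Authentication-Results: mx.example-cpa.com; spf=pass smtp.mailfrom=example-cpa.com; dkim=pass header.d=example-cpa.com; dmarc=pass

Are you free Thursday at noon?
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, triage(sample) or ["no findings"])
```

On the constructed spoof, triage() returns seven findings (impersonated display name, lookalike domain, diverted Reply-To, three non-passing authentication verdicts, and payment keywords); on the constructed legitimate message it returns none. No single check is conclusive, and a mailbox that has actually been compromised rather than spoofed would pass the first four, which is why the column's process controls (multi-party approval and out-of-band confirmation of wires) still matter.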
