Combating online crime
What does cyber crime ‘look like’, and how can it affect your working life? Three experts discuss the types of prevalent cyber crime, how it could affect your organisation and what to do to prevent fraud.
Cyber crime is a problem that is constantly evolving, so to keep their organisations safe, accountants need to stay ahead of the online criminals. Here are some tips.
Types of cyber crime: Don’t get hooked by phishers
Falling victim to phishing scams can prove devastating. A traditional phishing attack aimed at an accountant could lead to their professional network being compromised. This would then mean the company (or companies) for which they work would be rendered vulnerable to financial crimes, via the theft of personal details which could provide access to the network; or via malware which could provide a back door to the network.
While you can be caught on the cyber criminals’ hook, you can even be bait for the more deceptive form of phishing: BEC (business email compromise) fraud, where a cyber criminal impersonates a member of staff in order to extract data or elicit a fraudulent transaction.
For example, as an accountant in practice you could be impersonated by a BEC scammer who sends an email to one of your clients requesting an alternative method of fee payment. If the client fails to flag this as unusual, the cyber criminal could be paid the fee for your work.
Individuals and businesses both have a role to play in keeping themselves safe from phishing. Organisations need to invest in email filtering systems, which can accurately identify and block phishing scams. But the sad reality is the increasing sophistication of phishing scams means that they won’t catch them all.
The final line of protection is human intuition: if something seems unusual, it’s always best to check with the sender for authenticity.
Corin Imai is senior security advisor at DomainTools
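The kind of check an email filter can apply to the fee-payment impersonation described above, as an added example that is not part of the original article or any vendor's product. The trusted domain, staff name, keyword list, 0.85 similarity threshold and both sample messages are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: the practice's real domain and staff names.
TRUSTED_DOMAIN = "example-accounting.test"
STAFF_NAMES = {"jane smith"}
PAYMENT_TERMS = ("bank details", "new account", "alternative method", "sort code")

# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Jane Smith" <jane.smith@example-acccounting.test>
Reply-To: jane.smith.fees@mailbox.test
To: client@client.test
Subject: Invoice 1042 - updated payment details

Please use an alternative method of payment for this fee. Our new account is below.
"""
ROUTINE = """\
From: "Jane Smith" <jane.smith@example-accounting.test>
To: client@client.test
Subject: Meeting notes

Notes from Tuesday are attached.
"""

def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_indicators(raw: str) -> list[str]:
    """Return the impersonation indicators present in one raw message."""
    msg = message_from_string(raw)
    name = parseaddr(msg.get("From", ""))[0].strip().lower()
    sender, reply = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    flags = []
    if sender != TRUSTED_DOMAIN:
        if name in STAFF_NAMES:  # known display name, unknown domain
            flags.append("staff-name-from-external-domain")
        if SequenceMatcher(None, sender, TRUSTED_DOMAIN).ratio() >= 0.85:
            flags.append("lookalike-domain")
    if reply and reply != sender:  # replies would go somewhere else
        flags.append("reply-to-mismatch")
    if any(term in text for term in PAYMENT_TERMS):
        flags.append("payment-change-request")
    return flags
```

A message that raises several indicators at once is a candidate for quarantine or for the out-of-band check with the sender that the article recommends.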
Affecting your organisation: The high price of transaction fraud
Despite advances in technology and targeted campaigns by financial institutions to educate their customers, transaction fraud is still a regular occurrence. Cyber criminals are continually thinking up new ways to outsmart their victims: whether it’s through clever phishing emails designed to impersonate senior executives or scare-tactic phone calls to demand outstanding payments.
The increasingly global nature of business means companies and teams are working differently, and accountants are no exception. They’re more mobile and, having taken on more strategic functions within their organisations or for clients, face growing pressure to make fast and informed decisions wherever they are.
Technology can help to improve productivity and facilitate real-time information-sharing on the go. But, while functionality is important, so too is robust security – especially when high-value transactions are in play amid a sea of special regulatory requirements.
Up until now, standard approaches to two-factor authentication in online and mobile corporate banking have mostly centred on the one-time password (OTP). But OTP generator hardware is a hassle to carry, and entering strings of digits can be error-prone. In addition, even when supplied via SMS (text), OTPs are susceptible to SIM swap or number-porting attacks, fake caller IDs, and call-forwarding scams operated by dishonest customer service representatives at mobile carriers.
Worse still, OTPs do not guarantee protection from phishing attacks and malware-enabled account takeover fraud.
There is good news, though: while SMS may not be secure enough to deliver OTPs, the mobile device itself can be used to authenticate financial transactions. Leveraging the ubiquity, computing power and connectivity of the mobile device not only provides the potential to bank anywhere, anytime, but allows banks to quickly authenticate and secure interactions of all kinds.
Frans Labuschagne is UK & Ireland country manager of Entersekt
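Why a one-time password gives no protection once it has been phished, shown as an added example that is not from the original article or from Entersekt. `totp` follows RFC 6238; `device_approval` is a hypothetical stand-in for device-based authentication that binds the approval to the transaction details, and all keys and transactions are constructed.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the secret and the clock only."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def bank_accepts_otp(secret: bytes, now: int, code: str, transaction: dict) -> bool:
    # The transaction never enters the check, so a valid code approves
    # whatever payment it arrives with.
    return hmac.compare_digest(totp(secret, now), code)

def device_approval(device_key: bytes, transaction: dict) -> str:
    """Hypothetical device-side approval: a MAC over the details the user saw."""
    shown = "|".join(f"{k}={transaction[k]}" for k in sorted(transaction))
    return hmac.new(device_key, shown.encode(), hashlib.sha256).hexdigest()

def bank_accepts_approval(device_key: bytes, approval: str, transaction: dict) -> bool:
    # The bank recomputes the MAC over the transaction it actually received.
    return hmac.compare_digest(device_approval(device_key, transaction), approval)

# Constructed values for the demonstration.
SECRET = b"12345678901234567890"   # RFC 6238 test secret
DEVICE_KEY = b"constructed-device-key"
NOW = 59
INTENDED = {"payee": "SUPPLIER-ACCOUNT", "amount": "1200.00"}
SUBSTITUTED = {"payee": "OTHER-ACCOUNT", "amount": "1200.00"}

def compare() -> dict:
    code = totp(SECRET, NOW)                          # user reads out / types the code
    approval = device_approval(DEVICE_KEY, INTENDED)  # user approves what is on screen
    return {
        "otp_accepts_substituted": bank_accepts_otp(SECRET, NOW, code, SUBSTITUTED),
        "approval_accepts_intended": bank_accepts_approval(DEVICE_KEY, approval, INTENDED),
        "approval_accepts_substituted": bank_accepts_approval(DEVICE_KEY, approval, SUBSTITUTED),
    }

if __name__ == "__main__":
    print(compare())
```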
Mitigation strategy: Don’t leave yourself open
Malware, ransomware and DDoS attacks often take aim at financial and accountancy firms because of the sensitive and valuable data their servers store. Personally identifiable information (PII), in fact, can be used for further criminal activities.
Also, with the introduction of the General Data Protection Regulation (GDPR), any type of security breach or non-compliance will have serious financial consequences for firms and could significantly damage a business. Other regulations and standards, such as the Network and Information Systems directive (NIS), and ISO27001, drive businesses to adopt strong, repeatable and measurable cyber security controls that are designed to improve continuously.
Accountants in business and practice are adopting technologies to speed up workflow, but with rapid digitalisation comes certain risks. Using tools connected to the internet opens security vulnerabilities and widens the attack surface. Firms need to be aware of how they mitigate the security risks.
The visibility of the business’ IT network is important: you can’t protect what you didn’t know was there. Plus, the IT team needs to apply scheduled security maintenance aimed at updating systems and applications with the most current security patches, using a risk-based approach.
Outsourced vulnerability management can help implement this security model without the need for a large IT security function in-house. Cyber crime trends in 2019 show no sign of a decline.
Without a simple vulnerability management process or controls in place, underestimating the vulnerabilities in a network, large or small, will result in a catastrophic, and costly, security incident that could have been avoided.
Eoin Keary is CEO of edgescan