Please ensure Javascript is enabled for purposes of website accessibility

An Accounting Firm Gets Phished: A Play In Two Acts

The other day — OK it was actually 12 days ago — we got a random email in our editor inbox. This is not uncommon, said inbox serves as the garbage disposal into which reader complaints go. Just kidding, we love feedback. Really. The editor inbox is a hub for reader comments, advertising requests, story requests, complaints, butt emails consisting of long nonsensical rows of b’s and x’s, and occasionally some old guy complaining about how one F-bomb is too many and I need to stop being so disrespectful. And every now and then, we get an email like this one below.

I have redacted the sender’s information for obvious reasons.

Your disclaimer has no power here, [redacted]! Moving on…

Moments later — OK it was actually an hour and 25 minutes later — we received this:

We’ll give the firm’s security credit here for catching it as quickly as it did. The same can’t be said for Deloitte. In 2016, a “hacker” compromised the firm’s global email server through an “administrator’s account” which did not have two-factor authentication on; the breach was not discovered until 2017. Using scare quotes here because the original article from The Guardian did the same and also because when your great aunt gets her Facebook “hacked” for the 10th time this year, it likely be because she was phished somewhere between the sketchy “Which Potato Species Are You?” quizzes and sketchy apps she gave full permissions to. Much like your great aunt, we use “hacked” here as an umbrella term to describe outside individuals gaining access to things they shouldn’t through sketchy means.

Deloitte and our victim firm above are certainly not alone. An Albany, NY firm was hit with a ransomware attack in late 2019. That same year, Wolters Kluwer had to temporarily take CCH offline due to a malware attack. In 2021, Oregon-based Gustafson & Company was fined by the state for failing to disclose a 2020 data breach that compromised the personal and financial information of nearly 1,900 Oregonians. A Chicago firm is facing a class-action lawsuit for letting personally identifiable information (PII) and protected health information (PHI) fall into the wrong hands [PDF here]. And then there’s this: from January 2014 to February 2018 there were 132 accounting firm breaches in the state of Maryland alone according to data analyzed by Christine Cheng, Ph.D., Renee Flasher, CPA, Ph.D., and James P. Higgins, CPA, CGMA and reported in Journal of Accountancy. Check the table:

Shout out to those eight missing USB drives and laptops. That’s actually not bad for every single accounting firm in Maryland over a four year period.

The list above is by no means an exhaustive one. It’s not an accounting firm but let’s not forget about the time the AICPA’s Twitter account got hijacked by Bitcoin scammers.

What is the lesson here? Well I hope no sophisticated, tech-smart Going Concern readers need to read this but DO NOT OPEN STRANGE ATTACHMENTS. I’m going to leave some helpful links below for anyone who may need them just in case so you don’t end up like [redacted] and make your firm’s security team do more work than they need to, and if you do how to proceed from there.

10 Ways To Avoid Phishing Scams []
A cyber-attack could spell disaster for your CPA firm [AICPA Member Insurance Programs]
Why Preventing Data Breaches Should be a Top Priority for CPA Firms [CPA Practice Advisor]
Data Breach Recovery Tips for Accounting Firms [AccountingWEB]

Photo by Tima Miroshnichenko from Pexels