Although it’s well-documented by the IRS and there are numerous and frequent warnings about fraud at this time of year, phishing is still the number one tax scam that many people—including accounting firm clients—fall victim to. With this in mind, tax season is the ideal time to look at how your firm is handling cybersecurity threats, such as phishing, both on desktop applications and in the mobile realm. The latter platform is an area that is still often overlooked by many firms, when it really deserves additional attention given that the line between work and personal computing is becoming increasingly blurred, and your employees and clients are likely using their personal devices to take care of work tasks and vice versa.
No matter what device is being used, the best defense against phishing and other cyber threats is a good offense. From a firm perspective, this should mean crafting a proactive policy for how your staff and your clients handle data and keep up to date on the steps they need to take to avoid phishing scams over the long term. Here are some tips to help you get your policy started:
1. Provide ongoing cybersecurity education to staff and clients. Some of your clients and staff may be well aware of what phishing is, but some may not. Make sure that your policy is clear about both the nature and the seriousness of potential cyber threats. At minimum, your clients need to know that phishing (pronounced “fishing”) is a form of social engineering that happens online. Phishers, also known as hackers, use many different techniques to fool people into handing over their credentials, which then give the attacker access to the victim's financial or other confidential data.
Incorporating education about phishing and other cyber threats is recommended both during your onboarding process and throughout the year as part of your communication plan since fraudsters continually up their game with schemes that can confuse even the most cautious and experienced person.
2. Make sure your clients know how to identify and avoid a phishing scam. Consider this: according to the 2017 Data Breach Investigations Report compiled by Verizon's Enterprise Solutions division, 90 percent of data breaches are caused by users falling prey to phishing scams. According to the report, while just a small percentage of users fall for phishing attempts (approximately 7 percent in Verizon’s case), those who do are likely to be victimized more than once—often in the same year. With the aggressiveness and level of sophistication rising in phishing schemes, remind your clients and staff that in email phishing schemes:
- Criminals may pose as a person or organization that they are familiar with.
- A “phisher” may hack an email account of someone they know and send mass emails under that person’s name.
- Data thieves may pose as financial institutions, credit card companies, the IRS or other government agencies or even tax companies.
- The emails used in phishing scams look like they came from legitimate businesses. They either infect your machine with malware, or a link in the email takes you to a page that looks entirely legitimate but is actually designed to steal your private information.
Steps you can take to protect yourself against cybersecurity attacks:
- Be wary of links. Carefully review any email containing links that urgently asks you to change a password, states that your account has been compromised, etc. Hover over the links in the email to display the true link destination. If the link's destination does not match the sender's domain shown in the “from” address, this could be a phishing attempt.
- Bolster your defense by taking all cybersecurity precautions. Enable two-factor authentication on all accounts that offer it. Use a password manager to maintain unique, strong, random passwords and be diligent about backing up your data.
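The "hover over the link" check above can be automated for a mail gateway or a help-desk triage script. The following is an added example, not code from the article or from SmartVault: it parses a constructed sample message (all domains and the IP address are placeholders), pulls every link out of the HTML body, and flags links whose destination is not under the sender's domain, points to a bare IP address, or whose visible text names a different host than the real destination (the classic "looks like the portal, goes somewhere else" trick). The `registrable_domain` helper is a deliberate simplification; production code should consult a public-suffix list.

```python
"""Flag links in an e-mail that do not match the sender's domain.

Added example for illustration only (not part of the original article).
Uses only the Python standard library.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. Domains and the IP are placeholders, not real
# indicators from any campaign.
SAMPLE_EML = b"""From: "Acme Tax Services" <support@acme-tax.example>
To: client@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been compromised. Please
<a href="http://acme-tax.example.login-verify.invalid/reset">change your password</a>
immediately.</p>
<p>Or visit <a href="http://198.51.100.7/portal">https://portal.acme-tax.example</a>.</p>
<p>Questions? See <a href="https://help.acme-tax.example/faq">our FAQ</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption for this example; real code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_suspicious_links(raw_message):
    """Return a list of (href, reason) for links that do not match the sender."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender_addr = msg["From"].addresses[0].addr_spec
    sender_domain = registrable_domain(sender_addr.split("@", 1)[1])

    body = msg.get_body(preferencelist=("html",))
    if body is None:          # plain-text only message: nothing to hover over
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())

    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("destination is a bare IP address")
        elif registrable_domain(host) != sender_domain:
            reasons.append(f"destination host {host!r} is not under sender domain {sender_domain!r}")
        # Visible text that looks like a URL but names a different host.
        shown = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
        if shown and shown.lower() != host:
            reasons.append(f"visible text shows {shown!r} but link goes to {host!r}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EML):
        print(f"SUSPICIOUS: {href}\n    {reason}")
```

Running it on the sample reports the first two links and leaves the genuine help-site link alone. Note what it does not catch: a sender address that is itself spoofed still passes the domain comparison, which is why this check complements, rather than replaces, sender authentication at the mail gateway and the two-factor authentication recommended above.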
3. Create a standard procedure for updating mobile devices. You and your staff are well aware of tax and other deadlines, but how diligent are you when it comes to updating your mobile devices? Smartphones, tablets and smaller connected devices create a new level of security risk because, unlike desktop computers, you have less control over who installs software updates and when they do it. Make updating devices part of your employment policy for staff, and send reminders to clients to do the same. These steps make mobile devices less susceptible to hackers and keep security top of mind for users as well.
4. Develop a protocol for keeping track of digital devices. An often overlooked security threat in today’s mobile age is the loss of portable devices that are used to access vital gateways of information. For example, if your staff and clients regularly log in to their portals, QuickBooks, and other workflow platforms on their phones and tablets and these devices are lost, do they have the proper safeguards set up (password or PIN protection, biometric security measures, GPS tracking enabled, remote shutdown of the device, etc.)? Do they know what to do and whom to notify if these devices become lost? If you are not sure, take a few moments to outline and communicate what your firm’s minimum safeguard standards are for these devices.
5. Position your firm as a partner in protecting your clients’ sensitive information. Your clients are likely hearing about tax season phishing and other scams in the media and through social media channels right now. Having a proactive policy in place that you can share with your clients as proof of your partnership with them to protect their data can be both reassuring and add more value to your relationships.
Beyond explaining how you store, secure and exchange tax documentation, share with your clients all of the information security protocols and training you implement internally with your employees and within your workflow to give them additional peace of mind and confidence in your firm.
6. Include easy, do-it-yourself safeguards for your clients and employees. As a firm owner, taking the lead when it comes to reducing the risk of cybersecurity threats for your employees and clients is your responsibility, but it is one that should be shared. Let your employees and clients know that they need to do their part in avoiding scams. Providing information on simple safeguards like these in your cybersecurity policy will help to empower clients and staff:
- Avoid the use of email to transmit sensitive information and instead use the secure tools provided by your firm, such as client portals, collaborative document sharing platforms and cloud-based data storage.
- Delete suspicious emails.
- Do not click on email links or open attachments if something seems "phishy" or otherwise unsafe.
- Change email and computer passwords often and do not share them with others, or better yet, adopt the use of a password manager to strengthen your security posture.
Unfortunately, no matter where you, your clients, or your staff go, or what devices are used, you could be the target of a scam. However, by taking proactive measures in educating your staff and clients and by having a cybersecurity policy in place, you’ll reduce the chances of being victimized by these crimes while advancing your firm’s information security protocols and its image as a trusted advisor to your clients.
Written by Ben Oliver, Chief Technology Officer at SmartVault.