7 Email Security Best Practices For Accounting & Bookkeeping Firms

In most accounting firms, email remains the primary communication channel, meaning that email security needs to be a primary focus for firms.

It’s easy to think that just because your mailboxes have passwords, or even because you use a password manager, you’re safe from cyber threats. You are not.

In fact, email is the most common way cyber-criminals break into accounting firms.

In this article, we’ll review the top 9 reasons why email is such a popular target for hackers, before explaining the 7 email security best practices that will keep your firm, your data and your clients safe. 

Top 9 Reasons Why Email Is The #1 Hacking Target In Accounting Firms

#1: Email is a soft target

Attackers take the easiest route in. Breaking into a cloud accounting app directly is hard: the vendor controls the login flow, usually enforces Multi-Factor Authentication and watches for abuse. A mailbox protected by a reused password and no MFA is a far softer target, and once inside, the attacker can use that mailbox to reset the passwords of those same accounting apps.

#2: Using a generic “password management tool” alone won’t protect you

It’s entirely possible to store a WEAK password in a password manager, and a weak password can be guessed or cracked in seconds. Passwords must be strong (16+ characters, alphanumeric, non-guessable and unique to each service). Let the manager generate them: a random 16-character string is strong; a word with a number on the end is not, however it is stored.

#3: Email providers compete on convenience by making it easy to log in

Major email providers such as Office365 and Gmail compete on convenience for the user. They have not historically enforced Multi-Factor Authentication out of the box, and whether it is on today depends on your tenant’s settings, so never assume it: check, and enforce it for every account. (Most accounting apps do enforce such measures.)

#4: Multiple devices means multiple targets

Most professionals read email on their phone and on other devices. Every one of those devices is a target, and one stolen, unlocked smartphone may give access to your whole firm’s data. Any device that syncs mail needs a screen lock, encryption and the ability to be wiped remotely.

Reduce the number of devices that hold your mail by accessing your various mailboxes from one managed device rather than several. Switch Extension has tips on how to do this.

#5: Hackers can outsmart legacy mailbox protocols

Legacy mailbox protocols such as POP, IMAP and SMTP AUTH, when used with Basic Authentication, let any device that knows the username and password connect to the mailbox. Basic Authentication has no way to ask for a second factor, so an attacker who guesses the password over one of these protocols walks straight past your Multi-Factor Authentication unless the protocols are switched off (or restricted to modern, OAuth-based authentication).

#6: Hackers use techniques such as “password spraying” to sniff out weak passwords

A traditional “brute force” attack fires many login attempts at the same email address, which is noisy and usually trips an account lockout.

“Password spraying” turns this around: the attacker tries a handful of the most common passwords (password1, Welcome1, the firm’s name plus the year) against thousands or millions of email addresses, only one or two guesses per account, so no lockout threshold is ever reached. As soon as one guess works, the hackers dig deeper into that account.
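To make the difference visible in your own logs, here is an added example (written for this edit, not code from the original article) that classifies failed sign-ins from a sign-in log export. The six mailboxes, the two source addresses and the thresholds are constructed for the demo; a real run would take the user, source IP and result columns from your Office365 or Entra ID sign-in export, filtered to a recent time window.

```powershell
# Added example (not from the original article): classify failed sign-ins as
# password spraying (one source, many accounts, a few guesses each) or brute
# force (many failures against one account). All records below are constructed.

$signIns = @()
# One source tries the same two guesses against six mailboxes ...
foreach ($user in 'alice', 'bob', 'carol', 'dave', 'erin', 'frank') {
    foreach ($attempt in 1..2) {
        $signIns += [pscustomobject]@{ User = "${user}@firm.example"; IP = '203.0.113.7'; Result = 'Failure' }
    }
}
# ... and the second guess works on one of them: the sprayer's "hit".
$signIns += [pscustomobject]@{ User = 'frank@firm.example'; IP = '203.0.113.7'; Result = 'Success' }
# A second source hammers a single mailbox: classic brute force.
foreach ($attempt in 1..12) {
    $signIns += [pscustomobject]@{ User = 'bob@firm.example'; IP = '198.51.100.9'; Result = 'Failure' }
}
# Normal activity for contrast (one typo, then a successful login).
$signIns += [pscustomobject]@{ User = 'alice@firm.example'; IP = '192.0.2.10'; Result = 'Failure' }
$signIns += [pscustomobject]@{ User = 'alice@firm.example'; IP = '192.0.2.10'; Result = 'Success' }

function Find-SuspiciousSignIns {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $SprayMinAccounts      = 5,   # distinct accounts hit from one source
        [int] $SprayMaxPerAccount    = 3,   # a sprayer stays under the lockout threshold
        [int] $BruteForceMinFailures = 10   # failures against one account
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $failures = @($Records | Where-Object { $_.Result -eq 'Failure' })

    # Password spraying: one source IP, many accounts, only a few failures each.
    foreach ($bySource in ($failures | Group-Object IP)) {
        $perAccount = @($bySource.Group | Group-Object User)
        $maxTries   = ($perAccount | Measure-Object -Property Count -Maximum).Maximum
        if ($perAccount.Count -ge $SprayMinAccounts -and $maxTries -le $SprayMaxPerAccount) {
            # Any success from the same source is the account the sprayer got into.
            $hits = @($Records | Where-Object { $_.Result -eq 'Success' -and $_.IP -eq $bySource.Name } |
                      Select-Object -ExpandProperty User -Unique)
            $findings.Add([pscustomobject]@{
                Pattern     = 'PasswordSpray'
                Source      = $bySource.Name
                Accounts    = $perAccount.Count
                Failures    = $bySource.Count
                Compromised = ($hits -join ', ')
            })
        }
    }

    # Brute force: one account, many failures, from any number of sources.
    foreach ($byUser in ($failures | Group-Object User)) {
        if ($byUser.Count -ge $BruteForceMinFailures) {
            $findings.Add([pscustomobject]@{
                Pattern     = 'BruteForce'
                Source      = (@($byUser.Group | Select-Object -ExpandProperty IP -Unique) -join ', ')
                Accounts    = 1
                Failures    = $byUser.Count
                Compromised = ''
            })
        }
    }
    return $findings.ToArray()
}

Find-SuspiciousSignIns -Records $signIns | Format-Table -AutoSize
```

On the constructed data this reports 203.0.113.7 as a spray across six accounts with frank@firm.example compromised, and bob@firm.example as a brute-force target. The point of the two separate rules is that per-account lockout (which stops the second pattern) never fires for the first; you need a per-source view to see a spray at all.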


#7: Email is easier to exploit than phone or face-to-face scams

Face-to-face scams are relatively hard to pull off. The scammer has to be present in your location, and they run the risk of being caught. Phone scams are a little easier, but may arouse suspicion if the accent or tone of voice isn’t on point.

By contrast, with email the hacker can hide behind a keyboard from anywhere in the world, with very little risk of being caught. 

#8: Scammers rely on habit to trick the unwary

Scammers use social engineering to perpetrate crimes. They study habits such as the timing of payment runs, who approves them and the wording of the emails involved, then mimic that behaviour so their fraudulent request looks routine.

#9: Email attacks are swift and broad 

It only takes one compromised account for a hacker to send malicious emails to hundreds of clients. Then it only takes one client to be fooled for a serious and costly problem to result.

Real-Life Case Study: One Bad Password Causes Chaos

In one recent case, an IT contractor reset a firm Director’s email password to password1.

The Director was advised to reset the password to something stronger, but he got busy and forgot.

Sure enough, his mailbox was compromised and the access was used to authorise a number of dodgy payments.

The hacker also sent phishing emails to a couple of clients the Director was in frequent contact with. This resulted in one client’s network being taken down by ransomware.

As a result, the firm lost time, money, and most importantly of all, trust.

The firm tried to blame the contractor for not setting a secure password. However, as it was the firm that owned the data, they got saddled with the liability. And their insurer wouldn’t pay out because password1 is such a weak password.

Now that we’ve highlighted the real risks of lax email security, let’s take a look at practical measures your firm can adopt to ensure you don’t become a victim…

7 Best Practices For Hardening Email Security In Your Firm

#1: Mandate strong email passwords

The human element is the biggest challenge to email security. Your password management or identity platform should enforce a policy, not just suggest one: 16+ characters, alphanumeric, unique to each service and not on any known breached-password list. Better still, have it generate passwords so nobody is inventing them. Remember that a strong password alone does not stop a phishing page that captures it, which is why Multi-Factor Authentication (see #2) is not optional.
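As an added example for this point and for reason #2 above (written for this edit, not code from the original article or from Practice Protect), here is a policy check that would have rejected the case study’s password1, alongside a generator that produces the kind of password a manager should be creating. The breached-password set is constructed for the demo; a real deployment would check against a feed such as Have I Been Pwned, which is queried by the first five characters of the SHA-1 hash so the password itself never leaves your machine.

```powershell
# Added example (not from the original article): enforce the article's password
# rules and generate compliant random passwords. Breached list is constructed.

function Get-Sha1Hex {
    param([Parameter(Mandatory)] [string] $Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Constructed stand-in for a breached-password feed, stored as SHA-1 hashes.
$BreachedHashes = 'password1', 'Password123', 'Welcome1', 'firmname2024' | ForEach-Object { Get-Sha1Hex $_ }

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string]   $UserName  = '',
        [string[]] $Breached  = $BreachedHashes,
        [int]      $MinLength = 16
    )
    $problems = @()
    if ($Password.Length -lt $MinLength) { $problems += "shorter than $MinLength characters" }
    if ($Password -notmatch '[A-Za-z]' -or $Password -notmatch '[0-9]') { $problems += 'needs letters and digits' }
    if ($UserName) {
        # Reject the mailbox name (director, jsmith, ...) embedded in the password.
        $local = ($UserName -split '@')[0]
        if ($local -and $Password.ToLowerInvariant().Contains($local.ToLowerInvariant())) {
            $problems += 'contains the user name'
        }
    }
    # Compare by hash, as breach feeds do; only the 5-char prefix would go to HIBP.
    $hash = Get-Sha1Hex $Password
    if ($Breached -contains $hash) { $problems += 'appears in a breached-password list' }
    [pscustomobject]@{ Acceptable = ($problems.Count -eq 0); Problems = $problems }
}

function New-RandomPassword {
    param([int] $Length = 20)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
        $alphabet[$byte[0] % $alphabet.Length]
    }
    -join $chars
}

# The case-study password fails on three counts ...
Test-PasswordPolicy -Password 'password1' -UserName 'director@firm.example'
# ... while a generated one passes (regenerate in the rare case it draws no digit).
do { $candidate = New-RandomPassword } until ((Test-PasswordPolicy -Password $candidate).Acceptable)
$candidate
```

Run on its own, the script reports password1 as too short, containing no letters-and-digits mix beyond the trailing digit, and present in the breached list, then prints a 20-character random password that passes every rule. Length and randomness do the real work here; composition rules mainly exist to stop people reaching for a dictionary word.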

#2: Set Up Single Sign On (SSO) Authentication

Single Sign On (SSO) lets each user authenticate once (typically once a day) to a central identity provider, with one Multi-Factor Authentication prompt. The provider then signs them into every connected cloud app, including email, via a federation standard such as SAML or OpenID Connect, so no app holds a separate password for that user. This adds security, because password policy, MFA and access revocation are controlled in one place, while eliminating the need for dozens of multi-factor codes. The identity provider then becomes your most valuable account, so protect it with the strongest MFA you have and keep its administrators to a minimum.

#3: Disable legacy mailbox protocols

Legacy mailbox protocols such as POP, IMAP and SMTP AUTH with Basic Authentication are outdated and should be disabled for every mailbox that doesn’t strictly need them. Before you do, check for scanners, copiers and line-of-business applications that send mail through SMTP AUTH so they can be migrated or explicitly excluded. Check out our help article on how to disable SMTP/POP/IMAP for Office365 Mailboxes.
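For readers who want to do this from the Exchange Online command line, here is an added example (written for this edit, not the help article the text refers to). It assumes the ExchangeOnlineManagement PowerShell module and an Exchange administrator account; admin@firm.example and scanner@firm.example are placeholders for your own addresses.

```powershell
# Added example (not the article's help guide): report, then disable, POP, IMAP
# and SMTP AUTH on Exchange Online mailboxes. Addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@firm.example

# 1. Report: which mailboxes still accept the legacy protocols?
#    SmtpClientAuthenticationDisabled is $null when a mailbox simply inherits the
#    tenant-wide setting, so only an explicit per-mailbox $false is flagged here.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

# 2. Disable them on every mailbox, keeping any account that genuinely must
#    relay mail (e.g. an office scanner) out of the change until it is migrated.
$exclude = @('scanner@firm.example')
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $exclude -notcontains $_.PrimarySmtpAddress.ToString() } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true

# 3. Make new mailboxes inherit the same defaults and turn SMTP AUTH off tenant-wide.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 4. Block Basic Authentication at the organisation level. New-AuthenticationPolicy
#    blocks every protocol unless you pass one of its -AllowBasicAuth* switches.
New-AuthenticationPolicy -Name 'Block Basic Auth'
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'
```

Re-run the report from step 1 afterwards and expect an empty result. Microsoft has since switched off Basic Authentication for POP and IMAP across Exchange Online, so step 4 is belt-and-braces on a current tenant; steps 1 to 3 still matter, because a mailbox with POP or IMAP enabled remains reachable by any client the user authorises. An Entra ID Conditional Access policy that blocks legacy authentication enforces the same thing at the identity layer and is worth having alongside these settings.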

#4: Remove employee email addresses from your website

We recommend you don’t post team members’ email addresses on your website. A public list of names and addresses gives attackers ready-made targets for phishing and password spraying, and identities to impersonate in social engineering. Instead, use a generic address such as info@firmname.com

#5: Train your team to be vigilant 

Most data breaches involve human error. It’s not intentional; it’s simply that employees haven’t been trained what to look for.

Basic cyber security training goes a long way toward arming team members with the knowledge they need to avoid costly mistakes. Here are some of the telltale signs to look out for: a sender or reply-to address that doesn’t match the display name or the firm’s domain, a link whose real destination (hover over it) differs from its text, an unexpected attachment, pressure to act urgently or secretly, and any request to change bank account details.

Image: Email Security: Spotting Phishing Scams

#6: Always verify sensitive requests via phone or in person

It is best practice to verify sensitive requests out of band. For example, prior to authorising a payment or changing bank account details, call the other party to confirm the request, using a phone number you already have on file, never one supplied in the email itself.

#7: Restrict administrator privileges

Accounts with “Administrator” privileges have great power to affect your whole organisation. Limit administrator privileges to the fewest possible accounts, give each administrator a separate admin account that is not used for day-to-day email, and protect those accounts with Multi-Factor Authentication. In addition, we recommend a periodic audit to ensure that administrator accounts don’t remain active after they’re required.
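As an added example of that periodic audit for a Microsoft 365 tenant (written for this edit, not code from the original article), the script below lists the members of the Global Administrator role and flags any that are disabled or have not signed in for 90 days. It assumes the Microsoft.Graph PowerShell module, a reader granted the scopes shown, and that your tenant exposes sign-in activity (which needs AuditLog.Read.All); the 90-day threshold is an assumption to adjust for your firm.

```powershell
# Added example (not from the original article): audit Global Administrator
# membership and flag accounts that look abandoned. Thresholds are assumptions.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'AuditLog.Read.All'

$role       = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$staleAfter = (Get-Date).AddDays(-90)

# Role members can be users, groups or service principals; only users are resolved here.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    $u    = Get-MgUser -UserId $m.Id -Property DisplayName, UserPrincipalName, AccountEnabled, SignInActivity
    $last = $u.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        Admin      = $u.UserPrincipalName
        Enabled    = $u.AccountEnabled
        LastSignIn = $last
        # Review: disabled, never signed in, or silent for longer than the threshold.
        Review     = (-not $u.AccountEnabled) -or (-not $last) -or ($last -lt $staleAfter)
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

Anything with Review set to True should either be removed from the role or justified in writing. Two caveats: the query shows permanent assignments only, so administrators made eligible through Privileged Identity Management will not appear, and a group assigned to the role is skipped rather than expanded, so audit group membership separately.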

Conclusion & Next Steps 

Email is a vital tool for the modern accounting firm, but it does come with risks. Follow the advice in this article and you will greatly reduce the chance of a costly incident.

Practice Protect users can solve all the problems described in this article for around US$10 per month per user (even less for larger firms). To find out more, register for a Free Demo with one of our team.