Bean Phishing Attack: Was Your CPA Duped?

A fraudulent email scam has been using the logo of the American Institute of CPAs, a non-profit industry association, to entice AICPA members and others to share sensitive financial data. More details are available here.

Tactically, it sounds like a fairly basic attack; the emails say recipients have been implicated in tax fraud and that their CPA licenses may soon be terminated. Links in the emails lead to third-party sites that contain viruses designed to compromise data on the computers of recipients.

But strategically it’s quite clever and shows how cyberthugs are getting ever more creative in seeking vulnerabilities. Obviously, the firewalls and security systems of the Big Four accounting firms are tougher to crack than those of an independent, non-profit trade group, which surely offers openings to similarly valuable information. And the production value of the email (see image) is a good bit better than your standard scam involving, say, money stuck in Nigerian banks.

So the questions companies must ask themselves are:

  • Were any of your CPAs, auditors or employees dim enough to click on the links?
  • Would they be able to save confidential files or sensitive data on their own devices?
  • How do you know for sure your data is safe?
  • Who can provide answers to these questions – and are you confident in their answers?

The bottom line? As cybercriminals get more creative and innovative, your risk management approach must be similarly forward-looking and thoughtful. Innovations like risk visualization and third-party profiling can be difference makers in terms of protecting key assets and information, even when hackers are willing to try anything and everything to get a peek.
