The Busiest Time is the Riskiest Time for Cyberthreats

Want more great content like this? Subscribe to the IPA Monthly.

It’s during the most harried times of year that accountants are most likely to let security slide, but it’s also when hackers get busy with sophisticated phishing emails, the No. 1 vector for a cyberattack.

And AI tools are making phishing emails more difficult to detect. “When people are tired and their defenses come down a little bit, they’re more apt to click on it, particularly if it’s targeted,” saidd Roman Kepczyk, director of firm technology strategy for Rightworks.

“It’s not like the Nigerian scams we heard about so long ago. They are error-checked, they sound like they’re from a person who’s very intelligent, they use good nomenclature and they know how accounting firms operate. What you have to understand is hacker groups now are becoming very specialized.”

Security expert Nick Macsanders, reminds firms; “A lot of people sacrifice security for convenience.”

Kepczyk and Macsanders, executive director for business innovation and technology at Engineered Advisory, offered some back-to-basics tips for increasing security at all times of year, but particularly during the spring and fall busy seasons.


Kepczyk said most firms hold weekly meetings during tax season, and a simple explanation of the various phishing schemes out there may be enough to keep staff alert to the threats. An email may come from someone who sounds like a client who “forgot” to add a tax document to the portal or a job candidate with an attached resume that downloads malware in the background. Macsanders goes so far as to say Outlook should be set up to not accept documents at all.

Kepczyk recommends simulating phishing attacks – companies like KnowBe4, Proofpoint and Cofense can do this – so staff can learn on the spot. Macsanders shares real-life examples of what phishing emails look like and holds open chats where others can share what they’ve encountered. Ban use of USB flash drives, which can easily introduce malware, Macsanders advises.

Strict Access Controls

Mandate multi-factor authentication when anyone logs into firm resources or cloud applications, Kepczyk advises. He added that 42% of people reuse passwords and a third of them include their birthdays. A hacker can steal a password from a Facebook account and use password-guessing software to come up with millions of combinations that can be used to access firm information. He recommends using a password manager that automatically generates complex password strings that are nearly impossible to guess.

New applications are another threat, Macsanders said. “Allowing your employees to just constantly add on new applications as they find them is actually a scary thing when it comes to passwords because you no longer are managing it as a company, they’re just freewheeling it. And that’s when a lot of accounts can be hacked.” If an application must be used, make sure it is approved and installed by IT, he said. Also, make sure no one in the organization that’s an active user is an admin over the entire company, and keep log-ins separate.

Software Updates

While it sounds obvious, firms that manage their own IT are typically understaffed and overworked and are dealing with immediate emergencies like a portal that locks up or a printer that malfunctions when a partner needs it. Kepczyk recommends hiring a managed security provider. “We know it’s just too much work for an internal IT person.” Updates on laptops, phones and tablets are also critical. Set them to update automatically and reboot computers daily, as it’s the only way to load the updates. “We’ve got to change the habits we’ve had to what are required today.”

Backup and Recovery Plans

Firms typically use backup systems but the problem is that the logs aren’t often examined during busy times so anomalies aren’t detected. “Your only defense against ransomware is being able to recover.” A full system backup should be conducted daily, and firms should make hourly copies of changed files.

Macsanders recommends two backups. If the organization is held ransom, MacSanders said, you’ll need a cybersecurity company that can respond in under an hour, preferably in the first 15 minutes. This is particularly important during busy season. “Especially for larger organizations like ours, we’re going to lose a lot of data and it’s going to cause a lot of havoc if we lose an hour in the middle of the day.”

Secure Client Communication

Firms should mandate that client information can’t be changed or given out on one request. The firm must contact the client again through a secondary means, text or email for example, to verify it, Kepczyk said.

Macsanders goes so far as to say that Outlook should be set up to not accept attachments from clients at all. Practitioners can email back and explain the policy. “That way it doesn’t end up in your inbox and you don’t have to manage that.” Macsanders emphasized that professionals can take a second look to make sure the email is really coming from a client by setting email to detect whether it’s someone you have emailed before. Pay attention to display names versus email domains. If the domain looks suspicious, don’t open it.

Note: INSIDE Public Accounting is part of the Engineered Advisory family of companies.


Recent Posts


Sign up for the IPA INSIDER: a bi-weekly news round up sent directly to your inbox.

Related Stories