Cybercriminals Are Now Targeting CPA and Accounting Firms

The reason for targeting accounting firms is almost obvious. Suppose you are trying to get sensitive information such as bank accounts, access to retirement and investment accounts, and Social Security numbers and EINs.

What industry would you turn to as a hacker? The answer is clear:

✅ CPA and accounting firms.

Unfortunately, too many of these firms have much of this sensitive client information sitting on a network drive or local computers as simple JPEG, PDF and text documents.

This creates a perfect opportunity for hackers: not only can they extort firms for cash, they also gain unprecedented access to clients’ data.

Personal data such as this is as good as money on the dark web, where it can be sold for huge profits. 💲💲

Every dollar paid as ransom or earned from sold data just continues to fund their criminal enterprise.

A common assumption about cybercriminals and their attacks is that they only happen to large firms.

According to digital forensic experts, however, that is not the case.

Small to medium-sized firms are typically a much easier target because firms of that size generally lack system security and proper policies and procedures for safeguarding clients’ information.


Ransomware is a type of malware that encrypts personal computers, networks, and files and blocks owners’ access. Recently a variation of this process has been developed in which the data is first downloaded to an external server before it is encrypted and a ransom is demanded.

A single system infected with ransomware has the potential to spread the infection across the network. Within a few days, that one infected system can give the attacker the ability to offload all the clients’ data to another server and encrypt every host machine.

The most common way these attacks happen!

Socially engineered attacks targeting employees are the fastest and most common way that hackers gain system access.

Phishing attacks are targeted at naïve and untrained employees, who are the most susceptible. Phishing emails are usually disguised as legitimate email requests from a company’s domain and will often ask for sensitive information such as passwords or financial data.

All employees need to know how they can spot these types of scams before it is too late! Sometimes all it takes is, for example, a part-time secretary entering their login information after clicking on a phishing email. That action in turn could open the doors for the attackers.

This is where employee security awareness training comes to the forefront of preventing these attacks. Webroot offers great security awareness training, and it is very affordable to get all employees to complete it.

This type of training course contains engaging and interactive videos and explains how to detect these threats and be more aware of them in general.

It even has a phishing simulator that can be used to test employees’ level of competence after they have completed the training. Those results then help identify employees that are still most vulnerable to that type of attack. Ultimately, end user training is the best first step in preventing an attack.


Have network traffic monitoring.

Unusual network activity is the first sign of trouble and should raise a red flag. There are many network monitoring tools available, both cloud-based and on-premises; they all work in a similar way.

☑️ The first step is to establish a baseline of normal network activity. That baseline is then used as a reference to detect any activity that falls outside of the “norm.”

☑️ Your IT provider should be notified at the first sign of unusual activity and, if quick defensive actions are taken by the IT provider, most of the attack can be prevented.
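The baseline-then-deviation approach described above, as an added Python sketch that is not taken from any monitoring product: it builds a per-host baseline of daily outbound traffic and flags hosts that exceed it, which is the pattern that data being offloaded before encryption would produce. The host names, traffic figures, `k` multiplier and `min_mad` floor are constructed assumptions.

```python
from statistics import median

# Constructed sample: daily outbound traffic per host in MB over a one-week baseline window.
BASELINE_MB = {
    "ws-frontdesk": [120, 135, 110, 128, 140, 125, 131],
    "ws-partner": [300, 280, 310, 295, 305, 290, 315],
    "srv-files": [900, 950, 870, 920, 910, 940, 905],
}
# Constructed sample: today's totals; ws-new has no history at all.
TODAY_MB = {"ws-frontdesk": 4200, "ws-partner": 320, "srv-files": 930, "ws-new": 50}


def build_baseline(history):
    """Return {host: (median, MAD)}; median/MAD resist one-off spikes in the history."""
    baseline = {}
    for host, samples in history.items():
        med = median(samples)
        mad = median(abs(s - med) for s in samples)
        baseline[host] = (med, mad)
    return baseline


def flag_anomalies(baseline, today, k=6.0, min_mad=5.0):
    """Return (host, value, reason) for hosts above median + k*MAD or lacking a baseline."""
    alerts = []
    for host, value in sorted(today.items()):
        if host not in baseline:
            # An unknown device on the network is itself worth a look.
            alerts.append((host, value, "no baseline"))
            continue
        med, mad = baseline[host]
        # min_mad keeps very steady hosts from alerting on tiny changes.
        threshold = med + k * max(mad, min_mad)
        if value > threshold:
            alerts.append((host, value, f"above {threshold:.0f} MB"))
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(build_baseline(BASELINE_MB), TODAY_MB):
        print(alert)
```
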

Do not store client data in plain text! 

Accounting firms frequently receive and scan sensitive documents from their clients. It is extremely important not to store those documents on a network drive in plain text format.

Instead, the use of applications such as:

👉 Thomson Reuters FileCabinet CS or

👉 eFileCabinet should be implemented.

These applications store scanned data fully encrypted and organize it by client.

The reason for using these applications is simple: without appropriate credentials, no data can be retrieved. Password-locking the data further mitigates risk: if an attack does happen, clients’ sensitive personal information won’t be leaked.
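To find out how much client data is currently sitting unprotected on a share, a firm can audit it before migrating. The following is an added Python sketch, not part of either product named above: it walks a folder, counts SSN- and EIN-shaped strings in text files without recording the values, and lists PDF/JPEG scans for manual review. The extension lists and the sample tree built by `demo()` are constructed assumptions.

```python
import os
import re
import tempfile

# SSN (NNN-NN-NNNN) and EIN (NN-NNNNNNN); lookarounds stop matches inside longer numbers.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
EIN_RE = re.compile(r"(?<!\d)\d{2}-\d{7}(?!\d)")
TEXT_EXT = {".txt", ".csv", ".log"}
OPAQUE_EXT = {".pdf", ".jpg", ".jpeg"}  # scans: need OCR or manual review

def audit_share(root):
    """Return sorted (relative_path, status, hit_count); matched values are never stored."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in OPAQUE_EXT:
                findings.append((rel, "manual-review", 0))
            elif ext in TEXT_EXT:
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    findings.append((rel, "unreadable", 0))
                    continue
                hits = len(SSN_RE.findall(text)) + len(EIN_RE.findall(text))
                if hits:
                    findings.append((rel, "plaintext-identifiers", hits))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree; every identifier in it is fake."""
    samples = {
        ("smith", "notes.txt"): "SSN 000-12-3456, EIN 00-1234567\n",
        ("smith", "w2_scan.pdf"): "%PDF placeholder",
        ("todo.txt",): "call client about invoice 2023-0045\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for parts, body in samples.items():
            path = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_share(root)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Files that come back as `plaintext-identifiers` or `manual-review` are the ones to move into the encrypted document store first.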

🎯 Have a good disaster recovery plan.

Disasters can take many forms, including ransomware attacks. Just ask yourself these questions:

Would your practice survive right now if your data drive or server disappeared?

⚠️ How long would it take to get back up and running if that were to happen?

⚠️ How much money would you lose during that downtime with no productivity?

These questions are just some of the things to consider when it comes to DR planning. An important key, of course, is to always have your data stored off-site.

If that is the case, you are looking at a worst-case scenario where data can always be retrieved, your systems can be rebuilt, and you can be back in business within several days.

If having operations shut down for several days would be too costly, then the DR plan must include local backups for quick restore. These local backups must include images as well as daily data, and must also include enough restore points to go back far enough in time to restore.

The use of immutable storage is a particularly good way to fight against ransomware.


Immutable Storage

Data in immutable storage remains unchanged and has a fixed address, enabling you to prevent tampering, modification, or removal of specific data. It can therefore be used to store system image backups, effectively making them immune to ransom attacks.

Combining immutable storage with a cloud backup is a low-cost protection plan against a ransom attack that could cripple your firm.

Look… the cybercriminal enterprise is worldwide and is a multibillion-dollar industry. We all have to do our part to fight back. Employee training, proper security systems, procedures for how data is stored, and good on-site and off-site backups are the first things that every accounting and CPA firm must consider.

This is especially true in the coming months as the phishing attacks are getting more and more prevalent. I have noticed many of our clients getting phishing emails, almost one every week. Stay safe out there!


If your CPA practice needs a security assessment to determine whether your backups, firewall and security software are properly configured to reduce the chance that your organization might be the next victim of a cyber attack, please contact AlphaCIS for help! We perform penetration testing (Pen Test) and network scans for misconfigurations and proper security settings, and we provide a detailed list of all of your network assets in an infrastructure map. This document can be given to any Managed IT Services provider in order to give you the best support possible and the peace of mind that your systems are secure. If your business is located in Metro Atlanta or the surrounding areas, please contact us for a quick discovery phone call with an engineer.