
Cybersecurity & COVID-19: What Accounting Firms Should Watch Out For

Apr 1, 2020 1:30:00 PM


We’re in a new era of work in America, and like all periods of swift change that came before this one, there’s no guidebook to reference.

However, there are plenty of experts to offer their takes on the best steps forward. Two of those experts are CPA Jody Padar and Botkeeper Chief Technology Officer Justin Whitehead. Recently, the two met virtually to talk about ongoing cyberthreats facing remote workers, in particular remote accounting firms.

According to Trend Micro, there were nearly 200k malicious spam emails sent between January 1 and March 27, 2020. And with more accounting firms working remotely, the risk of a hacker stealing sensitive information is even greater. In this interview, Justin and Jody talk through how phishing attempts take place and what you can do to prevent them.

You can watch the full 20-minute interview below, or keep reading for an edited version complete with Justin’s top tips for staying cyber-safe during the COVID-19 crisis. 





Jody Padar: Hey, it's Jody Padar here, the Radical CPA, and I am so excited to give you some really important information for CPA firms right now because I know we're all working virtual and there's a lot of things that are happening in the cyber world that we need to be concerned about for our firms and to make sure that our firms are protected. So, I have Justin Whitehead here. He is the CTO of Botkeeper, and he keeps us kind of safe and secure in this uncertain world of cybersecurity. So, Justin, can you go ahead and introduce yourself to our watchers and listeners so they can have a better understanding of what it is you do in your role at Botkeeper?

Justin Whitehead: Sure. So hello everyone, my name is Justin Whitehead. As Jody mentioned, I'm the CTO at Botkeeper. I've been with Botkeeper for almost 11 months now. My role and what I care about and focus on varies quite wildly. Everything from the AI behind the scenes, all the way up to—and especially front and center in my mind right now—the cybersecurity threats that are growing and evolving in the industry.

Jody: Well, thank you for taking the time out of your busy day to join us. So, can you tell us what the biggest threat is today going on for CPA firms? I know you were talking a little bit about something with Microsoft Office—what's happening there?

Justin: Yeah, so COVID-19 is spreading around, and a lot of businesses are shutting down or going pure virtual. Yeah, unless you're a tech company that you know you've got these systems in place, a lot of people are figuring this thing out for the first time.



With that, there's change, and when change happens, it ends up posing a new opportunity for cybercrime to happen. And this is something that we've actually been seeing rampantly over the past week. 

In fact, just within the last 48 hours, we saw two waves of emails going. This was a phishing attack that was going on, specifically trying to lift Office 365 accounts. We don't happen to use Office 365 at Botkeeper, so it didn't stand out to us. But it was a very interesting attack, and I wanted to quickly go ahead and share the attack that we've witnessed, and what it could end up doing and how that could be a risk to the CPA firms. I know that with cybersecurity, it's a much longer discussion as to how to get yourself into it, but I've got a couple quick pointers to do right now. It shouldn't cost you anything, and all that will get you a little bit more sleep at night, or in my case, fewer gray hairs on the side.

[Image: The Online Coronavirus Threat, from Statista]


So here's the attack. We saw the same attack, and it came through to two different emails. For those that don't know what a phishing email is, that's when a cybercriminal from the outside is sending in some convincing-looking email trying to get you to do some action—usually it's click a link or download a document—and generally they're trying to inject malware into your machine or your browser.  

In this case, one of the two was an email that would come from a coworker and/or somebody that you know. It was a familiar email and it said, “Hey, I've got this document to share with you,” and the language is around a contract to sign. And you would click on the link, and it would take you to this very convincing looking Office 365 signup page where you enter in your username and password. 

And once that happened—that wasn't an actual Office 365 sign-in page—they would go ahead and log into your email account and send the same exact email to your contact list. And why this is a particularly nasty cyberattack or phishing scheme is because the email is not coming from some bogus, fake looking email address. It's coming from somebody that you probably know or work with; it could be coming from a family member, that sort of thing. It more easily tricks people.

Back in the day, we would store it on a post-it note and put it in a folder. Now, that doesn't scale—that's pretty safe from cybercrime, but things have been moving towards people storing things into shared Excel files. So guess what? Once you've entered your username and password into that [phishing] website, not only does that cybercriminal have access to your email—they've also got access to your documents. And they could potentially have access to your shared XML files that you use to store client credentials. 

Now I don't think this is what that particular attack is going for. This was a first-wave attack where they're trying to spread and grab as many logins as they can. So it wasn't targeting like searching for files or anything like that, but after they end up collecting these really large lists of usernames and passwords, they'll go put that on the dark web and start selling it. And then you'll have people that come in afterward and try to do something even more targeted or more malicious with those logins.

So, advice number one: if you see any email that's coming from someone and you accidentally click the link, and it's making you login, just pause. Look up at the address bar and see if that looks like a legitimate Microsoft domain. If it doesn't, back out. 

Additionally, follow-up with that person that sent you that email, and ask that person individually. “Hey, did this come from you?” And if they say no, that means they fell for the attack and your job is not to perpetuate it.

So one, check the address, always check the address bar when you're clicking on something like that.

Two, in this particular attack, make sure that you follow up with a user before actually clicking the link and doing an assignment.


Be Aware of Phishing Attempts!

1. Check the domain to make sure it’s legitimate.

2. Verify with the sender.

3. Set up two-factor authentication (aka 2FA, MFA, or OTP).


And then three—this doesn't really prevent this first wave of the attack. This will prevent the second wave of the attack when your credentials are being sold. 

It doesn't matter whether you use Office 365 or GSuite for your business. If you have the ability to set up two-factor authentication, sometimes it's called 2FA, sometimes it's called two-factor authentication or 2SP for two-step verification. Sometimes it's called MFA for multi-factor authentication or OTP for a one-time password. If you hear any of those buzzwords in and around log-ins, enable that. 

This is something that all businesses should do. This is something that I would also recommend people doing on their personal accounts, as well. That prevents someone who got possession of your username and password from being able to actually use that and leverage that. It's scary.

Jody: This doesn't matter if you have virus protection software—that had no effect if it was someone who actually thought they were doing something they were supposed to by clicking on a link. Not that it doesn't matter, but you can have all the virus protection software in the world, but if your employee clicks on something that they're not supposed to click on—they're not doing it intentionally, they just do it by mistake—they're still opening up your firm to this kind of chaos. Right?

Justin: Exactly. And this is something that your email providers have—Office 365, GSuite, and all that. They actually have pretty, pretty darn good phishing protection built into their system, so they're firewalling a lot of this. But it takes a while for them to see enough examples of something getting flagged as phishing before that gets shut off, and by then, the damage has already been done.

So there are these campaigns that go out, they're running for a day. And then, the email providers have shut them down—that type of thing.

Jody: And if you're a CPA firm owner and you realize that now you've been a victim of this phishing attack, how are you supposed to respond to your clients or to everyone who got these crazy emails? Should you then send out an email to everyone saying, “Don't click on the link” so that they don't get hacked? Or what is the protocol for it? What should we do as an office manager, as the CPA firm owner, to prevent the spread of this virus or whatever phishing attack?


Justin: So step one: the account that it came from—disable that account. And we're going to change that password immediately. This is also a good opportunity to turn on two-factor authentication for that one account. So that's step number one.

Step number two would be having a follow-up account. This would be from someone else at the CPA firm—an IT person or someone who's delegated to go ahead and to make this response. Anyone that receives the thing, say, “If you received an email with this line, don't click the link.” Mark it as spam or mark it as phishing, depending on what type of browser they have, or at a minimum just delete it so it's off the system. The email—not being clicked on—isn't going to do anything, but you want to prevent people from [clicking].

If someone did click the link, have them respond to you, and explain to them what this attack happens to be doing. 

Again none of this is ever malicious or anything like that; it happens by pure accident. Explain that what ended up happening is this email got shot out to a bunch of people on his or her behalf. So explain that behavior because if they click the link, they've probably also gone and accidentally sent out that as well.

Again, at some point, like down the chain, the email providers themselves are basically going to be blocking this because there's going to be enough people marking it as phishing. If my account was compromised, nobody's receiving that email because an email provider is blocking that from entering their system anyway. But again, if you're in this type of situation, you're in that early cycle of the wave.


Securely Accessing Your Files

1. Work from a VPN if possible.

2. Talk to your IT specialist for how to work from home securely.


Jody: Yeah, that's all really good information because I think a lot of times maybe we know we've been phished, but then we're like, “Oh my gosh—now what do we do?” 

I think a lot of times, we know something happened, but we don't know what we're supposed to do. Thank you for the follow-up steps. 

So what else should we be aware of? Now that we're all working from home, all these hackers are out to kind of get us, right?

Justin: So, again, this is not something that particularly pertains to Botkeeper because we don't traditionally use things like QuickBooks Desktop and all that, but there are environments that rely on having a shared Windows server, and maybe you're in an office setting where there’s physical workstations. And then you're kind of remoting into this terminal server, this Windows server to do your work. That might be where you had your client data and QuickBooks and all that.

Obviously, when we as a country are turning more and more into a work-from-home type of environment, people need to access that server to do their work from the outside, not in the sanctity of having a private office network or something like that.

Make sure when you are doing this, you're not leaving naked open Windows servers out onto the internet; it is easy to connect, but it's not behind a VPN, or there isn't any sort of protection like that. I have not seen evidence yet of port scanning, so hackers are looking for these Windows servers, looking for this thing called RDP, which is called Remote Desktop.

But in case you have a provider, talk to that IT provider. And if you have people accessing this Windows Server for the first time from home, versus from the safety of an office environment, talk to that IT provider to make sure that the server is secure—they're using a VPN. Go ahead and protect that connection. I don't have any insights as to whether or not there are active attacks going on like that. But again, with working with our clients and all that kind of stuff, we get to see a lot of existing systems that are out there doing things. Make sure you double-check that you're good in that regard. So that'd be another thing to do.

Jody: Awesome, so Justin, this has been amazing! So, just from a standpoint of getting information out to the CPAs—this is all new for us. A lot of us have had the opportunity to work in virtual environments before, but we haven't been forced to. And we haven't been forced to do it all at once. So, I think this conversation has been really helpful.

So one quick fun thing. What has been the most interesting thing or fun thing that you've noticed being at home for the last couple of weeks?

Justin: Something myself and I think everybody is seeing is how much more time people are spending outside, which is great. So that's been the fun thing. I also made a comment to my wife this morning that over the past week that we've gone through a lot of coffee mugs. We're both software engineers; we drink a lot of coffee. But we only have like two or three remaining coffee mugs on the shelf, and you just feel like every single room has three or four empty coffee mugs. So it's just what happens when you've got two working parents with two little kids, and you know, a desperate need for coffee fast.

Jody: It's just another podcast so coffee is keeping you sane. Awesome coffee! 


Following Justin’s tips for keeping your firm cyber-secure during this unknown phase of work can help make the difference between maintaining your accounting firm and letting it become another liability. 
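
Justin's first tip, checking that the address bar shows a legitimate Microsoft domain before entering a password, can be expressed as a check on the host a browser would actually connect to. The following is an added example, not code from Botkeeper or the interview; the sign-in host list and the sample links are assumptions constructed for illustration.

```javascript
// Added example. The host list is an assumption for illustration; confirm the
// sign-in hosts your own Microsoft 365 tenant actually uses.
const SIGN_IN_HOSTS = new Set([
  "login.microsoftonline.com",
  "login.microsoft.com",
  "login.live.com",
]);

// Returns { ok, host, reason } for a link, judging only the host the browser
// would really connect to (what ends up in the address bar).
function checkSignInUrl(link) {
  let url;
  try {
    url = new URL(link); // same WHATWG parsing rules browsers apply
  } catch {
    return { ok: false, host: null, reason: "not a valid URL" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not HTTPS" };
  }
  if (SIGN_IN_HOSTS.has(host)) {
    return { ok: true, host, reason: "exact match with a known sign-in host" };
  }
  let reason = "host is not a known sign-in host";
  if (url.username || url.password) {
    reason = "text before '@' is not the site; the real host follows it";
  } else if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reason = "internationalized lookalike characters in the host";
  } else if ([...SIGN_IN_HOSTS].some((h) => host.includes(h))) {
    reason = "trusted name appears inside a different domain";
  }
  return { ok: false, host, reason };
}

// Constructed sample links (not taken from the campaign described above).
const SAMPLES = [
  "https://login.microsoftonline.com/common/oauth2/authorize",
  "https://login.microsoftonline.com.docs-share.example/signin",
  "https://login.microsoftonline.com@contract-sign.example/",
  "https://login.m\u00edcrosoftonline.com/",
  "http://login.microsoftonline.com/",
];
for (const link of SAMPLES) {
  const r = checkSignInUrl(link);
  console.log(r.ok ? "OK   " : "BLOCK", r.host, "-", r.reason);
}
```

Only the first sample passes; each of the others shows a way a link can display a trusted name while the real host is something else.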

We at Botkeeper are here to help support you and your clients during this time, so if you have any additional questions about how to make your accounting firm more secure, leave a comment below or shoot us a message on social media.






Written by Aaron Sullivan

Aaron is a content marketer with a background in writing and editing for social, email, and blogs. His experience is heavily focused on bookkeeping/finance, entertainment, and beer.