Email Security for accountants: How to secure your most vulnerable application

This blog post is a transcription of our webinar held by Jon Melloy.

  • Why is email the #1 target in accounting firms?
  • Real-life examples of email hacks
  • Five simple steps to secure email in accounting firms

So what we’re going to be looking at is these three main points. Firstly, we’re going to look at why email is the number one target in accounting firms. Secondly, we’re going to look at some real life examples of some hacks that we’ve seen, and then we’re going to finish it off by keeping it really practical. We’ll talk about five simple steps, which you can take to secure email in your firm, okay?

Why email is the #1 target for accounting firms

To start off with at a high level, why is email the number one target for accounting firms? And really the first point is because it’s very easy to compromise, and as well it’s easy to target. So if you think about businesses in the world, in the States, when it comes to accounting apps they could be using one of five, 10 different applications, and then there would be other applications as well. Not all businesses are using them. When it comes to email every single business in the world, or 99% of businesses in the world, have an email account. Okay, and then when it comes to email as well you’ve got two big providers, Office 365 and Google, so from a numbers game alone, from a targeting sense alone, it makes sense to target business because you’ve got 95% of businesses using one of two applications. So it makes sense for firms to be targeting them, it’s a numbers game.

Secondly, when it comes to email it’s a public facing application, so when it comes to Office 365, G Suite, you’ve got two logins to target Office365.com, Gsuite.com. So that’s really I guess a honey pot for hackers, they know that through targeting this one login they can potentially get access to millions of businesses. And another reason why email is such a large target for accounting firms is because of the damage you can do once you’re in there. So with email you can then impersonate and you can propagate and once you really get hold of someone’s email, it’s almost the equivalent of identity theft. It’s basically the same, you can impersonate them and that’s what we see so many of these hacks are doing and I’ll highlight one of these in a second.

And another reason why email is the number one target is because of the data within it. So people blend their personal with their business accounts, but also I’d want to highlight when it comes to email now it’s not just email that we’re talking about and that’s the risk. Usually the email account is the gateway to every other account, okay? Because if you just take a second and think about it, how many accounts is your email account then linked to? Through the ones which set up, QuickBooks, Xero, Ignition, other applications. So the risk is with email, if that gets breached then that can have a knock-on effect and could potentially affect all of your other applications that you’ve got linked with your emails and that’s what hackers will do.

So they get access to an inbox they’ll then go through, see what accounts it’s linked with and see what other information they can get. And as well it’s important to know with email, but it’s not usually just email too. If firms are using Gmail, they’ve usually got some information in Google Drive, maybe some saved passwords in Google Chrome. If they’re using Office 365, they’ve usually got some data in SharePoint or OneDrive as well. So that’s what makes it such a honey pot for hackers because through accessing just one system, they can then get proxy access to everything else.

How Hackers are getting access to email systems

Okay. So I’ll talk a little bit about the how then, so how are hackers getting access to this sensitive application? And really the first risk is through breaking in through the front door, using a brute force bot. So for those of you who haven’t heard what a brute force bot is before, brute force bots are essentially bots, which get hold of your username, so they just get your email address. And then they use a bot to try a random combination of commonly used passwords, known passwords, which have been leaked before until it eventually breaks in. And these bots are incredibly sophisticated.

So you can see the table on the right here. This shows on average how long it would take a brute force bot to break a password. So you can see here, if you’ve got a shorter, weaker seven character password, then it could take that brute force bot, just 0.29 milliseconds to break in. And then you can see the longer you make your password the more protection you have. So if you’ve got a 16 character password, then the brute force bot isn’t breaking in today, or tomorrow, or anytime soon, but too often we’re seeing firms aren’t setting secure passwords.

And as I said, Microsoft login site, Google’s login site. They’re both honeypots for hackers in these kind of attacks, they’ll target these URLs. And what they’ll do, they’re not going to sit there and try to break one for weeks. What they’ll do is they’ll then cycle through a list of email addresses and move on to the next one. So they might try yours for five hours, if they don’t break through, then they’ll move on to the next one, move on to the next one. So it’s always the people with the weakest security, with the seven character passwords, with the password, “123” that are going to be breached by this method.

And this is a real issue. Microsoft released some statistics earlier this year that said in 2021, there were 800 brute force bot attempts every second. So every second, if it was trying to get through 800 times on different accounts. Okay, so that’s one of the first risks there. The second one is around phishing, and this is such a common one that we’re seeing. And again, I’ll just explain why it’s so common. The reason why it’s so common is because it’s so easy for hackers to do. Okay, so phishing is really… if you wanted to set up your own hacking business, this would be the entry level hack, the easiest one to set up. Okay, because what hackers do is they go online, they get access to a phishing automation system.

So I know that a lot of accountants that we work with use MailChimp for marketing automation to reach out to their firms, hackers can use equivalent systems, call it HackChimp, whatever it is, but they can just purchase these systems online. And then what they can do is they can then also purchase lists of scraped data. So email addresses, which have been found online, and then they can plug them into this hacking automation system and then send it out. And they can literally send out hundreds of thousands of emails a minute. And when it comes to these phishing games, sorry, when it comes to these phishing hacks, it’s a numbers game. So they’re just trying to send it out to hundreds of thousands, millions of people, and then all they need is just 0.1% to click on it, but then they get their return. Okay, and that’s why we see so much spam coming into our inbox because it’s relatively low cost, cheap, and easy for hackers to set up. And because of the numbers involved, it is effective.

How Hackers get in: Phishing

Okay, so I’ll just flag up this hack, which we’re seeing on the screen here because this is one of the most common ones which we’re seeing. Okay, so when you receive a phishing email, what it’s usually trying to do is get you to hand over your sensitive information. Okay, so we see lots of these going around targeting both 365, Google, other providers. I’ve just chosen to have one on 365 on the screen here. And what this email was saying is that it’s detected some spam messages in your inbox and your account is going to be blocked, and if you don’t verify your mailbox, then you’ll be blocked. So what it’s trying to do then is get you to click on the link and then it would send you to a fake version of the Office 365 website. And then once you’re on there, it would ask you to hand over your username and password.

These ones as I said, are very effective because all it takes is just 0.1% of recipients to click on it and then hackers would get their return. So obviously if we’re looking at this now there are some red flags, and I just want to point this out to educate you guys on how to spot a scam. So the first thing to obviously be aware of and check is the email address. So you can see the hackers have changed from saying Microsoft 365 team, but clearly that isn’t an official Microsoft 365 login address, so that’s a red flag there. Secondly, you can see there are a couple of typos and grammatical errors in the email here. So again, those would be red flags. And then secondly, this screen here, it does look similar to the 365 login screen, but you can see here it is slightly different. So again, that would be another red flag for your business, but we do often see it’s usually once or twice a month we’re contacted because we’ve heard of firms that have handed over details to hackers through these kind of scams.

All it takes is just one team member to have not had their morning cup of coffee. Maybe they started at 4:00 AM for a webinar and then that could lead to a potential incident. And then as I said, once hackers are in there’s multiple different hacks which they’ll do. They’ll either send out ransomware to all of your contacts, or mine out and see what information they could get and do a more targeted attack.

Email Hack Example: Business Email Compromise

In this example, the hacker was prepping this accountant to set up a fake transfer. So what happened is the accountant, their email address hadn’t been hacked. Their accountant, Sarah is working online and she hasn’t been hacked or compromised, but one of her clients has been. A hacker has gotten into the client inbox, and what they’ve done is they’ve seen that the accountant processes international transfers, and then they’re like, “Okay, we are going to target them for a certain amount of money.” So then there’s some emails which are going across, which are agreeing the transfer. And then in the last minute in email seven, that’s when it’s sent to Sarah, to the accounting firm. It’s saying, “Hi Sarah, can you please organize payment today? As per David’s request, details are below, he will forward me an invoice later today.” With this email it is very targeted. Sarah is this person’s accountant, and Mary isn’t a made-up person, and she does often request transfers like this.

But what’s happened is the hacker has got access to Mary’s account and is impersonating her. And it’s really important to note that with these kind of emails, when hackers do it they’re very targeted and are very smart about this. So they’ll often… or, what they’ll do is they’ll use the exact kind of wording, address you in the same way, format the email in the same way as those that you’ve seen previously. So with these emails, and they’re very hard to spot because they are all… They’re very hard to spot because there are no red flags when it comes to these kind of emails, they are not in a way in which any spam filter could pick them up on. So in this instance with this kind of scam, it actually then was successful. And the accountant, Sarah then sent $42,000 to the wrong inbox.

And this has then got quite nasty because they’re currently litigating against each other. Okay, so the firm is trying to claim that it’s the accountant’s fault because they processed that transfer, they sent $42,000 to the hacker’s account, but the accountant is arguing that it is the business’s fault because they were the ones who were compromised. And it hasn’t yet been resolved, but that’s where it’s at, where they’re currently litigating against each other.

Ultimately when it comes to these kind of scams, the most important thing to do is always check, so if you are getting any payment requests, especially if it’s requested to new accounts which haven’t been used before, and which you’re unfamiliar with, make sure, pick up a phone, send a text, contact over a different method to email to confirm the transfer and to confirm that it’s going to the correct account.

The 5 Simple Steps To Secure Your Email

Going to move on now, as I said, I really wanted this to be a practical session as well. So we’ll finish off by looking at five simple steps which you can use to secure your email.

Multifactor Authentication

So firstly, the most basic step to have in place is multifactor authentication. So this is so important because too often we’re seeing with the brute force hacks hackers are able to break in and there’s not multifactor authentication set up around email. I know multifactor authentication isn’t anything new. Most of us use it for at least some kind of application, but most people don’t have it switched on all of our applications, or across ones where it isn’t mandatory. And at the moment currently with Office 365 it isn’t mandatory, so it’s important that you do go in and activate this across that, and also across some of your other applications as well. Also, I know that this is a webinar for accountants, we’re talking specifically about business email here, but it’s just as important that you take these security steps with your personal data as well. So really important that you put two factor authentication on your personal Gmail, Hotmail, and Live account, whatever it is that you’re using, because that could contain a lot of sensitive data as well.

We actually saw an example of a breach last year that came about as a result of somebody’s personal email being hacked. So what happened was the accountant, their personal Gmail was hacked. The hacker got in, they had business passwords stored in their Google Chrome, and then the hacker was then able to log in and access business accounts all from this person’s personal Google account. So it’s so important that when you’re looking at this and you are reviewing your security also apply these learnings to your personal accounts too.

Identity Management & Single Sign-On

The next step to take is to put identity and single sign-on in place. And I guess that really flows on from the last example I shared. So when it comes to logging into cloud applications, cloud security, the biggest risk is around password management. Okay, so 81% of data breaches are due to passwords being compromised. And we saw earlier the scams that we’re talking about were Office 365, it’s not because hackers are breaking into Microsoft’s data centers, okay? They’re either cracking weak passwords, or tricking people into handing over their passwords. So it’s so important that as a business, you put in place the correct structure to securely manage this for your team. And again, with that last scam we spoke about with the Google account being compromised, that was then nasty for the business because there were business passwords stored in a personal Google account, which they never should be.

Okay, so it’s so important to put in place an identity and single sign-on management solution to secure your business. And this is an area where Practice Protect helps businesses, so our platform as part of it does provide a single sign-on to integrate and securely manage all of your different passwords. As well, when you’re looking at a solution like this it’s important that it does have strong integrations, so one of the things that we set up in Practice Protect is we directly integrate it with your email system because as you can see the theme of the webinar, emails are the most vulnerable application, okay? So that’s why whenever we bring a firm on board, we always integrate our security with their Office 365 to provide greater security around that.

Location Control

Great. Next up to location control. So when it comes to these applications, email applications put in place some controls around where and when people can log in from because cloud is really a double-edged sword, so over the last couple of years lots of businesses have moved to working online, they’ve moved to having remote team members who have access to their systems. Which is great because it does provide us flexibility. Obviously I’m hosting this webinar from home, which I wouldn’t have done a few years ago, but the biggest risk of this then is that anyone can access your data from anywhere. So it’s really important that you do set up some kind of location restrictions to lock down access to only approved locations.

So what you can do is you can lock it down to specific offices, so you could say that team members can only log in from your work office, or from a VPN. Or, what most firms are doing as well is locking down to the country. Okay, so saying that the team could only log in from the States, or from Canada. Okay? The reason why that’s so important is because the majority of hacks don’t come from within our own country. They’re not usually from the States, they’re from Russia, they’re from China, okay? So locking down that access provides a lot more security around it. As well, this is a key area where Practice Protect helps, we do make sure that with all of the firms we’re working with we lock down access to your most sensitive data.

We actually had an instance where one of our clients reached out to us, and he asked us why he was locked out of his account. And we pulled up the logs and we checked them, we’re like, “Well, are you in China, sir?” And he was like, “No.” And we’re like, “Okay, well someone’s been trying to log into your account. We flagged it for suspicious activity and completely locked it out.” And that then prevented a breach from taking place because he’d actually handed over his passwords in a phishing scam. But by having this location control in place, it meant that once the hacker had the password, they weren’t then able to log in.
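
The location control described in this section, sketched as an added example that is not part of the webinar and not Practice Protect's code: it applies a country and trusted-network policy to constructed sign-in events and flags accounts where the correct password arrived from a blocked location, as in the anecdote above. The field names, addresses and policy values are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed policy for a hypothetical firm: sign-ins are allowed from these
# countries, or from the office/VPN egress range regardless of geolocation.
ALLOWED_COUNTRIES = {"US", "CA"}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]  # constructed range

# Constructed sign-in events with hypothetical field names. "password_ok"
# records whether the password check passed, independent of location.
EVENTS = [
    {"user": "sarah@firm.example", "ip": "198.51.100.7", "country": "US", "password_ok": True},
    {"user": "david@firm.example", "ip": "192.0.2.44", "country": "CN", "password_ok": False},
    {"user": "david@firm.example", "ip": "192.0.2.44", "country": "CN", "password_ok": True},
    {"user": "mary@firm.example", "ip": "203.0.113.5", "country": "DE", "password_ok": True},
    {"user": "mary@firm.example", "ip": "192.0.2.90", "country": "RU", "password_ok": False},
]


def location_allowed(event):
    """True if the source is a trusted network or geolocates to an allowed country."""
    addr = ipaddress.ip_address(event["ip"])
    if any(addr in net for net in TRUSTED_NETWORKS):
        return True
    return event["country"] in ALLOWED_COUNTRIES


def evaluate(events):
    """Return (decisions, compromised).

    decisions: "allow" or "block" for each event, in order.
    compromised: users whose correct password was presented from a blocked
    location. The sign-in was stopped, but the password is known to an
    outsider and has to be reset.
    """
    decisions = []
    blocked_from = defaultdict(set)
    for ev in events:
        if location_allowed(ev) and ev["password_ok"]:
            decisions.append("allow")
            continue
        decisions.append("block")
        if ev["password_ok"]:
            # Only reachable when the location was refused.
            blocked_from[ev["user"]].add(ev["country"])
    compromised = {user: sorted(c) for user, c in blocked_from.items()}
    return decisions, compromised


if __name__ == "__main__":
    decisions, compromised = evaluate(EVENTS)
    for ev, decision in zip(EVENTS, decisions):
        print(f'{decision:5} {ev["user"]:20} {ev["ip"]:14} {ev["country"]}')
    for user, countries in compromised.items():
        print(f"reset password: {user} (correct password from {countries})")
```

A blocked sign-in with a correct password is the signal worth alerting on: the policy held, but the account still needs a password reset and a review of what else that password unlocks.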

Educating your employees

Next up is around education because when it comes to these scams, they all take place… Or, sorry, not all of them. The first one is with a brute force bot, but when it comes to phishing scams, they take place because somebody clicked on them, so one of the biggest risks when it comes to cyber security is your team not being trained and not knowing what they should and shouldn’t do. Okay, so it’s really important that you do have training with your team to constantly remind them about the risk posed to them by cyber scams.

So a few examples, a couple of different options you’ve got. So if you Google online, there’s heaps of different cyber security training out there. As well, if anyone on here’s a client of ours, we’ve got the Practice Protect University, which has lots of cybersecurity training available to all of our clients. And as well, one other area which we’d also recommend is just using and setting up regular reminders. So one thing which we do internally is whenever you receive a phishing email, take a screenshot of it and send it around to everyone. Obviously don’t send that actual phishing email with the dodgy links and attachment. But if you take that screenshot and send it around, then you can also provide some education to your team about how you knew it was a scam. So this helps because it then alerts your team and it provides a constant reminder and education to them.

Put policies in place

And lastly, what we recommend to secure your business and secure your emails is to have policies in place. So the reason why this is important is because it’s not just a recommendation, it is the law to have policies in place. So there’s the FTC Safeguards Rule, for IRS 4557 legislation, which is saying that firms have to have a data security plan in place. So it’s so important that when you’re considering anything in cyber security, you make sure that you’ve got the correct policies in place to be compliant with the legislation. We do have a data security plan template available, which you can download via this link.


With Practice Protect, we help with a number of the areas above. Practice Protect is a complete holistic end-to-end cyber security platform, which provides security around the risks highlighted in this webinar around access management, password management, cyber security training, and also the policies.
