Safeguard your accounting firm and clients from phishing attempts with these secure browsing tips

Safeguard your accounting firm and clients from phishing attempts with these secure browsing tips

As accounting firms and the clients they serve spend more time online, it’s no surprise that cyberattacks continue to rise. That being said, there are many ways to fend off these online fraudsters, preventing your personal and business data from being compromised. 

Companies and their customers can be exposed to these virtual villains in a variety of ways, including spam emails, searching online for products or services, and even through unsolicited text messaging. So, before you click on that website link or enter your login credentials, it can be a good idea to check for any signs of “cyber shenanigans” that could put your or your customers’ data at risk. 

In this guide, we’ll discuss how staying on top of security measures and adopting a few smart browsing habits can go a long way toward reducing the risk of online threats to your business and clients.

Understanding what a phishing attempt is

Simply put, a phishing attempt is a digital scam that some cybercriminals use to dupe people into disclosing sensitive information such as passwords, credit card numbers, or other account credentials. The messages, also known as phishing attacks, typically appear in the guise of companies that business owners expect to hear from, such as financial institutions, internet service providers, or other vendors your firm regularly does business with.

Typically, the most common phishing attempts begin in a recipient’s inbox. These emails usually contain unsettling language with urgent requests to immediately provide or verify account information. Many messages get a person’s attention by claiming that an account has been compromised, that unusual activity has occurred, or that a payment has been missed. The image below is an example of a phishing email, and here’s another resource with a list of many others that have surfaced over the years.

Almost always, the sender is acting in bad faith and is waiting to pounce the moment the recipient on the other end of the email shares their information. This is due to the fact that a successful attempt typically creates instant access to the individual’s existing accounts as well as the authority to open new ones. In fact, phishing scams are one of the most common online tricks, according to a 2022 report from the Federal Bureau of Investigation.

That being said, if you know what to look for, you can spot threats long before any data is at risk. Let’s talk about some tactics that can keep you safe and help you avoid these digital evil-doers.

Examine domain names and URLs carefully

It’s no secret that firm owners and their clients use the internet daily, whether for work-related tasks, completing transactions, or business-related communication. In fact, there’s even some data that suggests the average internet user visits more than 100 websites per day

With that much activity, those surfing the web are bound to come across sites they will be visiting for the first time, so paying attention to the small details can make a big difference (while keeping business data safe and secure).

Domain names that seem dodgy

See any words or characters in a website’s URL that look off? That could be a sign to keep searching for a different resource. For instance, any misspelled words or variations in the domain name should raise a red flag. That’s because phishing websites often use domain names that may look legitimate at first glance but are problematic upon closer inspection. For instance, instead of “,” you may come across something like “” or “” Remember to proceed with caution if the URL appears to be slightly off or different from what you or a client expect. 

Dicey domain extensions

Another thing to consider is the domain extension at the end of the URL. The most common extensions are “.com,” “.org,” or “.net” and are used across the internet. If you come across a website with an extension such as “.xyz,” “.info,” or “.biz,” it might indicate a higher risk. If the characters in the extension appear unfamiliar or strange, it may be a website to avoid.

Suspicious subdomains

Another thing that aspiring digital detectives should be aware of is subdomains, as these types of attacks are becoming more common. In 2022, more than two-thirds of campaigns reported to the Cofense Phishing Defense Center (PDC) involved URLs with subdomains.

These types of phishing attacks can be especially hard to notice as subdomains are inserted before the main domain name in the URL, separated by a dot. This technique is sometimes used to deceive consumers. For example, a legitimate bank’s website may have a subdomain like: 


On the flip side, a phishing site could use something like:


If you notice a strange subdomain or one that’s unexpected, you’ve likely spotted a website to stay away from.

Put together a powerful password

Now that we know what to look for in domains, let’s touch on credentials. The key to coming up with a password that’s difficult to crack is being unique. For clients and your employee accounts, this means avoiding using just the names of favorite pets, family members’ birthdays, or anything else that can be easy to unravel, such as simple number sequences like 123456. One way to do this is by using a complex string of characters, which can be almost impossible to guess. If you’re going in circles trying to think of one, try using a password generator like the one Practice Protect offers

The main takeaway is that you want to encourage clients and your employees to create passwords that are hard to guess — and try not to use the same password for anything else For more guidance, the Cybersecurity and Infrastructure Security Agency (CISA) has a good primer with dos and don’ts when it comes to passwords.

Let’s talk about some other ways to keep yourself from visiting a website that can be problematic.

Signed, sealed, delivered

All reputable sites should be secured with SSL (also known as Secure Sockets Layer) encryption, which is used to prevent any sensitive information from being intercepted as it’s transmitted. In a nutshell, it means data entered on the page can’t be read, which can: 

  • Protect user privacy 
  • Prevent data breaches
  • Make sure online transactions are secure. 

Signs of security

Looking for the padlock icon next to the URL in your browser is one way to tell if you are on a secure website. If you come across a site without one, it’s likely not secure and potentially dangerous. To get a closer look, here are some examples of the padlock in use on Chrome, Firefox, and Safari browsers. 

Padlock in the Chrome browser

See more information from Google on how to make sure a connection is secure using their browser.

Padlock in the Firefox browser

More information from Mozilla on their product security.

Padlock in the Safari browser

Apple has more information on how their browser encrypts sessions to protect users.

Look for the letter “S”

Another indicator that a website has an SSL certificate is if the address begins with “https://” (the “s” is intentionally bolded), rather than just “http://” in your browser window. 

The extra “s” stands for “secure” and is generally a good sign that the website is using a protocol that encrypts information before it’s sent from your computer to the website’s server. Without the “s,” it could pose a threat and is likely a website to avoid. 

Watch out for dupe pages

Another strategy phishers use to take advantage of consumers and business owners is creating dupe login pages. These dupe pages intentionally mirror the look of well-known brands to build trust, which can lead people to let their guard down. If you have ever received an email, clicked a link, and ended up thinking something didn’t add up, know that you’re not alone. In fact, Security Magazine published research that found over 50,000 dupe pages exist on the web.

What are some items that could indicate a fake website or login page? There could be: 

  • Numerous spelling errors and typos 
  • Low-resolution or pixelated images
  • Contact information is missing or ambiguous
  • No website terms and conditions or private policies are listed

Accounting firms and their clients should be skeptical and ignore unsolicited messages with these phony dupe pages, especially those that are requesting personal information or financial details. Should you receive an email from an organization you expect to hear from but something looks off or you’re just unsure, there’s always an option to verify its legitimacy in other ways, such as contacting the organization directly using their official contact information. 

Multi-factor authentication

In addition to watching for red flags, it is a good idea to take extra precautions with any online accounts or subscriptions you have, especially those that employees may have access to. For example, a number of payroll software companies like OnPay offer multi-factor authentication, or what’s commonly referred to as MFA. This is an extra layer of security that protects users by having them provide two different types of identification factors to verify their identity when logging in or performing certain actions (such as accessing a bank account or a cloud-based tool). 

For example, when the user attempts to log into an account online, they’ll be prompted for their username and password. If they are using MFA, they’ll receive a separate authentication code to their mobile device or email. They would then need to enter that code to access the account. MFA use by consumers is on the rise, jumping 51% from 2017 to 2021, according to the digital news site, Gitnux.

Report scammers

If you or your clients receive an email message that appears to be a phishing attempt, you can usually report it to your email service provider with a few clicks. This can sometimes be as simple as looking for options like “Report phishing” or “Report spam” within the email application you or your customers use. 

Keep in mind that different email service providers have different ways of reporting phishing, so how your accounting firm reports phishing attempts may differ from how a customer does. 

For example, in Gmail, you can click the three dots to the right of an email message and click the “Report phishing” option. You can see an example of this below.

Want to go a step further with your reporting? Another way to keep scammers at bay is to report any cyber shenanigans you come across to anti-phishing organizations that work to detect and combat phishing attacks.

Agencies like the Anti-Phishing Working Group (APWG) or the Internet Crime Complaint Center (IC3) both have ways you can report cyber schemes that you or customers come across. By doing this, you can help others on the web from becoming victims down the road too. In addition, the Federal Trade Commission (FTC) as well as other government agencies, are also on the lookout for these practices in order to protect consumers. 

Regularly update software

According to the FTC, it is a good idea to update your operating system, web browser, and antivirus software on a regular basis to protect against known security vulnerabilities. This can help ensure that you have important patches and protections in place — as they are issued — to protect you against security threats. If you need help with the best way to go about this, reach out to your information technology department or the person who is in charge of your computer networks and devices.

Stay Safe and Secure as You Navigate the Web

Staying alert while using the web keeps your accounting firm (and clients) a step ahead of potential cyber threats and can go a long way toward keeping confidential data secure. While the tips outlined above can give you a general idea of a website’s security, they are not foolproof.  The takeaway is that it’s always a good idea to exercise caution when visiting unfamiliar websites or sharing sensitive information online. Ignore the bait and resist the urge to click if something appears “phishy,” or suspicious. We hope these tips help you and your clients browse with confidence while keeping your personal information safe!

Please keep in mind that this information is not intended to be legal or information technology advice. If you have any questions about how to avoid phishing attempts on your devices, laptops, computer workstations, or other technology, it is best to consult with a professional information technology specialist, provider, or security firm that specializes in this area.

Guest Author: This article was provided by OnPay, Practice Protect’s payroll software partner for accountants, bookkeepers, and CPAs.