Skip to main content

Firm Management

Is Your Accounting Firm at Risk from Identity Thieves?

How to keep sensitive client data out of the hands of identity thieves.

security1_11074722

Personal documents and data are an identify thief’s dream…their ticket to accessing financial accounts, applying for loans and credit cards, and other credit-destroying behavior. Take this a step further to include tax documentation, and now you’ve got a one-stop shop for social security numbers, employer and financial information, addresses, and employer identification numbers.

It’s personally identifiable information to the extreme. The fact is that scammers are always “on” and looking for ways to snatch sensitive information in order to wipe out bank accounts, receive medical care, and steal identities—the big take. And while fraudsters are enjoying a financial heyday, it’s your clients who will get the bills.

With so much personal information online, the probability of data theft these days is extremely high. As such, it’s critical that accounting professionals understand the risk and how to protect their firms and their clients. With a little insight into best practices for your firm and your clients, you can avoid the world of hurt and anxiety that comes with having sensitive information compromised.

Common data-compromising positions

There are so many ways scammers can get to data. Being aware of these tricks is the first step in protecting your firm and your clients.

Social engineering: This is an all-too-common method that tricks individuals into giving out personal information. In fact, this method is so effective that it boasts an 80% success rate. Common scams include a phone call from “customer service” or an onsite visit from someone claiming to represent a company or agency and requesting personal information to solve a fictional issue. And no agency is safe from impersonation; just consider the sophisticated phone scam of 2014, where crooks posed as IRS agents demanding tax payments.

Phishing: This is simply the digital equivalent of social engineering where scammers impersonate a company or well-known agency online. Victims often receive an official looking email asking for their personal information or are invited to click a link that leads to a phony website designed to capture personal data.

Physical access/shoulder surfing: This is exactly what it sounds like. If scammers can access your hard copy documents or your computer, then they can easily get to your personal information. Don’t be surprised either if your information is stolen by someone simply looking over your shoulder and surfing your device’s screen. Scammers have even been known to use mirrors to read computer screens with their backs turned to the victims. All too often, individuals get lost in their technology and forget that their data is exposed.

Expired access: Many businesses forget to remove former employees or contractors from their systems after these folks depart, opening the door to data theft. The fact is that most system hacks are inside jobs, performed by former and/or disgruntled employees.

Dumpster diving: Believe it or not, people still throw out fully intact documents and devices that house personal information, like credit card statements or hard drives. Scammers are not above getting their hands dirty (literally) to uncover sensitive information.

Vulnerable machines and networks: Unprotected machines and networks are sitting ducks for attackers—for example, machines with outdated operating systems or expired antivirus software and networks that are unsecure and wide open, such as public WiFi. Security weaknesses are bait for scammers at the ready to track key strokes, capture unencrypted data, and flog users with ransomware.

Data-protecting tips

For all the scams identified above, there are basic tips that help bar attackers from infiltrating your firm. This information is also gold in supporting ongoing education for clients.

Outsmart the social engineers and phishers: The basic rule is to never give sensitive information to anyone just because they ask. Legitimate inquires most often will come via mail, and rarely by phone or through email. Challenge inquiries by asking requestors to verify their identity and then direct them to send the request via mail.

Secure your physical fortress: You heighten the security of both hard and electronic documents and data by simply limiting access. Enforce strict onsite visitor policies (require badges and sign-in), lock file cabinets and encrypt documents, secure computers with complex passwords (and change your passwords regularly), and install privacy screens on all devices.

Eliminate expired “goods”: We throw out expired milk for fear of the nauseating physical consequences, so why do we put our personal data at risk by maintaining logins for expired staff? The consequences are just as nauseating. Avoid the data-theft plague by establishing a structured security policy. Strictly enforce rules for who has access to what information, and adhere to the “principle of least privilege”—give the minimum access required to perform the job. Also, be sure to discontinue system access immediately after an employee, contractor, or vendor no longer requires it.

Clean out your dumpster: Keep scammers out of your physical and digital dumpsters by destroying information up front. Shred paper docs and wipe all media including disks, drives, and other devices.

“De-vulnerablize” your machines and networks: For machines, keep your operating system and apps up-to-date. Use a firewall and current antivirus software and choose complex passwords. In relation to networks, avoid joining random public hotspots, and use a VPN to connect to your firm and SSL to connect to the internet. Also avoid emailing sensitive data and use a secure portal instead.

Proceed with caution

While many of these data-protection tips seem common sense, it’s surprising how many people do not employ them. The consequences of being hacked can be devastating to both your firm and your clients, so take heed and proceed with caution by applying these tips, while also reviewing the IRS guide, “Safeguarding Taxpayer Data” (https://www.irs.gov/pub/irs-pdf/p4557.pdf). Avoid the “Big Take” by shutting down attackers before they infiltrate.