We’ve heard numerous horror stories over the years of business owners falling victim to sophisticated phishing scams that compromise their operations, cost them thousands of dollars, and expose their customers to risk. Hackers are evolving rapidly, making it harder to distinguish between malicious threats and everyday emails.

Our goal here is to empower, not scare you. The good news? Many of these threats are avoidable with vigilance. Hackers are even craftier than before, and phishing schemes have adapted to exploit newer technologies. However, with a few best practices, you and your team can keep your data safe from current phishing trends.

Below, we outline some common phishing threats and offer ways to safeguard against them.

Common Threat 1: Impersonation of Accounting or Financial Software

Phishers continue to target users of popular accounting software, impersonating platforms like QuickBooks with claims such as “Your file is corrupted,” “Your payment method is expiring,” or “Your software needs an urgent upgrade.” The goal is to either convince you to pay for a fake service or grant them access to your system.

How to dodge the threat: Always verify the sender’s email address. Emails from Intuit or QuickBooksⓇ will end with “@intuit.com” or “@quickbooks.com.” If you receive a suspicious email, permanently delete it. Do not provide sensitive information or remote access to anyone unless they are a trusted, verified partner.

Common Threat 2: The Rise of AI-Assisted Phishing

Hackers are now leveraging AI tools to generate phishing emails that mimic legitimate communications. These emails may come from familiar addresses or look nearly identical to a colleague’s typical correspondence, including personalized details that make the email seem even more credible.

How to dodge the threat: Never click on links or download attachments from unexpected emails, even if they appear to come from trusted contacts. Always hover over links to preview the URL and verify its legitimacy. AI tools are being used both by hackers and cybersecurity experts, so staying ahead of phishing trends is more important than ever.

Common Threat 3: “You Have Voicemail,” “Urgent Invoice,” and “Thanks for Your Purchase” Emails

While voicemail and invoice phishing schemes aren’t new, hackers are increasingly using these tactics to create a sense of urgency. You might receive an unexpected email about a voicemail or invoice, often from a service you don’t use. In addition, we’ve seen emails alerting you to free prizes – you’ve won a free trip – with a link to click to claim your prize.

Lastly in this category, there is a new strategy in which phishers send “confirmation” emails suggesting that you’ve made a subscription purchase, going so far as to include a PDF of a phony receipt.

How to dodge the threat: If something feels off, it probably is. Never download an attachment or follow a link without verifying the source through another channel. Call the service provider directly to check whether they sent the email, and always be wary of “business” emails that end in @gmail.com, @yahoo.com, etc.

Common Threat 4: The QR Code Swap

QR codes have become a ubiquitous tool, especially in restaurants and retail. However, phishers now use QR codes to disguise malicious URLs. They may overlay fake QR codes in public spaces or send phishing emails with QR codes that link to compromised websites or malware.

How to dodge the threat: Before scanning a QR code, double-check its placement and ensure it hasn’t been tampered with. After scanning, review the web address that appears and make sure it’s legitimate before clicking. If something feels suspicious, don’t scan the code.

Common Threat 5: Social Engineering on Social Media

Phishing attacks are increasingly moving to social platforms like LinkedIn and Facebook. Hackers may pose as recruiters, customers, or industry professionals to extract personal information or trick you into downloading malicious files.

How to dodge the threat: Be wary of unsolicited messages from strangers on social media, especially those requesting personal details or sharing links. Always verify the identity of anyone asking for sensitive information and avoid clicking on unknown links shared via direct messages.

Best Practices: Staying Secure in the Age of Evolving Phishing Tactics

While phishing techniques continue to evolve, the core defenses remain the same: vigilance, awareness, and caution. Here are some key best practices to follow:

  • Set up multi-factor authentication (MFA): Use MFA wherever possible. This could involve receiving a code via text, email, or through an authenticator app like Google Authenticator. MFA adds an extra barrier for hackers, making it far less likely they’ll succeed even if they gain access to your credentials.
  • Use strong, unique passwords: Password management apps like LastPass or 1Password can generate complex passwords and securely store them. Avoid reusing passwords across different accounts.
  • Stay informed on new phishing tactics: Cybercriminals are constantly adapting. Subscribe to trusted cybersecurity news outlets like PCMag, Forbes, or TechCrunch to stay updated on the latest phishing techniques.
  • Train your team: Cybersecurity isn’t just an IT responsibility—it’s an organization-wide effort. Conduct regular phishing simulations and training sessions to ensure that your employees recognize suspicious activity and respond appropriately.
  • Don’t open doors for strangers: Whether in person or online, never allow someone to access your computer or accounts unless you have verified their identity through an established and trusted channel. If in doubt, don’t engage.
  • Verify email senders: Always check email addresses carefully. A small typo or strange domain could indicate a phishing attempt. Cross-check with trusted sources if something feels off.
  • Use secure file-sharing methods: When sending or receiving sensitive information, avoid doing so via email. Use encrypted file-sharing services like SmartVault or similar tools.
  • Trust your instincts: If something feels off, don’t proceed. Whether it’s a weirdly worded email or a strange request, your gut is often a good first line of defense against phishing attempts.

It’s more important than ever to remain cautious and aware of evolving cybersecurity threats. Phishing is becoming more sophisticated, but by staying alert and following these best practices, you can protect your business and personal data from harm.

If you’re unsure about an email or solicitation, especially related to your accounting software, reach out to us. We’re always here to help!

Running a business can feel like a whirlwind of responsibilities! Time is a precious resource for entrepreneurs, and taking shortcuts can be tempting. However, there’s one shortcut we really recommend against: sharing sensitive documents like bank statements, financial reports, tax forms, and more over email.

When safeguarding your valuable information (and that of your customers!), prioritizing security is essential. With cyber threats constantly evolving, email is an increasingly vulnerable method for transmitting confidential data. How should you be sharing your sensitive documents instead? By embracing secure document-sharing portals.

Document-sharing portals like SmartVault employ state-of-the-art encryption techniques to prevent bad actors from accessing your information. They can streamline your workflows, save time, and reduce errors. Most have user-friendly, intuitive interfaces, too, making it easy for you and your team to implement the new tech successfully.

Portals don’t just benefit you and your business, however! They can benefit your customer relationships, too. Adopting a portal can demonstrate a commitment to protecting your customers’ data, safeguard your reputation, and help you comply with data protection regulations.

While attaching a file to an email may feel more convenient in the moment, the tradeoff could be catastrophic. Instead, by taking an extra step to secure your documents, you’re investing in the long-term success of your business. We, as accountants, cannot overstate the importance of robust data security, and we encourage you to embrace the convenience and peace of mind that secure document-sharing portals provide!

We’ve heard more than a few horror stories in the past few months of business owners falling for phishing scams that compromise their company, cost them thousands of dollars, and put their customers and contacts at risk. Hackers are getting more sophisticated by the day, and it’s becoming harder to tell a malicious threat from an ordinary email.

We share this insight to empower, not scare. The good news is that most threats are avoidable with a vigilant eye. In 2021, think of a phisher as more of a vampire than a heister: you have to invite them in before they can cause any harm. Below, we’ve pinpointed a few common threats for 2021 and 2022, along with best ways to avoid them. These suggestions should help keep your sensitive data secure from current phishing trends. 

Common Threat 1: QuickBooks Impersonation

One common trend we’re seeing involves solicitations from QuickBooksⓇ impersonators falsely notifying you that your QuickBooksⓇ file is corrupt, your automatic payment is about to expire, or your version of QuickBooksⓇ needs to be updated. These phishers will try to get you to pay for a phony upgrade over the phone or grant them access to your desktop to “fix” your accounting software. Here’s the thing: if you work with an accounting company like New Business Directions, we’ll probably be the first ones to know if something is wrong with your QuickBooksⓇ file. And if you’re a New Business Directions customer, QuickBooksⓇ knows you’re working with a QuickBooksⓇ Solution Provider and will often notify us of any issues your account may be experiencing, too.

How to dodge the threat: If an email appears to come from QuickBooksⓇ, check the sender’s email address for the correct domain. If it doesn’t end in “@Intuit.com” or “@QuickBooks.com,” the sender is fraudulent (even if the name before the @ symbol looks convincing). Always contact your accountant before engaging with a solicitation like this, and never provide payment information or authorize remote access to your computer or QuickBooksⓇ file to anyone besides your accountant or IT solutions provider.
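The sender check described here (and in the first post’s Common Threat 1 and the “Double-check the sender” tip below), as an added example that is not code from the original post: it reads a From: header with Python’s standard library, compares the real domain against the two Intuit domains the post names, and also catches a familiar display name on an unfamiliar address. The address book entry and all non-Intuit addresses are constructed.

```python
from email.utils import parseaddr

# Domains the post names as the only genuine sources of Intuit/QuickBooks mail.
EXPECTED_DOMAINS = {"intuit.com", "quickbooks.com"}

# Constructed address book (display name -> address on file); the address is made up.
ADDRESS_BOOK = {"rhonda rosand": "rhonda@example-accounting.test"}

# Free webmail domains the post calls a red flag for "business" mail.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

BRAND_WORDS = ("intuit", "quickbooks")


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(from_header: str) -> list[str]:
    """Return the red flags raised by a From: header; an empty list means none."""
    name, addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return ["no parsable email address"]
    flags = []
    # Exact domain match on purpose: "notintuit.com" and "intuit.com.evil.test"
    # both end in the string "intuit.com", and neither belongs to Intuit.
    claims_brand = any(b in name.lower() or b in addr.lower() for b in BRAND_WORDS)
    if claims_brand and domain not in EXPECTED_DOMAINS:
        flags.append(f"claims Intuit/QuickBooks but the domain is {domain}")
    # The "Rhonda Rosand" case from the post: a familiar name on an unfamiliar address.
    on_file = ADDRESS_BOOK.get(name.strip().lower())
    if on_file and addr.lower() != on_file:
        flags.append(f"display name matches a contact but address is not {on_file}")
    if domain in FREEMAIL:
        flags.append(f"business mail from free webmail domain {domain}")
    return flags
```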

Common Threat 2: Download this Attachment

Another major threat to watch out for involves an email from an address you recognize (say, a customer, vendor, or team member) that asks you to enter your Microsoft credentials to view an attachment. This scam comes from a person you know, and their email address matches the one you have on file. The MicrosoftⓇ log-in screen looks legit, but the web address is not. Do not enter your Microsoft credentials. As soon as you do, the hackers have access to your email and all sensitive information you have ever sent or received via email. The phishers will then send the exact same email that you fell for to every contact in your address book.

How to dodge the threat: never enter your log-in credentials to view an attachment. If an email includes a hyperlink, hover over the link with your mouse (don’t click) and watch for a link preview to appear in the corner of your screen. In Outlook, this will be the bottom left corner. You’ll be able to see a preview of the web address the hyperlink is trying to send you to, and whether it differs from the one typed out in the email. In this case, if the domain isn’t “office.com,” the email is fraudulent. This is a fast and simple step you should always take before clicking a hyperlink in an email. And when it comes to sharing sensitive information like bank statements and government IDs, you should always use a secure, encrypted file sharing application like SmartVault instead of sending the document as an email attachment.
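The hover check from this section (and from Common Threat 2 in the first post), done programmatically as an added example that is not code from the original post: it parses an HTML email body with Python’s standard library and flags every link whose real destination is not on the expected domain or differs from the address shown in the link text. The sample body and every hostname in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-case hostname of a URL; link text often omits the scheme, so add one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def flag_links(html_body: str, expected_domain: str) -> list[dict]:
    """Return the links a reader should not click, with the reason for each."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        # Only treat the visible text as a URL when it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        reasons = []
        if not same_site(real, expected_domain):
            reasons.append(f"href goes to {real}, not {expected_domain}")
        if shown and not same_site(real, shown):
            reasons.append(f"text shows {shown} but href goes to {real}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed email body: one genuine link, one look-alike, one disguised link.
SAMPLE_BODY = """<p>Please review the shared document:</p>
<a href="https://www.office.com/view/abc">https://www.office.com/view/abc</a>
<a href="http://office.com.secure-docs.test/login">https://www.office.com/login</a>
<a href="https://login.micros0ft-files.test/x">Open attachment</a>"""
```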

Common Threat 3: “You Have a Voicemail” emails

Are you surprised to be receiving an email notifying you about a new voicemail? Does it have an attachment? Is the sender posing as RingCentral or another VoIP phone system provider you use? Remember: if it seems suspicious, it probably is.

How to dodge the threat: don’t download the voicemail. If you want to be sure you’re caught up on your voice messages, navigate to your voice mailbox the way you usually do and avoid interacting with the email in question.

Common Threat 4: The QR Code Swap

QR codes have become so mainstream that we interact with them weekly, if not daily. From restaurant menus to sign-up forms, they make accessing the information you need quick and simple. But there are emerging trends in which bad actors will replace a QR code with their own – by overlaying a sticker. They may also come in the form of seemingly legit emails. But as soon as you scan these phony codes, you could be putting your sensitive data at risk or downloading malware.

How to dodge the threat: Review the preview of the web address when you scan the code, and before you click on the link that appears. Make sure it’s spelled correctly, and seems like it’s coming from the correct person or business. When dealing with QR codes that exist in a public space, take a second glance to make sure the QR code hasn’t been tampered with, such as replaced by a sticker. When in doubt: don’t scan that code!

Best Practices

There are so many ways to avoid phishing scams, but the most important thing to do is stay observant. If something seems off about an email, it probably is. Below, we’ve outlined a few specific best practices that should help you avoid scams:

  • Set up two-factor authentication. Do this for all websites/applications you have log-in credentials for. It might seem inconvenient to go through one more step to access your online accounts, but this practice is still more convenient than dealing with a successful cyber security attack. Apps like LastPass Authenticator or Google Authenticator are an option. These apps provide a six-digit code for you to enter once you’ve logged in to your desired online account. Many other web-based companies offer the option to have an authentication code sent to your personal cell phone or the email associated with the account. How does two-factor authentication help? Even if a phisher gets your credentials, they still need access to your email, text messages, or authenticator app to get the authentication code and hack your account, making it significantly less likely they’ll be successful in their attempted breach.
  • Keep up with phishing scam trends. Check for updates from Forbes.com, PCMag.com, or your favorite trusted business news source for updates on phishing trends and recent cyber security threats.
  • Don’t open the door for strangers. Never grant access to your computer to someone you don’t personally know, even if they look like a QuickBooksⓇ rep. Your accountant and your IT Support vendor/employee are the only people you should ever allow access to.
  • Watch for inconsistencies and typos. Are there misspellings in a marketing email? Does the subject line have five exclamation points? Is your name or the name of your company spelled wrong? When it comes to emails, if it smells like a phish and looks like a phish…well, you know the rest.
  • Double-check the sender. Always check the sender’s email address. If the name associated with the email address says “Rhonda Rosand” but the email address differs from the one you have on file for Rhonda Rosand, the sender is a fraud. In cases like this, you should check with the individual through another previously established method of communication, be it a phone call to a number or email you already have on file to confirm your contact actually sent the email you’re looking at. Don’t reply to the questionable email with, “Rhonda, is this really you?” If you were a hacker, how would you respond to that email? Red flags include a professional email that includes an @gmail.com (or similar) domain, a slightly misspelled name, or a domain that differs from that of their company’s website.
  • Train your Team. If you received a sketchy email, chances are your team received it, too. Send out an all-company message about the threat and tell employees to notify you or your IT professional immediately if they interacted with the threat. Share trends in cyber security threats, and host frequent training on cyber security best practices.
  • Trust your gut. Even if the sender looks familiar, if they’re asking for weird information or are trying to send you an attachment in an unusual way and it seems suspicious, trust your gut. Look for other clues that they might be an imposter: is a hyperlinked web address different from what it should be? Is their email address different from the one they typically use? Is their tone or communication style different than usual? 
  • Keep your passwords strong and secure. LastPass is a great solution for dual factor authentication, generating complex passwords, and storing sensitive information securely. You can read more about this helpful cyber security solution in a recent blog post of ours here.
  • Don’t send sensitive information via email. Avoid sending credit card information, banking information, W-2s and 1099s, pictures of vital documents like drivers licenses, social security cards, etc. via email altogether. Instead, use a secure document management system both parties are already aware of.

When in doubt, don’t click that sh!t

When it comes to cyber security, it’s always better to be safe than sorry. Be suspicious of communication that seems a little off. Avoid unusual emails and contact your IT security provider (or accountant, if it’s related to accounting) to ask for their insight right away, especially if you’ve already accidentally interacted with the phishing attempt. New Business Directions is well versed in phishing scams, and we have a keen eye for malicious emails. If you’re a current customer and feel unsure about an email or solicitation you recently received involving your accounting software, reach out to us.

If you keep any kind of digital information in your business, you have a chance of becoming a victim of a cybercrime. The odds have increased exponentially during the pandemic, with more cyberthreats and scams floating around than ever before. Here are some ways to reduce your chances of getting attacked.

Social Engineering

Social engineering is when thieves try to get your employees to provide confidential information via a phone call or email. You can reduce your risk here by developing procedures and training any employees who take customer phone calls for the business. Require them to ask for identifying information such as a PIN or code, or simply prevent them from giving out any information over the phone.

Passwords

Passwords are terribly inconvenient but incredibly necessary. Almost everyone is guilty of using passwords that are simply too easy to guess. Here are some password tips:

  1. Avoid using dictionary words, even if the syllables are broken up in the password.
  2. Always use a combination of upper and lower case, and don’t just make the first letter uppercase, which is too predictable.
  3. Include special characters, and don’t just use the exclamation point.
  4. Use separate passwords for everything, especially for banking apps, accounting apps, and social media apps which are frequently hacked.
  5. Make your passwords at least 12 characters. Better yet, utilize a password vault app to generate secure passwords.
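The five tips above turned into a checker, as an added example that is not code from the original post: it returns every rule a candidate password breaks, including the tip 1 case where a dictionary word is split up by separators. The word list is a constructed stand-in; a real check would load a full dictionary, and tip 4 (no reuse) is checked against a set of passwords the caller already uses elsewhere.

```python
import re
import string

# Constructed stand-in for a dictionary; a real deployment loads a large word list.
DICTIONARY = {"password", "welcome", "summer", "quickbooks", "business"}


def contains_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """Tip 1: drop digits and separators first, so 'pass-word' or 'Pa.ss.word' still count."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return any(w in letters for w in DICTIONARY if len(w) >= min_len)


def password_problems(pw: str, used_elsewhere: frozenset = frozenset()) -> list[str]:
    """Return the tips the password violates; an empty list means it passes all five."""
    problems = []
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    if not (has_upper and has_lower):
        problems.append("needs both upper and lower case")
    elif pw[0].isupper() and not any(c.isupper() for c in pw[1:]):
        # Tip 2: mixed case, but only the predictable first-letter capital.
        problems.append("only the first letter is uppercase")
    specials = [c for c in pw if c in string.punctuation]
    if not specials:
        problems.append("needs a special character")
    elif set(specials) == {"!"}:
        # Tip 3: the exclamation point alone is the one everybody reaches for.
        problems.append("the only special character is '!'")
    if pw in used_elsewhere:
        problems.append("already used for another account")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    return problems
```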

Receiving and Delivering Information

If you deliver or receive information, it should be done safely and securely. One way to do this is to use a customer portal such as ShareFile or SmartVault, where the information is securely stored in the cloud. Another tool to safeguard information delivery is encrypted email.

Anti-Virus

All computer users should have anti-virus software installed and active on their devices, including tablets and cell phones. Company procedures should dictate the settings as well as the brand to use.

Spam Protection for Email

Anti-spam software is also necessary to protect the device from bad links in emails. Users should be trained to detect and avoid phishing emails.

Malware Protection

Malware can be installed on your computer without your knowledge if you are not careful. To protect against these threats, avoid file-sharing when possible, be careful when visiting unknown websites, don’t download software that you don’t recognize, and be careful with links in emails.

You may also need to protect your website from malware attacks by installing a firewall or other preventative solutions.

Software Releases

Stay current with all of your software updates and upgrades. Updates and upgrades can patch vulnerabilities, so you are safer with each new installation.

Data in the Cloud

Make sure any data that you have in the cloud is behind an acceptably secure technology solution. Today, this generally means files are stored with AES 256-bit encryption. You can also look for SOC 1 and SOC 2 reports.

Need to Know

There are many policies that need to be developed for employees with regard to data handling. One example is providing data access to employees on a need-to-know basis. For example, an operations manager does not need the password to the payroll system, but the payroll manager does.

Reducing Business Risk

These items above are the tip of the iceberg when it comes to having good data security practices in your business. Develop an excellent set of policies, train and monitor employees, and set a great example yourself when it comes to this growing threat to your business.