News & Tips

How CPAs can protect their practice from cyber crime.

CPAs and other professionals are at risk as cyber crime skyrockets. Here are some tips on how to protect your practice.

Shazia Sharp, CPA, CA (name changed to protect privacy) had just settled into her office for the day and fired up the computer. Tax season was underway and Shazia’s independent firm was busier than expected. At the top of her inbox was an email Shazia had been waiting for from a client with some important invoices. She immediately clicked on one of the attachments.


Shazia’s whole world went black. At least, her computer screen did. It locked up and an ominous and intimidating message popped up in front of her.

“All files on your computer have been encrypted. You must pay a $60,000 ransom within 72 hours to regain access to your data”


This is the fear of every accountant: their clients’ sensitive personal and financial data in the hands of a cyber criminal. Shazia had been hit with a “ransomware” attack.


“It was an absolute nightmare,” said Shazia. “I couldn’t work, and my reputation was on the line. If there’s anything my clients trust me with—if there’s anything I value the most—it’s their financial records.”


And therein lies the problem. Your clients’ sensitive data is not only of great value to you, but it’s of eminent value to hackers as well. 

Why are CPAs a prime target for cyber criminals?


Personally identifiable information (also known as PII), and sensitive financial details are a magnet for cyber crooks. In fact, data breaches at CPA firms in the U.S. have risen by more than 80% in recent years.


When you are in possession of your clients’ PII and financial records, and providing a service for them, that data is generating income for you. It stands to reason, then, that the same PII and financial documents can generate money for hackers, only via much more numerous and nefarious methods.


There are several means by which a cyber criminal can profit off your clients’ data, for example:

  • Ransom demand, offering decryption keys to the encrypted files on the CPA’s computer

  • Blackmail demand, threatening to publish sensitive and confidential data

  • Selling PII and forged documents on the dark web
  • Conducting fraudulent transactions themselves via identity theft

  • Siphoning money from bank accounts listed among the stolen financial records

According to reports, cyber criminals posted over 22 billion new pieces of PII and financial data on the dark web in 2020 alone. Stolen identity data, such as full name, birth date, social insurance number or passports can sell for hundreds, or even thousands of dollars on the dark web.  

‘But I’m just a small business. Hackers want the big CPA firms, don’t they?’


You might think you’re not on the cyber crooks’ radar if you’re a small- to medium-sized (SMB) accounting firm. But according to the Journal of Accountancy, that couldn’t be further from the truth. 


The fact is, nearly half of all cyber attacks are directed at SMBs. And there are countless reasons why. Not the least of which is that hackers are aware that smaller businesses are an easy mark.


“I really didn’t think I needed a big cyber security set-up,” said Shazia. “I thought that was for the big corporations.” This, however, is definitely not the case. 


“The cyber security industry is mostly geared towards large enterprise companies, not at SMBs”, says Ron Neve-Bar, founder and CEO of CyberGood Security. “Because of that, the proper messaging and awareness doesn’t reach the small to mid-sized businesses. This leads them to believe that they’re safe from hackers; this is a big mistake.” 

And this is especially true of CPA firms. They can often act as gateways to larger, more prominent enterprises. 

‘But I have antivirus software installed. Isn’t that enough protection?’

Another ‘false sense of security’ for small to medium-sized CPA firms is the belief that antivirus software installed on their computers is enough to ward off threat actors.


However, antivirus alone is nowhere near enough cyber security for your business. Among the reasons why:

  • Antivirus software only protects one cyber entry point to your business.

  • The antivirus program on your desktop computer isn’t protecting your smartphone, iPad, or other access points to your business. In the new pandemic era, so much of our work is being done, or at least being accessed, via mobile devices. Cyber attacks against smartphones and other mobile entry points have soared in recent years.

  • There are now many technical means for hackers to avoid detection by antivirus software.

  • Targeted phishing attacks encourage users to install or click on malicious software that is designed to bypass antivirus detection.

  • USB keys with ransomware are left outside organizations, in the hope that someone will plug one into a vulnerable computer.

Protection against “known viruses” only is easy for cyber crooks to get around. They are always attempting to stay one step ahead of the game, and new virus codes and methods are constantly being developed.

And that brings us to the methods they are using. 

What are the most common cyber attacks my CPA business faces?


The main threats that CPAs face in Canada are ransomware and phishing.




At the outset, we illustrated the ransomware attack that David suffered. This type of cyber crime has been growing at an alarming rate. It’s estimated that businesses fell victim to ransomware every 11 seconds in 2021. Once your computer or network is infected, files and data are encrypted or blocked, and the digital kidnapper demands a hefty ransom for their return and/or threatens to release the sensitive data online if the fee is not paid.


According to studies, the average ransomware payment in 2021 was $570,000 USD.


But the bad news of a ransomware attack doesn’t end there. 


According to a Global Threat Report, even after the ransom is paid, there are many cases in which the rightful owner is still not able to regain access to their files. And payment doesn’t guarantee that the hackers won’t still sell the data on the dark web.

“But I back up my data regularly. I can always restore it if I get hacked.”


Many believe they can protect themselves from ransomware encryption simply by backing up their data to a network-attached storage (NAS) device. Unfortunately, a new and burgeoning form of ransomware called “DeadBolt” has emerged, which targets NAS manufacturers and those who use their devices. When users log in, they are unable to access their data, and instead will receive a message that looks like this.

Social Engineering / Phishing 


How does ransomware make it into your network in the first place?


Hackers often use social engineering techniques—using seemingly human interactions to entrap the victim into divulging sensitive information such as passwords or financial account data, or to click on a malicious link or attachment. The latter can result in ransomware or other malware being downloaded onto your device. 


These unsuspecting attacks can come in the form of an email, a text, a phone call or even on social media. In each case, the message seems like it’s coming from a familiar and trusted source. Until it’s not. 


In fact, compromised credentials—obtained through social engineering—accounted for the largest percentage of data breaches in 2021. 


How can I protect my CPA firm from a cyber attack?

There are a number of precautions every chartered professional accounting firm should have in place to protect themselves from cyber criminals. 

1.   Education and Awareness

  • Email/Text Awareness: Always inspect emails and texts to ensure they are coming from an authentic or trusted sender. Check the reply email address: does it match the sender’s name? Does the context of the message make sense? Look at the spelling, the grammar, even the logos, and ensure they are all correct.

  • Attachments & Links: Never blindly click on an attachment or link without first performing all the checks above. 

Contact an IT security professional or company such as Tapin2it to train yourself and your staff.
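The reply-address check from the Email/Text Awareness item can be partly automated. The following is an added example, not code from the original article or from Tapin2it; the address book, the `.example` domains, the sample messages and the 0.85 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address on file (hypothetical values).
KNOWN_CONTACTS = {"jordan lee": "jordan.lee@acme-client.example"}

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def sender_warnings(raw_message, contacts=KNOWN_CONTACTS):
    """Return a list of reasons to distrust the sender of a raw email."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    warnings = []

    # 1. The name claims to be a known contact, but the address is not the one on file.
    on_file = contacts.get(name.strip().lower())
    if on_file and from_addr != on_file:
        warnings.append("display name matches a contact but address does not")

    # 2. The sender domain is close to, but not equal to, a known domain.
    dom = _domain(from_addr)
    for known in {_domain(a) for a in contacts.values()}:
        if dom != known and SequenceMatcher(None, dom, known).ratio() >= 0.85:
            warnings.append(f"sender domain resembles {known}")

    # 3. Replies would be delivered to a different domain than the sender's.
    if reply_addr and _domain(reply_addr) != dom:
        warnings.append("Reply-To domain differs from From domain")
    return warnings

# Constructed sample messages (headers, blank line, body).
LEGIT = ('From: "Jordan Lee" <jordan.lee@acme-client.example>\n'
         'Subject: March invoices\n\nInvoices attached.\n')
SPOOF = ('From: "Jordan Lee" <jordan.lee@acrne-client.example>\n'
         'Reply-To: invoices@mailbox.example\n'
         'Subject: March invoices\n\nInvoices attached.\n')

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, sender_warnings(raw))
```

An empty result only means these three header checks passed; the context, spelling and logo checks in the list above still apply.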

2.   Change passwords often

Always use strong passwords.

  • Passwords should have a minimum of 12 characters and include uppercase and lowercase characters as well as digits and special characters

  • Consider using a password management application to help generate and securely store passwords

  • Don’t reuse the same password across multiple sites

  • If you use the same password on multiple systems, a security breach at one system could lead to your account being compromised at other systems

  • Change passwords often (experts recommend every three months) 

3.   Use multifactor authentication (MFA)

  • MFA requires the user to not only input a password, but then enter a second set of information. This could be a number sent via text to your mobile phone, a code from an app on your mobile phone or use of your fingerprint. This greatly improves password protection.

4.   Encrypt sensitive data

  • This ensures that even if hackers get their hands on your data, it won’t be of any use to them. Consult a security professional to assist you with the right solution for this.

5.   Ensure operating systems & antivirus software are up to date

  • The latest OS often contains security updates; and while it’s important to keep antivirus software updated, it’s nowhere near enough protection. Contact your IT or Security professional for this. You may even want to ask about a patch management solution.

6.   Create a budget for security and implement solutions

  • A Managed Detection & Response (MDR Solution) is your best protection. These services combine technology along with human expertise to provide a proactive strategy to protect your business around the clock—searching for threats, detecting them and managing a response before they do damage. Contact a security professional to help you find a solution that’s right for you.


The incalculable costs of a cyber attack


In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect in 2019. It requires any private business that collects personal information for commercial purposes (i.e. CPA firms) to ensure that the individuals whose data it possesses or uses:

  • Give their consent for its use
  • Are able to access the information
  • Are able to correct the information
  • Are assured that their information is being sufficiently safeguarded

PIPEDA also calls for mandatory reporting of data breaches. Failure to comply on any of the above counts—including establishing security safeguards—opens up a firm to stiff fines and penalties. 


In 2021, the average cost of a data breach, globally, was estimated at $3.86 million USD.


Truly, the costs of a cyber attack to your firm are incalculable. On top of a possible ransom you are forced to pay, there can be added costs to recover and repair your systems, PIPEDA fines and of course the completely intangible cost of loss to reputation and loss of clients. 


“So many of my clients have taken their business elsewhere,” Shazia lamented. “I’m not sure how I’ll be able to recover.”


The urgency to protect your chartered professional accountancy business from cyber attack cannot be overstated. Protect yourself and your livelihood. Take action now. Don’t end up like Shazia Sharp.




Ron Bar is the Founder and IT/Cyber Security Expert at Tapin2it. Tapin2it protects small to medium-sized businesses with enterprise-level cybersecurity solutions at an affordable price. With over 20 years’ experience in technology and security, Tapin2it keeps your business cyber aware, safe and protected.

© 2022 Tapin2it

