COVID-19 has forced nearly every business in the UK to shut its doors or to start working remotely. For those of us whose businesses are built around remote-working tools and cloud-based methods of accounting, the impact has been minimal. For those who are unfamiliar with cloud solutions, it can feel a little like being thrown into the deep end of a pool.
The learning curve is steep. And, unfortunately, part of that learning curve must include how to guard yourself and your clients against cyberattacks and online fraud.
Modern hacking is not like the movies
We all love the Hollywood scene where a young hacker pounds away at a keyboard and, through sheer ingenious skill, suddenly breaks through the Department of Defense’s firewall. For those of us who know even a little about cybersecurity, this kind of scene is laughable.
In practice, most successful attacks today start with social engineering (tricking a person into handing over access or information) or with passwords that were stolen, guessed or reused because of poor security practices, not with clever code.
Social engineering — beware of email and online communication!
If you ever get an email from “someone you know” asking for delicate information such as passwords or other confidential details, politely refuse to send it by email and then phone the person to confirm that they actually sent the message. Use a phone number you already have on file, not one given in the email itself: if the email is fraudulent, any number in it will be answered by the fraudster.
This is an extremely common method of obtaining sensitive information. A request of exactly this kind, sent from a compromised email account, was one of the techniques behind the notorious (and highly embarrassing) 2011 compromise of the security firm HBGary Federal.
If, on calling the purported sender, you find that they did not send the email, tell them that either their email account has been compromised or their address has simply been forged: the From line of an email is trivial to fake, so a spoofed message on its own does not prove a break-in. In either case they should immediately change their email password to a strong one of 12 or more characters with lower and upper case letters, numbers and at least one special symbol, and check the account settings for forwarding rules or recovery addresses they did not set up, which attackers commonly add so they can keep reading mail after a password change.
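As an added illustration (not part of the original post), here is a small Go program that both checks a password against the policy just described and generates one that is guaranteed to satisfy it, drawing every character from the operating system’s secure random source. The symbol set, the 16-character default and the sample weak passwords are choices made for this example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"unicode"
)

// Policy from the text: 12 or more characters, lower and upper case letters,
// a number and at least one special symbol. The symbol set is an assumption.
const (
	minLength = 12
	lower     = "abcdefghijklmnopqrstuvwxyz"
	upper     = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits    = "0123456789"
	symbols   = "!@#$%^&*()-_=+[]{};:,.?"
)

// randIndex returns a uniformly distributed integer in [0, n) from the OS
// CSPRNG. math/rand must not be used for passwords: its output is predictable.
func randIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // no usable entropy source; nothing sensible to fall back to
	}
	return int(v.Int64())
}

// CheckPassword returns the policy rules a password misses (empty = passes).
func CheckPassword(pw string) []string {
	var missing []string
	if len([]rune(pw)) < minLength {
		missing = append(missing, fmt.Sprintf("at least %d characters", minLength))
	}
	var hasLower, hasUpper, hasDigit, hasSymbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsDigit(r):
			hasDigit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			hasSymbol = true
		}
	}
	if !hasLower {
		missing = append(missing, "a lower case letter")
	}
	if !hasUpper {
		missing = append(missing, "an upper case letter")
	}
	if !hasDigit {
		missing = append(missing, "a number")
	}
	if !hasSymbol {
		missing = append(missing, "a special symbol")
	}
	return missing
}

// GeneratePassword returns a random password of the given length that always
// satisfies CheckPassword: one character is drawn from each class first, the
// remainder from all classes, and the result is shuffled (Fisher-Yates with
// CSPRNG indices) so the mandatory characters are not always at the front.
func GeneratePassword(length int) (string, error) {
	if length < minLength {
		return "", errors.New("length below the policy minimum")
	}
	all := lower + upper + digits + symbols
	chars := []byte{
		lower[randIndex(len(lower))],
		upper[randIndex(len(upper))],
		digits[randIndex(len(digits))],
		symbols[randIndex(len(symbols))],
	}
	for len(chars) < length {
		chars = append(chars, all[randIndex(len(all))])
	}
	for i := len(chars) - 1; i > 0; i-- {
		j := randIndex(i + 1)
		chars[i], chars[j] = chars[j], chars[i]
	}
	return string(chars), nil
}

func main() {
	pw, _ := GeneratePassword(16)
	fmt.Printf("generated: %s  missing: %v\n", pw, CheckPassword(pw))
	for _, weak := range []string{"password", "Accounts2020"} { // constructed samples
		fmt.Printf("%-14s missing: %v\n", weak, CheckPassword(weak))
	}
}
```

Note that CheckPassword only sees character classes: something like "Accounts2020!" passes every rule and is still easy to guess from context. The generator, or a long random passphrase from a password manager, is the safe way to meet the policy.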
Never send passwords by email — do this instead
Never, ever send a password by email. Once sent, the password sits in both mailboxes, in the sender’s Sent folder and in every backup of them, indefinitely. Anyone who later gets into either account can simply search for it, which is the easiest way for attackers to find passwords for sensitive accounts.
Google has added a “confidential mode” option to Gmail, which sets an expiry date on a message and blocks forwarding, copying and downloading. Note that it is not end-to-end encryption: Google still holds the content. And if you are not using Gmail as the email backend for your business, the option is not open to you at all.
One tool we like to use is OneTimeSecret, which lets you put sensitive information behind a one-time link: the text is stored encrypted and is destroyed as soon as it has been viewed once, so the link is useless to anyone who finds it in a mailbox later.
If you add a passphrase to the secret in OneTimeSecret, send that passphrase to your client by SMS or read it out over the phone, never in the same email as the link. Someone who intercepts the email then gets only a link they cannot open, and someone who sees the text message gets only a passphrase with nothing to use it on.
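To make concrete what a one-time, passphrase-protected secret gives you, here is an added example of the pattern in Go, written for this page; it is not OneTimeSecret’s code and makes no claim about how that service is built internally. The secret is encrypted with AES-256-GCM under a key derived from the passphrase with PBKDF2-HMAC-SHA256, so the party operating the store holds only ciphertext; the id in the link and the passphrase are useless on their own, and the record is destroyed on the first successful view or after its time limit. The secrets.example host, the sample secret and the passphrase are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)
const kdfIterations = 100000 // PBKDF2 work factor; raise it for production use
var ErrNotFound = errors.New("secret does not exist, has expired or was already viewed")
var ErrBadPassphrase = errors.New("wrong passphrase")

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte key: block index 1 only.
func pbkdf2SHA256(passphrase, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): 4-byte big-endian block index
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing safe to fall back to
	}
	return b
}

// aeadFor keys AES-256-GCM from the passphrase and a per-secret salt.
func aeadFor(passphrase string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIterations)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)                                                   // AES block: cannot fail
	return gcm
}

type record struct {
	salt, nonce, ciphertext []byte
	expires                 time.Time
}

// OneTimeStore holds ciphertext only: its operator cannot read a secret without the passphrase.
type OneTimeStore struct {
	records map[string]*record
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewOneTimeStore() *OneTimeStore {
	return &OneTimeStore{records: map[string]*record{}, now: time.Now}
}

// Put encrypts the secret and returns the random id that goes into the link.
func (s *OneTimeStore) Put(secret, passphrase string, ttl time.Duration) string {
	salt := randBytes(16)
	gcm := aeadFor(passphrase, salt)
	id := hex.EncodeToString(randBytes(16))
	nonce := randBytes(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, []byte(secret), []byte(id)) // id bound as associated data
	s.records[id] = &record{salt, nonce, ct, s.now().Add(ttl)}
	return id
}

// Take returns the secret once and destroys it; expired records are dropped. A wrong passphrase (GCM tag failure) keeps the record, so a typo does not burn the secret.
func (s *OneTimeStore) Take(id, passphrase string) (string, error) {
	rec, ok := s.records[id]
	if !ok || !s.now().Before(rec.expires) {
		delete(s.records, id)
		return "", ErrNotFound
	}
	pt, err := aeadFor(passphrase, rec.salt).Open(nil, rec.nonce, rec.ciphertext, []byte(id))
	if err != nil {
		return "", ErrBadPassphrase
	}
	delete(s.records, id)
	return string(pt), nil
}

func main() {
	store := NewOneTimeStore()
	id := store.Put("Sage login: tax2020!Kx9", "bluebell-42", time.Hour) // constructed sample secret
	fmt.Println("email the link https://secrets.example/"+id, "and text the passphrase bluebell-42") // hypothetical host
	fmt.Println(store.Take(id, "bluebell-42")) // first view returns the secret
	fmt.Println(store.Take(id, "bluebell-42")) // second view: ErrNotFound
}
```

A production service would use a higher PBKDF2 count or a memory-hard KDF such as Argon2, persist the records, and rate-limit passphrase attempts per id. The split-channel rule from the text is what makes the passphrase worth anything: a passphrase sent in the same email as the link protects nothing.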
Never save passwords in a text file on your computer
Best practice dictates a different password for every account. That is far too many to remember, and nobody should try.
You do need to save your passwords somewhere, but only in a tool designed specifically for storing passwords, definitely not in a text file, a Word document or an Excel spreadsheet.
“Password managers”, as they are called, encrypt the passwords stored in them so that nobody else can read them. The only password you then need to remember is the master password that unlocks the manager itself.
Make sure that password is an extremely strong one. Write it down and put it in a safe or in a safe deposit box.
Some Passwords Managers are:
Your Google Account
If you use the Google Chrome browser, it offers to save your passwords to your Google Account, where you can view and manage them at https://passwords.google.com/. That means your Google password protects every other password you own, so make sure it is really strong.
The benefit of this password saver is that you can access it from anywhere.
This is a free tool where you have to type in the details manually for every password you save. You can also configure it online so you can access it through a website, but that starts getting a little advanced.
There are very many other tools you can use as well.
Phishing — another typical hack
Phishing is an email (or text message) crafted to look as if it comes from someone else, typically an organisation you trust. Con artists try to get banking details by sending an email that looks like it comes from the victim’s bank, with a link to a fake login page or a request to reply with account details.
They could do the same to your clients, impersonating your practice.
Phishing is a well-known scam that is unfortunately difficult to combat, because it targets your clients directly rather than anything under your control.
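The spoofing described above leaves traces in the message headers, which is where a practitioner looks first. The following Go example is added here and is not from the original post: it parses two constructed messages, one forged and one genuine, and lists the indicators that the From line is not what it claims, namely a From domain the real sender does not use, a Return-Path or Reply-To on another domain, and SPF, DKIM or DMARC results other than pass in the Authentication-Results header added by the receiving mail server. The domains example-bank.com, example-bank-verify.com, mailer-7731.xyz and mx.example.net are invented for the example.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed sample messages (not real mail) used by main and the tests.
const phishMail = "Return-Path: <bounce@mailer-7731.xyz>\r\n" +
	"Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer-7731.xyz; dkim=none; dmarc=fail\r\n" +
	"From: \"Example Bank Security\" <alerts@example-bank-verify.com>\r\n" +
	"Reply-To: <support@mailer-7731.xyz>\r\n" +
	"To: <client@example.co.uk>\r\n" +
	"Subject: Urgent: confirm your account details\r\n" +
	"\r\n" +
	"Reply with your account number and online banking password to avoid suspension.\r\n"

const legitMail = "Return-Path: <alerts@example-bank.com>\r\n" +
	"Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass\r\n" +
	"From: \"Example Bank\" <alerts@example-bank.com>\r\n" +
	"To: <client@example.co.uk>\r\n" +
	"Subject: Your statement is ready\r\n" +
	"\r\n" +
	"Log in as usual to view your statement.\r\n"

var authResultRe = regexp.MustCompile(`(?i)\b(spf|dkim|dmarc)=(\w+)`)

// domainOf extracts the lower-cased domain from an address header value such as
// "Example Bank" <alerts@example-bank-verify.com>.
func domainOf(header string) (string, error) {
	addr, err := mail.ParseAddress(header)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", addr.Address)
	}
	return strings.ToLower(addr.Address[at+1:]), nil
}

// CheckMessage parses a raw message and lists indicators that the From line is
// not what it claims: a From domain outside the sender's real domains, a
// Return-Path or Reply-To on another domain, and failed or missing
// SPF/DKIM/DMARC results in the receiving server's Authentication-Results.
func CheckMessage(raw string, senderDomains []string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := domainOf(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var findings []string
	trusted := false
	for _, d := range senderDomains {
		if from == d || strings.HasSuffix(from, "."+d) {
			trusted = true
		}
	}
	if !trusted {
		findings = append(findings, "From domain "+from+" is not one the real sender uses")
	}
	for _, h := range []string{"Return-Path", "Reply-To"} {
		if v := msg.Header.Get(h); v != "" {
			if d, err := domainOf(v); err == nil && d != from {
				findings = append(findings, h+" points at "+d+", not "+from)
			}
		}
	}
	ar := msg.Header.Get("Authentication-Results")
	if ar == "" {
		findings = append(findings, "no Authentication-Results header: SPF/DKIM/DMARC were not checked")
	}
	for _, m := range authResultRe.FindAllStringSubmatch(ar, -1) {
		if !strings.EqualFold(m[2], "pass") {
			findings = append(findings, strings.ToUpper(m[1])+" result is "+m[2])
		}
	}
	return findings, nil
}

func main() {
	for name, raw := range map[string]string{"phish": phishMail, "legit": legitMail} {
		findings, err := CheckMessage(raw, []string{"example-bank.com"})
		fmt.Printf("%s: %d finding(s) %v (err=%v)\n", name, len(findings), findings, err)
	}
}
```

Two caveats. Only trust an Authentication-Results header whose authserv-id is your own mail server (mx.example.net in the sample); a sender can insert a fake one, which is why receiving servers should strip any they did not add. And a Return-Path on another domain is common for legitimate bulk mailers, so treat these as indicators to weigh, not proof.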
The only real defence is to be proactive: tell your clients regularly, in a plain email, that you will never ask them for passwords, account details or payments by email, and put the same notice on your website. Clients who know the rule will treat any such request as a fraud attempt and phone you to check.
Not only does this limit the damage phishing can do, it also makes your accountancy practice look professional. And that inspires confidence, which is always good for business.