Use these tips to not become a phishing scam victim

Andrew Lassise explains common phishing scam techniques in this podcast episode and how you and your accounting firm’s employees can make sure not to fall victim.

You can read the article, listen to the podcast below or anywhere you listen to podcasts. A YouTube video of the podcast recording is also available here and below. Need help with your tech support? Call us at (888) 965-0171 or contact us here.

What is a phishing scam email?

Phishing scams are broken down into two types.

Deceptive phishing

Deceptive phishing scams happen when scammers send you an email and try to get you to click on a link and unknowingly provide personal information to them.

Phishing scammers will write up a real-sounding email that looks like it’s coming from a reputable source. They want you to click something in the email. That could look like a password reset link or a link where you need to enter personal information like:

  • Social Security Number
  • Date of Birth
  • Other personal information

Deceptive phishing can happen to any size company.

Spear phishing

This phishing scam attack is more targeted than the deceptive phishing variety. Large accounting firms are specifically targeted here because scammers know they have a lot of resources.

Download now: Get the free written information security plan template now here!

“When you are a Big 4 the spear phishing is very important to be aware of because you have a target on your back,” said Andrew.

How do phishing scams work?

Basically, as explained above: Scammers send out a realistic-looking email and once people click and reveal information to the scammers those scammers can access accounts. An example that Andrew shared on the podcast involves scammers getting access to an admin account that wasn’t even actively being used.

“They got in and the data breach happened that way,” Andrew said.

Read next: Data breach awareness: How do I know if my customer data was breached

The emails are completely fake but have some of the qualities to look real enough.

For example, the email subject line might say: Reset Office 360 password now after problem detected.

The email then is branded Microsoft Office 360, has a logo on it and looks like it came from Microsoft. The landing page also looks like it’s a Microsoft page and asks you to type in your password or other private information. (We are using Microsoft brand as a generic example here.)

Those emails aren’t actually from Microsoft, but can come from a Gmail, Outlook or Yahoo account – for example.

“It’s coming from an impostor domain; so it may look like Microsoft but it’s not,” said Andrew.

The domain might look like:

  • M1crosoft
  • Micr0s0ft (zeros instead of the letter O)
  • Microzoft

“It something that if you just glance at it it looks like it says Microsoft,” Andrew said. “But if you look at it under the lens it doesn’t actually say Microsoft.”

Once you type in your current password, they now have your current password and can use it in the programs where you use it. Once scammers are in they can also reach out to your contacts and try to infect them.

Read next: 31 orgs victims of ransomware – are you prepared?

Is my company big enough to have to worry about a phishing scam?

Andrew hears this often from accountants with smaller practices – usually under 5 employees and even solo practices.

“They say I don’t really need to worry about email protection,” Andrew said. “Or do I need security awareness training? I’m so small. Nobody is going to target me. I don’t have enough money to be attractive for somebody to want to phish.”

That’s actually a common misconception about phishing scams. But don’t think of a phishing scam as company specific. Think of it as volume-based. A phishing scam sent to 5,000 small 5-person companies is 25,000 people. Think of it more as marketing versus sales.

In marketing, if you put a commercial on TV you want a lot of people to see it. That’s a similar analogy to how a phishing scam works. They want to get their phishing email in front of as many people as possible.

Don’t think of it as one-on-one sales.

“They are trying to reach as many people as possible,” Andrew explained. “They may fit a certain demographic. So they may buy an email list of every accountant in the world from companies that have one employee to thousands of employees.”

To these scammers there’s very little cost difference whether they send it to 100 people or 100,000 people and chances are higher that somebody will click and become a phishing scam victim if it’s send to 100,000 people.

How to prevent a phishing scam?

Certainly, some emails can be blocked, filtered to spam and it’s also important for staff to know what to look for. Remember the definition of phishing scam emails outlined in this article and don’t click links from external senders when you don’t know who they are.

A little common sense and situational awareness also go a long way. For example, if you get an email that asks you to reset your Office 360 Suite password but your company doesn’t use that product, it certainly cannot be real. You don’t even have an account.

Another indicator is when you receive an email that you weren’t expecting. If the email says  that there was a problem with your email problem and you, your company or your managed service provider aren’t aware of any issues the email might be a phishing scam.

Read next: What accountants must know about managed services

Getting emails or notifications also can create a certain rush (i.e. releases Dopamine). Thinking something bad had happened and that our action is required can push us to click that link and become the victim of a phishing scam.

If there’s a button in the email you can also hover over that button and in the bottom left corner it tells you where that link goes. If it’s not going to the website you think it should be going to, that’s another red flag.

Over 90 percent of data breaches happen through just one employee. So having the right processes in place and having good employee training is key.

Sometimes employees don’t even realize they clicked something, Andrew explained. “We go in and do the forensics and see who did what and see that a specific employee clicked a link. They didn’t even remember it.”

If they do remember the response can be “I had to reset my password. That just affects me. No big deal,” Andrew said. “The truth is it affects the entire organization.”

Keep in mind that not doing anything is also an option. If you get an email that seems suspicious, don’t do anything. Do consider changing your email password.


This episode was largely built on questions emailed in by listeners. If you have questions, please fill out the form below and we’ll consider answering them on a future episode of the podcast: