Access to the internet is now second nature for those of us working online every day. It has fast become a business imperative to connect to customers, transact business and network across geographies and industries. Likewise, a concern for individuals and companies operating online is keeping sensitive data and information secure from cybercriminals and hackers. These cybercriminals are targeting businesses – big and small – across many industries, including the finance sector.
As Head of Security at Xero, I lead a team that works round the clock to monitor and detect suspicious activity, and over the past few years we’ve seen an increase in email and invoice fraud and account takeovers targeting small businesses and the accounting and bookkeeping industry, as more and more businesses manage their operations and do business online.
The day-to-day impact of cybercrime has become a fact of life and a permanent reality for businesses. We continually remind our customers – small businesses, accountants and bookkeepers – to take precautions to keep their data safe from hackers. Just as a hospital is charged with protecting patient security, businesses operating online need to take measures to ensure they and their client data are safe online, and they need to understand how they can become a target.
There are a number of ways small businesses and their advisors may be targeted, so it is important to be aware of how scammers look for a way in. It might be:
- Via hacked email accounts, which are then used to send out fraudulent invoices that look just like the real thing, but with a fraudulent payment bank account number
- With a phishing email, to gain access to information like usernames and passwords, credit card details, and bank account numbers
- Or through a bogus invoice email containing links and/or attachments that deliver malicious software to your PC, such as ransomware, password stealers, or remote access tools (RATs) that let an attacker take control of your PC
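The first item above, a fraudulent invoice carrying a changed bank account number, is the one a receiving business can catch with a simple control: compare what the invoice asks you to pay against the supplier details you verified out of band when the supplier was set up. The check below is an added illustration, not Xero's code or product logic; the supplier record, sender address and account numbers are constructed sample values (`.example` domains), and the field names are assumptions.

```python
"""Check an incoming invoice against a verified supplier master record.

Added illustration (not Xero's code). Sample supplier data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SupplierRecord:
    name: str
    email_domain: str   # domain the supplier is known to send invoices from
    bank_account: str   # account number confirmed with the supplier out of band


def normalise_account(acct: str) -> str:
    """Strip spaces and dashes so '12-3456-7890123-00' == '12 3456 7890123 00'."""
    return re.sub(r"[\s-]", "", acct)


def sender_domain(email: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return email.rsplit("@", 1)[-1].lower()


def check_invoice(supplier: SupplierRecord, sender_email: str,
                  invoice_account: str) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    dom = sender_domain(sender_email)
    if dom != supplier.email_domain.lower():
        findings.append(
            f"sender domain {dom!r} differs from registered {supplier.email_domain!r}")
    # The account comparison is the important one: an invoice sent from a
    # hacked mailbox comes from the genuine domain, so only the changed
    # payee account gives it away.
    if normalise_account(invoice_account) != normalise_account(supplier.bank_account):
        findings.append("payee bank account differs from verified supplier account")
    return findings


# Constructed supplier record (hypothetical supplier, .example domain).
ACME = SupplierRecord(name="Acme Supplies",
                      email_domain="acme-supplies.example",
                      bank_account="12-3456-7890123-00")


if __name__ == "__main__":
    # Genuine invoice: same domain, same account, different formatting.
    print(check_invoice(ACME, "accounts@acme-supplies.example", "12 3456 7890123 00"))
    # Invoice from a compromised genuine mailbox with a swapped account.
    print(check_invoice(ACME, "accounts@acme-supplies.example", "12-3456-7777777-00"))
    # Invoice from a lookalike domain with a swapped account.
    print(check_invoice(ACME, "accounts@acme-suppiles.example", "12-3456-7777777-00"))
```

A mismatch on the account should block payment until the new details are confirmed by calling the supplier on a number already on file, not one printed on the suspect invoice.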
Another scam to be aware of is the account takeover, where small businesses and accounting and bookkeeping practices have sensitive client information stolen because their system is accessed after the theft of their login credentials (username and password). Hackers sometimes obtain these credentials through phishing or malware, or by taking login credentials stolen from one website and testing them against other websites to see if they work there too. This is called credential stuffing.
The Xero Security Team monitors around the clock and across every timezone for patterns of malicious activity using the latest account takeover detection technology. We investigate and respond to suspicious activity by notifying users with steps to take to protect their account. In some cases we disable the account as a precautionary measure and notify the user to change their password and scan for malware.
But it is critical for everyone to take measures to ensure they are safe online. So I want to remind people – whether they are an accountant, bookkeeper, practice partner, or small business – of some simple, easy-to-implement steps to better protect their information, and that of their clients, online.
- Always use strong, unique passwords for each site or service you log in to, and never share passwords. Having a unique password helps prevent a compromise of one login becoming a compromise of many. Password manager (password-safe) software can help you manage your multiple logins
- Use two-factor or multi-factor authentication (2FA/MFA) wherever this is available. This is particularly important for your email account, which is usually the means to resetting your passwords for other sites
- Update anti-malware (anti-virus, anti-spyware) software. It is one of the easiest and most effective things you can do to protect yourself
- Keep all of your software up to date with security patches
- Make sure your data is backed up regularly, and that backup copies are kept separate from the source systems
Security is a priority at Xero and like any online business we are no stranger to the potential for phishing attacks and account takeovers. We all need to take responsibility to protect our data with strong security controls, investing the time and resources to strengthen online security every day.