Tag: E-mail security for CPAs

Phishing on the Rise: Don’t Fall for it.

I’ve noted a significant rise in the number of phishing and malware attacks I’ve received in the last few weeks. With open source phishing tools like GoPhish available to anyone for free, it’s more important than ever to train your employees and be more diligent about where you go online.

I’ve included two of the most recent messages I’ve received to remind you to be very diligent when you are going through your e-mail.

  1. The fake fax/purchase order – This attack sends an unexpected message that has an interesting title, like “Incoming fax message” or “purchase order” from an unexpected sender.  An example of one of these appears below.

Annotation 2018-11-30 101416

Note that this message is from a service I’ve never heard from, and the fax number of the sender (+1 659-802-3681) is from an area code that doesn’t exist, and the CSID (fax header) is from Massachusetts.  Also note that the attachment is an HTML file – and it probably has some bad stuff in it.

Lesson: If the message looks odd, verify its validity with the sender.  If you can’t determine the sender, don’t open it.

2. The portal login – This attack sends a message which purports to be from a portal, but the real objective here is to get you to visit a site you shouldn’t visit and make it look like a legitimate website you use.  In the screen capture below, I’m allegedly being sent a PDF file from a CPA firm in Washington State which is a “proposal”.  Since I don’t do business with the firm, I have to assume that it’s bogus, and I should ignore it.  It’s probably a bogus e-mail, linking to a bogus website, with a malware-laden file awaiting me.

Annotation 2018-11-30 100008

This kind of attack is easily perpetrated with free, open source software – because I’ve personally set up the software needed for this in Linux.  The application, GoPhish, is designed for security professionals to use when testing their employees, but can also easily be used by fraudsters trying to get access to your e-mail accounts.GophishDashboard.png

While I didn’t click on the link to the OneDrive site, I fully expect that it would have had malware on it or would have tried to trick me entering my legitimate username and password into a fake website.  There are a number of free tools which will help you set up fake websites in GoPhish, and it is trivial to use this tool to retrieve the credentials entered by victims.

The bottom line here is that the bad guys are getting better, and it’s becoming easier than ever for criminals, teenagers, and “script kiddies” to use open source software to gain access to your confidential data.

If you’re interested in training your employees and testing your vulnerability against phishing and other e-mail attacks, the following services offer employee training programs for a reasonable price:

You can also see reviews at the Gartner Group’s website online.


FAQ on Decrypting Tax Documents with AES Crypt

This week’s episode of the excellent Security Now! podcast (#599, starting at 53:10) discusses the use of AES Crypt by clients to encrypt tax data when sending it to practitioners. (I assume that those documents are destined to a professional preparer, like you, the gentle reader of this blog). While I won’t restate the original blog post (which is at http://cantus.us/encrypt-your-tax-documents-before-you-send-them/), the method described is a relatively simple way for an end user to encrypt and send a group of encrypted files over an insecure medium like Dropbox or other consumer-grade file sharing tools.  While the method described in the post can be implemented poorly (weak passwords, sending the wrong file, using e-mail, etc.), the basic methodology appears sound – but you need to evaluate the methods you approve for clients to use transmitting data.

Continue reading “FAQ on Decrypting Tax Documents with AES Crypt”