PQ magazine is for part qualified accountants.
Don’t fall prey to the identity thieves
Corporate identity theft is on the increase, so it falls on us all to be vigilant. The case study here outlines a fictional scenario involving identity theft and offers some talking points and courses of action.
Accounting firm employee K has recently completed her training contract and is now being contacted by recruitment consultants. One of these calls outlines a job that sounds too good to be true. The discussion quickly turns to K’s client portfolio and the structure of her firm. The headhunter seems to know (and be on good terms with) a number of K’s colleagues. He promises to call back soon with more details of this fantastic opportunity.
In the pub that evening a member of the finance department (who received a recruitment call similar to K’s) can be heard bragging to colleagues about a great new career opportunity that is coming his way – that is, when he’s not complaining noisily about the firm’s ‘woefully inadequate’ IT systems.
Not long after, some of the firm’s clients start to receive correspondence from someone purporting to be K telling them that certain transactions on which K’s firm has been advising now need to go ahead quickly and that they must make the necessary bank transfers urgently. Some clients have already made their transfers and are now contacting the firm to check on progress.
It soon emerges that the firm’s systems, including its customer ledger information, have been hacked over the weekend. The transfers made by clients were in fact diverted into a fake client money account set up by the criminals. The money has now disappeared.
1. In what ways, if any, was this crime ‘enabled’ either by the firm or individual employees? K and her colleague in finance are not only victims. Having been convinced by a fraudster to reveal sensitive information, they have become unwitting enablers. Without the information they provided the criminal plan may well have failed.
Any firm could find itself in a situation like this purely because of simple lapses in IT or information security and a failure to monitor client activity. Many cyber-attacks are launched at the weekend in the knowledge that there will be no one around to notice the untoward activity. By Monday morning it is often too late.
2. Which fundamental ethical principle is K likely to have breached? Confidentiality.
3. How would you stop this happening again? Many cybercrimes include an element of old-fashioned, one-to-one deception (now called ‘social engineering’). Professional accountants have skills which are often in high demand and they can receive many, sometimes flattering, calls from recruitment consultants. Of course employers and clients alike are owed a duty of confidentiality. But the sharing of detailed information about the firm and the affairs of its clients, as happened here, can easily become much more than a breach of confidentiality by actively enabling a fraud or cyber-crime that might otherwise have fallen at the first hurdle.
All employees should receive regular training on the ethical requirements of their role, the nature of the fraud risks that threaten the firm and its clients, and what they can do to help prevent these kinds of crime. They should also be actively encouraged to think carefully about what information – especially work information – they share on social media, and to question the professionalism of their motives for doing so.
Meanwhile, the firm should:
• Ensure that documents carrying sensitive information are destroyed securely.
• Monitor online references to itself – this can help identify imposters.
• Carry out a systems health-check – which could include tasking a consultant to attempt unauthorised entry to critical systems – and get professional advice on data security.
• Educate staff on IT security and how to spot cybercrime red flags.
• Follow the latest expert guidance (from GCHQ) on secure passwords – at least eight characters long, no dictionary words, change them only after a suspected or actual security breach.
• Ensure that firewall and anti-virus software is up-to-date.
• Use data encryption software in correspondence.
• Make special efforts to protect access to applications like searchable databases – these can give criminals a way in.
• Remember: weak controls make crime possible.
Thanks to the CCAB for this article