The Email Breach at an Accounting Firm

A California-based accounting firm with a strong reputation prided itself on being a reliable one-stop shop for small to mid-size tech firms. With a vast client base of 1,500+ tech companies and over 300 employees, its invoicing team, led by the experienced senior accountant Caroline (name changed for anonymity), used QuickBooks to handle billing. However, security controls around finance operations were limited.

antivirus

The Vulnerable Target:

On the 25th of the month, Caroline noticed that 50 out of 200 major invoices remained unpaid, a rarity in the firm's history. Alarmed, the company's finance department contacted customers, only to discover that the payments had been made to the wrong bank accounts. The customers' finance team sent proof showing the email from Caroline saying that the company's banking details had been updated.

no-protection

Security Findings:

To investigate the issue, the firm engaged SafeAeon, a referral from a trusted source. SafeAeon began the investigation and identified that Caroline's email account had been compromised. Her account showed logins from multiple countries. The account was being accessed from multiple devices using the same password since its creation.

story-phishing

Expanded Compromise:

Further investigation revealed malware indicators on several devices linked to Caroline’s account, allowing cybercriminals to gain unauthorized access to her mailbox. It was further discovered that multiple systems and several accounts showed signs of compromise.

data-icn

The Breach Unleashed:

The threat actors impersonated Caroline and emailed multiple customers, falsely claiming their bank details had been updated. They requested the customers to pay the invoices based on the updated information and disregard the earlier invoice details.

math-icn

The Aftermath:

Executives initiated incident response immediately, as the company incurred significant financial losses due to the breach. With some invoices still pending, the firm feared even greater losses in the coming days.

insomnia-icn

Security Gaps Exposed:

The incident highlighted the need for stronger security controls in fortifying the company’s defenses against future attacks.

handshake

Remediation Actions:

SafeAeon took charge of the firm's IT infrastructure and implemented various measures to enhance security, including:

  • • Resetting all email account passwords and enabling multifactor authentication
  • • Implemented conditional access based on geography and device trust
  • • Implementing a company-wide password management policy
  • • Onboarding the infrastructure for 24x7 monitoring to detect malicious activity
  • • Leveraging a managed endpoint protection / EDR solution for continuous protection
book-icn

The Lesson:

The breach served as a stark reminder of the critical importance of cybersecurity. The accounting firm's CEO recognized the value of SafeAeon's 24x7 WatchGuard through MEDR service, bolstering their confidence in safeguarding their IT environment.

Call to Action:

Join SafeAeon on its mission to protect your IT environment with MEDR service. Get onboarded to MEDR now to improve visibility and response speed. Protect your business and clients from the ever-evolving cyber threats in the digital landscape.