Tuesday - July 14th, 2026
Apple News
×

What can we help you find?

Open Menu

Urgency, Emotion, Authority: How One Scammer Almost Got Inside a CPA Firm

Tax season keeps accountants busy, and it keeps scammers busy too. Early this summer, a CPA firm became the target of someone posing as a new client. The scammer spent weeks building trust before making a move. The good news is this story ends well. The better news is you get to learn from it without living through it.

The Setup

The contact arrived through the CPA firm’s website contact us page. The prospective client had a name, a personal backstory, and a reasonable set of questions about tax preparation. They were too ill to file taxes and could the CPA firm help them file late? Over several weeks, the emails kept coming to setup a meeting to discuss the tax situation.

Scams like this one lean on three specific levers, and naming them helps your team recognize the pattern faster than any technical detail could. Urgency, since the scam moves fast right when a decision needs to happen. Emotionality, since a sympathetic personal story lowers a person’s guard before a single suspicious link ever appears. Authority, since the request arrives wrapped in something familiar and trusted, in this case a meeting tool nearly every business uses every day.

The Switch

On meeting day, the scammer sent a message claiming the firm’s own video link was not working, and offered a replacement link instead. The link looked like a normal Microsoft Teams meeting invite, but it was not. Clicking it led to a fake enrollment page, which quietly registered the employee’s computer into a device management system controlled by the scammer. From there, hidden scripts ran with high level system permissions and attempted to install remote access software.

The Save

Here is the part worth celebrating. The firm’s antivirus software blocked both attempts to install remote access tools. A full review afterward found no evidence anyone stole data, and confirmed the firm’s email system stayed untouched. One computer saw the attack. The rest of the firm never did.

The Real Lesson

A few details make this worth sharing beyond one firm’s near miss. The scammer used a website which had existed for two years, so any tool looking for brand new suspicious domains would have missed it completely. The scammer also seemed to notice which remote access software the firm already trusted and tried to install a matching copy, hoping it would blend in. The lesson here is simple. Trust the specific tool your team set up, not every tool sharing its name.

Small Steps That Help

You do not need a large Security budget to lower your risk here. A handful of affordable moves help stop these attacks at several different points.

  • Deploy endpoint detection and response, known as EDR, on every workstation. In this incident, endpoint protection blocked both remote access installs even after the scam succeeded at every earlier step, making it the single control standing between a bad click and a full compromise.
  • Build your human firewall through regular security awareness training. Employees trained to recognize urgency, emotion, and authority working together spot scams no filter catches, and the pause one trained person takes costs nothing while saving weeks of cleanup.
  • Remove standing admin rights from everyday workstations. The scripts in this attack ran with high-level system permissions, and an account without those rights turns the same click into a much smaller problem.
  • Adopt a Know Your Customer step before scheduling meetings with any new prospect. Asking a new contact to verify their identity, through a callback to a listed number, a government ID check, or a brief screening call on your own meeting link, scares off scammers running fake personas before an attack ever reaches the calendar.
  • Ask your IT provider to block device management and remote access tools your firm does not use, not merely check for them. Windows policy settings prevent unauthorized device enrollment outright, and application control in most endpoint platforms stops unsanctioned tools at install time instead of finding them after an attacker plants one.
  • Inspect every link before clicking, and confirm unexpected ones by calling the sender at a number you already verified. A hover reveals when a link’s real destination does not match its display, and a callback on a known good number stops a scammer who controls the email thread.

Most of these steps cost time rather than Money, and even the paid ones, like EDR, fit an SMB budget. Pick one this week and start there.

Hoot Up This Week

You already do a hundred things right every day to keep your business running. Add one more this week. Take five minutes with your team to talk through what a real new client message sounds like versus a scam attempt. Small talks like this build confidence no software update replaces. Hoot up.. Progress beats perfection every time, and reading this already puts you a step ahead of where you were yesterday.


Sources:

  • Check our CyberHoot’s Threat Advisory – CH-TA-2026-0001 for additional information:

The post Urgency, Emotion, Authority: How One Scammer Almost Got Inside a CPA Firm appeared first on CyberHoot.

Craig Taylor CEO and Co-Founder

Craig Taylor is a Certified Information Systems Security Professional (CISSP) since 2001, and a 30-year veteran of Cybersecurity. In 2014 he co-founded a cybersecurity training company - CyberHoot - to help SMBs and MSPs learn cyber literacy. During his career, Craig has led cybersecurity organizations in Web Hosting (CSC), Finance (JP Morgan Chase), and manufacturing (Vistaprint). Additionally, Craig leads a cybersecurity consultancy that has delivered virtual Chief Information Security Officer (vCISO) services to more than 5o companies (all sizes and industries). Craig is a Toastmaster (public speaking), a Rotarian (Portsmouth, NH), and a fundraiser for Cancer research having raised 150k riding in the Pan Mass Challenge for 11 years.

Posted in:
Craig Taylor
Tagged with:
0 Comments
Oldest
Newest Most Voted
👉 Get the FREE BabyBoomer.org App!
Enjoy everything you love about BabyBoomer.org — now on your mobile device! Download the official mobile app FREE Today!
Ă—