I follow my CPA/accountant on Facebook. He was recommended years back by a friend I taught how to put together PCs in the ’90s, and I won’t say we’re friends, but he does post some interesting things occasionally. He has several thousand followers between his accounting services and another endeavor I’m not mentioning.
TL;DR – my CPA got completely pwnt by hackers, it’s unresolved, and what it got me thinking about.
Last week he posted that he had completed a course in bitcoin investing and was now certified in something that sounded scamtastic. This included a photo of a certificate from some crypto academy and some words that sounded like what an accountant who moved into alternate currencies and was interested in advising his clients might say, but also read entirely like not legit.
I moved on, thinking perhaps he’d become a crypto bro, which you know, happens to some people. I myself love the whole blockchain back end of crypto and how that can be leveraged for more exotic concepts beyond mere hashtag currency, but whatever.
Yesterday I saw his second post on crypto and I knew it wasn’t him. I called him up to tell him he’d been hacked and he said they had compromised his Facebook account and had changed everything about it (second factor authentication method, email address, phone numbers, etc.) and that Facebook was being monumentally unhelpful.
I gave him instructions on how to get his friends to mark the account as hacked, something that is not self-evident (go to profile, report profile, choose other reason, account hacked), and he told me he’d talked to my IT friend about the hack a week or so back and evidently had been given some advice, which I believe he ignored or didn’t think was a huge deal.
The advice was to shut his Apple account down and get a different phone and start dealing with this. I did not know this until later when I talked to my friend.
I got a text from the accountant later in the day. He asked me if a text from Apple was legit. It included both a phone number that Google lists as a scam, and a block of gibberish that I believe was there to evade text scanners looking for that exact message. I called him and told him it was a scam and he told me they had taken everything. I asked him why he was in touch with Apple for a Facebook scam and he revealed it was because they had his phone and Apple account basically. That I had not been told. They didn’t just take over FB, they got it from I’m guessing a saved password in his Apple keychain, or email, or whatever his second factor was.
I told him the Apple text and call were a scam, they called him and claimed they were going to restore his money, I told him this was a secondary scam and he was grasping at straws here. He had to take the call though because it was Apple… maybe it was, I don’t know. It was his only hope and it seemed like someone was doing something. I highly advised against it but I’m not a friend, I’m a customer he had reached out to for help when I gave him some advice.
Scammers had been in his accounts, changing passwords, second factor authentication methods, etc. I presume they were in his account for weeks doing all the things that someone with complete control of an account can do.
I wish at this point I had a conclusion or knew he was going to be better or get the help he needs in dealing with this, but it’s too early on and I went into self-defense mode. What could a group of hackers do with complete and total access to my CPA’s computer, email, cloud storage and the like? A man who’s had ten plus years of filing my taxes.
Can I assume the email and cloud provider he used were not compromised as well? No. Someone out there has my tax returns, email address, name, phone number, SSN, direct deposit info (which is less scary, as I have multiple accounts that are not linked, because I have been the victim of check counterfeiting before), and the like. They probably have it for every single one of his clients. This timing is problematic as I have surgery coming up and may be dead and not wanting to leave my family with nothing, or wake up and have no money to pay the light bills when I get discharged from the hospital.
This got me thinking quite a bit about false security. I have been progressively getting lulled into believing that things are secure, but all it would take is someone sweet talking T-Mobile to get my phone transferred to their SIM to intercept a secondary authentication method. As much as I like to think I follow decent practices there’s no telling what is actually being logged, caught, or screenshot on any of my computers. A simple Windows exploit could cause a cascading series of problems for me the same as an Apple ID hack evidently caused for my accountant.
I put a free fraud alert and freeze where I could. Made some minor changes and signed up with a credit monitoring and stolen digital life recovery service that’s $200 something a year. I’ve had dealings with them before, mentioned what had happened to my accountant, and they said they might be able to help – they wouldn’t insure his losses obviously, but the repair, recovery, making phone calls, might be handled… might.
I asked one of my local groups if anyone knew a service that could walk him through recovery of his digital life, people kept saying Lifelock, which evidently is not the case as he’s got a pre-existing issue. Maybe what I read is wrong, so don’t quote me on that. I highly suspect the credit company I was talking about will not help and that the sales person was a bit over enthusiastic about what they could do for a person… but who knows.
I started getting the “check out so and so on Instagram” posts from brand new accounts on FB that do nothing but promote scam Instagram accounts, but no real answer to the question of a company that helps you get your digital life back after the hack and without being a customer before.
Seems that would be a fairly advertised service, but it’s not… at least not in my circles.
When asking for help for him in a forum, the few people who did respond did not read the text of what had happened, or decided it would be helpful to give clues about which avenues I might research. I was given tomes of information on what steps someone should take after a hack (this was in/during). This man is drowning now and I was given a manual of how to grow and harvest a forest for the wood to create a 19th-century barge, which once completed I would sail out and attempt a sea rescue. Good intentions, but useless. He needs a team making phone calls and helping with the police (and FBI) reports to follow.
Anyhow, imagine a hacker has your phone in their hand with your Authenticator codes, phone number, and access to your email. Think about what that could entail. I realized my banks, bless their hearts, don’t put my full routing and account information anywhere online as a security measure but they do include images of scanned checks. (Checks are those things you pay a contractor so he doesn’t have to pay 3% processing fees or deal with duplicate income reporting from Venmo.)
It’s not me (yet), and maybe it won’t be. But it’ll be your parents or their friends soon enough. Plan before the hack. I really have no great ideas here. I don’t think my accountant necessarily is guilty of much past not recognizing a larger threat in time and possibly not keeping his work and personal data separated completely. I’m not even sure if things that were customer data were reachable, but I’d imagine if someone’s able to hack your personal life away they can probably be assumed competent enough to invade work space.
At this point I’m going to wrap up. I’m not a security expert. I don’t think the best practices I use are going to stop a determined or smarter than me hacker. I can only work at making it a little harder by making my life less online, and locking my credit and placing fraud alerts. Maybe it’ll help, maybe it won’t.