Speaking with Clients about 2FA Fraud Prevention

by Dr. Sean Stein Smith, CPA, DBA, CMA, CGMA, CFE, City University of New York - Lehman College | September 26, 2024

As technology and digitization have increasingly become part of our everyday personal and professional lives, the importance of safeguarding data has only grown. For CPAs, who are very frequently tasked with handling personally identifiable information (PII) and other confidential financial information, establishing solid internal controls for firm and client use is of paramount importance. One of the most commonly used methods for increasing the security of data is two-factor authentication (2FA). While the specifics vary by implementation, 2FA is an identity and access management method that requires users to present two independent factors: something they know (a password), something they have (a phone, token or security key) or something they are (a biometric). In practice the second factor is often a code sent by text message, a biometric (as with Bloomberg), facial ID (as with the iPhone) or a retinal scan. In the post-COVID economic landscape, the opportunity for bad actors to exploit weak controls and weak implementations of 2FA has continued to grow, and the weakest common implementation is the one that ties the second factor to a phone number.

The Federal Communications Commission (FCC) has identified two methods that fraudsters use to wreak havoc by turning the very tools individuals trust to keep data safe against them. Additionally, I myself fell victim to one of these methods in March 2024, so these events can happen to anyone at any time.

SIM Swapping

SIM swapping occurs when a cybercriminal obtains enough personal information, whether through phishing scams or from dark web marketplaces, to trick the victim's cell service provider into activating the victim's phone number on a SIM card the criminal controls, typically by claiming the phone was lost or replaced. Once that step succeeds, the number has been transferred to a new device and the criminal receives every call and text sent to it. Any 2FA that delivers codes by SMS or voice call, along with any password-reset flow that relies on the phone number, now works for the attacker, opening up the social media, financial and other accounts connected to that number. The victim's own phone usually loses service at the same moment, which is often the first sign that something is wrong and should be treated as an emergency rather than a network outage.

Port-Out Fraud

Similar to SIM swapping, port-out fraud occurs when cybercriminals open an account with a different cell phone carrier than the one the victim uses. They then ask the new carrier, the one holding the fraudulently opened account, to port the victim's number to it, supplying the same account details a legitimate port request would require. While slightly more complicated than a SIM swap, which only involves activating a new SIM card at the existing carrier, the end result is the same: calls, texts and SMS-based 2FA codes go to the criminal. This is the 2FA fraud that impacted me, and it took me several weeks to unwind and rectify. For more on this, please watch the webinar (passcode: G+^9mj&H), where the entire episode is explained in detail.

Prevention Measures

2FA fraud can strike any individual or institution at any time, but there are steps that CPAs can take with colleagues and clients to help keep important data safe from cybercriminals. These are in addition to the "standard" recommendations: keeping firewalls and software up to date, enforcing strong and unique passwords (current NIST guidance in SP 800-63B favors long, unique passwords changed when compromise is suspected over a fixed change schedule) and, for sensitive data, implementing passkeys, which cannot be intercepted by taking over a phone number. Let's take a look at a few of them:

  • Invest in identity monitoring. Especially for business owners or high-net-worth individuals, establishing an identity monitoring program is essential. Different levels of scanning and protection are available, but having real-time alerts about the business, and about whether websites linked to an online profile have been compromised, allows you and your clients to respond to potential hacks and breaches before they escalate.
  • Utilize separate personal and business devices. The popularity of bring-your-own-device (BYOD) policies has been a boon from a convenience perspective but is potentially a disaster from a data security point of view. Keeping devices, numbers and 2FA enrollments distinct from each other limits the damage if one number is hijacked, and it also leaves your client with a second device from which to maintain contact and operations while the event is being resolved.
  • Minimize the use of public Wi-Fi, enable a VPN and obtain backup numbers. As convenient as public Wi-Fi is, a public network is never as well controlled as an enterprise network or a home network whose password is kept current and known only to a small number of people. Enabling a mobile VPN (often bundled with an identity protection plan) is a solid first step. Additionally, consider advising clients or colleagues to obtain a number that is not tied to a carrier SIM, such as a Google Voice number, for additional security (or even 2FA) purposes. Most directly, ask the carrier to set an account PIN and a port-out or SIM-change lock on every line (the major carriers offer these at no cost), and move 2FA for financial accounts off SMS to an authenticator app or hardware security key wherever the institution supports it; neither of those depends on who controls the phone number.

2FA is a powerful tool that helps CPAs keep firm and client data secure, but when the second factor is a phone number, it inherits every weakness of the carrier's customer-service process and can be turned against its users. CPAs and other financial advisors should be well versed in how to deploy 2FA effectively, which factors resist phone-number takeover, and how to prevent bad actors from seizing control of these security measures.
