By Lee Pender June 4, 2021

Why Spear-Phishing Is No Match for Cloud Security

When a previously unidentified form of spear-phishing malware attack struck two CPA firms, advanced cloud security was able to thwart it. Here’s how.


Learn more about cloud security and the advanced threat protection Right Networks Cloud Premier provides.


The Classic “New Client” Spear-Phishing Scenario

It’s the cautionary tale as old as email itself:

  1. A customer sends you an email asking for a referral to a CPA firm
  2. You cheerfully forward their email to your CPA, who (because they’re a great CPA) contacts the new, prospective client immediately
  3. Your contact sends their tax information via email file attachment
  4. The CPA clicks on the file—and that’s when the trouble starts

It was never your contact! A malicious actor posing as your customer has now gained access to your CPA’s systems using the tried-and-true “new client” spear-phishing attack method.

And now, malware is running stealthily behind the scenes—combing through the apps, software and technology your CPA relies on…

Only, nobody at the firm has any idea an attack is underway.

Because rather than encrypting the firm’s data for extortion, the actor-posing-as-a-new-client secretly starts stealing personally identifiable information (PII) and tax filing numbers.

After the fake client behind the attack gets what they need, they file the fraudulent tax returns with the IRS using the CPA clients’ information.

And a few weeks later, multiple refunds from fraudulent tax returns are deposited into the hacker’s bank account.

The criminal: Skates away with hundreds of thousands of stolen dollars, maybe more.

The CPA: Contends with infuriated clients, hours of IRS paperwork, expensive fines, penalties and a wrecked reputation.

What could the CPA have done differently? Could the attack have been avoided altogether, or, at the very least, detected before any PII was stolen?

How Two CPA Firms Avoided Potentially Disastrous Data Theft

In Spring 2020, two CPAs (at two different firms) became spear-phishing attack victims.

Each received an email they were expecting, and they clicked. That’s it.

Skull-and-crossbones didn’t take over their screens—nothing happened at all. Sometimes attachments don’t open. Sometimes links don’t work.

And had it not been for what happened next, both CPAs (presumably) would’ve moved on with their days…

However, cloud security containing advanced threat detection noticed unusual system behavior.

Unusual system behavior? For example, if a user opens a Microsoft Word document attached to an email and the user’s computer then begins to download a large amount of data from a known bad or dangerous server, the security system recognizes that behavior as unusual and sends an alert that the server involved should be disabled.
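The behavior rule described above, as an added illustration (not the provider’s own detection code): correlate document-handling processes with where they send traffic and how much they pull back, and flag a known-bad destination or an unusual download volume. The host names, addresses and telemetry below are constructed sample data, not real indicators.

```python
"""Toy behavioral detector: an Office process that starts pulling a large
volume of data from a server, or any data from a bad-reputation server,
is flagged and the affected host is named for isolation."""
from collections import defaultdict

# Constructed reputation list (hypothetical hosts, not real indicators).
KNOWN_BAD = {"203.0.113.7", "updates.example-bad.test"}
# Bytes an Office process may download before we call the volume unusual.
BYTES_THRESHOLD = 5 * 1024 * 1024
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

def detect(events):
    """events: dicts with host, process, dest, bytes_in (constructed telemetry).
    Returns one alert per (host, process, server) that tripped a rule; the
    alert names the host to isolate and the server to block."""
    totals = defaultdict(int)
    seen_bad = set()
    for e in events:
        proc = e["process"].lower()
        if proc not in OFFICE:          # only document-handling processes
            continue
        key = (e["host"], proc, e["dest"])
        totals[key] += e["bytes_in"]    # accumulate per flow, not per event
        if e["dest"] in KNOWN_BAD:
            seen_bad.add(key)
    alerts = []
    for (host, proc, dest), total in totals.items():
        bad = (host, proc, dest) in seen_bad
        if bad or total >= BYTES_THRESHOLD:
            alerts.append({
                "host": host, "process": proc, "server": dest, "bytes": total,
                "reason": "known-bad server" if bad else "unusual download volume",
                "action": f"isolate {host}; block {dest}",
            })
    return alerts

# Constructed sample telemetry: two victims, one clean workstation.
SAMPLE = [
    {"host": "cpa-01", "process": "WINWORD.EXE", "dest": "203.0.113.7", "bytes_in": 4_000_000},
    {"host": "cpa-01", "process": "WINWORD.EXE", "dest": "203.0.113.7", "bytes_in": 3_000_000},
    {"host": "cpa-02", "process": "WINWORD.EXE", "dest": "cdn.example.test", "bytes_in": 20_000},
    {"host": "cpa-02", "process": "outlook.exe", "dest": "mail.example.test", "bytes_in": 9_000_000},
    {"host": "cpa-03", "process": "EXCEL.EXE", "dest": "198.51.100.9", "bytes_in": 6_000_000},
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(a["action"], "-", a["reason"])
```

The Outlook download on cpa-02 is ignored on purpose: the rule is scoped to document-handling processes so that ordinary mail synchronization does not trip the volume threshold.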

In this case, anti-malware and security protocols sprang into action by isolating impacted systems and ultimately stopping the hack in its tracks.

Rather than cause immense disruption for the entire firm, the cloud security team was able to disable only what was impacted (the victims’ servers), knocking only a few users offline momentarily while everyone else continued to work, unaware of any issue.

Within minutes, the CPAs who had (unknowingly) initiated the malware were back up and running.

Meanwhile, cloud security engineers continued to run diagnostics on the attack to determine 1) how it happened, 2) why it happened and 3) how to keep it from ever happening again.

Why Standard Antivirus Software Wouldn’t Have Helped

The malware used in the attack was a type most security experts had never seen, and one that standard antivirus software would likely have missed: a zero-day exploit.

“The term ‘zero-day’ refers to a newly discovered software vulnerability. Because the developer has just learned of the flaw, it also means an official patch or update to fix the issue hasn’t been released. So, ‘zero-day’ refers to the fact that the developers have ‘zero days’ to fix the problem that has just been exposed — and perhaps already exploited by hackers.”¹

Had cloud security not thwarted the attack, the hacker could have funneled data out of the firm for months. All because one software vulnerability, exposed through spear-phishing, made it possible for malware to install.

And before we go down the “well, what was vulnerable?” road, let’s be clear: That part doesn’t matter so much. (And, I don’t know.) Vulnerabilities are exposed and patches are released every single day. The victims here were in the right place at the right time, just trying to do their jobs.

Gain Cyber Threat Protection with 24/7/365 Cloud Security and…

There are a few ways users can protect against phishing attempts and zero-day attacks, and keep their businesses safe from cyber threats:

  • Keep software, applications and systems up-to-date with the latest patches, bug fixes and enhancements
  • Be aware of the latest advancements in cyber threats (you are the first line of defense)
  • Never click or open any file attachment from an unknown sender (and if an email is from someone you know, but unexpected and out of place, check to make sure your contact actually sent you the email—their systems could be compromised, and they don’t know yet)
  • Use a cloud provider to gain 24/7/365 bank-level protection

Running applications in the cloud with a trusted cloud provider is the safest way to ensure business continuity. Learn more about the built-in bank-level security cloud hosting technology provides, and the advanced threat protection offered by Right Networks Cloud Premier, in our resource center.

 


Originally published March 19, 2020, updated June 04, 2021.


