Tech Support Scam Ensnares California CPA Firm

Who: Martin Hutchison & Hohman

# of Accounts Breached: None/Unknown

What was affected: Tax returns, personal data.

When it happened: February 15, 2019

How it happened: On Friday, February 15, 2019, while trying to resolve an email failure with our email host, Suddenlink, I was directed to a website that gave a phone number to call for immediate assistance. When I called this number, the technician stated he could certainly help. He requested access to my computer to understand the issue with the email. After I installed the software necessary to give him remote access to my computer, he pulled up some IP addresses on my computer screen and stated that this was the reason for the email failure. He then insisted that in order to fix the problem and prevent viruses from attacking, I would need to allow him to install a program on our office’s network server. I told him no and that our local computer technician would be contacted to deal with this. At that point, he stated that only a Microsoft Tech such as himself would be able to do this. This was a red flag as I thought I was dealing with a Suddenlink technician. At that point, I quickly disconnected my computer from the internet and from our office network. I then uninstalled the remote access software I had just allowed him to install and turned the computer off. This entire interaction lasted less than eight minutes. Our local computer technician was contacted immediately. They indicated that this was a known scam and that they try to copy information that exists on the computer they are given access to and, to their knowledge, are not able to move beyond that initial local hard drive quickly, if at all.

Outcome: The computer was immediately taken to our computer technician’s shop for a virus check and cleaning. I learned the next morning that the computer was infected with a sophisticated virus that could not be prevented by normal virus protection software. The hard drive was then replaced in order to prevent any risk of further infection. It is still unknown if any client information on our computer network was compromised. At this time, there is no indication of further infection involving our computer network. We are performing virus scans of all computers and upgrading virus software as needed. In addition, we are changing physical controls which include storing more, if not all, of our client data in an encrypted form. The majority of our client data has been maintained in encrypted form for some time. However, we are working to review all of our data storage to ensure that everything possible is stored this way. In addition, we will no longer allow an outside technician to remotely access any computer on our network. Lastly, and most importantly, we are sending out this notification as quickly as possible to all those potentially affected.