PHOTO: DEPOSIT PHOTOS
Martin Daks // April 6, 2026
It seemed like a routine transaction. A New Jersey commercial real estate company wired $500,000 in property tax payments to what it believed was Creskill Borough. It wasn’t. A hacker had sent a convincing email impersonating the town, claiming the municipality had changed its bank account and providing new wire instructions. Nobody picked up the phone to confirm. By the time the delinquency notices arrived, the money was gone.
Stories like this are becoming alarmingly common, according to Rahul Mahna, an EisnerAmper partner who leads the firm’s Outsourced IT Services team. “Every year feels like there’s a new perspective, a new approach that the bad actors use,” he said. “The risk factor just keeps increasing.”
Mahna noted that cybercriminals once largely focused on financial services and health care — industries where sensitive data and deep pockets made for attractive targets. But that calculus has changed. “Over the last couple of years, I’ve seen a pretty significant rise in nonprofits being targeted,” he said.
The reason comes down to publicly available information. Most nonprofits are required to post their financial disclosures – 990 reports – online. Savvy criminals can quickly mine that data to identify organizations sitting on substantial assets.
The attack methods themselves have also evolved — from early ransomware schemes that held data hostage to today’s “man in the middle” attacks, where criminals insert themselves into email threads or impersonate vendors and government agencies to redirect payments.
Mahna described one local nonprofit that lost a significant sum after a bad actor hacked the CFO’s email and used it to redirect a wire transfer. The fraud was executed on a Friday. “Wire transfers can generally be pulled back within 48 to 72 hours,” he noted, “but if you do it on a Friday, you lose Saturday and Sunday.” By Monday, the window had closed.
When EisnerAmper stepped in to help, Mahna said the first recommendation had nothing to do with technology. His team conducted a cash disbursement audit, tracing how money moved through the organization and identifying gaps in internal controls. They found that multiple people had the ability to call the bank, with no checks and safeguards in place. Something as simple as a verification phone call – when a vendor changes payment information – could have stopped the fraud cold.
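As an added illustration of the two points above, the recall window shrinking over a weekend and a callback-plus-dual-approval control on vendor bank changes, here is constructed Python that is not code from EisnerAmper or from the article; the vendor record, phone numbers, business hours and 72-hour window are assumed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed vendor master record (assumed values). The callback number is the
# one already on file, never a number supplied inside the change request itself.
VENDORS = {"town-tax-office": {"account": "ACCT-ON-FILE", "callback_phone": "+1-555-0100"}}


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account: str
    requester: str                       # staff member who keyed the change
    approvers: set = field(default_factory=set)
    callback_number_dialed: str = ""     # number actually called to confirm


def release_allowed(req: BankChangeRequest, min_approvers: int = 2):
    """Return (ok, reasons). A changed account is used only if every control passes."""
    vendor = VENDORS.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown vendor"]
    if req.new_account == vendor["account"]:
        return True, []                  # no change: normal approval path applies
    reasons = []
    # Control 1: confirm by calling the number on file, not one in the email.
    if req.callback_number_dialed != vendor["callback_phone"]:
        reasons.append("change not confirmed by callback to number on file")
    # Control 2: segregation of duties; the requester cannot approve own change.
    if len(req.approvers - {req.requester}) < min_approvers:
        reasons.append(f"needs {min_approvers} approvers other than the requester")
    return (not reasons), reasons


def business_hours_in_recall_window(sent: datetime, window_hours: int = 72,
                                    day_open: int = 9, day_close: int = 17) -> int:
    """Count bank business hours (Mon-Fri, day_open..day_close) that fall inside the
    recall window. Assumes the window is wall-clock hours from the send time."""
    return sum(1 for k in range(window_hours)
               if (t := sent + timedelta(hours=k)).weekday() < 5
               and day_open <= t.hour < day_close)


FRIDAY_SEND = datetime(2026, 4, 3, 16)    # a Friday afternoon (constructed)
TUESDAY_SEND = datetime(2026, 4, 7, 16)   # the following Tuesday afternoon

if __name__ == "__main__":
    bad = BankChangeRequest("town-tax-office", "NEW-ACCT", requester="ap-clerk",
                            approvers={"ap-clerk"}, callback_number_dialed="+1-555-0199")
    print(release_allowed(bad))
    print(business_hours_in_recall_window(FRIDAY_SEND),
          business_hours_in_recall_window(TUESDAY_SEND))
```

With the assumed hours, a Friday-afternoon wire leaves 8 business hours inside the 72-hour window versus 24 for a Tuesday wire, which is the weekend effect Mahna describes.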
Technology solutions followed. Mahna’s firm now deploys close to 20 distinct layers of protection, up from five when they started. Multifactor authentication, he stressed, is not enough on its own. The industry is moving toward Extended Detection and Response, or XDR — a holistic approach that monitors not just individual devices, but an organization’s entire digital footprint, including cloud services, email and network activity. “You can’t just look at an individual on their computer,” he said. “You have to look at all facets of an individual and the stack in which they operate.”
Artificial intelligence is reshaping the threat landscape in ways that are outpacing many organizations’ defenses, according to David Scott, managing director of forensic & integrity services at Ernst & Young.
Cybercriminals are no longer relying solely on traditional phishing emails and opportunistic scams. They’re using AI to plan and execute sophisticated attacks, convincingly impersonating trusted individuals and exploiting vulnerabilities at scale.
“A single bad actor or small group can initiate dozens or hundreds of tailored attacks simultaneously,” Scott warned. “Traditional cybersecurity controls were not designed for this environment. Security leaders must rethink their approach with an ‘AI first’ mentality.”
The EY Cybersecurity Roadmap Study of 500 senior corporate security leaders found that 96% believe AI-enabled cyberattacks now pose a significant threat to their organization. Nearly half estimate that a sizeable portion of the cybersecurity incidents they experienced in the past year were enabled by AI. Yet fewer than half say they are strongly confident in their organization’s ability to defend against AI-driven breaches.
Proactive organizations are investing in stronger governance, regularly assessing vulnerabilities and conducting tabletop exercises that walk executive leaders through worst-case scenarios, added Scott. “These exercises not only improve technical readiness, but help leaders make faster, more confident decisions during moments of crisis.”

Robert Owen, a SAX Technology Advisors partner and CTO, has seen the shift firsthand. A New Jersey warehouse and manufacturing company was hit with a ransomware attack that froze its systems and rendered its data inaccessible. “The company’s IT person had no incident response plan and no usable backups,” he recalled. “Leadership faced an agonizing choice: attempt a costly rebuild from scratch or pay the criminals and hope for the decryption keys. They paid.”
Of course, “when you pay ransom, the question is, how do you actually know that they’re not still there?” Owen added. “You’re dealing with bad guys. Bad guys don’t tell the truth; bad guys don’t have ethics.”
Where attackers once focused on high-profile targets – major banks, large insurers, Fortune 500 companies – the game has fundamentally changed. “They’re casting a giant net over entire industries,” Owen explained. “They’re looking for holes in a company’s armor.”
Rather than spending a year trying to breach a heavily fortified corporation, cybercriminals now simultaneously target thousands of smaller organizations, “trading whale hunting for fishing with a net.”
And a cyber insurance policy alone won’t stop bad actors. “The insurance policy doesn’t stop anything,” Owen said. “It just helps you once something bad has happened.”
Worse, a breach can trigger more than just recovery costs, he cautioned. Entire law firms now monitor for reported breaches specifically to file class action suits, while state attorneys general – including New York’s – maintain dedicated divisions pursuing companies deemed negligent in protecting personal data.
To get ahead of these threats, Owen suggests “clear and immediate” priorities.
“Use multifactor authentication on every system, where two or more distinct credentials are required to verify a user’s identity to log into a system,” he explained. “It goes beyond just a password, and combines independent categories – something you know, like a personal identification number; something you have, like a phone or token; or something you are, like biometrics – to prevent unauthorized access. So even if one factor is stolen, other layers will help to block unauthorized access. This is the single most valuable investment a company can make. Close behind it is user education — building a ‘zero trust culture,’ where employees instinctively verify before they act on any email, text, or payment request.”
When a New Jersey-based multilocation medical practice was struck by a ransomware attack, it had to shut down operations for two weeks while rebuilding its digital records, according to Edward Keck Jr., a Withum partner and practice leader for Cyber/Information Security.
“The bad actors got in through a ‘business email compromise,’” he detailed. “This is where attackers compromise or spoof legitimate business email accounts to trick employees, customers, or partners into installing malware, transferring funds or stealing sensitive data. It often involves social engineering, such as urgent, high-level requests to bypass security protocols, causing significant financial losses and data breaches.”
Once inside, the cybercriminals encrypted the practice’s records and demanded an exorbitant ransom. Instead of paying, the practice called Withum, which ran a forensic investigation, rebuilt the systems, upgraded defenses, and provided ongoing employee training.
Keck noted that cybercrime has evolved into a sophisticated, organized industry. Ransomware-as-a-service platforms on the dark web allow criminals with little technical expertise to launch attacks for as little as $20 or $30. Stolen personal data is bought and sold like any other commodity. “Wherever they can make money, this has become an organized business,” he said.
No company is too small to be a target. In fact, the opposite may be true. “Small businesses are often targeted because they’re believed to be the weaker targets.”
That vulnerability gap is where CPA firms step in. Beyond traditional audit and tax services, firms with dedicated cybersecurity practices now offer clients everything from vulnerability assessments and penetration testing to around-the-clock monitoring and digital forensics. Withum operates a dedicated cyber lab at its Whippany facility.
Keck suggests a practical framework – “good cyber hygiene” – which includes keeping software patched and up to date, enabling multifactor authentication, using a password manager, training employees to recognize suspicious emails, deploying device encryption and email filtering, maintaining secure backups, and having a written incident response plan. Cyber insurance rounds out the picture.
“There’s really nothing there that’s optional anymore,” he said.
The cost of inaction is steep. Recovery from a cyberattack, Keck noted, typically runs four to eight times more than proactive security investment. It’s a number, he added, that any good accountant can help put in perspective.