Malicious Malware and Methods to Mitigate the Risk

The greatest strength of the internet is also its greatest weakness. Sitting at a keyboard, you can quickly access vast and valuable resources which are available at your fingertips. However, unless you are very careful, malware may tag along for the ride. Consider this scenario:

You are at work perusing email and receive a message from a former colleague. The subject line indicates the email is in response to a previous message. Strange, because you do not remember sending a message to that person. Why are they sending a reply? Your curiosity gets the better of you and, despite a brief moment of concern, you open an attachment to the email. Within seconds your computer screen turns blue and unresponsive. The sinking feeling in your stomach intensifies when you receive a phone call from your firm’s IT department. Then it strikes you, you are the victim of malware.

This article examines various types of malware, identifies some of the warning signs that indicate your computer may be infected, and teaches strategies to avoid this risk.

What is Malware?

The term “malware” is short for “malicious software.” At best, malware displays unwanted advertising in your internet browser. At worst, it can disrupt an organization’s operations, and provide access to the organization’s computer systems, including sensitive information. CPA firms that have been the victim of malware have suffered severe consequences, including embezzlement of client funds, ransom demands and exposure of confidential client data.

There are four ways malware typically infects a system: viruses, worms, spyware and Trojans.

A computer virus inserts itself into a software program on your computer and uses that program's resources to reproduce itself and spread to other programs. Often, the virus will destroy data or perform other malicious actions.

Worms are aptly named for their ability to "crawl" through networks. Worms replicate themselves but do not embed themselves in other programs as a virus tends to do. Worms move along a network connection seeking vulnerable machines to infect. For example, in 1988, the “Morris Worm” became so widespread that it managed to slow the entire internet.

Like the Trojan horse of Greek mythology, a Trojan is a form of malware that, on the outside, appears to be a useful program or data file. Inside a Trojan, however, are digital soldiers ready to attack. One example of a Trojan is ransomware. Ransomware encrypts the victim’s files or an entire hard drive, preventing users from accessing files. After the ransom is paid, the victim’s files are generally decrypted and the user once again has full access to their files.

Trojans are often spread in a social engineering environment, where a bad actor purporting to be a friend or colleague sends the targeted victim an email with an infected attachment or link containing the malware.

Spyware’s main function is to monitor what you are doing on your computer, on or off the internet, and send that information to a third party without your knowledge. In some cases, this data harvesting is used solely for marketing purposes. In other cases, the intent is more sinister. A theft might occur when an imposter, posing as a client, directs a CPA to send a payment to an illegitimate recipient.

How do I Know if my System is Infected with Malware?

The short answer is: it’s difficult.

Sometimes, you can intuit the presence of malware because your computer starts running very slowly. Unfortunately, your computer could be running slowly for any number of reasons so this, alone, may not definitively alert you to the presence of malware.

Regrettably, malware may only manifest itself when damage has already been done. At a date predetermined by a virus, you may see a message on your screen telling you that your computer has been infected. That may be the best-case scenario. If the person who wrote the malware is more sinister, you may discover that all electronic workpapers are missing and your tax files have been destroyed.

When detection is unlikely, the best course of action is prevention.

How do I Avoid Malware?

Preventing a malware infection involves a combination of software solutions, vigilance and education. Consider the following:

  • Check the email addresses of senders and do not open suspicious emails. If you do open one, do not reply to it, even if the email instructs you to do so in order to opt out of future emails or unsubscribe.
  • If a suspect email is opened, do not click on any links or attachments.
  • Confirm the authenticity of suspicious emails by checking with the sender via an alternative means of communication. For instance, telephone the person instead of replying to the email.
  • If you cannot authenticate an email, it is best to delete it. Better safe than sorry.
  • Regularly train staff on common types of malware and how to avoid them, including how to respond to suspicious emails.
  • Use spam filters and an anti-virus program to detect and filter bad emails. Keep these programs running at all times. Enable automatic updates.
  • Install and enable an endpoint security product or endpoint protection suite, allowing automatic updates. Be careful and do the necessary research to ensure you are purchasing a reputable product. Some products advertised in web banners and pop-ups are, themselves, spyware.
  • When security patches become available for operating systems and office programs, such as Windows and Microsoft Office, install them immediately. Again, enable automatic updates.
  • Microsoft Office users should disable macros by default since malware may be disguised as macros. Before enabling an Office macro, check with the source and search online to ensure the macro is not malware.
  • If third party programs such as Adobe Flash and Java are not required for your work, uninstall them. If these programs are necessary, ensure that vendor-provided security patches are installed on a timely basis.
  • Discontinue use of Windows XP now! Microsoft ceased support of this operating system in 2014. As a result, the system is extremely vulnerable to attack and at risk for infection. Visit Microsoft for more information.
  • Adjust the security settings in your web browser to the highest protection available that still permits you to use your browser as needed.
  • Back up data on a regular basis and keep archived copies offsite and offline, so the backup itself cannot be infected.
  • Even with the best risk management measures, an attacker may be successful. Like any other potentially damaging event, understand how the firm’s various insurance policies will respond to the event and close any gaps in coverage.
  • If all else fails and you have a malware incident, create and implement a plan to guide the firm’s response. Have frequent practice sessions on how the plan will be followed in the event of a data security incident and make adjustments as necessary.

A proactive approach to preventing malware attacks will help a CPA firm maintain its computer systems securely and demonstrate its commitment to protecting its confidential client information.

While there are no foolproof measures to completely avoid malware, taking the preventive measures outlined here will make it more difficult for anyone to infect your computer system.


This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.

Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

“CNA” is a service mark registered by CNA Financial Corporation with the United States Patent and Trademark Office. Certain CNA Financial Corporation subsidiaries use the “CNA” service mark in connection with insurance underwriting and claims activities. Copyright © 2016 CNA. All rights reserved.

Last updated: 21 October 2019