The .CPA Domain: A Bright Line for Security and Trust in the Digital World
It’s easy to grasp the branding advantages the new Internet domain for the CPA profession, .cpa, can offer. Less obvious but just as important is the enhanced security it delivers.
.CPA is a high-value restricted internet domain with verifications and controls. A restricted domain means not everyone can apply for it: in this case, you must be a licensed CPA firm (starting in January 2021, licensed individual CPAs can also apply). Why is this important? Unrestricted domains are unmanaged and uncontrolled. Users are not verified and there is no implementation of security best practices. Essentially, any fraudster can sign up for an unrestricted domain such as .com and closely mimic a legitimate business site. Not so with .cpa.
It’s no surprise Internet crime is rising, even more so as people increasingly work from home. A recent Ponemon Institute survey found that 57 percent of small businesses reported instances of phishing or social engineering attacks in the past 12 months, many tied to fraudulent look-alike or spoofed domain addresses (also known as imitator domains). More than 114,000 individuals reported being a victim of a phishing scam in 2019, incurring collective losses of almost $60 million, the latest FBI statistics show.
Phishing involves bogus emails that appear to come from reputable companies, trusted co-workers or bosses, with the goal of gleaning usernames, passwords or credit card details. A common strategy is to use combinations of numbers (a zero where an “O” should be, for example), letters and foreign characters to mimic existing domains to deceive end users. The good news is most phishing attempts fail – but for CPA firms that deal with sensitive client data, a data breach or other information security lapse can be devastating.
Here’s how .cpa can help strengthen your firm’s defenses:
Unlike open domain extensions, only licensed firms and individual accountants can register and use a .cpa domain. License verification will take place at the time of purchase through CPA.com, and at other random periodic times. This will reduce a scammers ability to purchase lookalike domains on a large enough scale to make it worth their while.
The verification process should also effectively limit the proliferation of spam in the .cpa space. Spam is a preferred delivery tool for ransomware, malware, and phishing. CPA.com’s policy is to not post domain owners’ names and registration information on publicly listed registry records, so spammers will be unable to collect long lists of .cpa domain holder addresses to send out email blasts.
Of course, CPA firms will still responsible for the everyday, routine blocking and tackling of data security. The AICPA’s firm management section has excellent advice on how to improve vigilance and follow best practices in this area, including this checklist and recent explainer article. But the move to restricted domains is a step many progressive businesses and professions are taking to improve trust and curb fraud in their online operations.