Securing Your Security

There may be errors in spelling, grammar, and accuracy in this machine-generated transcript.

Alicia Katz Pollock: In this episode of the unofficial QuickBooks accountants podcast, we are going to revisit a topic that we talked about, you know, about six weeks ish or so. Um, and let's talk about security again in this fast moving tech environment that we are in. Things change quickly. And so we have some new information and new solutions for you. So I've got with [00:00:30] me Dan DeLong of School of Bookkeeping and the QB Power Hour. And um. Hey, Dan, how you doing?

Dan DeLong: Very good. Alicia. Good to see you again.

Alicia Katz Pollock: Absolutely. Thank you so much for coming back. And, uh, updating the information. So for those of you who might not have listened, we had an episode called Insecurity About Security, also with guest Jamie Pollock, my husband and business partner. Uh, a few weeks ago. And so we were talking about security vulnerabilities, [00:01:00] not just with QuickBooks, but on your computer in general and email scams and things like that. But there's been a lot of talk on the socials about people whose QuickBooks online for accountants are getting hacked or clients are getting hacked, and bad actors are coming in and sending invoices and paying invoices and moving money before we notice. And unfortunately, it's us who get locked out. So, um, tell [00:01:30] us about the resources you've been putting together and the information you've been hearing.

Dan DeLong: Yeah, this has been an ongoing saga. You know, kind of like the Muppets veterinary hospital. Hospital, right? It's an ongoing story. Um, but the general idea is that, um, accountants are are very unique in, uh, in the QuickBooks online space in that they are the tip of the spear [00:02:00] when it comes to access for multiple QuickBooks online subscriptions. Right. So you as an accountant, you may have ten 2000s of QuickBooks online clients in your in your client list, depending on the size of your firm and all that. And QuickBooks and Intuit has been making it, you know, they've been doing some great work, uh, making cash flow and real money movement really quick. [00:02:30] Right. Being able to do that. And so those two things have kind of come to a head when it comes to the the bad actors out there, uh, of seeing, hey, if we could access an accountants login that has access to multiple QuickBooks online subscriptions, that have access to multiple, you know, ways to to move money around very quickly. Well, [00:03:00] that sounds like a pretty good, uh, pretty good thing for. Yeah, an opportunity for a bad actor, right? We're not talking about, like, Vin Diesel being a bad actor here. We're talking about, you know, hackers, right? And people doing unscrupulous, unscrupulous things with with that. Right? Right. And we've all had horror stories of I mean, I'm sure, you know, identity theft or login compromising. [00:03:30] I mean, you stand around a water cooler, you could probably commiserate. Oh, yeah. I was compromised one way or the other. Right. And, uh, the biggest challenge, I think, in this particular situation is because Intuit and QuickBooks and, you know, those services, um, there's a lot of, you know, personally identifiable information, uh, Highly secure, you know, social security numbers, bank [00:04:00] account information, but adding, I mean, really, what they're at right after right now is your money, right? I mean, that's that's really because that's the vulnerability that, uh, these bad actors are, um, are exposing right.

Alicia Katz Pollock: Now. Can I jump in there for a second?

Dan DeLong: Yeah.

Alicia Katz Pollock: The one of the things that I did notice as far as the numbers go is that the Ein numbers are no longer exposed in files that if you click on an Ein [00:04:30] file, it actually asks to send you a text message to verify you. So they're not just they're ready to be taken. So I'm glad that there is a layer of protection on that particular field.

Dan DeLong: Yes. What these bad actors are doing is they are exploiting a vulnerability in the password reset process. Right. So with very limited information, which is pretty readily available. And one of these, you know, kind of taking a step back. I remember the end of last [00:05:00] year, there was this rash of ProAdvisor, um, prospective client requests that were clearly a scam. Right. So, you know, you get some, uh, on your ProAdvisor profile, you know, when you have it public, anybody can search and find you and send you a request for information. And, uh, typically, you know, you want to reply to those as, as a ProAdvisor. And turns out, you [00:05:30] know, it was always these very, uh, elaborate things of like, hey, I'm a casting director at so and so, and I need training for my.

Alicia Katz Pollock: Uh, my lead actor to know.

Dan DeLong: Lead actor.

Alicia Katz Pollock: For his role.

Dan DeLong: And we'll pay you this exorbitant amount of money. And then, you know, of course, you you start, you reach back out to them. And the the way that that happens. It actually provides your email address to, you know, to these [00:06:00] to these people. So it's kind of like a, you know, an elaborate sting operation, right? Where that step one, you know, get someone's email address. And this was the way that that it was able to be done so by you.

Alicia Katz Pollock: Because your ProAdvisor profile that you're replying from is tied to your QBO login.

Dan DeLong: Exactly.

Alicia Katz Pollock: Got it. Okay.

Dan DeLong: So now they've got your email address. So the only thing that they need to do at that point when [00:06:30] you, you know, search for how do I get into my account when I'm locked out is, you know, you have to submit a form online. And when you say, all I need to do is update my email address, all I need at that point is an email address, a user ID, which if you're using the same same one and the same now they've got both pieces of information and the email address that they want to update it to. The next part of this process is uploading [00:07:00] a government ID, driver's license, passport, state ID, or some kind of notarized document. You know, it's been, you know, since happy days, fake IDs have been a thing, right? So if they're willing to do you know that first part, chances are they've probably got some pretty good access, uh, to be able to forge documents. Right? I don't know, right. I was never privy to, you know, the process that they take after those [00:07:30] those IDs are uploaded as far as the validation process and ensuring the main thing that I heard of was if these documents were not clear, like, you know, bad pictures, they would ask for another one, right? So but, um, other than, you know, confirming that it's, uh, it's an ID that's about it, right? Like, you know. And then the process is, once they've confirmed the ID matches whatever it is that they, they [00:08:00] needed to do, then they would send a password request to the new email address. Right. So you might have gotten a confirmation that they updated the email address to the old one. Who knows. You know, I don't know what that what that process actually is. But now they've sent a password request to the new email address. Now all the MFA codes, all the anything else is now compromised, right?

Alicia Katz Pollock: Definitely [00:08:30] want to keep an eye out to see if you got one of those confirmation emails. And then if you're like me and you have a heavy filter putting all of your Intuit notifications in a folder, it's possible you might never see it.

Dan DeLong: Yeah. Yeah. Or the you know, on top of that, there's maybe maybe the robo spam. You, you know, at the same time that they're updating the email address, and now you don't see it because it's now all hidden. Right. Um, so that's that's [00:09:00] quite a possibility as, as well. Okay. Um, so now they've updated the contact information to their email address or some other email address that they have access to that you don't as, as the login. And so free rein. Right. I can now add you know a change my change the phone number I can change the, you know all those other things. And now all that communication is not going to you. It's going to the bad actor. [00:09:30] Right. So with just that, uh, they're able to bypass all of these other security measures of passkeys and authenticator apps and, you know, all the things that would essentially prove you are logging in to your QuickBooks online is now in someone else's hands.

Alicia Katz Pollock: Right?

Dan DeLong: And.

Alicia Katz Pollock: Yeah. And so this has been happening frequently enough that multiple people that I know personally have [00:10:00] had it happen to where they get locked out of their accounts.

Dan DeLong: Right. And the, uh, unfortunately, the the response from Intuit when those things have happened has been, well, did you have MFA on did you have this or you know, it's almost like they were victim blaming that, you know, these people weren't doing the proper things. But in reality, it was it was a vulnerability that was being exploited.

Alicia Katz Pollock: So it wasn't it [00:10:30] wasn't even necessarily that the bad actor had already had their email login, which is what I hear a lot, that they say, oh, well, it was the vulnerability was actually on your end that they must have your password in order to do this. From what you're saying, that's not even necessary.

Dan DeLong: They were just bypassing the whole process. Right? And that process existed for, you know, for a reason. Like if the login was to an old email address and you needed to update [00:11:00] it, that was the process to be able to update that email address. Right. And um, and for a long time that worked. Right. But now this this is now the vulnerability. And they weren't really taking accountability for for that. Right. Because if you if you are on a bank, right. Like if you, if you lose your password or forget your password at, at a bank, typically they ask something else to confirm your identity, [00:11:30] uh, like your account number or something like that. Before, you know, you even get to that process. So simple data mining of finding someone's email address, uh, is not, you know, the, the whole idea, right? So, I mean, that's, that's that's not as, uh, of a of a security measure, uh, as uploading, you know, your, your, your, your government ID in an email address at that point.

Alicia Katz Pollock: So now, [00:12:00] because we know a lot of people who have been through this, uh, some people have actually put together some solutions and some workarounds, and it's not even I don't even want to use the word workaround because it's not a workaround. It's best practices for how you can arrange your communications with your QBO and your clients so that you can keep that an additional level of safety, security, and your own back door.

Dan DeLong: Yeah. Yeah. I mean, there's best practices [00:12:30] and then there's standard operating procedures. This should be the latter of the two. I mean, these are the things that you can do to, um, you know, put a buffer between you and the bad actors. Now, to be fair, Intuit has now instituted another security measure in place so that that vulnerability is not as exposed as it was before. And that is, um, a facial recognition selfie. [00:13:00] So it's not just, you know, they take a picture of themselves and they send a selfie. No, it's.

Alicia Katz Pollock: Oh, so like the one that they use in Id.me when you do your government ID where they, like, take a picture of your face from all angles.

Dan DeLong: Right.

Alicia Katz Pollock: That they have that kind of 3D image.

Dan DeLong: So now instead of just the, you know, the ID, uh, passport, you know, driver's license, submitting that they also do both. Right. Where you have that facial recognition, uh, [00:13:30] selfie ID and the government ID. So now there's some comparison between the photo that's in the photo ID. Okay, so who it is.

Alicia Katz Pollock: So you give them the photo ID and then you have to do a real life. Hey, this is me. I am matching this ID. It's not just my picture and I'm somebody else, but you're actually giving a verification, right? That's really nice. That's a great idea.

Dan DeLong: Right. So, you know, it sounds, you know, I'm not a bad actor, so I [00:14:00] don't know all the vulnerabilities that are out there. Um, and, you know, nothing is foolproof because fools are so ingenious, but the, um, with those two things in place, I feel confident that that is basically, you know, put the finger in the dike that that is going to stop the bleeding of this happening in the, in the future. But that still doesn't stop. Uh, it still doesn't mean that you should just not do anything [00:14:30] else. Um, and, and don't rely on these security measures to, you know, to help you out. We have identified, um, well, a lot of people like Rachel Barnett, who's been screaming this from the time that she's been compromised. Um, she's actually come up with a really great way, uh, to put, uh, to, to basically mask your email address, um, from those bad actors. Right. So again, if [00:15:00] you do that from, you know, replying to, to the, to the request, that email address is going to show. But if you change that to this masked email address, then of course they have access to an email address that you don't.

Alicia Katz Pollock: Okay.

Dan DeLong: It's really not it.

Alicia Katz Pollock: So I want to actually go through Rachel's excellent, excellent breakdown of how to create this middle level of blind security. I just want to reiterate that it sounds like Intuit [00:15:30] has plugged the leak on the how to update your ID so that you have to have facial recognition of a real human being in the process to match the ID, and so we shouldn't be seeing any of this particular scam happening anymore? Right. Okay. And so now the next level is an additional level of protection with this SOP for managing your QBO and your email [00:16:00] addresses and your users so that when the scammers come up with their next version, you've already got this level of protection in place. Is that do I have that right?

Dan DeLong: Yeah. Yeah. I mean, this is very it was reminiscent to me of like, all of the things that we now have to do every day at when we go through TSA, right? I mean, we, you know, all of those things were reactionary, right? Taking off your shoes was not a thing until somebody found a vulnerability with [00:16:30] that.

Alicia Katz Pollock: Right. And now my.

Dan DeLong: Team, we don't have to take off our underwear.

Alicia Katz Pollock: Right. Although now my TSA PreCheck line is longer than the standard. The standard. Now I'm like, huh? Maybe I should spend the $300 to go get clear. Right. Okay. So. So let's go in and thank you Rachel, for breaking this down. And so Dan, you actually worked with Rachel and published an article on School of Bookkeeping that that includes all of this step by step [00:17:00] what to do. And so we will have a link to that in the show notes, so that you can have a visual to go along with what we're going to explain.

Dan DeLong: So the whole idea is one to create a backup never used user, which is always a really good best practice or you know, now it should be just an SOP is create a backup user that would allow you to get in should something happen with your login. Right? And I've [00:17:30] seen other things where people have legitimately been locked out of their account, uh, because they were traveling overseas and logging in, uh, into QuickBooks online. Right? So always have a secondary way to get into your account. So you create a backup user.

Alicia Katz Pollock: Can I let me let me chime in on that one. So so with that backup user, basically what you're doing is you're creating an email address that's not used for any other purpose that you add as [00:18:00] a user with complete company admin, not primary admin, because that's still you, but company admin levels. And then you not only have that ability to log in, but you should also take an extra step and assign all the clients to that user so that while you're getting all the rest of it sorted out with Intuit, you can still go in and get your work done right.

Dan DeLong: Okay, so so that's one thing. And if you're using [00:18:30] Google Workspace or Outlook, um, or you know, any other number of, of web mail, uh, you should be have the ability to create email aliases on the article. I have a walkthrough of creating email aliases inside of Google Workspace, so you can take an I, and I've created a link or put a link to both of those. If you have [00:19:00] an exchange server, just talk to your IT person about being able to do that. Um, but the whole idea is to create a super secret, um, a email alias and then update everything to that as far as Intuit is concerned. Right. So what will ultimately happen is any communication will go to that masked email address but then come to you.

Alicia Katz Pollock: So it goes to this other email address that's not exposed anywhere else except used for this [00:19:30] purpose, but it forwards all the emails and messages to your real email address. Okay.

Dan DeLong: Right. So that alias is basically a buffer For between you and the bad actors, right? So even if they do happen to get that email address, if they're not getting access or insight into your email address, everything else will be forwarded, um, to you.

Alicia Katz Pollock: So that's protecting your workspace. And like the rest of everything, it's not specific to your QuickBooks because [00:20:00] that's the original alias email address, but it's a level of protection so that now you haven't given them keys to the kingdom if they can break your password.

Dan DeLong: Exactly. Okay. Got it. So you're going to do that for the backup admin? Uh, so the company admin, that is in case of emergency break glass, right? You you go into that that backup admin. Then you also do that for your primary admin. You know, you as the as the firm owner. That's the one that you do [00:20:30] that you use for all of your work is is doing that. But these two aliases are separate um, and different. Right? So that you, you know, you know, who's who in the zoo. Um, and then one of the last options that Rachel was talking about, um, which may or may not be something that you ultimately use, is creating a limited access user called quotes at your domain.com. Right. And the whole idea there is that [00:21:00] when you get invited, you get invited, uh, by a prospective client or somebody else that you're, you're working with, you would get invited to that quotes user, uh, so that, um, you would accept the invitation and then immediately go in, remove client access from that quotes user, and change that over to your main primary admin and your and your backup. So that way if that login happens to be compromised, they don't have access [00:21:30] to anything, right. So they wouldn't have access to your books. They wouldn't have access to your clients.

Alicia Katz Pollock: Okay. I do want to point out though, that if you're inviting somebody to your file, if you're inviting a client to invite you as an accountant user, they do now have an option that you don't have to do it over email at all anymore. You can now just provide the company ID number. And I've started using that. And that's been working really good for me. So instead of giving them my email address, I'm copying my company ID [00:22:00] and I'm throwing it in the Zoom or the email and giving them my ID, and now they don't have any email associated with it.

Dan DeLong: I mean, I've seen that process work and it and it is pretty phenomenal, right? Because it avoids all of the problems that you have with email invitations, cache and cookies and clearing and all that stuff. Um, you know, and especially, you know, clients who potentially, you know, could put in the wrong email address or they type it wrong [00:22:30] or something like that. So it's immediate. As soon as you put in the firm ID and it shows up in your firm and you can just accept it, right? So those are, those are, um, good, good best practices there. So there's so those um, the primary admin is updated. The um, backup admin is, is now invited as a, as a secondary person, you're going to create the the user for that based off of [00:23:00] that secondary backup email address. And then your quotes user would be, would be uh added. Um, and then in the in the article I have um options for if you're a larger firm and you and you want to do this as, as part of a practice for a team, right where it's not just you, uh, doing it. Uh, then at that point, you've, you've put the, the buffer between, uh, the [00:23:30] email address and your email address, right.

Dan DeLong: Giving yourself access to, uh, to your firm. Should you get locked out of your your regular login. And then there's other, uh, checklists in here to, for best practices, you know, like strong passwords, changing them, changing your passwords when the time changes. Right. Or something like, you know, putting something in place to update your passwords, you know, have use a password vault and [00:24:00] don't reuse passwords. You know, those types of things, the MFA and the Passkeys and the and the authenticator apps. But then we talk about, um, things that we might you might want to alter in, in your clients to again put friction between the convenience of fast money movement. Right. And that one of those things is the QuickBooks Business Network, which has a promise of really [00:24:30] cool things, but it could potentially cause cause bigger problems if if the logins are compromised. So opting out of the QuickBooks Business Network. This is just a conversation that you want to have with your clients, whether they want to be in it or not. And this doesn't stop a bad actor from turning it back on. Right?

Alicia Katz Pollock: Right, right. Well, so and what Dan is saying about the QuickBooks Business Network, this is still a new concept, [00:25:00] and we have yet to do a full episode about it, but it's a potentially really cool concept that basically they're interconnecting all of the QuickBooks users so that, you know, if you want to pay a bill, you they can put in their ACH information securely in their own QuickBooks file, and then that makes it available to you completely masked, so that you can pay a bill or an invoice. And so it's a way of connecting and automating AR and AP [00:25:30] through already vetted QuickBooks accounts, and conceptually it's fantastic. Um, you it even masks their contact information until it's been approved on both sides. So it's it seems like it's secure, but because it's brand new, we don't know what gaps they're going to exploit.

Dan DeLong: Yeah. I mean that the promise or the theory of, of what the QuickBooks Business Network can, can do is really cool. [00:26:00] Right. Because I send you an invoice, you're here and you have a bill, right? So this is this is one of the things that, uh, and even Brad Smith were talking about when I was there that, you know, we want, you know, we're intuit I can't say we anymore. Um, Intuit wants, you know, an action to create transactions, right. So it's not like you're just going about your [00:26:30] day doing your things and those things are doing the, the, the billing and the bookkeeping for you on your behalf. Right. So you do one thing and and it does. And that creates other automatic transactions. So it's very convenient. But it doesn't mean that I mean and this convenience is just being exploited. Right.

Alicia Katz Pollock: So right. And and that actually, you know, with all of these things that they're putting in for the convenience like this, [00:27:00] like instant deposits, like the new email addresses where you can email like if you're used to emailing AP at a company name and you're sending your invoice in there, they now have email addresses inside the business feed that do that, both for AP and for AR, which is really, really slick. However, that does mean that if anybody gets Ahold of those email addresses who's not authorized, they can send transactions in. So what that points to is this change in convenience, [00:27:30] which is on the surface fantastic, does mean that we have to shift our energy to due diligence, that we actually have to make our buff up, or make more robust our approval processes, that we have to actually make sure somebody is looking at invoices before paying them or before sending them and bills before paying them to make sure that they are legit and actually part of company process. Which does mean that while [00:28:00] we're saving time from not having to make the bill or the invoice in the first place, now we have to add a level of due diligence. So we're just replacing one problem with another kind of.

Dan DeLong: Exactly. Yeah. And another, another thing to, you know, to have a conversation about is instant deposits on QuickBooks payments. Right. So that was just allowing bad actors to have access to your funds instantaneously. Right. [00:28:30]

Alicia Katz Pollock: So I.

Dan DeLong: Don't.

Alicia Katz Pollock: Want I don't want to turn off my instant deposits. I mean, I have it set up, I have a QuickBooks checking account. That and one of the benefits of QuickBooks checking account is that your instant deposits are free. So it literally means that when I get an invoice paid, I get the money within hours. And I love that I don't have cash flow issues because of that. And it's a slick workflow and I don't want to turn off my instant deposit. [00:29:00]

Dan DeLong: Yeah. And that's and that's just part of the conversation, right? It's like, hey, I really need that. Okay. Well that's that's okay. You can have you can still have it on. But here is the potential downside to that. And then it's a it's now a conversation of like weighing the options. Right. And you know unfortunately a lot of times it's you know not something that comes to surface until it, it, you know, the worst has happened. It's like okay, all right. Now I hear what you're saying about [00:29:30] the about the instant deposits. Um, and it is super convenient. Like, I get access to the funds before the email shows up, right? Like. Like this is. This is truly instant. Like 30s at most. Mhm. Uh, to to actually have access to that. So if you know, it's a business that has, you know, cash flow issues and they can't wait that one day because they still come the next day, uh, even when you know, [00:30:00] it's not instant but it's, it's still the next day funding then that's that's worthwhile. Right.

Alicia Katz Pollock: Right. I mean, that's also a reason why you might want to turn to a third party app. So in order to enroll for forwardly, I had to prove my business identity. And so it's definitely it puts you in the, the FinCEN network, like you're actually using the government rails for sending money. And so, you know, I know that that's going to be more secure than anything that Intuit could ever come up with.

Dan DeLong: Exactly. [00:30:30]

Alicia Katz Pollock: But I don't want to have to use a third party app. I want to be able to use the tools that are in front of me and not have to go log in on another website.

Dan DeLong: But you know that that is that is a discussion point, right? Like what's is are the conveniences worth the potential downsides? Right. You know, I love QuickBooks payments. You know, the the benefits that you get for for using QuickBooks payments as far as the time savings is phenomenal, right. [00:31:00] And so I don't want to like you. I don't want to talk to all my clients and myself, you know, to to find another alternative for moving that money movement out of QuickBooks. Um, maybe you want, you know, the functions of QBO payroll inside QuickBooks, right? You know, you you know, you're going to have some Integration conveniences that you're not going to have [00:31:30] with outside third parties. Right. I mean, ADP is as as lovely as they are. They're not going to get that layer of granularity inside of inside of QuickBooks, uh for reporting.

Alicia Katz Pollock: Yeah. So into it, I'm going to just implore you to make sure that you're thinking about every single ramification and every single back door that is out there on the internet, so that you can keep us secure so that we can use these tools with confidence.

Dan DeLong: Yeah. I mean, uh, [00:32:00] one of Hector's, uh, posts that he was talking to the CTO of, of Intuit on our, on our Facebook group is like he he never has the need to send money on behalf of his clients. Right. So the bill payment is is never a thing, right? So for him, if there was a process to just turn it off. Right. Or a preference. Right. Because I'm sure some other ProAdvisor that is in their scope [00:32:30] of service. Right? You know, to have those preferences, to turn them on or off. And if there are needing to be turned on, there is there is some friction. Right. That that's not so just easy as. Okay. I'm logged in. Right.

Alicia Katz Pollock: Oh, so you mean like have have the controls where there's certain features where you can turn them on and off for all of your clients in bulk and then go turn them on and the ones who specifically need those features.

Dan DeLong: Exactly. And then when you [00:33:00] do, then there is, you know, some other process in place to, to ensure it's not just a code. Right? It's there's something else in place because there is real money movement involved here. I think that's ultimately things that we're going to be seeing is, you know, inconvenience to set it up. But a Convenience factor of being peace of mind and having more security in place.

Alicia Katz Pollock: Yeah. And that's the part [00:33:30] that's really getting me is the level of inconvenience in order to have the security, because, you know, things may never happen, but I do have to take some time to go out of my way to put all of these security measures in place. And I think this is one of the things that Jamie said in the Security About Insecurity episode that we well, which is worse, the having the inconvenience of having to go put in a two factor authentication code every time you log in, which is inconvenient, or [00:34:00] being hacked and having your whole system shut down and then having to spend hours and hours and days and loss of income in order to get it fixed. So it's your it's time insurance.

Dan DeLong: Yeah. Yeah. I mean, uh, the latest thing uh, that was on our, our, our Facebook group, uh, is that, you know, they, they spent the better part of a day submitting their information 11 times and the the the service the SLA for for [00:34:30] that to be resolved was seven days. So you know that that process is not convenient at all, but it's a heck of a lot more inconvenient than putting in a six digit code right now.

Alicia Katz Pollock: Does that you know, if I have my my two factor authentication, it can either send me an email or it can send me a text message. Do I need to also have one of those throwaway phone numbers as well, like a separate phone line, [00:35:00] like a grasshopper line or a line two number to use?

Dan DeLong: Well, I mean, I'm sure that I'm sure that could be the case, right? You know, because if you've, you know, especially if your mobile phone number is your mobile phone number, um, you know, having access to that is, you know, not probably not something that you want to readily give out as well. So having another buffer is basically having a phone number alias that [00:35:30] you would have access to.

Alicia Katz Pollock: Okay.

Dan DeLong: But yeah, we could talk about, you know, the the horror stories and the, you know, the, the steps that you could take, um, probably for hours. But, uh, these are, uh, these are just kind of like the best practices, standard operating procedures that that should be part of your, you know, your general onboarding and security of your account so that it doesn't it doesn't [00:36:00] happen to you.

Alicia Katz Pollock: Yeah. So I think this was was an excellent breakdown with some very good actionable steps. So I want everybody to go to the show notes. I want to thank Rachel Barnett for putting together this SOP, um, and Dan for publishing it on School of Bookkeeping so that we have those links available to you. And this is kind of a call to action for everybody who's listening to this, to go grab that document and go ahead and do the process to make new [00:36:30] levels of emails and kind of restructure your QBO to make sure that you are secure now and in the future.

Dan DeLong: Indeed.

Alicia Katz Pollock: Yeah. All right. Well, Dan, what's going on in your world?

Dan DeLong: Well, uh, bopping around the country, uh, for one thing. Where are you now? I'm actually in Seattle. I'm. I'm right. I'm on your side of the.

Alicia Katz Pollock: Are you are you you're going to come visit, right?

Dan DeLong: I'd love to, but we're here for my oldest birthday, and, you know, [00:37:00] we're only here for a couple weeks, so, um, as much as we would love to be able to see everybody that we want to see, you know, you are in war torn, uh, Portland, so.

Alicia Katz Pollock: Oh, yeah. No. Stay away. We've got fall happening here.

Dan DeLong: The leaves.

Alicia Katz Pollock: The leaves are falling all over.

Dan DeLong: But professionally, um, we are working on a a new cohort, uh, for, for November. Um, [00:37:30] for, um, it's called passive aggressive income. How, how accounting pros can be aggressive about passive income. Uh, if that's something that's, uh, in your scope of, uh, of, of availability, right. Like, if you're a CPA, obviously you might want to remain fiduciary neutral and those types of things. But if this is something you want to have some financial connection, even if after your engagement is over, this is a cohort that we're, um, [00:38:00] that we're talking about the, the different options that are, that are out there.

Alicia Katz Pollock: As far as passive aggressive income goes. Um, that passive income is something that I build into royal wise. And that's one of the reasons why I really love being a ProAdvisor is because, like working with Complete Business Group to resell QuickBooks and QuickBooks payments and my relationships and partner programs and the videos that I have out on other platforms, being able to leverage the work that I'm [00:38:30] doing to make additional revenue streams in lots of different ways is actually probably 10 to 25% of Royal Wise's revenue at this point is just this passive income. And so I am very much looking forward to your course coming up so that other people can also build this in. It's kind of like leaving money on the table if you're not leveraging your work in as many ways as possible to create multiple revenue streams. So this is going to be an excellent opportunity [00:39:00] that will absolutely pay for itself.

Dan DeLong: How about you? What's what's going on with you?

Alicia Katz Pollock: Yeah, I'm about to enter into my, uh, my trifecta of conferences. I just taught my, uh, QBO banking class. So a brand new class with all of the bells and whistles about the new banking feeds. And I hear a lot of people complaining about the banking feeds, but honestly, I think they are an improvement. You just have to know what to click on and where to look. So definitely take [00:39:30] a look in the show notes for my class on QBO banking. And then a class on the reconciling, where I actually built in the brand new reconciling tools that are there actually still in beta. They're not out universally, but I do show them off so that you can see where Intuit is going to speed up your reconciliations. So I just had a really good time teaching those two classes. And the links will be in the show notes. And then it's not too late to sign up for Women Who Count, which is in Mesa, Arizona. [00:40:00] It's a 3 or 4 day conference for women in accounting, and they have totally, totally redone the conference and improved the speakers and the the vendors. And I'm really looking forward to seeing how they have grown the conference, and then I'm literally flying from Mesa to Las Vegas for Intuit Connect. And so, you know, I can't wait to get on the floor and find out all the new innovations that are coming so that I can redo all my classes again. [00:40:30] Um, and then I come home for Halloween. I'm literally in the house for 48 hours, and then I fly down to Miami for Reframe Hector Garcia's, uh, conference. The theme this year is, uh, Pricing with Confidence, where you are going to take a look at your how, your pricing and making sure you're comfortable with your pricing and your best fitting your pricing and communicating that well to your clients. So it's both confidence and pricing.

Dan DeLong: So [00:41:00] that sounds like a busy, busy, busy time.

Alicia Katz Pollock: It's going to be a busy, busy time. And then I'm actually staying in Florida because my cousin's getting married a week after that. So instead of flying back to Portland and back to Florida again, I'm actually going to give myself a working vacation down on Florida, and I just found out that I'm actually going to be staying, like within spitting distance of Mar a Lago. So I had no idea that I was going to be in that part of the world. So, um, uh, yeah. So I'm [00:41:30] going to go on a working vacation.

Dan DeLong: So if, uh, somebody spits on Mar a Lago, we know it was you, then, uh.

Alicia Katz Pollock: We'll go with that. Okay. So thank you, Dan, for, um, this update on what's happening in the industry on security and what we can do to make our lives as secure for ourselves and our clients as possible.

Dan DeLong: Yes, it's very good. I mean, very important information for for [00:42:00] people to be aware of.

Alicia Katz Pollock: All right. So thank you, everybody for being a loyal listener. And we will see you in the next one next time.