Cybercrime is as ubiquitous as the Internet itself, and CPA firms and their clients are as vulnerable as anyone else to being hacked, scammed, or otherwise victimized. The author provides general information about cyberattacks, lists examples of currently popular scams, and recommends cyber insurance strategies tailored for CPA firms.
Billions of fraudulent email messages are sent every day, and only a small fraction of them need to succeed to fund a growing underworld industry. One measure of such growth is the number of U.S. data breaches tracked each year; such breaches hit an all-time high of 1,093 in 2016, according to a January 2017 report released by the Identity Theft Resource Center (“Data Breaches Increase 40 Percent in 2016, Finds New Report from Identity Theft Resource Center and CyberScout,” Jan. 19, 2017, http://bit.ly/2ljn3bz). This represents a 40% increase over the 780 breaches reported in 2015. Another measure comes from the Internet Crime Complaint Center of the Federal Bureau of Investigation (FBI), which saw the number of complaints rise from 262,813 in 2013 to 288,012 in 2015. The combined losses in 2015 were reported at nearly $275 million.
CPA professional liability claims experience also supports these trends. In the area of fraudulent wire transfers, claims have carried substantial third-party (i.e., client) exposures, ranging from $250,000 to $900,000. Rather than suffer such an attack (and subsequent liability) needlessly, CPA firms should inform themselves about the dangers posed by hackers and scammers and take steps to protect themselves and their clients. This article provides a starting point for such measures.
The following case study, based on a recent claim, illustrates how fraudsters manage to make good money from bad actions (all names have been changed):
Greg Roberts, CPA, a partner in the public accounting firm of Smith Jones LLP, provided business management and investment advisory services to several clients, including John Urich, a successful shipping magnate. Urich had established a trust to care for his disabled wife in the event of his death, and the trust department of Commercial Fiduciary Bank provided trustee services.
At one point, Roberts received an email message from Urich requesting a transfer of approximately $300,000 to a foreign account. Roberts called Urich to verify the request and left a message in Urich’s voicemail. Minutes after leaving the message, Roberts received a message from Urich’s email account confirming the request. Roberts then advised Urich to send an investment direction letter to the trustee at Commercial Fiduciary and forwarded instructions to the trustee regarding the transfer of funds. When the trustee received an investment direction letter with Urich’s signature on it, he followed the instructions provided by Roberts and transferred the $300,000 into the foreign account.
Shortly after that, Roberts received a call from Urich stating that he had not authorized the transfer of funds. Urich was understandably upset. Urich’s voicemail and email accounts had been hacked and commandeered by a scammer. Roberts did not realize that Urich’s voicemail messages were being delivered to Urich’s email account, so the scammer, who controlled that account, could hear the verification call and “confirm” the request by email minutes later. The scammer had also copied an older investment direction letter from Urich’s email account, updated it with a current message, and forged Urich’s signature on the letter to perpetrate the hoax. Urich expected Roberts to replace the funds that had been stolen by the scammer.
Authority over Client Funds
Unfortunately, this case is not unusual. Claims related to fraudulent wire transfers generally involve CPA firms that have been given authority over client funds in order to provide business management or bill-paying services, including wire transfers, for high-net-worth clients.
A fraudulent email request for a wire transfer may resemble prior legitimate requests for transfers. The transfers are often made to a bank in a foreign country or through a U.S. bank to a foreign bank. When the fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are not always helpful in preventing fraudulent transfers, as laws tend to limit their risk exposures and enable them to deny responsibility.
Wire transfer requests made via email should be verbally confirmed. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the actual bank account number. The call should go to a phone number already on file for the client, not to one supplied in the email, and a voicemail or a reply email is not a confirmation: as the case above shows, both may reach the same person who sent the fraudulent request. It never hurts to call senders to verify email links or attachments before opening them. Another way to verify transfers is to confirm information that only the client would know and a hacker would not. CPAs should consider using both methods to confirm the authenticity of a request.
Impersonating Users and Faking Messages
Phishing email that appears to come from a legitimate sender may be spoofed (the sender address is forged while the real account is untouched) or, more dangerously, sent from the sender’s actual account after a cybercriminal has hacked into it and taken it over. In the second case the hacker controls every message coming from the account, and the sender’s own history and writing style help convince the recipient that the email is friendly or trustworthy.
A hacker will sometimes insert a link or an extra step into an email message, asking for a password to be entered or changed; the password goes to the hacker, who uses it to take control of the email account. Once the hacker controls both the CPA’s and the client’s email accounts, he sits between the two parties and can read, delay, or alter their messages (a position often described as a “man in the middle” attack), and it can be difficult to ascertain that communications are being manipulated.
Sophisticated social engineering attacks may employ corporate logos, high-grade counterfeit documents, and bogus websites to mimic organizations and companies such as tax software vendors. Counterfeit documents may include letters, insurance policies, checks, credit card notices, travel itineraries, or any item that will make the sender appear to be a part of the recipient’s network of associates and vendors. Some fraud schemes even provide phone numbers—answered by fraudsters, of course—to “verify” illegitimate checks, thereby fooling bank employees, attorneys, CPAs, and many others.
As cybercriminals continue to develop new ways of impersonating legitimate organizations and email senders, computer users need to become even more vigilant and circumspect in their daily practices. A fake email address can be disguised as a legitimate email address by being off by one character (e.g., “businesware.com” vs. “businessware.com”). By hovering a mouse cursor over a link without clicking it, a user can see the address the link actually points to, which may differ from the address displayed in the message text. Third-party and misspelled addresses are both red flags.
It is best to verify the authenticity of a request and any information in it with a trusted source before complying with any requests or taking any actions that may harm the firm’s computer system and cause operations to grind to a halt. Instead of clicking a link, users should go directly to the trustworthy website to access information and updates.
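The two checks just described, a one-character-off domain and a link whose visible text names a different site than its real target, can be automated on the HTML body of a message. The following is an added example written for this article, not code from the original page or from any vendor; the trusted-domain allowlist and the sample message are constructed for illustration, and the domain-reduction helper takes the last two labels, so it does not handle suffixes such as co.uk.

```python
"""Flag phishing links in an HTML email body: lookalike domains and
display-text/href mismatches. Added example; allowlist and sample message
below are constructed for illustration, not taken from the article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the firm keeps an allowlist of domains it actually deals with.
TRUSTED_DOMAINS = {"businessware.com", "irs.gov", "smithjones.example"}

# Picks a domain name out of visible anchor text such as "log in at https://x.com".
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def registrable_domain(host):
    """Reduce 'mail.sub.example.com' to 'example.com' (last two labels only;
    simplified, so 'example.co.uk' is not handled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def within_one_edit(a, b):
    """True when a and b differ by one substitution, insertion, deletion
    or one adjacent transposition (businesware / busienssware)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None."""
    for t in trusted:
        if domain != t and within_one_edit(domain, t):
            return t
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html):
    """One finding per link. Suspicious when the href host is a lookalike of a
    trusted domain, or the visible text names a domain other than the one the
    href really points to (what hovering over the link would reveal)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        link_domain = registrable_domain(host) if host else ""
        m = DOMAIN_RE.search(text.lower())
        shown_domain = registrable_domain(m.group(1)) if m else None
        f = {"href": href, "text": text, "link_domain": link_domain,
             "shown_domain": shown_domain,
             "lookalike_of": lookalike_of(link_domain) if link_domain else None,
             "mismatch": shown_domain is not None and shown_domain != link_domain}
        f["suspicious"] = bool(f["lookalike_of"] or f["mismatch"])
        findings.append(f)
    return findings


# Constructed sample message, modelled on the one-character-off domain in the text.
SAMPLE_EMAIL_HTML = """
<p>Your tax software licence expires today. Please
<a href="http://businesware.com/renew">log in at https://businessware.com</a> to renew.</p>
<p>Release notes: <a href="https://businessware.com/notes/2017">read the notes</a></p>
<p>IRS e-Services: <a href="http://update-portal.example/irs">https://www.irs.gov/e-services</a></p>
"""

if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["href"], f["lookalike_of"], f["mismatch"])
```

Run against the sample, the first link is flagged on both counts (the host imitates businessware.com and differs from the domain shown in the text), the second is clean, and the third is flagged only because the visible text names irs.gov while the link goes elsewhere. The edit-distance check is deliberately narrow; a production filter would also compare against the firm’s own domain and handle homoglyphs.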
Firms of all sizes continue to be plagued by ransomware, which typically enters computer systems through a clicked link, an opened attachment, or a password typed into a bogus prompt. Ransomware encrypts the user’s files (and often any connected drives or network shares it can reach) and demands payment to decrypt them. Of course, paying the ransom is no guarantee that the cybercriminal will actually decrypt the files, further compounding the potential damage.
Ransom demands range from a few hundred dollars to several thousand, depending upon the perceived ability of the victim to pay. Some ransomware families contain flaws for which researchers have published free decryption tools, so a solution might be found online. Other ransomware programs are technically sound and have no known fix, other than the victim retrieving and relying on the latest available backup files.
Ransomware may enter a computer system via innocuous-looking MS Word, Excel, or PDF documents attached to unsolicited or unexpected email. A document that asks the reader to “enable macros” or “enable content” is asking for permission to run code; such instructions should not be followed. Unusual requests for passwords are also suspect.
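A mail gateway or help-desk script can triage such attachments before a user ever sees the “enable content” prompt, by looking at what the file actually contains rather than at its extension. The following is an added example written for this article, not code from the original page or from any product; the inspection rules are my own and the sample files are constructed in memory. It recognises macro-enabled Office Open XML files by the presence of a VBA project part, flags a VBA project hiding behind a .docx/.xlsx extension, sends legacy binary Office files to review (they can carry macros but need a full OLE parser), and treats PDFs containing active-content tokens as suspect; the PDF check is a heuristic only, since compressed object streams can hide those tokens.

```python
"""Triage an email attachment before a user is tempted to 'enable content'.
Added example: the rules are my own and the sample files are constructed in
memory; nothing here comes from the article or from a real mail gateway."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
MACRO_FREE_EXTS = {"docx", "xlsx", "pptx"}          # these extensions must not carry VBA
PDF_RISKY_TOKENS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


def classify_attachment(filename, data):
    """Return a dict with 'format', 'macros' (True/False/None = unknown),
    a 'verdict' of 'allow', 'review' or 'block', and the reasons."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    result = {"filename": filename, "format": "unknown", "macros": None,
              "verdict": "review", "reasons": []}

    if data.startswith(OLE_MAGIC):
        # Binary Office formats can embed VBA, but confirming that needs a real
        # OLE parser (e.g. oletools' olevba), so they go to human review.
        result.update(format="ole", reasons=["legacy binary Office file; macro status unknown"])
        return result

    if data.startswith(b"%PDF"):
        hits = [t.decode() for t in PDF_RISKY_TOKENS if t in data]
        result.update(format="pdf", macros=False)
        if hits:  # heuristic: tokens inside compressed object streams are not seen
            result.update(verdict="review", reasons=[f"PDF contains active-content tokens: {hits}"])
        else:
            result.update(verdict="allow")
        return result

    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                lower = [n.lower() for n in names]
                ct_xml = (zf.read("[Content_Types].xml").decode("utf-8", "replace")
                          if "[Content_Types].xml" in names else "")
        except zipfile.BadZipFile:
            result["reasons"].append("PK header but not a valid zip")
            return result
        if "[content_types].xml" not in lower:
            result.update(format="zip", reasons=["plain zip archive; inspect contents"])
            return result
        # A VBA project is stored as */vbaProject.bin; macro-enabled packages
        # also declare a 'macroEnabled' content type.
        has_vba = any(n.endswith("vbaproject.bin") for n in lower) or "macroenabled" in ct_xml.lower()
        result.update(format="ooxml", macros=has_vba)
        if has_vba:
            result["verdict"] = "block"
            result["reasons"].append("document contains a VBA project")
            if ext in MACRO_FREE_EXTS:
                result["reasons"].append(f".{ext} extension but macro parts present (disguised)")
        else:
            result["verdict"] = "allow"
        return result

    result["reasons"].append("unrecognised format")
    return result


def build_ooxml(app="word", with_vba=False):
    """Construct a minimal Office Open XML package in memory (sample data only)."""
    buf = io.BytesIO()
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
             if with_vba else "")
          + "</Types>")
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr(f"{app}/document.xml", "<document/>")
        if with_vba:
            zf.writestr(f"{app}/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: a real macro file, the same content behind a "safe" extension,
# a clean workbook, a legacy binary workbook, and a PDF with an auto-run action.
SAMPLES = {
    "invoice.docm": build_ooxml("word", with_vba=True),
    "invoice.docx": build_ooxml("word", with_vba=True),
    "report.xlsx": build_ooxml("xl"),
    "ledger.xls": OLE_MAGIC + b"\x00" * 64,
    "statement.pdf": b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R /JavaScript (app.alert(1)) >> endobj\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = classify_attachment(name, blob)
        print(f"{name:15} {r['format']:6} macros={r['macros']!s:5} -> {r['verdict']}  {'; '.join(r['reasons'])}")
```

The point of the disguised-extension case is that Word opens a .docx containing a VBA project only after complaint, but some older and third-party viewers do not, and users judge files by their icon; blocking on content rather than on the name closes that gap.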
CPA firms should institute a policy to frequently (daily, at a minimum) back up files that they cannot afford to lose. Some ransomware even seeks out backup copies of files, so creating multiple backups in different locations is a good practice, and because a backup drive that stays connected can be encrypted along with everything else, at least one copy should be kept offline or otherwise unreachable from the workstation. Cloud services and external or USB hard drives are other options to consider for multiple backups. Encryption should be used to protect any sensitive information about the firm and its clients. Backups are also an extremely valuable resource after extreme events such as fires, floods, and other disasters.
Other Recent Scams
The following are examples in which scammers have disguised themselves well enough to dupe unsuspecting computer users:
- Scammers act as clients or potential clients soliciting tax professional services. If the professional responds, the scammer then sends a second email with an embedded web address that collects email addresses and passwords when clicked. The IRS has issued a warning about this kind of scheme at http://bit.ly/2knAL9J.
- Scammers impersonate clients and request that the tax professional change their bank account numbers. This enables fraudsters to divert tax refunds into their own accounts.
- Scammers impersonate clients requesting wire transfers of funds into a new or foreign bank account, which is actually the fraudsters’ account. The amounts stolen this way can reach up to several hundred thousand dollars.
- Scammers pose as tax software companies, recommending that tax preparers update their software by clicking a link. The link loads malware onto the computer, enabling the scammers to file tax returns and redirect refunds to their own accounts.
- Even the IRS can be impersonated. Scammers ask tax preparers to update their e-services information via email, and the links in the email capture usernames and passwords when clicked. The IRS does not initiate contact with tax preparers or taxpayers by email, text messages, or social media channels to request personal or financial information. An IRS warning about this scam can be found at http://bit.ly/2kXz72l. Scammers also send taxpayers emails with a Notice CP 2000 attached, claiming that there are discrepancies between income reporting on their tax return and the employer’s reporting. These notices also sometimes refer to the Affordable Care Act, further confusing potential victims. The IRS warns of this scam at http://bit.ly/2lzpJ2b.
- Scammers can also mimic a computer’s security software by displaying a pop-up “Security” screen or similar message that demands a password before allowing the user to continue using the computer. The captured password then enables the hacker to access the user’s email account and send out phishing messages to the user and others.
More information about phishing and online scams can be found on the IRS website. A listing of IRS news releases containing alerts and warnings about email scams can be found at http://bit.ly/2lxl3ZM, while information about what to do about suspicious IRS-related communication is located at http://bit.ly/2kdzC3H.
Providing regular staff training to enhance awareness of potential threats can make all the difference in a business’s protection against fraudulent schemes. Some experts recommend scheduling data security training at least once per year. Security awareness can also be tested by “inoculation,” in which all users are sent benign phishing email; those who fall for it then receive education about phishing scams and how to avoid them.
Many professionals—CPAs included—make the mistake of believing that they are too small to attract the attention of hackers. This attitude results in a lack of preparation and vulnerability to unnecessarily prolonged setbacks and expense if and when a cyber incident occurs. Fortunately, expertise and resources are available to help CPA firms avoid or mitigate the damages and aftermath of an attack or breach, including ways to minimize and repair damage to assets such as data, work products, reputation, and brand value. Cyber insurance programs should include education on how to safeguard information, increase awareness of cyber risks, and assist the firm in responding to potential data incidents. Cyber coverage should provide risk and legal advisory services to guide investigations, ensure compliance with applicable laws, and protect confidential communications and information.
In the event of a potential incident, a CPA firm should consult with its cyber insurance carrier or attorney before hiring a forensics investigator. If an investigation is conducted outside of the firm’s relationship with an insurance carrier or attorney, the communications produced by the investigation may not be protected by attorney-client privilege.
Firms should have a cybersecurity expert evaluate, test, and secure their computer systems before an incident occurs. The expert will then be familiar with the firm’s systems and can work with insurance and breach response service providers in reducing any damages from a breach, reducing the costs to eradicate problems, and enabling the firm to get back on track sooner rather than later.