
Your staff accountant comes to the office on Monday morning to find an e-mail from one of the firm’s biggest and most important clients requesting that money be transferred into a new investment account. It’s urgent...again.

The accountant thinks, “It seems like every Monday morning the same client makes another ‘urgent’ request. Can’t I get a break?” She then accommodates the rush request and sends the money. Yes, it is a large amount of money, perhaps a bit more than usual, but the client has previously made similar requests.

Unfortunately, the accountant and CPA firm have just been scammed by a social engineering attack. A cyber-criminal was monitoring the client’s e-mail account and learned the following:

  • The client frequently requested money transfers on Monday mornings,
  • The transfer amount customarily requested by the client, and
  • The language and tone of the e-mails typically sent to the accountant by the client.

CPA firms across the country have been victimized by this social engineering scheme, sometimes called “spoofing”. A spoofing attack is a situation in which one party, the cyber-criminal, successfully masquerades as another by falsifying data, thereby deceiving the other party, such as the CPA firm.

Cyber-criminals have become adept at both e-mail spoofing, the creation of fictitious e-mails with a forged sender address, and caller ID spoofing. The latter causes the telephone network to display a false caller number in place of the caller’s actual telephone number.

The growing sophistication of cyber-criminals can make it challenging for CPA firms to ascertain a requestor’s true identity. Consequently, CPA firms should take precautionary measures to help prevent unauthorized transfers of client funds. Strategies include the following:

  • Protect client bank account information including account numbers, passwords, log-in procedures, and similar information. Only CPA firm employees with a business need should have access to this information.
  • Establish client-approved disbursement parameters, including transaction types, vendors, and bank accounts utilized for disbursement activity.
  • Establish approval thresholds for transactions. Transactions that exceed the specified threshold should require additional client approval.
  • When additional approvals are required or a request appears suspicious, utilize an alternative method to confirm the request. For example, if the original request was made by e-mail, the confirmation should be via a phone call by a CPA firm employee who can authenticate the client’s voice. Document all approvals received in the workpapers.
  • Request the client’s approval of new vendors at least three (3) business days in advance of any payments. If a payment must be made before the new vendor approval timeframe has elapsed, confirm the transaction with the client.
  • Establish procedures for unusual transactions, as noted by the CPA, to be examined and verified by the client. Ensure that the client understands that unusual transactions must be confirmed orally, even if urgent. Document the client’s oral approval in the workpapers.
  • Telephone numbers and e-mail addresses from the CPA firm’s database should be used to confirm transactions directly with the client. Do not utilize the e-mail reply function or caller ID number from the suspicious request. The same cyber-criminal who made the request may be monitoring the client’s voice-mail or e-mail.
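The controls above can be reduced to a small, testable rule set. The following Python sketch is an added example, not code from CNA or the AICPA program: it models a client’s pre-approved disbursement parameters, flags a transfer that falls outside them, and always takes the confirmation phone number from the firm’s own records rather than from the request. All names, account identifiers and the phone number are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ClientProfile:
    """Client-approved disbursement parameters held in the firm's own database."""
    approved_accounts: set
    approval_threshold: float
    confirm_phone: str                       # from the firm's records, never from the request
    vendor_approved_on: dict = field(default_factory=dict)  # vendor -> date client approved it


@dataclass
class TransferRequest:
    vendor: str
    account: str
    amount: float
    payment_date: date
    urgent: bool = False


def business_days_between(start: date, end: date) -> int:
    """Count Monday-Friday days after `start` up to and including `end`."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def evaluate_request(req: TransferRequest, client: ClientProfile) -> list:
    """Return the confirmation steps required before payment; empty means pre-approved."""
    actions = []
    if req.account not in client.approved_accounts:
        actions.append(f"account outside approved parameters: confirm by phone at {client.confirm_phone}")
    if req.amount > client.approval_threshold:
        actions.append("amount exceeds threshold: obtain additional client approval, document in workpapers")
    approved_on = client.vendor_approved_on.get(req.vendor)
    if approved_on is None:
        actions.append("new vendor: obtain client approval before any payment")
    elif business_days_between(approved_on, req.payment_date) < 3:
        actions.append("vendor approved fewer than 3 business days ago: confirm with client")
    if req.urgent and actions:  # urgency is a red flag, never a bypass
        actions.append("urgent request: follow established procedures; urgency waives nothing")
    return actions


# Constructed sample data: an approved vendor, one approved account, a $10,000 threshold.
SAMPLE_CLIENT = ClientProfile({"OPERATING-001"}, 10000.0, "555-0100 (placeholder)",
                              {"Acme Supplies": date(2016, 6, 1)})
```

Running `evaluate_request` on the Monday-morning request from the opening story (unknown account, above threshold, unknown vendor, marked urgent) yields four required steps, while a routine payment to the approved vendor and account yields none.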

By creating a false sense of urgency, cyber-criminals try to circumvent the internal controls of the CPA firm. Follow established procedures for transactions, especially if the request seems unusual or urgent. Ensure that everyone making payments on a client’s behalf understands and adheres to established protocols. While some clients may initially resist the inconvenience of additional security measures, most will respect the CPA firm’s awareness of cyber security risks and appreciate its due diligence in preventing theft by cyber-criminals.

For additional information about the risks of providing bill paying services and tips on how to mitigate those risks, see the article All in a Dishonest Day's Work. We are the exclusive agent for the AICPA Professional Liability Program in California. Contact me to learn more about our program and how we can save you more than just money.


This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.

Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

“CNA” is a service mark registered by CNA Financial Corporation with the United States Patent and Trademark Office. Certain CNA Financial Corporation subsidiaries use the “CNA” service mark in connection with insurance underwriting and claims activities. Copyright © 2016 CNA. All rights reserved.
