Risk Alert – Social Engineering for CPAs

As with many fraud schemes perpetrated against accounting professionals, social engineering has grown more sophisticated. This development is a response to increased awareness of, and vigilance against, such schemes: recent variations have emerged that create a stronger appearance of legitimacy.

Some social engineering schemes attempt to achieve the goal of false legitimacy by first making ordinary or seemingly harmless requests of CPAs, followed by requests to obtain Personally Identifiable Information (PII) or access to client funds. Recent schemes targeted at CPAs in the AICPA Professional Liability Insurance Program have included requests to establish bill pay services with existing software providers, such as QuickBooks, and have included links within the body of the email to do so.

In addition to the strategies discussed below, CPA firms should consider the following:

  • Establish a predetermined method for verifying your client’s identity during the client engagement process. For example, obtain your client’s answer to security questions that require a subjective response. Security questions can be used to challenge questionable communications.
  • Take a cautious approach. As schemes become more sophisticated, it will become increasingly difficult to differentiate between legitimate and false inquiries. If you have even minor doubts relating to a client request, seek an alternative method of verification. A direct call to the client using a trusted and verified phone number is a preferred method to confirm authenticity of the inquiry.

Your staff accountant comes to the office on Monday morning to find an e-mail from one of the firm’s biggest and most important clients requesting that money be transferred into a new investment account. It’s urgent...again.

The accountant thinks “It seems like every Monday morning the same client makes another ‘urgent’ request. Can’t I get a break?” She then accommodates the rush request and sends the money. Yes, it is a large amount of money, perhaps a bit more than usual, but the client has previously made similar requests.

Unfortunately, the accountant and CPA firm have just been scammed by a social engineering attack. A cyber-criminal was monitoring the client’s e-mail account and learned the following:

  • The client frequently requested money transfers on Monday mornings,
  • The transfer amount customarily requested by the client, and
  • The language and tone of the e-mails typically sent to the accountant by the client.

CPA firms across the country have been victimized by this social engineering scheme, sometimes called “spoofing”. A spoofing attack is a situation in which one party, the cyber-criminal, successfully masquerades as another by falsifying data, thereby deceiving the other party, such as the CPA firm.

Cyber-criminals have become adept at both e-mail spoofing, the creation of fictitious e-mails with a forged sender address, and caller ID spoofing, which causes the telephone network to display a false caller number in lieu of the actual telephone number.

The growing sophistication of cyber-criminals can make it challenging for CPA firms to ascertain a requestor’s true identity. Consequently, CPA firms should take precautionary measures to help prevent unauthorized transfers of client funds. Strategies include the following:

  • Protect client bank account information including account numbers, passwords, log-in procedures, and similar information. Only CPA firm employees with a business need should have access to this information.
  • Establish client-approved disbursement parameters, including transaction types, vendors, and bank accounts utilized for disbursement activity.
  • Establish approval thresholds for transactions. Transactions that exceed the specified threshold should require additional client approval.
  • When additional approvals are required or a request appears suspicious, utilize an alternative method to confirm the request. For example, if the original request was made by e-mail, the confirmation should be via a phone call by a CPA firm employee who can authenticate the client’s voice. Document all approvals received in the workpapers.
  • Request the client’s approval of new vendors at least three (3) business days in advance of any payments. If a payment must be made before the new vendor approval timeframe has elapsed, confirm the transaction with the client.
  • Establish procedures for unusual transactions, as noted by the CPA, to be examined and verified by the client. Ensure that the client understands that unusual transactions must be confirmed orally, even if urgent. Document the client’s oral approval in the workpapers.
  • Telephone numbers and e-mail addresses from the CPA firm’s database should be used to confirm transactions directly with the client. Do not utilize the e-mail reply function or caller ID number from the suspicious request. The same cyber-criminal who made the request may be monitoring the client’s voice-mail or e-mail.
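The controls in the list above can be expressed as a single pre-release check that a firm's disbursement workflow runs before any funds move. The following Python is an added illustration, not code from CNA or the AICPA program; the client profile, threshold, vendor list, contact details and the Monday-morning request are constructed sample values. It encodes the approved-vendor list with the three-business-day waiting period, the approved-account list, the approval threshold, and the rule that confirmation must use a contact from the firm's own database on the alternative channel, never the reply address or caller ID carried by the request itself.

```python
"""Disbursement pre-release check modelled on the article's strategies (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

NEW_VENDOR_BUSINESS_DAYS = 3  # article: client approval at least three business days in advance


@dataclass
class ClientProfile:
    """Client-approved disbursement parameters, held in the CPA firm's own records."""
    name: str
    approval_threshold: float      # amounts above this need additional client approval
    approved_accounts: set         # bank accounts approved for disbursement activity
    approved_vendors: dict         # vendor name -> date the client approved the vendor
    verified_phone: str            # from the firm's database, not from any request
    verified_email: str


@dataclass
class DisbursementRequest:
    client: str
    vendor: str
    destination_account: str
    amount: float
    channel: str                   # "email" or "phone": how the request arrived
    reply_contact: str             # reply address or caller-ID number carried by the request
    urgent: bool = False


@dataclass
class Decision:
    release_without_confirmation: bool
    reasons: list                  # every control the request tripped, for the workpapers
    confirmation_channel: str      # alternative channel to use for confirmation
    confirmation_contact: str      # firm-database contact on that channel


def business_days_elapsed(start: date, end: date) -> int:
    """Weekdays strictly after `start` up to and including `end` (no holiday calendar)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def evaluate(req: DisbursementRequest, profile: ClientProfile, today: date) -> Decision:
    """Apply the client-approved parameters; any tripped control forces out-of-band confirmation."""
    reasons = []
    approved_on = profile.approved_vendors.get(req.vendor)
    if approved_on is None:
        reasons.append(f"vendor '{req.vendor}' is not on the client-approved vendor list")
    elif business_days_elapsed(approved_on, today) < NEW_VENDOR_BUSINESS_DAYS:
        reasons.append(f"vendor '{req.vendor}' was approved fewer than "
                       f"{NEW_VENDOR_BUSINESS_DAYS} business days ago")
    if req.destination_account not in profile.approved_accounts:
        reasons.append(f"account '{req.destination_account}' is not an approved disbursement account")
    if req.amount > profile.approval_threshold:
        reasons.append(f"amount {req.amount:,.2f} exceeds approval threshold "
                       f"{profile.approval_threshold:,.2f}")
    if req.urgent:
        reasons.append("request is marked urgent; urgency does not bypass the approval procedure")
    # Confirmation always goes over the other channel, using the firm's own records.
    if req.channel == "email":
        channel, contact = "phone", profile.verified_phone
    else:
        channel, contact = "email", profile.verified_email
    return Decision(not reasons, reasons, channel, contact)


def confirmation_is_valid(req: DisbursementRequest, profile: ClientProfile,
                          contact_used: str, channel_used: str) -> bool:
    """A confirmation counts only if it used a firm-database contact and did not reply to the request."""
    if contact_used not in {profile.verified_phone, profile.verified_email}:
        return False                      # contact did not come from the firm's own records
    if contact_used == req.reply_contact:
        return False                      # reply function / caller-ID of the request: not independent
    if req.channel == "email" and channel_used != "phone":
        return False                      # e-mail requests are confirmed by a phone call
    return True


# Constructed sample: the Monday-morning scenario from the article.
ACME = ClientProfile("Acme Holdings LLC", 25_000.00, {"ACME-OPS-1"},
                     {"Payroll Co": date(2024, 5, 1)}, "+1-555-0100", "cfo@acme.example")
MONDAY_REQUEST = DisbursementRequest("Acme Holdings LLC", "Northstar Investments", "NEW-INV-9",
                                     48_000.00, "email", "cfo@acme.example", urgent=True)

if __name__ == "__main__":
    decision = evaluate(MONDAY_REQUEST, ACME, date(2024, 6, 3))  # a Monday
    for reason in decision.reasons:
        print("HOLD:", reason)
    print("confirm by", decision.confirmation_channel, "using", decision.confirmation_contact)
```

Note that in the constructed scenario the request's reply address is the client's genuine e-mail address, exactly the situation the article describes where the criminal is monitoring the real account: `confirmation_is_valid` still rejects an e-mail reply and accepts only a call to the number held in the firm's database. Holidays are not modelled; a firm would substitute its own business-day calendar.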

By creating a false sense of urgency, cyber-criminals try to circumvent the internal controls of the CPA firm. Follow established procedures for transactions, especially if the request seems unusual or urgent. Ensure that everyone making payments on a client’s behalf understands and adheres to established protocols. While some clients may initially resist the inconvenience of additional security measures, most will respect the CPA firm’s awareness of cyber security risks and appreciate its due diligence in preventing theft by cyber-criminals.

* * * * *

This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.

Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

“CNA” is a service mark registered by CNA Financial Corporation with the United States Patent and Trademark Office. Certain CNA Financial Corporation subsidiaries use the “CNA” service mark in connection with insurance underwriting and claims activities. Copyright © 2016 CNA. All rights reserved.