Be wary of requests made by email cyber-attacks

Email cyber-attacks

The email looks legitimate and trustworthy, and it appears to be from someone you know, such as a long-term client of the firm. The client requests a change in bank accounts and routing numbers to send a tax refund to the new account. Or the client requests a wire transfer of client funds to a new bank account.

What the recipient can’t tell is that the request is from a hacker who has commandeered both the client’s and the CPA’s email accounts. Messages going out and coming in are being controlled and manipulated on both ends, which is also known as a "man in the middle" attack.

Services that convert voicemail messages into email messages can also be used to facilitate such attacks. A hacker might even take control of a tax software program, complete and file client tax returns, and redirect refunds to the hacker’s bank account.

Loss prevention tips

Avoid getting lulled into a sense of comfort with email and other communications. Be suspicious if asked to do anything out of the ordinary or routine. A fraudulent email request may resemble prior legitimate requests, but a new bank account receiving the funds is often a red flag, especially if the new account is in another country.

Phishing or social engineering schemes can be sophisticated and even employ high-grade counterfeit documents such as investment direction letters, checks, and insurance policies. Sometimes phone lines are set up to route calls to scammers posing as employees who vouch for the validity of counterfeit checks.

Verbally confirm with the client that they want to proceed in accordance with the directions in the email. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the actual bank account number. Someone who knows the client’s voice can verify a request by calling the client.

Another way to verify requests is to confirm information that only the client would know and a hacker would not have access to. Consider confirming this information verbally with a phone call as well. Also, call senders to verify that unsolicited email attachments or links are legitimate before you open or click them. Better safe than sorry!



Comments (1)

  • anon

    I find your emails useful & helpful. It helps me in discussing what I can do and not do with my clients, their responsibilities, and mine. I have decided to talk to you regarding insurance, which I have not previously had. Especially with scammers, hackers, and fraudulent everything, I think I need insurance and advice.

    Nov 09, 2017
