CPAs continue to be at high risk of social engineering attempts due to the type of information firms gather and store, and CAMICO has observed an uptick in the frequency of these attempts. “Phishing” is one of the more common social engineering scams.
CAMICO has also observed a rise in fraudulent email requests for wire transfers. Fraudulent wire transfers frequently cause large dollar losses. If the fraudster controls the client’s and the firm’s email, commonly referred to as a “man in the middle” attack, and the fraudulent request mimics previous legitimate requests, it is very difficult for the firm to identify the request as illegitimate. When the fraud is discovered after the transfer, the funds are usually not recoverable.
Use your professional skepticism to avoid being lulled into a false sense of security. Any requests for money to be transferred to a bank account unfamiliar to you should be a red flag, especially if the new account is in another country.
If the firm’s protocol with clients is to permit requests for wire transfers to be made via email, then establish and follow procedures to confirm requests using a mechanism other than email and proceed with the transfer only after confirming with the client (ideally by phone or in person) that the request is legitimate. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the bank account number. To validate the authenticity of the request, confirm information only known to the client (ask questions to which hackers would not know the answers).
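The confirmation steps above can be written down as a pre-release checklist that the person releasing funds has to clear. The following Python script is an added example (not CAMICO's code or any firm's actual procedure) that encodes those steps: a request is held until it has been confirmed out of band and the client has answered a challenge question, and a destination account the firm has not seen before for that client, a destination bank in another country, or a requester who is not an authorized representative is treated as a red flag. The client record, the dollar threshold and the requests are constructed sample data.

```python
"""Pre-release screening for an emailed wire transfer request.

Added example, not an actual firm procedure. Client records, the
verbal-consent threshold and the requests below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ClientProfile:
    name: str
    known_accounts: set[tuple[str, str]]   # (bank name, account number) used before
    home_country: str
    verbal_threshold: float | None         # amount above which verbal consent is required;
                                           # None means every request needs it
    authorized_reps: set[str]              # people allowed to approve transfers


@dataclass
class WireRequest:
    client: str
    requested_by: str
    amount: float
    bank: str
    account: str
    country: str
    confirmed_out_of_band: bool = False    # amount, bank and account confirmed by phone/in person
    challenge_answered: bool = False       # client answered a question only they would know


@dataclass
class Decision:
    action: str                            # "release", "hold" or "reject"
    reasons: list[str] = field(default_factory=list)


def screen_wire_request(req: WireRequest, profiles: dict[str, ClientProfile]) -> Decision:
    """Decide whether an emailed request may be released, held or rejected."""
    profile = profiles.get(req.client)
    if profile is None:
        return Decision("reject", ["no client record for this request"])

    flags: list[str] = []
    if req.requested_by not in profile.authorized_reps:
        flags.append(f"{req.requested_by} is not an authorized client representative")
    if (req.bank, req.account) not in profile.known_accounts:
        flags.append("destination account has not been used by this client before")
    if req.country != profile.home_country:
        flags.append(f"destination bank is in {req.country}; client is in {profile.home_country}")

    over_threshold = profile.verbal_threshold is None or req.amount > profile.verbal_threshold
    if not flags and not over_threshold:
        return Decision("release", ["known account, authorized requester, within written threshold"])

    reasons = flags or [f"amount {req.amount:,.2f} requires verbal consent under the written protocol"]
    if req.confirmed_out_of_band and req.challenge_answered:
        return Decision("release", reasons + ["confirmed out of band with challenge question"])

    missing = []
    if not req.confirmed_out_of_band:
        missing.append("out-of-band confirmation of amount, bank and account number")
    if not req.challenge_answered:
        missing.append("challenge question")
    return Decision("hold", reasons + ["awaiting " + " and ".join(missing)])


# Constructed sample client record (not real data).
PROFILES = {
    "Acme LLC": ClientProfile(
        name="Acme LLC",
        known_accounts={("First Bank", "123456")},
        home_country="US",
        verbal_threshold=10_000.0,
        authorized_reps={"j.doe@acme.example"},
    ),
}

if __name__ == "__main__":
    routine = WireRequest("Acme LLC", "j.doe@acme.example", 5_000.0, "First Bank", "123456", "US")
    new_account = WireRequest("Acme LLC", "j.doe@acme.example", 5_000.0, "Other Bank", "999", "XX")
    for r in (routine, new_account):
        d = screen_wire_request(r, PROFILES)
        print(d.action, "-", "; ".join(d.reasons))
```

The script only decides what to do; the out-of-band call itself and the answer to the challenge question are recorded by a person, and the "release" decision for a flagged request is reached only after both have been recorded.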
Practical loss prevention tips to minimize fraudulent wire transfer exposure:
- Slow down to avoid becoming another “phishing scam” victim. Take the time necessary to validate suspicious or unexpected email. And do not click a link, pop-up, or attachment without first hovering your cursor over the link to display the URL to assess its legitimacy. If there is an urgent call to action, rather than clicking a link, consider a different way to validate the request, such as speaking with the sender to get verbal confirmation that the communication is legitimate, or visiting the purported sender’s URL.
- Establish written protocols. The firm should establish written protocols with clients for handling client funds, especially as it relates to handling wire transfer requests. Consider establishing dollar thresholds above which verbal consent would be required if clients do not want to be “bothered” to approve each request. In addition, document who the authorized client representative(s) would be for providing such consent if/when the client is not available.
- Proceed with caution. With the increased number of claims related to fraudulent wire transfers, best practice in the absence of any written protocols to the contrary would be to verbally confirm all wire transfer requests with these clients to minimize risk.
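Hovering over a link, as the first tip above recommends, works because the text a message shows and the address it actually opens are two different things. The following Python script is an added example (not CAMICO's code) that does the same check over the HTML of a message: it lists every link, flags links whose visible text names one host while the real address points to another, and flags links to hosts the firm has not listed as trusted. The message and the trusted-host list are constructed; the hostname comparison is deliberately simple (it strips a leading "www." and nothing more).

```python
"""Compare the visible text of each link in an HTML email with its real address.

Added example, not part of the advisory. Sample message and trusted
host list are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list[tuple[str, str]]:
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def looks_like_url(text: str) -> bool:
    """True when the visible link text itself reads as an address."""
    return _URL_LIKE.fullmatch(text) is not None


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased, without a leading 'www.' (simplified)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html: str, trusted_hosts: set[str]) -> list[tuple[str, str, str]]:
    """Return (href, visible text, reason) for each link that deserves a second look."""
    findings = []
    for href, text in extract_links(html):
        href_host = host_of(href)
        if looks_like_url(text) and host_of(text) != href_host:
            findings.append((href, text, "visible text names a different host than the real link"))
        elif href_host not in trusted_hosts:
            findings.append((href, text, f"link goes to untrusted host {href_host!r}"))
    return findings


# Constructed sample message body; the hosts are reserved example names, not real sites.
SAMPLE_EMAIL = """
<p>Your account will be locked today. Sign in at
<a href="http://login-firstbank.example.net/verify">https://www.firstbank.example.com/login</a></p>
<p>Questions? Visit our <a href="https://www.firstbank.example.com/help">Help center</a>.</p>
<p>Or <a href="http://short.example/x">click here</a>.</p>
"""
TRUSTED_HOSTS = {"firstbank.example.com"}

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED_HOSTS):
        print(f"{reason}: text={text!r} href={href!r}")
```

The first link in the sample is the classic case the hover check catches: the text reads as the bank's own address while the link opens a different host. The third link is not a mismatch, just an address the firm has no reason to trust, which is the same judgment a reader makes after hovering.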
The following basic best practice measures should also be prioritized:
- Ensure all software has the latest security options/patches, especially for “zero day vulnerabilities.” This will help protect against malware, viruses, and hacker attacks.
- Frequently back up all important data and information offline and verify your backups. Regular offline backups (“cold backups”) reduce the likelihood that critical data is lost in the event of a cyberattack. Protect the backups in a remote or external location, outside of your network, where they are safe from ransomware that seeks out backup copies to encrypt them as well as the rest of the firm’s network and files. Periodically verify that your data backup process is working properly to assure that your data will be recoverable if a crisis occurs.
- Change and strengthen passwords frequently and make sure employees use different passwords for different products. Systems are only as secure as the passwords used to access them.
- Use multi-factor authentication. This can add an extra level of security to help prevent an account hack, especially when employees work remotely.
- Maintain strong work-from-home cyber hygiene. Reinforce with employees the cyber protocols to be followed when working remotely (e.g., machine use restrictions, WiFi passwords, VPN, firewalls).
- Remind all employees of the importance of powering down computers when not in use. Computers are not accessible to attacks or intrusions when powered off.