War Story 119

Subject: Business Management Services; Wire Transfer Fraud

John Duval, CPA, had been engaged for several years by a high-net-worth client, Ed Robertson, who developed commercial and residential real estate. Duval provided business management and bill-paying services, which included wire transfer authority to pay Robertson's bills and transfer funds.

Robertson did not want to be interrupted to confirm the wire transfers, so the payments were confirmed by email. Robertson had an assistant copied on the email confirmations as a backup to Robertson, and the assistant received and reviewed monthly statements detailing all of Robertson's financial transactions.

A hacker had penetrated and commandeered Robertson's email account and emailed a request to Duval to wire funds to a new account — a classic "man in the middle" attack. The hacker had accessed the assistant's email and had studied previous requests and messages sent between Robertson, Duval, and the assistant. This enabled him to craft a request that mimicked previous legitimate requests. Duval emailed Robertson and his assistant to confirm the request. The hacker intercepted Duval's message and emailed him back, confirming that he had authorized the fraudulent $100,000 wire to the hacker's overseas bank account.

A week later, Duval received another apparently legitimate request from Robertson's email to transfer $150,000 to the same account, and the CPA emailed the assistant again for confirmation. A reply, again from the hacker, spoofed a confirmation of the payment. Two more payments, one of about $200,000 and another of about $250,000, were also requested, fraudulently confirmed, and then transferred.

The assistant finally received the monthly statement of financial transactions and uncovered the fraudulent wire transfers. By then, nearly $700,000 had been transferred into the hacker's account. The bank involved was unable to recover the funds and denied responsibility for the transfer. Robertson was outraged that Duval was duped into making the fraudulent wire transfers and demanded to be made whole. He also complained to the state board of accountancy, which had recently opined that a CPA was the last line of defense in protecting the client's funds against fraud.

After reading the following questions, select the one answer that is the best response.

1. What was the main weak point in the verification protocol used by the client and the CPA?
  a. The protocol and procedures relied on email messages instead of phone calls.
  b. The client and assistant did not receive a notification each time a transaction took place.
  c. The CPA did not have an agreement with the client that indemnified the CPA in the event of a fraudulent wire transfer.

2. What information should be confirmed when responding to a wire transfer request?
  a. The dollar amount of the transfer.
  b. The name of the financial institution.
  c. The actual bank account number.
  d. Personal information that only the client would know.
  e. All of the above.

3. How will the CPA's insurance coverage respond to the damages caused by the wire transfer fraud?
  a. The CPA's first-party cyber coverage should address the damages because the error was made by the CPA, not by the client.
  b. The firm's third-party cyber coverage should address the damages because the damages were alleged by the client, and the CPA may be liable for the damages.
  c. Both a. and b.

Answers

1.a. Correct. Transfers of funds should be confirmed verbally over the phone, or in person, ideally by speaking directly with the client — not by email, even if the email is in response to a voice message.
1.b. Incorrect. A notification would reduce the lag time between the time when the payment is made and the time when the client receives a monthly statement, but it happens after the transaction is made. Also, if the notification is by email, the hacker could intercept it.
1.c. Incorrect. Having an indemnification clause in the engagement letter may certainly help to limit the CPA's ultimate damages, but it is not a "control mechanism" that would help to detect/prevent the fraudulent wire transfer.

2.a. Correct, but there is a better response.
2.b. Correct, but there is a better response.
2.c. Correct, but there is a better response.
2.d. Correct, but there is a better response.
2.e. Correct, and the best response. The information should be confirmed by phone call or in person and not by email.
3.a. Incorrect. First-party cyber coverage addresses losses and expenses borne by the policyholder firm. In this case, the breach and losses occurred on the client's side. Damages alleged by clients or other third parties for which the policyholder firm may be liable are typically addressed by the Accountants Professional Liability insurance policy, including transactions induced by fraud, social engineering, or phishing.
3.b. Correct. Damages alleged by clients or other third parties for which the policyholder firm may be liable are typically addressed by the Accountants Professional Liability (APL) insurance policy, including transactions induced by fraud, social engineering, or phishing. CPA firms should be wary of any APL policy that carries an exclusion for claims arising from such damages.
3.c. Incorrect. First-party cyber coverage addresses losses and expenses borne by the policyholder firm. In this case, the breach and losses occurred on the client's side. Damages alleged by clients or other third parties for which the policyholder firm may be liable are typically addressed by the Accountants Professional Liability insurance policy, including transactions induced by fraud, social engineering, or phishing. CPA firms should be wary of any APL policy that carries an exclusion for claims arising from such damages.

"War Stories" are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names have been changed.

For more loss prevention tips, see the article, "Malpractice Risks Increase During Difficult Economic Times" in this issue of IMPACT.
