Subject: Business Management Services; Wire Transfer Fraud
John Duval, CPA, had been engaged for several years by a high-net-worth client, Ed Robertson, who developed commercial and residential real estate. Duval provided business management and bill-paying services, which included wire transfer authority to pay Robertson’s bills and transfer funds.
Robertson did not want to be interrupted to confirm the wire transfers, so the payments were confirmed by email. Robertson had an assistant copied on the email confirmations as a backup to Robertson, and the assistant received and reviewed monthly statements detailing all of Robertson’s financial transactions.
A hacker had penetrated and commandeered Robertson’s email account and emailed a request to Duval to wire funds to a new account — a classic “man in the middle” attack. The hacker had accessed the assistant’s email and had studied previous requests and messages sent between Robertson, Duval, and the assistant. This enabled him to craft a request that mimicked previous legitimate requests. Duval emailed Robertson and his assistant to confirm the request. The hacker intercepted Duval’s message and emailed him back, confirming that he had authorized the fraudulent $100,000 wire to the hacker’s overseas bank account.
A week later, Duval received another apparently legitimate request from Robertson’s email to transfer $150,000 to the same account, and the CPA emailed the assistant again for confirmation. A reply, again from the hacker, spoofed a confirmation of the payment. Two more payments, one of about $200,000 and another of about $250,000, were also requested, fraudulently confirmed, and then transferred.
The assistant finally received the monthly statement of financial transactions and uncovered the fraudulent wire transfers. By then, nearly $700,000 had been transferred into the hacker’s account. The bank involved was unable to recover the funds and denied responsibility for the transfer. Robertson was outraged that Duval was duped into making the fraudulent wire transfers and demanded to be made whole. He also complained to the state board of accountancy, which had recently opined that a CPA was the last line of defense in protecting the client’s funds against fraud.
After reading the following questions, select the one answer that is the best response.
1. What was the main weak point in the verification protocol used by the client and the CPA?
- a. The protocol and procedures relied on email messages instead of phone calls.
- b. The client and assistant did not receive a notification each time a transaction took place.
- c. The CPA did not have an agreement with the client that indemnified the CPA in the event of a fraudulent wire transfer.
2. What information should be confirmed when responding to a wire transfer request?
- a. The dollar amount of the transfer.
- b. The name of the financial institution.
- c. The actual bank account number.
- d. Personal information that only the client would know.
- e. All of the above.
3. How will the CPA’s insurance coverage respond to the damages caused by the wire transfer fraud?
- a. The CPA’s first-party cyber coverage should address the damages because the error was made by the CPA, not by the client.
- b. The firm’s third-party cyber coverage should address the damages because the damages were alleged by the client, and the CPA may be liable for the damages.
- c. Both a. and b.
Answers
1.a. Correct.
Transfers of funds should be confirmed verbally over the phone, or in person, ideally by speaking directly with the client — not by email, even if the email is in response to a voice message.
1.b. Incorrect.
A notification would reduce the lag time between the time when the payment is made and the time when the client receives a monthly statement, but it happens after the transaction is made. Also, if the notification is by email, the hacker could intercept it.
1.c. Incorrect.
Having an indemnification clause in the engagement letter may certainly help to limit the CPA’s ultimate damages, but it is not a “control mechanism” that would help to detect/prevent the fraudulent wire transfer.
2.a. Correct, but there is a better response.
2.b. Correct, but there is a better response.
2.c. Correct, but there is a better response.
2.d. Correct, but there is a better response.
2.e. Correct, and the best response.
The information should be confirmed by phone call or in person and not by email.
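As an added illustration of the controls behind answers 1.a and 2.e (example code, not part of the original CAMICO piece), the release gate below holds a wire unless it was confirmed by a callback to a phone number on file, the confirmed amount, bank and account match the request, the client supplied agreed client-only information, and the payee is not newly added. The phone number, the 30-day window and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed example: a release gate modelled on the answer key's controls
# (callback to a number on file, field-by-field match, client-only verification
# information, scrutiny of newly added payees). Values below are assumptions.

CLIENT_PHONE_ON_FILE = "+1-555-0100"   # constructed; recorded at engagement, never taken from an email
NEW_BENEFICIARY_DAYS = 30              # assumed review window for first-time payees

@dataclass
class WireRequest:
    amount: float
    bank: str
    account: str
    beneficiary_first_seen: date   # date this payee account first appeared in the client's records

@dataclass
class Confirmation:
    channel: str                   # "callback" (CPA dials the number on file) or "email"
    number_dialed: Optional[str]
    amount: float
    bank: str
    account: str
    secret_ok: bool                # client answered the agreed client-only question correctly

def verify_wire(req: WireRequest, conf: Confirmation, today: date) -> List[str]:
    """Return the reasons the wire must be held; an empty list means it may be released."""
    holds = []
    # An email reply is not a confirmation: the mailbox itself may be the attacker's.
    if conf.channel != "callback" or conf.number_dialed != CLIENT_PHONE_ON_FILE:
        holds.append("confirmation was not a callback to the number on file")
    if (conf.amount, conf.bank, conf.account) != (req.amount, req.bank, req.account):
        holds.append("confirmed amount, bank or account does not match the request")
    if not conf.secret_ok:
        holds.append("client-only verification information not provided")
    if (today - req.beneficiary_first_seen).days < NEW_BENEFICIARY_DAYS:
        holds.append("beneficiary account is new to the client's records")
    return holds

# Constructed inputs modelled on the first $100,000 wire in the case.
TODAY = date(2024, 3, 1)
FRAUD_REQ = WireRequest(100000.0, "Overseas Bank", "OB-000111", beneficiary_first_seen=TODAY)
EMAIL_REPLY = Confirmation("email", None, 100000.0, "Overseas Bank", "OB-000111", secret_ok=False)
# A long-standing payee confirmed on a proper callback.
KNOWN_REQ = WireRequest(100000.0, "Home Bank", "HB-222333", beneficiary_first_seen=date(2023, 1, 15))
CALLBACK = Confirmation("callback", CLIENT_PHONE_ON_FILE, 100000.0, "Home Bank", "HB-222333", secret_ok=True)
```

Running `verify_wire(FRAUD_REQ, EMAIL_REPLY, TODAY)` returns three holds (no callback, no client-only information, new payee), while the known payee confirmed by callback returns none.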
3.a. Incorrect.
First-party cyber coverage addresses losses and expenses borne by the policyholder firm. In this case, the breach and losses occurred on the client’s side. Damages alleged by clients or other third parties for which the policyholder firm may be liable are typically addressed by the Accountants Professional Liability insurance policy, including transactions induced by fraud, social engineering, or phishing.
3.b. Correct.
Damages alleged by clients or other third parties for which the policyholder firm may be liable are typically addressed by the Accountants Professional Liability (APL) insurance policy, including transactions induced by fraud, social engineering, or phishing. CPA firms should be wary of any APL policy that carries an exclusion for claims arising from such damages.
3.c. Incorrect.
First-party cyber coverage addresses losses and expenses borne by the policyholder firm. In this case, the breach and losses occurred on the client’s side. Damages alleged by clients or other third parties for which the policyholder firm may be liable are typically addressed by the Accountants Professional Liability insurance policy, including transactions induced by fraud, social engineering, or phishing. CPA firms should be wary of any APL policy that carries an exclusion for claims arising from such damages.
“War Stories” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names have been changed.
For more loss prevention tips, see the article, “Malpractice Risks Increase During Difficult Economic Times” in this issue of IMPACT.