Be wary of requests made by email cyber-attacks

Email cyber-attacks

The email looks legitimate and trustworthy, and it appears to be from someone you know, such as a long-term client of the firm. The client requests a change in bank accounts and routing numbers to send a tax refund to the new account. Or the client requests a wire transfer of client funds to a new bank account.

What the recipient can’t tell is that the request is from a hacker who has commandeered both the client’s and the CPA’s email accounts. Messages going out and coming in are being controlled and manipulated on both ends – also known as a "man in the middle" attack.

Services that convert voicemail messages into email messages can also be used to help facilitate such attacks. A hacker might even take control of a tax software program, complete and file client tax returns, and redirect refunds to the hacker’s bank account.

Loss prevention tips

Avoid getting lulled into a sense of comfort with email and other communications. Be suspicious if asked to do anything out of the ordinary or routine. A fraudulent email request may resemble prior legitimate requests, but a new bank account receiving the funds is often a red flag, especially if the new account is in another country.

Phishing or social engineering schemes can be sophisticated and even employ high-grade counterfeit documents such as investment direction letters, checks, and insurance policies. Sometimes phone lines are set up to route calls to scammers posing as employees who vouch for the validity of counterfeit checks.

Verbally confirm with the client that they want to proceed in accordance with the directions in the email. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the actual bank account number. Someone who knows the client’s voice can verify a request by calling the client.

Another way to verify requests is to confirm information that only the client would know and a hacker would not have access to. Consider confirming this information verbally with a phone call as well. Also, call senders to verify that unsolicited email attachments or links are legitimate before you open or click them. Better safe than sorry!

Comments (1)

  • anon

    I find your emails useful & helpful. It helps me in discussing what I can do and not do with my clients, their responsibilities, and mine. I have decided to talk to you regarding insurance, which I have not previously had. Especially with scammers, hackers, and fraudulent everything, I think I need insurance and advice.

    Nov 09, 2017
