November Tip of the Month: Voicemail-Email Fraud, Investment Advisory Services

Wealthy shipping magnate John Urich had established a trust to care for his disabled wife in the event of his death. Urich’s CPA, Greg Roberts, provided tax and investment advisory services to Urich, while the trust department of Commercial Fiduciary Bank provided trustee services.

At one point Roberts received an email message from Urich requesting a transfer of approximately $200,000 to a foreign account. Roberts called Urich to verify the request and left a message in Urich’s voicemail. Minutes after leaving the message, Roberts received a message from Urich’s email account confirming the request. Roberts then advised Urich to send an investment direction letter to the trustee at Commercial Fiduciary Bank, while Roberts forwarded instructions to the trustee regarding the transfer of funds.

When the trustee received an investment direction letter with Urich’s signature on it, he followed the instructions provided by Roberts and transferred the $200,000 into the foreign account. Shortly after that, Roberts received a call from Urich stating that he had not authorized the transfer of funds, and that Urich was expecting Roberts to replace the $200,000 that Urich claimed had been stolen by a hacker via an elaborate phishing scheme.

Where did Roberts make a wrong turn?
  A. Roberts should have more carefully screened and investigated Urich’s background as a new client when he was first engaged by Urich to provide investment advisory services.
  B. Roberts should have used a better spam filter to catch fraudulent email messages being sent by hackers and scammers.
  C. Roberts should have spoken directly with Urich in detail about the transfer, making sure that he was speaking with Urich, by recognizing Urich’s voice and by asking Urich to confirm information that only Urich would know and that a hacker would not have access to.
  D. All of the above.


Feedback

A. Incorrect. While all significant engagements and clients should be screened thoroughly, including background investigation reports, the client was not the problem in this situation.

B. Incorrect. Spam filters might catch some fraudulent email messages using slightly misspelled addresses (e.g., “businesnews.net” instead of “businessnews.net”), but that was not a factor in this situation. The client’s voicemail and email accounts had been hacked and commandeered by a scammer who was sending fraudulent messages from the client’s legitimate email account. In this situation the CPA did not realize that the client’s voicemail messages were being delivered to the client’s email account, enabling the hacker to receive and confirm messages. It is also wise to check senders’ email addresses, and to check the web addresses of links by hovering over the links with the cursor without clicking on them. Also, treat any attachment you didn’t request as highly suspect. Do not open it.

C. Correct. Phishing or social engineering schemes can be highly sophisticated, employing high-grade counterfeit documents. In this situation, the scammer copied an older investment direction letter from the client’s email account, updated it with a current message, and forged the client’s signature on the letter. In other cases, high-grade counterfeits have been made of checks and insurance policies. Scammers will sometimes set up phone lines that route calls to scammers posing as employees who vouch for the validity of counterfeit checks. Transfers of funds should be verified by a phone call directly to the client by someone who knows his or her voice. A phone call can confirm information that only the client would know and that a hacker would not have access to. Consider cyber insurance to provide protection against losses stemming from data security being compromised. For information about CAMICO Cyber Coverage visit http://www.camico.com/cyber-coverage. For more information about CPA firm insurance issues, call CAMICO at 1.800.652.1772 or visit www.camico.com.
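The two controls described in feedback B and C can be written down as a simple screening step that a firm runs before acting on any emailed transfer request. The following is an added example, not code from the CAMICO post or from any CAMICO product: it flags lookalike sender domains such as “businesnews.net” against a list of domains the firm already corresponds with (feedback B), and it makes a voice callback to the phone number already on file mandatory regardless of the domain check, because a message sent from the client’s real, compromised account passes every domain check (feedback C). The client domains, the message and the policy rules are constructed assumptions for illustration.

```python
"""Added example: screening an emailed funds-transfer request.

Constructed sample data and an assumed firm policy; not CAMICO's code.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: domains the firm already corresponds with.
KNOWN_CLIENT_DOMAINS = {"urichshipping.example", "businessnews.net"}

# Constructed sample: the only phone numbers a callback may go to.
PHONE_NUMBERS_ON_FILE = {"john.urich@urichshipping.example": "+1-555-0100"}


@dataclass
class TransferRequest:
    sender: str                            # From: address as shown in the message
    # Hypothetical field: a phone number the email itself asks us to call.
    phone_number_in_email: Optional[str] = None


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sender's domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_CLIENT_DOMAINS:
        return "known"
    # Within two edits of a known domain: treat as a lookalike (e.g. one dropped letter).
    if any(levenshtein(domain, known) <= 2 for known in KNOWN_CLIENT_DOMAINS):
        return "lookalike"
    return "unknown"


def required_actions(req: TransferRequest) -> List[str]:
    """Controls to apply before acting on the request (assumed firm policy)."""
    actions = []
    kind = classify_sender_domain(req.sender)
    if kind == "lookalike":
        actions.append("reject-lookalike-sender")
    elif kind == "unknown":
        actions.append("hold-unknown-sender")
    # A message from the real account proves nothing about who typed it (in the
    # story the account itself was compromised), so the callback is unconditional:
    # a live call to the number on file, by someone who knows the client's voice,
    # confirming details only the client would know. An email reply or a
    # voicemail is never accepted as confirmation.
    actions.append("voice-callback-to-number-on-file")
    if req.phone_number_in_email:
        # A number supplied by the message could be answered by the scammer.
        actions.append("ignore-number-quoted-in-email")
    return actions


def callback_number(req: TransferRequest) -> Optional[str]:
    """The number to dial: always the one on file, never one from the email."""
    return PHONE_NUMBERS_ON_FILE.get(req.sender.lower())


if __name__ == "__main__":
    # Constructed message resembling the one in the story: real account, foreign transfer.
    story = TransferRequest(sender="john.urich@urichshipping.example")
    print(classify_sender_domain(story.sender), required_actions(story), callback_number(story))
    # Constructed lookalike-domain message, the case a spam filter might catch.
    spoof = TransferRequest(sender="editor@businesnews.net", phone_number_in_email="+1-555-0199")
    print(classify_sender_domain(spoof.sender), required_actions(spoof))
```

Note the asymmetry the story illustrates: the spoofed message is rejected by the domain check, while the message from the genuine account yields nothing except the callback requirement, which is exactly the control that was skipped when a voicemail reply was accepted as confirmation.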

D. Incorrect, as explained in the preceding feedback.

“War Stories” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names have been changed.



Interested in Complimentary SSARS No. 21 Compliant Sample Engagement Letters?

SSARS No. 21 is effective for financial statement engagements for periods ending after December 14, 2015, but early implementation is permitted. Download — SSARS No. 21 Compliant Sample Engagement Letters, plus Loss Prevention Tips on how to safely implement SSARS No. 21 and reduce your risk exposure. http://cpa.camico.com/CAMICO-Resources/SSARS21-Resources

