The email looks legitimate and trustworthy, and it appears to be from someone you know, such as a long-term client of the firm. The client requests a change in bank accounts and routing numbers to send a tax refund to the new account. Or the client requests a wire transfer of client funds to a new bank account.
What the recipient can’t tell is that the request is from a hacker who has commandeered both the client’s and the CPA’s email accounts. Messages going out and coming in are being controlled and manipulated on both ends – also known as a “man in the middle” attack.
Services that convert voicemail messages into email messages can also be used to facilitate such attacks. A hacker might even take control of a tax software program, complete and file client tax returns, and redirect refunds to the hacker’s bank account.
Loss prevention tips
Avoid getting lulled into a sense of comfort with email and other communications. Be suspicious if asked to do anything out of the ordinary or routine. A fraudulent email request may resemble prior legitimate requests, but a new bank account receiving the funds is often a red flag, especially if the new account is in another country.
Phishing or social engineering schemes can be sophisticated and even employ high-grade counterfeit documents such as investment direction letters, checks, and insurance policies. Sometimes phone lines are set up to route calls to scammers posing as employees who vouch for the validity of counterfeit checks.
Verbally confirm with the client that they want to proceed in accordance with the directions in the email. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the actual bank account number. Someone who knows the client’s voice can verify a request by calling the client.
Another way to verify requests is to confirm information that only the client would know and a hacker would not have access to. Consider confirming this information verbally with a phone call as well. Also, call senders to verify that unsolicited email attachments or links are legitimate before you open or click them. Better safe than sorry!