War Story 120-B

Topic: Fraudulent PPP loans

Services: Tax return preparation

Russ Erickson, CPA, knew something was wrong when the IRS began rejecting tax returns he had prepared and submitted for some of his clients. When he contacted the IRS, they suspected that the clients’ Social Security Numbers (SSNs) had already been used for fraudulent tax returns, indicating that data had been breached at some point.

Erickson’s firm had experienced a ransomware attack a few months earlier, before the firm had secured cyber coverage. Fortunately, the firm had current offline backups of its data and so was able to use a recent backup to restore its data and avoid paying a ransom. However, there was the possibility that the hacker had copied SSNs from the data while it was encrypted.

Not long after the tax returns had been rejected, clients began to call Erickson to inform him that their SSNs had been used to apply for fraudulent PPP loans. The Small Business Administration (SBA), which administered the PPP loan program, had looked into the suspect loans and reported the fraudulent use of the SSNs to the Federal Bureau of Investigation (FBI), which began its own investigation.

Erickson had become a CAMICO policyholder with cyber coverage after the earlier ransomware attack and reported the SSN problems to CAMICO. CAMICO engaged its cyber breach response partner, CyberScout, and cooperated with the SBA and the FBI in their investigation. The FBI wanted to determine the source of the SSNs in question and who was responsible for stealing and misusing them.

CAMICO and CyberScout helped Erickson draft a notification letter to his affected clients to describe what had happened and what was being done to resolve the problem. Credit monitoring services were offered to the clients.

The FBI found that more than 100 fraudulent loans had been initiated with false SSNs. Once the FBI had determined that a malicious actor had stolen the SSNs, the Bureau requested that the SBA remove the fraudulent loans from the SBA’s legitimate loan records and website. The FBI also determined that the ransomware attack had been organized by a hacker after one of Erickson’s firm partners had sent an unencrypted email message via an unsecured public wi-fi network.

CAMICO and CyberScout helped the CPA draft a letter to his clients describing the results of the investigations. Some of the clients had been affected when their credit was frozen as a result of the fraudulent PPP loans. However, damages were relatively minimal, as the PPP loans were expedited without credit checks, resulting in little or no changes to the clients’ credit ratings.

After reading the following questions, select the one answer that is the best response.

  1. How will the firm’s insurance coverage respond to the losses?
    1. First-party cyber coverage should address the damages because the expenses were borne by the policyholder firm (e.g., expenses related to investigations, IT forensics, notification letters, credit monitoring services, media relations, and restoration of data activity expenses for the policyholder).
    2. Third-party cyber coverage should address the damages because the damages were caused by clients’ SSNs being stolen.
    3. a. and b.
  2. How could the firm have prevented the ransomware attack and theft of SSNs?
    1. The firm partner should not have used a public wi-fi network when working with SSNs and other personal identity information.
    2. The firm should have had cyber coverage in place to address the expense of sending notification letters to clients after the ransomware attack, notifying them that their SSNs may have been stolen during the attack.
    3. Both a. and b.
Answers
  • 1.a. Correct. First-party cyber coverage addresses losses and expenses borne by the policyholder firm.
  • 1.b. Incorrect. Third-party coverage would not address the damages unless there are damages alleged by the client or other third parties for which the policyholder firm may be liable.
  • 1.c. Incorrect. First-party cyber coverage addresses losses and expenses borne by the policyholder firm. However, third-party coverage would not address the damages unless there are damages alleged by the client or other third parties for which the policyholder firm may be liable.
  • 2.a. Correct. Avoid public wi-fi or hotspots when inputting or working with personal identity information. Cybercriminals can easily see individuals’ information on public wi-fi. Wait until you’re on a trusted network.
  • 2.b. Correct, but not the best answer. The firm should have had cyber coverage in place, but that by itself would not have prevented to ransomware attack and theft of the SSNs.
  • 2.c. Correct, but not the best answer. The firm should have had cyber coverage in place, but that by itself would not have prevented to ransomware attack and theft of the SSNs.


“War Stories” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names have been changed.

For more information on first-party and third-party cyber coverages, see the article, “Understanding First-Party and Third-Party Cyber” in this issue of IMPACT.

Share this post

Latest Articles

  • 10 Aug

    5 Warning Signs of a Claim

    Even when covered by insurance, claims can have a significant impact on your practice in terms of time, money, professional reputation, and peace of mind. By knowing the warning signs of a claim, and calling your risk advisor early on, you can help minimize the impact of lo... read more

  • 24 Jun

    Indemnification: Understanding Your Risks

    By Suzanne M. Holl, CPA

    CPA firms are experiencing an uptick in clients trying to embed indemnification and hold harmless clauses in various agreements. Many of the clauses are inappropriate for CPA services or overly broad – even to the point of shifting all ... read more