Topic: Fraudulent Wire Transfers, Social Engineering Scheme
Services: Bookkeeping and Bill Pay
Worthingham Financial, an established accounting firm, has been providing bookkeeping and bill pay services to consumer finance business Smart Money Express. The process is consistent: Smart Money receives its invoices from its Chief Operating Officer, Larry Tollefson. If an invoice is for more than $25K, Smart Money founder Dustin Rogers approves it and then forwards it to Worthingham to process. Worthingham employee Lisa Hightower then pays the invoices from Smart Money’s bank accounts. Smart Money has a general checking account and a money market account. Worthingham is allowed to transfer up to $25K from the money market account to the checking account without any verbal confirmation.
On Feb. 6, Lisa Hightower asked Larry Tollefson for an email address for the payment recipient at Sun Valley Trust. The investment documents were described as invoices, and the address provided was a personal email: firstname.lastname@example.org. The initial invoice request was for $95K, and six other payments followed: $550K, $500K, $200K, $500K, $500K and $720K. They were for “investment purposes,” which fall outside the scope of Worthingham’s typical payment services. But Worthingham believed the invoices were from Smart Money because the emails appeared to come from the correct Smart Money personnel and included language that “was like that used by Smart Money staff.” Payment information showed “US bank” as the recipient account (“Bank” not being capitalized on the payment detail format sheet).
By early May, $1,345,000 had been paid to the account. Smart Money’s payroll company, ADP, emailed Lisa Hightower at Worthingham and Dustin Rogers at Smart Money stating that there were insufficient funds in Smart Money’s account to make payroll and that $700K needed to be transferred to the general checking account from the money market account. Lisa Hightower spoke with Dustin Rogers about the situation and was directed to make multiple $25K transfers to the checking account; however, Rogers would later deny having that conversation or making the request. It wasn’t until May 30 that Dustin Rogers logged into Smart Money’s bank account and saw the writing on the wall. Smart Money had been hacked, and Worthingham had been receiving and paying fraudulent invoices from its account, transferring in total $3,065,000 to a fraudster.
Select the answer that is the best response.
1. What was the key mistake Worthingham Financial made in its verification protocol for payments?
a. The protocol and procedures relied on email messages instead of phone calls.
b. The client and Worthingham did not receive a notification each time a transaction took place.
c. Worthingham did not have an agreement with the client that indemnified the CPA in the event of a fraudulent wire transfer.
d. Worthingham didn’t contact the client’s bank for each transfer.
2. What were other missed red flags regarding the fraudulent invoice requests?
a. The payment recipient email was a personal address, not a professional email or linked to the bank.
b. The invoices were labeled as “investment purposes,” which is outside of the scope of payments provided by Worthingham Financial.
c. The payment details showed “US bank” (misspelled) not “US Bank” as the recipient account.
d. All the above.
Transfers of funds should be confirmed verbally over the phone, or in person, ideally by speaking directly with the client — not by email, even if the email is in response to a voice message. Validate the authenticity of the request by confirming information only known to the client (ask questions to which hackers would not know the answers). In addition, document who the authorized client representative(s) would be for providing such consent if the client is not available.
a, b and c are all suspicious indicators of fraudulent activity that Worthingham Financial ignored when it proceeded with the wire transfers. When fraud is discovered after the transfer, the funds are usually not recoverable, so use your professional skepticism to avoid being lulled into acting on a scam request or transaction.
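The red flags listed in question 2 and the verbal-confirmation rule above can be turned into a pre-payment screen that a bill-pay practice runs before any wire is released. The following is an added illustration, not part of the CAMICO case; the personal-mail domain list, the permitted purposes, the payee bank on file and the sample requests are constructed assumptions, with only the $25K threshold, the “investment purposes” label, the example.org address and the “US bank” spelling taken from the case.

```python
from dataclasses import dataclass

# Constructed stand-ins for the engagement's own records (assumptions).
PERSONAL_MAIL_DOMAINS = {"example.org", "gmail.com", "yahoo.com", "outlook.com"}
PERMITTED_PURPOSES = {"vendor invoice", "rent", "utilities", "payroll"}
PAYEE_BANKS_ON_FILE = {"US Bank"}            # spelling exactly as registered
VERBAL_CONFIRMATION_THRESHOLD = 25_000       # the $25K limit from the case


@dataclass
class PaymentRequest:
    amount: float
    purpose: str
    recipient_email: str
    recipient_bank: str
    verbally_confirmed: bool = False   # confirmed by phone or in person, never by email


def screen(req: PaymentRequest) -> list[str]:
    """Return every red flag the request trips; an empty list means none fired."""
    flags = []
    domain = req.recipient_email.rsplit("@", 1)[-1].lower()
    if domain in PERSONAL_MAIL_DOMAINS:
        flags.append("recipient address is a personal mailbox, not a bank or vendor domain")
    if req.purpose.lower() not in PERMITTED_PURPOSES:
        flags.append(f"purpose '{req.purpose}' is outside the bill-pay engagement scope")
    banks_ci = {b.lower(): b for b in PAYEE_BANKS_ON_FILE}
    if req.recipient_bank not in PAYEE_BANKS_ON_FILE:
        if req.recipient_bank.lower() in banks_ci:
            # The "US bank" tell: same letters as the payee on file, different case.
            flags.append(f"bank name '{req.recipient_bank}' differs from "
                         f"'{banks_ci[req.recipient_bank.lower()]}' only in capitalization")
        else:
            flags.append(f"bank '{req.recipient_bank}' is not a payee on file")
    if req.amount > VERBAL_CONFIRMATION_THRESHOLD and not req.verbally_confirmed:
        flags.append("amount exceeds threshold without out-of-band verbal confirmation")
    return flags


# Constructed sample requests: the first mirrors the case's initial $95K "invoice".
FRAUDULENT_REQUEST = PaymentRequest(95_000, "investment purposes",
                                    "firstname.lastname@example.org", "US bank")
ROUTINE_REQUEST = PaymentRequest(12_000, "vendor invoice",
                                 "ap@officesupply.example", "US Bank")

if __name__ == "__main__":
    for req in (FRAUDULENT_REQUEST, ROUTINE_REQUEST):
        print(f"${req.amount:,.0f} {req.purpose!r}: {screen(req) or ['clear']}")
```

Any non-empty result should hold the payment until the flagged items are cleared with the client by phone or in person, using the documented authorized representative when the client is unavailable.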
The “Claim Chronicles” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names were changed.