Like most CPAs, we have been watching the news unfold around the recent Wolters Kluwer (CCH) outage that began on Monday, May 6. According to their public statements, when the company discovered some “anomalies” in certain software platforms and applications, they proactively shut down their software platforms and applications and notified law enforcement.
Although the company has acknowledged that these anomalies appear to be the result of a malware attack, there is some “good news.” In their public updates as of the date of this writing, the company continues to report that they have NOT seen any evidence that customer data was taken or that there was a breach of confidentiality of that data. They have indicated that their investigation continues, and further updates will be provided on their website at: https://wolterskluwer.com/company/newsroom/news/2019/05/media-statement—network-and-service-interruptions.html
On the home front, CAMICO has seen an uptick in calls from policyholders reporting social engineeringSocial engineering
is considered the act of gathering and using information, often posted on social media sites or public websites, to deceive and manipulate people into performing actions or divulging confidential information. Below is an example of a new trend in social engineering scams that has targeted accounting firms, as well as other companies:
The firm’s Human Resources Manager received an email purporting to be from one of the firm partners, although the email address was not an internal email address. The email stated that he wanted to update HR on his personal direct deposit information so that effective immediately, his payroll checks could be deposited into a different bank. The Human Resources Manager responded to the email and copied in the payroll clerk who handles the payroll processing and direct deposit information for the company. The Human Resources Manager instructed the partner to fill out the attached direct deposit form and send it directly to the payroll clerk. The change was made, and bank deposits began to go into this new bank account beginning with the next payroll cycle. However, it turns out that the person who sent the email requesting the change was NOT, in fact, the actual partner whose information was changed. Once the partner became aware that his payroll earnings were not deposited into his account, he spoke directly with the firm’s payroll clerk and the scheme was uncovered. The firm has filed a police report in an attempt to recover the diverted funds.
This type of social engineering scam is incredibly simple and could happen to many CPA firms and companies alike and is similar to the CEO scams requesting W-2 information that began occurring a couple of years ago. A crook pretends to be an employee with what appears to be a relatively straight-forward request. Once funds have been wired to an unknown bank account, they are almost impossible to recover. Scammers can open pop-up bank accounts in other countries and then close them before the victims realize what has happened.
Loss Prevention Tips
Anytime there is a request to change bank accounts or transfer money in today’s world, whether from an employee, client or anyone else, you should certainly at a minimum follow these basic loss prevention tips:
- Avoid getting lulled into a sense of comfort with email and other communications. Be suspicious if asked to do anything out of the ordinary or routine. For example, in the scenario described above, using a different email instead of the internal firm/company email was unusual. BE SKEPTICAL!
- Check, double-check, and triple-check the email address, as a fake email address can easily be disguised as a legitimate email address by being off by one character (e.g., “businesware.com” vs. “businessware.com”).
- Make it a standard protocol to get a verbal/oral confirmation from the sender about the authenticity of the request from someone who knows his or her voice. Without verbal confirmation, reasonable skepticism suggests it may be a fraudulent request; this especially applies to unusual requests such as banking changes, payments to “out of the ordinary” vendors/third parties, and unusual/substantial amounts.
Few effective technical security controls exist that can defend against clever social engineering attacks, so it is extremely important to also provide regular periodic training to firm staff on computer security and best practices.
If you have any questions, please contact CAMICO at 1.800.652.1772 or email the Loss Prevention Department at firstname.lastname@example.org
For additional CAMICO guidance, policyholders are encouraged to access the Identity Theft and Data Security Resource Center(www.camico.com)
on the CAMICO Members-Only Site