Disappearing Client Funds

If your firm is responsible for controlling client funds, then your internal controls should be robust enough to prevent the misuse of funds. The types of engagements providing this service range from basic bookkeeping and bill-paying on behalf of clients to business management engagements in which the firm controls the client’s day-to-day financial affairs. Other high-risk engagements prone to misappropriation include executor and trustee engagements.

Establish a combination of internal financial and security controls; utilize screening processes and background checks for employees and partners with signatory authority over client funds. An engagement letter describing the services being provided and their limitations should be signed by the client.

Firms with authority over client funds to provide business management or bill-paying services, including wire transfers for high net worth clients, can be susceptible to fraudulent wire transfer schemes.

These may occur when fraudulent email requests for wire transfers are crafted to resemble prior legitimate transfer requests. Often, the email accounts of a CPA firm and its clients are commandeered by hackers who alter the communications between the two parties (known as a "man-in-the-middle attack"). The firm and the client believe they are communicating with each other but are being tricked into initiating the fraudulent transfer. The transfers are often made to banks in foreign countries or through a U.S. bank to a foreign bank. Funds are usually not recoverable once the transfers are made.

Alternatively, hackers may trick email recipients into clicking a link or opening a document with enabled macros ("phishing"), allowing malware to be installed and giving the hacker the ability to access and control the recipient's email or enter their network.

Loss Prevention Tips
Use your professional skepticism to avoid becoming lulled into a sense of comfort regarding email and other communications from clients and third parties. Any request for money to be transferred to a bank account unfamiliar to you is often a red flag, especially if the new account is in another country.

If the firm's protocol is to permit requests for wire transfers to be made via email, then have a procedure in place to confirm requests by a means other than email, and proceed with the wire only after confirming with the client that the request is legitimate. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the actual bank account number. To verify the authenticity of the request, confirm information known only to the client (ask questions to which hackers would not know the answers).

Educate all employees about good cyber-hygiene and how to avoid phishing attempts that target them with social engineering techniques designed to install malware or to deceive and elicit confidential information.
