War Story #116

War Story #116: Business Management/Accounting Services, Wire Transfer Fraud


Tim Wahl, CPA, served an investment entity client for several years. Wahl assisted the entity's manager, Rob Green, with the preparation of the entity's tax returns, accounting for its investments, issuance of K1s, and coordinating Green’s requests for funds from investors when investments were offered.

Once investments were sold, Wahl worked with Green to allocate the proceeds and wire transfer the proceeds only after receiving Green’s verbal approval.

For one transaction, Green orally approved a wire transfer of about $500,000 to an investor, Jack Stratton. Wahl opened an email message that appeared to be from Green regarding the transfer and clicked an attachment, which prompted a request for another step and entry of a password. Wahl provided the password, which enabled a hacker to take control over his email account and to create spoof email messages. (Wahl hadn’t noticed that the fake email address for Green was off by one character from Green’s actual email address.)

When Wahl emailed Green regarding the wire transfer, the hacker replied with a spoof email from Green, again confirming the transfer. The hacker then sent a spoof email to Wahl from Stratton with wire instructions to a bank account in Tokyo and appeared to copy Green but instead emailed a spoof email address.

Shortly after calling Stratton to confirm the instructions, Wahl received an email ostensibly from Stratton confirming the instructions. What Wahl didn’t know was that the hacker had also hacked Stratton’s email account and had been able to read a transcript of the voicemail Wahl had left Stratton.

Wahl then sent the bank a wire request with the fraudulent wire instructions received from the hacker, copying Green and Stratton. Stratton then emailed a reply to Wahl, stating that the wire instructions were wrong. Sadly, the hacker was diverting the incoming messages from Stratton and Green into a “Notes” folder in the email account, so Wahl never saw the email indicating that the instructions were wrong.

Stratton contacted Green, who then tried to contact Wahl, but Wahl was unavailable. Wahl’s assistant took the call from Green and then called the bank to inform it of the wire transfer problem, but the assistant didn’t have authorized access for the bank account. The assistant emailed Wahl, but the hacker had also diverted her messages to the Notes folder, so Wahl didn’t get it.

Meanwhile, the bank executed the $500,000 wire transfer to the hacker’s account in Tokyo. Afterward, Wahl and the bank had to file police reports, contact the FBI, and begin the long and bureaucratic process of trying to recover the funds (if recoverable). The client was, of course, furious and demanded that the CPA cover all of the damages.

After reading the following questions, select the one answer that is the best response.

1. Which action taken by Wahl was a mistake?

A. Clicking an attachment without verifying that the sender was legitimate.
B. Providing his password in response to a request after clicking an attachment.
C. Not confirming the wire transfer instructions by speaking with Stratton.
D. All of the above.

2. How will the CPA’s insurance coverage respond to the damages caused by the wire transfer fraud?

A. The CPA’s first-party cyber coverage should address the damages because the error was made by the CPA, not by the client.
B. The firm’s third-party cyber coverage should address the damages because the damages were alleged by the client, and the CPA may be liable for the damages.
C. Both A and B.


Answers

1.A. Correct, but not the best answer. Attachments, links and pop-ups should never be clicked without first verifying that they are from a legitimate source. Clicking attachments, links and pop-ups can enable a hacker to download malware and gain access to a computer system. Email addresses and URLs should be examined closely to see whether they have been altered. Links can be examined by hovering the cursor over them without clicking them.

1.B. Correct, but not the best answer. Passwords and other authentication information should never be provided in response to pop-ups or other requests received via email. Hackers use this information to access and take control over email and other computer systems. Always guard your login/authentication credentials.

1.C. Correct, but not the best answer. Always confirm wire transfer instructions and changes to tax refund destinations by speaking with the client. Email replies in response to voice messages can come from hackers who have accessed a client’s voicemail that is forwarded as text or an audio file to an email.

1.D. Correct, and the best answer. Attachments, links and pop-ups should never be clicked without first verifying that they are from a legitimate source. Clicking attachments, links and pop-ups can enable a hacker to download malware and gain access to a computer system. Email addresses and URLs should be examined closely to see whether they have been altered in any way. Links can be examined by hovering the cursor over them without clicking them. Passwords and other authentication information should never be provided in response to pop-ups or other requests that come in via email. Hackers will use this information to access and take control over email and other computer systems. Always guard your login/authentication credentials. Always confirm wire transfer instructions and changes to tax refund destinations by speaking with the client. Ideally, the discussion should include asking questions that only the client would know the answers. Email replies in response to a voice messages can come from hackers who have accessed a client’s voicemail that has been diverted.

2.A. Incorrect. First-party cyber coverage addresses losses and expenses borne by the policyholder firm. In this case, the breach and losses occurred on the client’s side. Damages alleged by clients or other third parties for which the policyholder firm may be liable are typically addressed by the Accountants Professional Liability insurance policy, including transactions induced by fraud, social engineering, or phishing.

2.B. Correct. Damages alleged by clients or other third parties for which the policyholder firm may be liable are typically addressed by the Accountants Professional Liability (APL) insurance policy, including transactions induced by fraud, social engineering, or phishing. CPA firms should be wary of any APL policy that carries an exclusion for claims arising from such damages.

2.C. Incorrect. First-party cyber coverage addresses losses and expenses borne by the policyholder firm. In this case, the breach and losses occurred on the client’s side. Damages alleged by clients or other third parties for which the policyholder firm may be liable are typically addressed by the Accountants Professional Liability insurance policy, including transactions induced by fraud, social engineering, or phishing. CPA firms should be wary of any APL policy that carries an exclusion for claims arising from such damages.

“War Stories” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names have been changed.

Share this post

Leave a comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

Latest Articles