Wire transfer fraud is a risk to any business. Here are 10 actions to take to help prevent your firm from falling victim to a wire fraud scam.
By Sarah Beckett Ference, CPA
Wire transfer fraud, typically perpetrated via business email compromise, is a known risk to all types of businesses, including CPA firms. When a CPA firm handles client money, additional risk ensues.
In a typical wire transfer fraud scheme, the fraudster impersonates a trusted individual and sends a phony email to someone at the firm. The email may refer to a legitimate debt or invoice but provide a slightly different account or routing number, or the criminal may create a false invoice to be paid. The email recipient does not notice what can be subtle clues in the email and believes the fraudster to be the trusted individual they are imitating. The money is sent to the fraudster’s account and is immediately withdrawn or transferred before the fraud is detected. Poof! The money is gone.
How can CPA firms protect themselves? Here are 10 actions to take before, during, and after payment processing to help prevent your firm from falling victim to a wire fraud scheme.
Prepare thoroughly
Lay the proper groundwork to help prevent a wire transfer fraud attack before it starts.
1. Implement a data security policy and update it often
Sound data security protocols include layers of protection for a CPA firm’s network. Common data security protocols include, but are not limited to, using virtual private networks to facilitate remote access to the firm’s systems, keeping software up to date with the most current versions and installing security patches as soon as they are released, and requiring employees to use lengthy and complex passwords that must be changed regularly. Creating and regularly testing an incident response plan to help guide the firm’s response to a data security incident is also highly recommended.
2. Educate all firm personnel about data security risk and their role in managing it
As the cyber risk landscape is constantly shifting, the responsibility of every individual to help protect the firm and its data should be continually reinforced. Hold regular, firmwide training that focuses on data security risk and ever-evolving social engineering schemes. Training should include common warning signs of a fictitious email, stress the importance of not clicking on unfamiliar links and attachments from unknown senders, and communicate what should be done if a malicious email is suspected or acted upon.
3. Test your personnel’s ability to identify potential cybercrimes
Consider employing a third party to launch simulated social engineering attacks on your partners and employees to assess the firm’s readiness to identify and repel actual cybercrimes. The results of simulated attacks can help identify where additional training or data security protocols are needed.
4. Use secure methods to communicate with clients
Use secure web-based portals to share information, such as tax or financial reporting data, and conduct certain types of business, such as payment requests. Portals provide greater protection than customary email. If a client does not wish to communicate with the firm using a portal or any other secure means of communication, consider whether the client poses an unnecessary risk to the firm.
Execute carefully
Approach any request for funds with care and caution.
5. Agree on payment protocols in advance
At the onset of any engagement that includes access to client funds, agree on payment request and approval protocols with the client. How will payment requests be submitted to the firm? Who is authorized by the client to request payments? How will the client approve and authenticate payments to be made? What is the process to be followed for the rare emergency or if the authorized client contact cannot be reached? Once established, payment process protocols should be memorialized in writing, whether in the engagement letter or another form of documentation. The client should also acknowledge that they understand and accept the risk that, even if the firm follows the protocols established with the client, a fraudulent transfer may still occur.
6. Require clients to implement their own security measures
In some wire transfer fraud scenarios, the client’s email is compromised, and a fictitious payment request is sent from the fraudster using the client’s hacked email account. As such, include an engagement letter provision that obligates the client to protect the security of their own email account or other method used to communicate with and transmit information to the firm’s engagement team. While this provision may not completely absolve the CPA firm of liability should a fictitious payment be made, it helps put the client on notice that they, too, have a responsibility to protect the security of their assets.
7. Mandate dual authentication for all payments
Before wiring any funds, CPAs should confirm that the request to transfer funds is from the actual client. Dual authentication is a paramount step, but it is too often skipped. The process to authenticate requests, including who should be contacted and the phone number(s) to use, should be included in the payment protocols previously agreed to. Do not authenticate a payment request using a phone number included in the payment request email.
Some sophisticated schemes may employ deepfake voice technology, especially if the client is a high-profile individual such as an athlete or celebrity. To combat the potential for deepfakes, insist upon a live discussion, staying alert for unusual word choices, tones of voice, and inflections. Also consider using passwords or codewords in addition to the live phone call authentication.
8. Involve more than one person
Segregation of cash-handling duties isn’t just good advice for a client but for the CPA firm, too. Where possible, involve more than one person in wire transfer and bill payment transactions. For example, separate responsibilities at the firm so that the individual who receives payment requests is not the same person who authorizes and processes the request. This divide-and-conquer approach adds layers of security to help prevent errors, detect fictitious payments, and mitigate the risk of theft by a CPA firm employee.
9. Slow down. When in doubt, stop
With rare exceptions, nothing is so important that it cannot wait. CPA firms should be ever-vigilant to the potential for fraud, especially in the event of sudden or emergency changes to previously arranged written wire transfer instructions or a request indicating a need to receive funds immediately or right before a weekend or holiday. The purported client’s alleged crisis should not distract the firm from following sound risk management procedures. Your client should and will understand that those procedures are in place to help protect their money.
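As an added example (not from the article or any firm's actual process), here is a small Python verification gate that encodes items 5, 7, 8 and 9 as checks a firm could run before releasing a wire: the request is compared against the protocol agreed in advance, a call-back must have gone to a number on file rather than one in the email, two different people must have handled the request, and changed bank details or urgent timing hold the payment for re-verification. All client records, accounts and phone numbers below are constructed sample data.

```python
from dataclasses import dataclass
import datetime as dt

@dataclass(frozen=True)
class ClientProtocol:  # payment protocol agreed in writing at engagement onset (item 5)
    authorized_requesters: frozenset  # e-mail addresses allowed to request payments
    callback_numbers: frozenset       # call-back numbers on file; never taken from an e-mail
    accounts_on_file: frozenset       # (routing, account) pairs previously validated

@dataclass(frozen=True)
class PaymentRequest:
    requester_email: str
    routing: str
    account: str
    received_by: str       # staff member who took the request
    approved_by: str       # staff member who authorized release
    callback_number: str   # number actually dialed to authenticate ("" if no call was made)
    value_date: dt.date
    urgent: bool = False

def verify_request(req, proto, holidays=frozenset()):
    """Return (decision, findings): control failures reject, item 9 warning signs hold."""
    reject, hold = [], []
    if req.requester_email.lower() not in proto.authorized_requesters:
        reject.append("requester not on the authorized list agreed with the client")
    if req.callback_number not in proto.callback_numbers:
        reject.append("no call-back to a pre-agreed number (item 7)")
    if req.received_by == req.approved_by:
        reject.append("same person received and approved the request (item 8)")
    if (req.routing, req.account) not in proto.accounts_on_file:
        hold.append("bank details differ from instructions on file; treat as changed instructions")
    if req.urgent or req.value_date.weekday() >= 4 or req.value_date in holidays:
        hold.append("urgent or pre-weekend/holiday timing; slow down and re-verify")
    if reject:
        return "reject", reject + hold
    return ("hold", hold) if hold else ("release", [])

# Constructed sample data (fictitious accounts, addresses and phone numbers).
PROTO = ClientProtocol(frozenset({"cfo@client.example"}), frozenset({"+1-555-0100"}),
                       frozenset({("123456789", "000111222")}))
GOOD = PaymentRequest("cfo@client.example", "123456789", "000111222",
                      "alice", "bob", "+1-555-0100", dt.date(2024, 6, 10))
# Look-alike sender, changed account, call-back to the number in the e-mail, one-person handling.
SPOOFED = PaymentRequest("cfo@cl1ent.example", "123456789", "999888777",
                         "alice", "alice", "+1-555-0199", dt.date(2024, 6, 10), urgent=True)

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("spoofed", SPOOFED)):
        print(name, *verify_request(req, PROTO))
```

The decision is deliberately fail-closed: a single missed control rejects, and a "hold" still requires a fresh call-back to a number on file before anything is released.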
Follow up immediately
If a CPA firm falls for a wire transfer scam, acting with haste may help recover the stolen funds.
10. Inform relevant parties
Contact the sending bank and attempt to freeze the transfer. File a complaint with the FBI’s Internet Crime Complaint Center, and contact the local FBI field office. Report the incident to your professional liability and cyber insurance carriers. Contact information for these parties should be incorporated into the firm’s incident response plan. Contact the firm’s IT security team, but be mindful to preserve all records of the incident. Because most wire fraud attacks stem from compromised email, the fraudster may have gained access to the firm’s systems, and a forensic investigation may be necessary to determine if other sensitive data was compromised.
Rogue emails
$2.9 billion: The amount of reported losses from business email compromise reported to the FBI’s Internet Crime Complaint Center in 2023, up 7% over 2022.
Source: Federal Bureau of Investigation: Internet Crime Report 2023.
This article originally appeared in the Journal of Accountancy.