Imagine you’re at work on a typical Monday morning. Suddenly, an email from the CEO hits your inbox. It’s marked ‘urgent,’ so you open it right away. She needs you to wire $15,000 to one of your regular vendors ASAP. You make the wire transfer, and head to the break room to refill your coffee. There’s just one problem – that email wasn’t really from your CEO. And that bank account where you sent the funds? That’s not your vendor’s account. You just sent thousands of dollars to a cyber criminal. Uh oh.
It’s a scheme called executive impersonation, a type of business email compromise (BEC) scheme mentioned in an SEC alert issued last month. Unlike a typical scam email, which may have poor grammar or overly suspicious requests, BEC scams are convincing because the criminals spend time figuring out the corporate culture and common phrases and terms used by employees. CPAs should take note, because scammers could try to perpetrate a similar fraud against their small business clients.
The AICPA’s Forensic and Litigation Services Fraud Task Force has been sounding the alarm on executive impersonation for some time. And its latest Eye on Fraud report highlighted new schemes to help CPAs raise awareness with clients, so they can stay one step ahead of the scammers. Below are 5 tips for you to share with your clients:
Awareness and discussion of the risks, the characteristics of these schemes, and the potential consequences are necessary for all departments that may be involved in the payment of funds, including IT, treasury, and purchasing. Be sure that practitioners keep themselves apprised of the varying types of impersonation schemes and ensure that clients have adequate training of personnel in addition to appropriate internal control measures.
Training should begin with the on-boarding process of new hires for the accounting and finance functions. Some or all of these people will be in positions to authorize, initiate, or record wire transfers. Teach employees about both internal and external cyber threats (e.g. phishing, fake vendor emails and executive impersonation schemes) and test them to see if they would fall victim to scams. Require two employees to approve wire transfers and train them with a focus on BEC schemes. Enforce a policy of verifying all wire requests that arrive via email with phone calls to company-registered phones.
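The controls above (dual approval, verifying email-originated wire requests by calling a phone number the company already has on file rather than one supplied in the email, and checking the destination account against the vendor record) can be expressed as a simple pre-release gate. The following is an added illustration, not code from the AICPA or the Eye on Fraud report; the vendor master table, phone numbers and account numbers are constructed sample data, and `review_wire_request` is a hypothetical name.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample vendor master record. In practice this is the
# accounting system's vendor file, maintained independently of any email,
# so a scammer who controls the inbox cannot change what is "on file".
VENDOR_MASTER = {
    "acme-supplies": {"account": "123456789", "phone": "+1-555-0100"},
}


@dataclass
class WireRequest:
    vendor_id: str
    amount: float
    destination_account: str
    origin_channel: str                      # "email", "erp", "portal", ...
    callback_verified_on: Optional[str] = None  # phone number that was actually called
    approvers: Set[str] = field(default_factory=set)


def review_wire_request(req: WireRequest, vendor_master=VENDOR_MASTER) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every failed control adds a reason so the
    reviewer sees all of the red flags at once, not just the first one."""
    reasons: List[str] = []
    vendor = vendor_master.get(req.vendor_id)
    if vendor is None:
        return False, ["vendor is not in the vendor master file"]

    # Control 1: the account must match the record on file, not the email.
    if req.destination_account != vendor["account"]:
        reasons.append("destination account differs from the vendor master record")

    # Control 2: email-originated requests need an out-of-band callback to the
    # registered number. A callback to a number taken from the email does not count.
    if req.origin_channel == "email" and req.callback_verified_on != vendor["phone"]:
        reasons.append("email-originated request not verified by callback to the registered phone")

    # Control 3: two distinct employees must approve.
    if len(req.approvers) < 2:
        reasons.append("fewer than two distinct approvers")

    return (not reasons), reasons


def demo() -> Tuple[bool, bool, bool]:
    # The scenario from the opening paragraph: an "urgent CEO" email asking for
    # $15,000 to an account that is not the vendor's, released by one person.
    scam = WireRequest("acme-supplies", 15000.0, "999999999", "email", None, {"alice"})
    # A callback was made, but to the number printed in the suspicious email.
    callback_to_wrong_number = WireRequest(
        "acme-supplies", 15000.0, "123456789", "email", "+1-555-0199", {"alice", "bob"})
    # A legitimate request: account on file, callback to the registered phone, two approvers.
    legit = WireRequest(
        "acme-supplies", 15000.0, "123456789", "email", "+1-555-0100", {"alice", "bob"})
    return (review_wire_request(scam)[0],
            review_wire_request(callback_to_wrong_number)[0],
            review_wire_request(legit)[0])


if __name__ == "__main__":
    for label, req in [("scam", WireRequest("acme-supplies", 15000.0, "999999999", "email", None, {"alice"}))]:
        ok, why = review_wire_request(req)
        print(label, "approved" if ok else "blocked:", "; ".join(why))
```

The gate is deliberately dumb about who sent the email: an "urgent" message from the CEO gets no shortcut, which is exactly the point of a policy that verifies every email-originated wire request the same way.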
Encryption should be implemented before backing up important data. Even safeguards like two-factor authentication (2FA) are not foolproof. Sending an SMS text as part of 2FA seems secure, but if the carrier account is compromised, the authentication can still be hijacked. If hacked, a small business can still protect its data by using strong encryption. Always make sure data is encrypted – and can only be unlocked by keying in a password – before saving to external devices or backing up to the cloud.
Security controls must be implemented and maintained. It is estimated that about 90% of cyber breaches could be prevented if the proper security controls are in place. Stay aware of the latest trends in firewalls and anti-virus protection and install software updates and patches as soon as they are available. Frequently remind employees to use complex passwords and change them often.
Repetition. Obviously, a one-time training session will soon fade from memory. Periodic updates for accounting and finance staff regarding recent frauds perpetrated against companies within the client’s industry will serve as reminders that the need for vigilance is constant.
With the costs of cybercrime estimated to climb to six trillion dollars by 2021, it doesn’t look like cyber scams are going to disappear anytime soon. And while fraudsters often target small and medium-sized companies because they may have fewer security controls in place, CPAs can play a critical role in helping their clients keep their defenses strong.
The bottom line is that cyberattacks preying on human fallibility can be mitigated. AICPA’s quarterly ‘Eye on Fraud’ reports are a great resource for all CPAs to help them protect their clients or their organizations from the latest scams. The current edition is always available in the FVS News and Publications section of AICPA.org. Also check out our Cybersecurity Resource Center, which has cybersecurity resources for CPAs providing advisory services.