It’s fitting that Halloween marks the end of Cybersecurity Awareness Month, because cybercriminals are playing some scary tricks on accounting firms.
To make accountants aware of the most prevalent cyberscams targeting CPA practices, the PCPS Small Firm Philosophy podcast treated listeners to a guest well suited to discuss the threats.
Sarah Ference, CPA, is a risk control director at CNA, the underwriter of the AICPA's professional liability insurance program. She also is a co-author of the Journal of Accountancy’s monthly Professional Liability Spotlight column. In her current role, Ference advises firms of all sizes on how they can manage their professional liability risk.
This article features an edited transcript of Ference’s conversation with Small Firm Philosophy podcast host Jeff Drew, a manager with PCPS. To listen to the full podcast, go to the Small Firm Philosophy page on Libsyn after the podcast publishes on Thursday, Oct. 27.
Q: What are the most common scams you are seeing affecting CPA firms in the professional liability insurance program?
A: Two scenarios we're seeing a bit more frequently than we have in years past are ransomware and fraudulent wire transfer requests. Unfortunately, both of these types of attacks are not only gaining in frequency, but they can be really expensive for a firm.
Q: Can you give an example of each of these scams?
A: Most of us are familiar with ransomware, where a bad actor, a hacker, gains access to the firm's systems. This is accomplished usually through a successful social engineering attack where someone gets a fraudulent email and clicks on a malicious link or attachment. From there, malware is downloaded onto a firm system and the bad actor can perpetrate a ransomware attack.
We've seen attacks come on, say, March 13, right before the filing deadline. We've seen attacks that have deleted some of the firm’s backed-up data, making it difficult for the firm to restore operations from their backups. More recently, we've seen the attacker place increased pressure on firms to pay the ransom. They threaten to actually release the data they're holding and publicly harm the firm's reputation in doing so.
The wire transfer fraud schemes are a little different. Here it's the client's systems that are being compromised. The bad actor gets into the client system, usually via an email. They then watch and monitor email traffic for a while, gaining an understanding of the cadence and tone of messages. When they gain that familiarity, the bad actor poses as the client, sends an email to the firm, and requests a wire transfer or a bill payment. The firm, assuming that the email request from the client is real, executes what the hacker is requesting.
In one recent claim I read about, actually just this week, a hacker sent several emails to a firm requesting payments of several large invoices. The firm was providing bill pay services to the client. The firm didn't recognize the vendors that were going to be paid and responded back to those emails, asking the client to verify that these invoices should be paid. Of course, the hacker is posing as the client and has access to the client's email, so the hacker responded back and said yes, of course, pay these invoices. This resulted in a loss of several hundred thousand dollars.
Q: What makes social engineering attacks such as spoofing so dangerous for CPA firms?
A: I think they're dangerous because they're designed to trick you. This is Halloween, and so another trick that they play is they take advantage of their recipient’s environment or situation or behavior characteristics. CPAs are client service oriented. When we receive messages or requests from our clients, our initial response is to want to help and respond to whatever the client is asking us to do.
Hackers also know that we're really busy during certain times of the year, busier than normal, and our attention may not be as complete as it is during other times of the year. That's why we see more attacks during January through April. They take advantage of those kinds of characteristics.
The other reason why it's so dangerous is that the bad actors are getting really good at this. It used to be really easy to spot a phishing email, but they're becoming more sophisticated, more personalized. It's becoming very difficult to detect a fake message from a real one. With wire transfer fraud schemes, it's even harder because it's often the client's email that's compromised, making it extremely difficult for the CPA to distinguish between a legitimate request from their actual client and a request from someone pretending to be the client. That's why it's getting more dangerous for our firms.
Q: I mentioned spoofing attacks in the previous question, and it occurs to me that our listeners may not know what spoofing is. Do you mind explaining that?
A: Spoofing is a kind of phishing attack. The bad actor who sends the message is posing as a trusted person known to the message recipient. That's the difference between a more general phishing attack and a spoofing attack. The sender's email address in a spoofing attack is usually just slightly off from the real one. Maybe it contains an extra letter or a number, an exclamation point instead of an L. But at a quick glance, especially in busy times, it looks valid. Again, it's designed to trick and deceive the recipients into doing something.
Q: What are some of the other common characteristics or red flags that CPAs should look out for?
A: Here are some tried and true red flags.
Any request that asks the CPA to supply credentials or divulge sensitive information, even if it looks like it's coming from someone trusted. Most people will never ask for that information over email or shouldn't ask for that information over email. It's not a secure way to communicate that.
Anything that's time-sensitive or urgent. Yes, our clients all have time-sensitive or urgent needs, but when it's combined with a request for payment, that should raise a red flag.
Maybe anything you weren't expecting to come. But also be careful because, as I said, the client's email might be compromised, so it might be a bad actor sending something to the firm from the client's email. Just again, be on the lookout for something like that.
Maybe anything that goes outside of the established communication protocols. Say you use a portal to gather information from your client. That's the established communication protocol, and the client sends you something instead via email, maybe an attachment of something you're looking for. But it doesn't follow those methodologies that have previously been agreed to. That should raise a red flag.
Really anything with a different tone or different word choice than what you typically receive from a client. I spoke with one firm whose staff member had received an email from what looked like the managing partner. She knew something wasn't quite right because he signed the email “Fondly” or “Warmly” or something like that. She joked that wasn't his typical way of signing a message. Just be wary of those kinds of things.
Q: In what ways are these attacks becoming more sophisticated?
A: They're really becoming harder to detect. It just takes more time to identify that there could be something wrong and probably requires an extra step to confirm the authenticity of the sender. Time is something that CPAs just don't have much of. We've never had much time and now we have even less of it. Unfortunately, it takes time to properly scrutinize some of these messages to identify something that's fictitious. That's why they're just becoming more sophisticated and therefore harder to detect.
Q: On the wire transfer fraud, when a bad actor has compromised a client and is in the email, the email address will appear to be coming from the client. But if you replied to it, would the reply go to the client's email address, or is that where you would spot something like an extra letter or a number in the address?
A: Since the client's email would be compromised, that reply would actually go back to the client's email, which has been taken over by the bad actor. The client would actually have no idea.
Q: When you're looking for the little tells in the addresses, you should be looking at where you're sending the money?
A: Yes. It's where you're sending the money because it could be a new vendor or a change in account number or routing number. But it's really any request that's coming in to transfer money, even if it looks like it's coming from the client's email address. We recommend that it be verified in a different way other than email prior to actually executing the transfer.
Q: What types of precautionary measures can CPA firms take in response to these attacks?
A: There are a lot of different things that firms can do. Unfortunately, due to the evolving nature of the risk and the schemes, it's not a one-and-done thing. There are things that the firm's IT provider can do, such as installing firewalls and anti-phishing tools and installing [software] patches as soon as they're released. A lot of companies conduct phishing simulations to test the ability of their employees and partners to identify a phishing attack or a phishing email.
The firm itself can provide training to its staff about how to spot a phishing attack and just to be on the alert for it during critical times of year. They could provide a method for reporting suspected phishing emails. A lot of email programs have that now.
Really, everyone, regardless of who you are at a firm, should make sure you're aware and alert. Adopt that mindset of being skeptical at the beginning and confirm authenticity of a sender.
Don't click on links unless you are sure [they are safe]. A lot of times you can just open your browser and go to the website directly rather than clicking on the link in the email.
With wire transfer requests, I've mentioned that anytime the firm handles client money, whether it's executing investment transactions or paying bills, you're going to have a risk of this attack. A couple of things the firm can do are to establish the communication protocols with the client at the beginning of the engagement and to tell the client that you're going to call them and confirm their request prior to making payment. If the client balks at that, maybe that's not the best client, because you can't care more about the security of their money than they do.
Make sure that you say to the client, "Here's our process, here's what we're all going to follow to make sure that we're mitigating this risk as much as possible." Then when you get a request from a client, call them at a phone number that you know. Do not email them back, because you should not assume that the person responding to the email is actually the client. Call them over the phone so that, if you know their voice, you can confirm that they made that request. We understand this is challenging and time-consuming, but it really is the only way to prevent this sort of attack.
There is another thing I've been suggesting firms do. While this does not eliminate risk, it puts some of the responsibility on the client. Tell the client that it's their responsibility to protect the security of their email account or whatever method they are using to communicate with the firm. We're actually putting that in our sample engagement letters that we provide to our policyholders this year as part of one of the client responsibilities.
Q: Is there anything else that I should have asked but didn't?
A: I think at the end of the day, even with all of these risk management protocols that a firm puts in place, and training and awareness, you can never totally eliminate any risk. I'm not just saying this because I work for an insurance company, but that's where insurance comes in. Cyber insurance is now just one of these essential coverages that all businesses should have. It's just part of doing business. A lot of professional liability policies, including our own in the AICPA member insurance program, provide cyber coverage as an endorsement to the professional liability policy.
I would strongly encourage anyone who doesn't have it to make sure they get that as part of their suite of insurance coverages. The other thing I would say is, if I could put in a plug for the Member Insurance Program website, which is www.cpai.com: all of our risk management content and articles and information about the program is on that website, and there’s some great information that's ungated that anyone can use.
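Ference describes two distinct sender tricks above: a lookalike address that is "just slightly off" (an extra letter, a digit or an exclamation point in place of an L) and a genuinely compromised client mailbox, where the address is exactly right and the reply goes straight back to the attacker. The first of these can be checked mechanically. The following is an added example by the editor, not code from the interview, CNA or the AICPA: it compares a message's From (and optional Reply-To) address against the addresses a firm has on file for a client, collapsing characters that look alike on screen so that "c1ient" and "client" compare equal. The trusted address and sample messages in it are constructed; the confusable-character table and the 0.85 similarity threshold are the editor's choices, not a standard.

```python
import difflib
import re

# Characters that attackers substitute for visually similar ones in a
# lookalike address (the "1 instead of l" trick from the interview).
# Keys are the substitute, values the character they imitate. Two-character
# keys ("rn" for "m", "vv" for "w") are applied before single characters.
# This table is an illustrative subset chosen by the editor, not a standard.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "1": "l", "!": "l", "|": "l",
    "0": "o",
    "5": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
}

ADDR_RE = re.compile(r"\s*([^@\s]+)@([^@\s]+)\s*")


def skeleton(text):
    """Lower-case text and collapse confusable characters, so that two
    strings that look alike on screen compare equal."""
    out = text.lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(src, dst)
    return out


def parse_addr(addr):
    """Split 'mailbox@domain' into a lower-cased (mailbox, domain) pair."""
    m = ADDR_RE.fullmatch(addr)
    if not m:
        raise ValueError(f"not an email address: {addr!r}")
    return m.group(1).lower(), m.group(2).lower()


def assess_sender(from_addr, trusted_addrs, reply_to=None):
    """Return a list of red-flag strings for a message's From address (and
    optional Reply-To) against the addresses on file for a client.

    An empty list means the From address is exactly one on file and any
    Reply-To matches it. A compromised but genuine client mailbox passes
    this check, which is why it complements, and does not replace, a phone
    call to a known number before money moves."""
    flags = []
    mailbox, domain = parse_addr(from_addr)
    trusted = [parse_addr(t) for t in trusted_addrs]

    if (mailbox, domain) not in trusted:
        for t_mailbox, t_domain in trusted:
            if domain != t_domain and skeleton(domain) == skeleton(t_domain):
                flags.append(f"lookalike domain: {domain!r} imitates {t_domain!r}")
            elif domain == t_domain and skeleton(mailbox) == skeleton(t_mailbox):
                flags.append(f"lookalike mailbox: {mailbox!r} imitates {t_mailbox!r}")
            else:
                # Catch off-by-a-character variants the table does not cover,
                # e.g. a dropped or added letter in the domain.
                ratio = difflib.SequenceMatcher(
                    None, f"{mailbox}@{domain}", f"{t_mailbox}@{t_domain}").ratio()
                if ratio >= 0.85:
                    flags.append(f"near match ({ratio:.2f}) to {t_mailbox}@{t_domain}")
        if not flags:
            flags.append(f"{from_addr.strip()} is not on file for this client")

    # A Reply-To that differs from From silently redirects the firm's answer.
    if reply_to is not None and parse_addr(reply_to) != (mailbox, domain):
        flags.append(f"Reply-To {reply_to.strip()!r} differs from From {from_addr.strip()!r}")
    return flags


if __name__ == "__main__":
    # Constructed sample: one trusted client address and a few incoming senders.
    on_file = ["jane.doe@acme-client.com"]
    for sender in ["jane.doe@acme-client.com", "jane.doe@acme-c1ient.com",
                   "jane.doe@acme-c!ient.com", "jane.doe@acme-client.co"]:
        print(sender, "->", assess_sender(sender, on_file) or "no flags")
```

Run as a script it prints a verdict per constructed sender. The important limitation is the one Ference raises in the interview: when the client's own mailbox has been taken over, the From address, the Reply-To and the tone of the thread can all be perfect, so the function returns no flags. The check is worth running on every payment request, but the out-of-band phone call is still the control that decides whether money moves.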
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, intended to constitute a contract, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.