In the past few months there has been a significant increase in the frequency of attacks against accounting firms.
More than a dozen CPA firms have been targeted and funds have been stolen.
The fact pattern is simple. A CPA receives instructions from a client to wire funds, often to a new or overseas vendor. The request is usually communicated via email because the client is busy, is travelling, or is in some other way unable to talk directly to the firm. The email appears to be legitimate and follows the usual tone and style of the client. After making the transfer in accordance with the emailed instructions, the accountant discovers either that the client’s email account was hacked or that the email requesting the transfer was spoofed (that is, the sender’s email address is slightly different from the client’s real address – usually by just one letter).
Sometimes, the criminals even have the ability to produce a letter of authorization for this unauthorized wire request.
While no two attempted frauds are exactly the same, they share certain common traits. Be on the lookout for:
“Rush” requests—often, fraudulent requests insist that the funds transfer must happen as quickly as possible, due to some sort of emergency or purchase.
Not available by phone—the “client” states they cannot be reached by phone to confirm the request, but can do so at a later date.
Bad wording—the request includes unusual phrases, grammatical errors, and incorrect punctuation, spacing and/or capitalization.
The nature or amount of the expense is out of the ordinary, e.g., it is not one of the usual monthly expenses, it involves a new vendor, or it is a higher than normal disbursement.
A $440,000 robbery.
The magnitude of these frauds is getting larger. One theft from an escrow account netted $440,000, and in a subsequent lawsuit against the bank, the client lost. See: http://www.computerworld.com/article/2495894/cybercrime-hacking/victim-of–440k-wire-fraud-can-t-blame-bank-for-loss–judge-rules.html
A new twist is that the criminals are sending fraudulent emails that look like they are from company executives and request that large wire transfers be “coded to” a department within a company.
Messages are addressed to the company’s controller, treasurer or accounting officer and contain an attachment with detailed instructions, says FBI spokesman Dave S. Joly.
The sender’s email address is usually similar to the company’s domain name or handle, with a single extra letter or number inserted. For example, the email address “email@example.com” may be replaced by “firstname.lastname@example.org.”
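As an added example (not code from the original article), the following check could run in a firm's mail filter or a staff tool: it extracts the sender's domain from a From: header, compares it against a list of client domains the firm has verified out of band, and flags anything within one edit of a verified domain, which covers the single inserted letter or number described above. The client domain names are constructed placeholders.

```python
import re
from typing import Optional

# Constructed placeholder list of client domains verified out of band
# (e.g. confirmed by phone when the client was onboarded).
TRUSTED_DOMAINS = {"example.com", "acme-cpa-client.com"}

# Matches the address part of a From: header such as 'Jane <jane@example.com>'.
FROM_RE = re.compile(r"<?([^<>\s@]+)@([^<>\s@]+)>?\s*$")


def sender_domain(from_header: str) -> Optional[str]:
    """Return the lower-cased domain of a From: header value, or None."""
    m = FROM_RE.search(from_header.strip())
    return m.group(2).lower() if m else None


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: one inserted,
    deleted, substituted or transposed character counts as a single edit."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_sender(from_header: str) -> str:
    """'trusted' for a verified domain, 'lookalike' if within one edit of a
    verified domain, 'unknown' otherwise, 'unparsable' if no address found."""
    dom = sender_domain(from_header)
    if dom is None:
        return "unparsable"
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    if any(edit_distance(dom, t) <= 1 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"
```

A "lookalike" result should route the wire request to the verbal-confirmation step rather than be treated as proof of fraud, since legitimate clients occasionally change domains.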
What can you do to combat these frauds?
Good risk management practice to combat email-based wire fraud is as follows:
Ensure your firm has up-to-date policies regarding email-based wire requests, and that every firm member is aware of these policies.
Require verbal confirmation of every single email-based money movement request through a phone call to the client.
When speaking with your client, make sure the voice and manner match those of the client you know.
Require that more than one person in your office review all wire requests before they are sent for processing.
Notify your manager or partner if you suspect any fraud or fraud attempts.
There are some useful resources available to educate yourself about the perils of fraudulent wire transfer requests:
If you believe your firm or client was a victim of a scam, file a complaint at www.ic3.gov that includes: how, when and why you were contacted, actual amounts of potential losses, header information from emails and any identifying information of the perpetrators.