
10 tips to avoid wire transfer fraud

Wire fraud, typically committed through business email compromise, is a known risk for all types of businesses, including accounting firms. When a CPA firm handles client funds, additional risk arises.

In a typical wire transfer scam, the fraudster poses as a trusted person and sends a fake email to someone at the company. The email may refer to a legitimate debt or invoice but contain a slightly different account or routing number, or the criminal may create a false invoice to be paid. The recipient does not notice the often subtle clues in the email and believes the scammer is the trusted person being impersonated. The money is transferred to the fraudster's account and is immediately withdrawn or moved on before the fraud is discovered. The money is gone.

How can CPA firms protect themselves? Here are 10 steps you should take before, during, and after payment processing to prevent your business from falling victim to a wire fraud scheme.

Prepare thoroughly

Lay the right foundations to prevent a wire fraud attack before it begins.

1. Implement a data security policy and update it frequently

Reliable data security protocols include layers of protection for a CPA firm's network. Common data security protocols include, but are not limited to, using virtual private networks for remote access to the firm's systems, updating software to the most current versions, installing security patches as they are released, and requiring employees to use long, complex passwords that are changed regularly. It is also highly recommended to create and regularly test an incident response plan to guide the organization's response to a data security incident.

2. Educate all company personnel about data security risks and their role in addressing them

As the cyber risk landscape continues to change, each individual's responsibility to help protect the organization and its data should be continually reinforced. Hold regular company-wide training focused on data security risks and evolving social engineering efforts. Training should cover common warning signs of a fictitious email, emphasize the importance of not clicking on unknown links or attachments from unknown senders, and teach what to do if a suspicious email is received or has already been responded to.

3. Test your employees’ ability to identify potential cybercrimes

Consider hiring a third party to conduct simulated social engineering attacks on your partners and employees to assess the organization’s readiness to detect and deter actual cybercrime. The results of simulated attacks can help identify where additional training or data security protocols are needed.

4. Use secure methods to communicate with customers

Use secure web-based portals to exchange information such as tax or financial reporting data and to process certain types of business, such as payment requests. Portals offer greater protection than traditional email. If a client does not want to communicate with the firm through a portal or other secure means of communication, consider whether the client poses an unnecessary risk to the firm.

Execute carefully

Be careful and prudent with any request for money.

5. Agree on payment protocols in advance

At the start of an engagement that involves access to client funds, agree on payment request and approval protocols with the client. How are payment requests submitted to the firm? Who is authorized by the client to request payments? How does the client approve and authenticate the payments to be made? What should you do in a rare emergency, or if the authorized client contact cannot be reached? Once payment protocols have been established, they should be recorded in writing, whether in the engagement letter or some other form of documentation. The client should also acknowledge that it understands and accepts the risk that a fraudulent transfer may still occur even if the firm follows the protocols agreed with the client.

6. Encourage customers to implement their own security measures

In some wire fraud scenarios, the client's email account is compromised and the fraudster sends a fictitious payment request from the hacked account. Therefore, include a provision in the engagement letter that requires the client to protect the security of their own email account or other method used to communicate with and provide information to the firm's engagement team. Although this provision may not completely relieve the CPA firm of liability if a fraudulent payment is made, it helps alert the client that they, too, have a responsibility to protect the safety of their assets.

7. Require double authentication for all payments

Before transferring funds, CPAs should confirm that the request to transfer funds actually comes from the client. Double authentication is an important step but is all too often skipped. The process for authenticating requests, including who to contact and which phone number(s) to use, should be included in the previously agreed payment protocols. Do not authenticate a payment request using a phone number included in the payment request email.

Some sophisticated fraudsters may use deepfake voice technology, especially if the client is a prominent person such as an athlete or celebrity. To counteract the risk of deepfakes, insist on a live discussion and pay attention to unusual word choices and tone of voice. Also consider using a password or codeword as an additional authentication step during live phone calls.

8. Involve more than one person

Separating duties when handling cash is good advice not only for a client, but also for the accounting firm. If possible, involve more than one person in wire transfer and bill payment transactions. For example, separate responsibilities within the firm so that the person who receives payment requests is not the same person who authorizes and processes them. This divide-and-conquer approach adds additional layers of security to prevent errors, detect fictitious payments, and mitigate the risk of theft by an accounting firm employee.

9. Slow down. When in doubt, stop

With rare exceptions, nothing is so important that it cannot wait. CPA firms should always be alert to the possibility of fraud, particularly in the event of sudden or urgent changes to previously agreed, written transfer instructions, or a request indicating that funds are needed immediately or shortly before a weekend or holiday. The purported client's alleged crisis should not deter the firm from following sound risk management practices. Your client should and will understand that these procedures are in place to protect their money.
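The protocol agreed under tip 5 and the checks in tips 7, 8 and 9 can be encoded as a pre-release review that holds a payment request when anything deviates from what was agreed. The following Python is an added example, not code from the article or from CNA; the data types, field names and hold messages are my own assumptions, and any sample data is constructed.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative types: the protocol agreed with the client when the
# engagement started, and one incoming payment request. No real client data.
@dataclass
class PaymentProtocol:
    authorized_requesters: set   # client email addresses allowed to request payments
    callback_numbers: set        # phone numbers agreed in advance for verification
    payees_on_file: dict         # payee name -> (routing number, account number)
    codeword: str                # shared codeword used on the verification call

@dataclass
class PaymentRequest:
    sender: str                  # address the request arrived from
    payee: str
    routing: str
    account: str
    body: str                    # email text as received
    requested_by: str            # firm staff member who logged the request
    approved_by: str             # firm staff member who approved it
    callback_number_used: str    # number the firm actually dialled to verify
    codeword_given: str          # codeword the caller gave on the line

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|before the weekend)\b", re.I)

def review_request(req: PaymentRequest, proto: PaymentProtocol) -> list:
    """Return the reasons this request must be held; an empty list means release."""
    holds = []
    if req.sender.lower() not in proto.authorized_requesters:
        holds.append("sender not an authorized requester")
    on_file = proto.payees_on_file.get(req.payee)
    if on_file is None:
        holds.append("payee not on file")
    elif on_file != (req.routing, req.account):
        holds.append("bank details differ from instructions on file")
    if URGENCY.search(req.body):
        holds.append("urgency language; slow down and verify")
    # Tip 7: verify only via a number from the agreed protocol, never one in the email.
    if req.callback_number_used not in proto.callback_numbers:
        holds.append("callback number not from agreed protocol")
    if req.codeword_given != proto.codeword:
        holds.append("codeword mismatch on verification call")
    # Tip 8: the person who received the request must not also approve it.
    if req.requested_by == req.approved_by:
        holds.append("same person requested and approved")
    return holds
```

A non-empty list is the signal to stop, per tip 9, and to re-verify through the agreed channel rather than through anything contained in the request.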

Follow up immediately

If a CPA firm falls victim to wire fraud, acting quickly can help recover the stolen funds.

10. Inform relevant parties

Contact the sending bank and attempt to freeze the transfer. File a complaint with the FBI's Internet Crime Complaint Center and contact your local FBI field office. Report the incident to your professional liability and cyber insurance carriers. The contact information for these parties should be included in the firm's incident response plan. Contact the firm's IT security team, and be sure to retain all records of the incident. Since most wire fraud attacks originate from compromised email, the fraudster may have gained access to the firm's systems, and a forensic investigation may be necessary to determine whether other sensitive data has been compromised.


Fraudulent emails

$2.9 billion: Business email compromise losses reported to the FBI's Internet Crime Complaint Center in 2023, a 7% increase compared to 2022.

Source: Federal Bureau of Investigation: Internet Crime Report 2023.


Sarah Beckett Ference, CPA, is risk control director at CNA. For more information about this article, please contact [email protected].

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the national program administrator for the AICPA Professional Liability Program, can be reached at 800-221-3023 or at cpai.com.

This article provides information and not advice or opinion. The information is accurate to the best of the author’s knowledge at the time of writing. This article should not be considered a substitute for recommendations from a hired professional. Such consultation is recommended when applying this material in specific factual situations.

Examples are for illustrative purposes only and are not intended to establish standards of care, serve as legal advice, or to acknowledge that a particular situation is covered by CNA insurance. The applicable insurance policy will contain the actual terms, coverages, amounts, conditions and exclusions applicable to an insured. Not all products and services may be available in all states and are subject to change without notice.