How to Protect Against Common Cyberattacks and Insure Against Potential Losses

By Randy R. Werner, JD, LLM (Tax), CPA, March 2017


https://www.cpajournal.com/2017/03/21/protect-common-cyberattacks-insure-potential-losses/

Cybercrime is as ubiquitous as the Internet itself, and CPA firms and their clients are as vulnerable as anyone else to
being hacked, scammed, or otherwise victimized. The author provides general information about cyberattacks, lists
examples of currently popular scams, and recommends cyber insurance strategies tailored for CPA firms.
***
Billions of fraudulent email messages are sent every day, and only a small fraction of them need to succeed to fund a
growing underworld industry. One measure of such growth is the number of U.S. data breaches tracked each year; such
breaches hit an all-time high of 1,093 in 2016, according to a January 2017 report released by the Identity Theft Resource
Center (“Data Breaches Increase 40 Percent in 2016, Finds New Report from Identity Theft Resource Center and
CyberScout,” Jan. 19, 2017, http://bit.ly/2ljn3bz). This represents a 40% increase over the 780 breaches reported in
2015. Another measure comes from the Internet Crime Complaint Center of the Federal Bureau of Investigation (FBI),
which saw the number of complaints rise from 262,813 in 2013 to 288,012 in 2015. The combined losses in 2015 were
reported at nearly $275 million.

CPA professional liability claims experience also supports these trends. In the area of fraudulent wire transfers, claims
have carried substantial third-party (i.e., client) exposures, ranging from $250,000 to $900,000. Rather than suffer such an
attack (and subsequent liability) needlessly, CPA firms should inform themselves about the dangers posed by hackers
and scammers and take steps to protect themselves and their clients. This article provides a starting point for such
measures.

Case Study
The following case study, based on a recent claim, illustrates how fraudsters manage to make good money from bad
actions (all names have been changed):
Greg Roberts, CPA, a partner in the public accounting firm of Smith Jones LLP, provided business management and
investment advisory services to several clients, including John Urich, a successful shipping magnate. Urich had
established a trust to care for his disabled wife in the event of his death, and the trust department of Commercial Fiduciary
Bank provided trustee services.
At one point, Roberts received an email message from Urich requesting a transfer of approximately $300,000 to a foreign
account. Roberts called Urich to verify the request and left a message in Urich’s voicemail. Minutes after leaving the
message, Roberts received a message from Urich’s email account confirming the request. Roberts then advised Urich to
send an investment direction letter to the trustee at Commercial Fiduciary and forwarded instructions to the trustee
regarding the transfer of funds. When the trustee received an investment direction letter with Urich’s signature on it, he
followed the instructions provided by Roberts and transferred the $300,000 into the foreign account.
Shortly after that, Roberts received a call from Urich stating that he had not authorized the transfer of funds. Urich was
understandably upset. Urich’s voice-mail and email accounts had been hacked and commandeered by a scammer.
Roberts did not realize that Urich’s voicemail messages were being delivered to his email account, enabling the scammer
to receive and confirm messages. The scammer had also copied an older investment direction letter from Urich’s email
account, updated it with a current message, and forged Urich’s signature on the letter to perpetrate the hoax. Urich
expected Roberts to replace the funds that had been stolen by the scammer.

Authority over Client Funds

Unfortunately, this case is not unusual. Claims related to fraudulent wire transfers generally involve CPA firms with
authority over client funds in order to provide business management or bill-paying services, including wire transfers for
high-net-worth clients.
A fraudulent email request for a wire transfer may resemble prior legitimate requests for transfers. The transfers are often
made to a bank in a foreign country or through a U.S. bank to a foreign bank. When the fraud is discovered after the
transfer, the funds are usually not recoverable. Domestic banks are not always helpful in preventing fraudulent transfers,
as laws tend to limit their risk exposures and enable them to deny responsibility.
Wire transfer requests made via email should be verbally confirmed. This includes, but is not limited to, confirming the
dollar amounts, the name of the financial institution, and the actual bank account number. It never hurts to call senders to
verify email links or attachments before opening them. Another way to verify transfers is to confirm information that only
the client would know and a hacker would not. CPAs should consider using both methods to confirm the authenticity of a
request.
Impersonating Users and Faking Messages
Phishing or spoofing email that appears to come from a legitimate sender is often the result of a cybercriminal having
hacked into the sender’s email account and taken it over, controlling messages coming from the account and enabling the
hacker to convince the recipient that the email is friendly or trustworthy.

A hacker will sometimes insert a link or an extra step into an email message, asking for a password to be entered or
changed, thereby enabling the hacker to take control over the email account. This is called a “man in the middle” attack.
Once the hacker controls both the CPA’s and the client’s email accounts, it can be difficult to ascertain that
communications are being manipulated.
Sophisticated social engineering attacks may employ corporate logos, high-grade counterfeit documents, and bogus
websites to mimic organizations and companies such as tax software vendors. Counterfeit documents may include letters,
insurance policies, checks, credit card notices, travel itineraries, or any item that will make the sender appear to be a part
of the recipient’s network of associates and vendors. Some fraud schemes even provide phone numbers—answered by
fraudsters, of course—to “verify” illegitimate checks, thereby fooling bank employees, attorneys, CPAs, and many others.
As cybercriminals continue to develop new ways of impersonating legitimate organizations and email senders, computer
users need to become even more vigilant and circumspect in their daily practices. A fake email address can be disguised
as a legitimate email address by being off by one character (e.g., “businesware.com” vs. “businessware.com”). By
hovering a mouse cursor over a link without clicking it, a user can check the website address. Third-party and misspelled
addresses are both red flags.
It is best to verify the authenticity of a request and any information in it with a trusted source before complying with any
requests or taking any actions that may harm the firm’s computer system and cause operations to grind to a halt. Instead
of clicking a link, users should go directly to the trustworthy website to access information and updates.
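The hover check and the one-character-off address test described above, as an added Python example that is not from the article: it scans an email body for links whose visible text disagrees with the real target, and compares sender and target domains against a small allow-list of trusted domains using edit distance. The allow-list, the regex anchor matcher and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed allow-list of domains the firm actually deals with (assumption).
TRUSTED_DOMAINS = {"businessware.com", "irs.gov"}

def levenshtein(a, b):
    """Edit distance: single-character inserts, deletes and swaps turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(host):
    """Lower-case and drop a leading 'www.' so shown and real hosts compare fairly."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def lookalike_of(domain):
    """Trusted domain that `domain` imitates (1-2 edits away); None if exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if levenshtein(domain, t) <= 2), None)

def check_sender(address):
    """Flag a From: address whose domain is a near-miss of a trusted domain."""
    domain = normalize(address.rsplit("@", 1)[-1])
    trusted = lookalike_of(domain)
    return f"sender domain {domain} imitates {trusted}" if trusted else None

# Simple anchor matcher for the demo; a production filter would use a real HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTNAME = re.compile(r"([\w-]+\.)+[a-z]{2,}", re.I)
def check_links(html):
    """Flag links whose hover target differs from the text shown or imitates a trusted domain."""
    findings = []
    for href, text in ANCHOR.findall(html):
        real = normalize(urlparse(href).hostname or "")
        shown = HOSTNAME.search(text)
        if shown and normalize(shown.group(0)) != real:
            findings.append(f"text shows {normalize(shown.group(0))} but link goes to {real}")
        trusted = lookalike_of(real)
        if trusted:
            findings.append(f"target {real} imitates trusted {trusted}")
    return findings

# Constructed sample phishing body, modelled on the article's one-character-off example.
SAMPLE_EMAIL = '<p>Update at <a href="http://businesware.com/update">https://www.businessware.com/update</a></p>'
```

Running `check_links(SAMPLE_EMAIL)` reports both the text/target mismatch and the look-alike domain; the same distance check flags a sender such as `john@businesware.com`.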

Ransomware Attacks
Firms of all sizes continue to be plagued by ransomware, which enters computer systems via a clicked link, attachment, or
typed password. Ransomware encrypts all of a user’s files and demands payment to decrypt them. Of course, paying the
ransom is no guarantee that the cybercriminal will actually decrypt the files, further compounding the potential damage.

Ransom demands range from a few hundred dollars to several thousand, depending upon the perceived ability of the
victim to pay. Some attacks rely on software that has known fixes, so a solution might be found online. Other ransomware
programs are technically advanced and have no known fixes, other than the victim retrieving and relying on the latest
available backup files.

Ransomware may enter a computer system via innocuous-looking MS Word, Excel, or PDF documents attached to
unsolicited or unexpected email. Instructions to “enable macros” or “enable content” should not be followed. Unusual
requests for passwords are also suspect.
CPA firms should institute a policy to frequently (daily, at a minimum) back up files that they cannot afford to lose. Some
ransomware even seeks out backup copies of files, so creating multiple backups in different locations is a good practice.
Cloud services and external or USB hard drives are other options to consider for multiple backups. Encryption should be
used to protect any sensitive information about the firm and its clients. Backups are also an extremely valuable resource
after extreme events such as fires, floods, and other disasters.

Other Recent Scams

The following are examples in which scammers have disguised themselves well enough to dupe unsuspecting computer
users:

• Scammers act as clients or potential clients soliciting tax professional services. If the professional responds,
the scammer then sends a second email with an embedded web address that collects email addresses and
passwords when clicked. The IRS has issued a warning about this kind of scheme at http://bit.ly/2knAL9J.
• Scammers impersonate clients and request that the tax professional change their bank account numbers.
This enables fraudsters to divert tax refunds into their own accounts.
• Scammers impersonate clients requesting wire transfers of funds into a new or foreign bank account, which
is actually the fraudsters’ account. The amounts stolen this way can reach up to several hundred thousand
dollars.
• Scammers pose as tax software companies, recommending that tax preparers update their software by
clicking a link. The link loads malware onto the computer, enabling the scammers to file tax returns and
redirect refunds to their own accounts.
• Even the IRS can be impersonated. Scammers ask tax preparers to update their e-services information via
email, and the links in the email capture usernames and passwords when clicked. The IRS does not initiate
contact with tax preparers or taxpayers by email, text messages, or social media channels to request
personal or financial information. An IRS warning about this scam can be found at http://bit.ly/2kXz72l.
Scammers also send taxpayers emails with a Notice CP 2000 attached, claiming that there are
discrepancies between income reporting on their tax return and the employer’s reporting. These notices also
sometimes refer to the Affordable Care Act, further confusing potential victims. The IRS warns of this scam
at http://bit.ly/2lzpJ2b.
• Scammers can take over a user’s computer security system by displaying a pop-up “Security” screen or
similar message and requiring a password before allowing the user to continue using the computer. The
password then enables the hacker to access the user’s email account and send out phishing messages to
the user and others.
More information about phishing and online scams can be found on the IRS website. A listing of IRS news releases
containing alerts and warnings about email scams can be found at http://bit.ly/2lxl3ZM, while information about what to
do about suspicious IRS-related communication is located at http://bit.ly/2kdzC3H.

Training Recommended
Providing regular staff training to enhance awareness of potential threats can make all the difference in a business’s
protection against fraudulent schemes. Some experts recommend scheduling data security training at least once per year.
Security awareness can also be tested by “inoculation,” in which all users are sent benign phishing email; those who fall
for it then receive education about phishing scams and how to avoid them.
Many professionals—CPAs included—make the mistake of believing that they are too small to attract the attention of
hackers. This attitude results in a lack of preparation and vulnerability to unnecessarily prolonged setbacks and expense if
and when a cyber incident occurs. Fortunately, expertise and resources are available to help CPA firms avoid or mitigate
the damages and aftermath of an attack or breach, including ways to minimize and repair damage to assets such as data,
work products, reputation, and brand value. Cyber insurance programs should include education on how to safeguard
information, increase awareness of cyber risks, and assist the firm in responding to potential data incidents. Cyber
coverage should provide risk and legal advisory services to guide investigations, ensure compliance with applicable laws,
and protect confidential communications and information.
In the event of a potential incident, a CPA firm should consult with its cyber insurance carrier or attorney before hiring a
forensics investigator. If an investigation is conducted outside of the firm’s relationship with an insurance carrier or
attorney, the communications produced by the investigation may not be protected by attorney-client privilege.
Firms should have a cybersecurity expert evaluate, test, and secure their computer systems before an incident occurs.
The expert will then be familiar with the firm’s systems and can work with insurance and breach response service
providers in reducing any damages from a breach, reducing the costs to eradicate problems, and enabling the firm to get
back on track sooner rather than later.