CPAs, like other professional service providers, have become targets for wire/fund transfer and social engineering fraud as cyber criminals continue to improve their hacking skills. Nationally and globally, we’re seeing an increase in schemes that trick companies into wiring funds to fraudulent bank accounts. While internal controls are essential, they can only go so far.
What’s the Best Course for CPAs?
Specialized insurance coverage protects CPAs in the event of such cases; however, courts have reached different results on the issue of coverage for social engineering fraud under traditional crime policies. Because social engineering fraud is growing, CPAs are wise to evaluate their risk profiles concerning computer fraud and funds transfer fraud by consulting with their insurance broker and coverage counsel.
Wire Transfer Fraud
According to a survey by the Computer Security Institute, the average financial loss due to wire transfer or social engineering fraud is $500,000. It is a major headache for businesses, with some 100,000 attacks occurring each day. Wire transfer or social engineering fraud takes a variety of forms but usually involves email impersonation, phishing, whaling (scamming or phishing directed at CEOs), fake caller IDs, email spoofing (often including embedded code to make fake email accounts look like internal email accounts), pretexting, and related email hacking and account compromise.
What Can CPAs Do to Prevent Wire Transfer Fraud?
Leading CPAs have already implemented basic internal controls to keep wire transfers from going to fraudulent accounts. Best practices include:
- General internal controls
- Wire transfers should require review and approval by at least two high-level managers and should not be automated without human oversight.
- No “emergency” situations can circumvent internal control procedures.
- Agreements with banks/financial institutions require that businesses follow the bank’s standard wire agreements and procedures, including password and encryption controls, authorizations, etc. Review these wire agreements annually. If the provisions of the wire agreement are not followed, the bank may not indemnify the company if a fraudulent wire transfer occurs.
- Segregation of Duties: separate the role of the initiator of a wire transfer from the roles of those authorized to execute and send it.
- Approval Signatures are stronger if they are executed manually, which demonstrates a review and approval of the wire transfer, than if they are computer-generated facsimile signatures.
Even with these safeguards in place, wire transfer fraud happens.
A standard crime insurance policy will usually include computer fraud and funds transfer fraud coverage.
However, insurance coverage for social engineering fraud and wire transfer fraud is challenging because the fraud originates from the victims voluntarily acting to transfer funds.
Insurers are closely watching the results of two court cases to be heard in 2018. The first is a case before the Sixth Circuit Court of Appeals involving the American Tooling Center, Inc., which was tricked into authorizing $800,000 in payments to a fraudulent bank account it believed belonged to one of its vendors. The second case is before the Second Circuit Court of Appeals and involves Medidata Solutions Inc., which made a $5 million payment for a fake acquisition. The wire payment was based on a fraudulent phone call from an impostor “attorney” and an email authorization that was purportedly from the company’s president but in reality was a “spoofed” or hacked email with embedded computer code to make it look authentic.
Given the risks of wire transfer fraud, policyholders must be vigilant by reviewing their policies and consulting with their brokers and advisors to find the appropriate coverage.
Let PCIA guide you in selecting the best coverage to meet your needs. Learn more about our professional liability insurance options. Looking for more resources for CPAs? Check out our Accountants’ Update newsletter.
Additional resources include the CPA Firm Management Association.
About the Author
Mike Cosgrove is President and CEO of PCIA. Throughout his career, he has established a reputation as a “hands-on” problem-solver for his clients’ insurance programs. He especially assists clients by training their staff to reduce their firm’s professional services risks. In addition, his services include risk evaluation and insurance placement, contract reviews and negotiations, assistance with mergers and acquisitions and international project pursuits and risk management seminars.