Friday at 3 p.m. An all-caps text is received from a bill-pay client. The client needs a contractor to be paid immediately so remodeling may continue at one of her restaurants in preparation for a much publicized relaunch. With remodeling occurring at multiple locations, who can be surprised? An "emergency" distribution seems to happen every day. Just a quick text back telling the client to consider it done, make the transfer, and start the weekend. Unfortunately, the request wasn't from the client, but a bad actor posing as the client. When the client was shown the text, she agreed that everything indicated it was from her, except that it was sent from a different type of telephone than she used. The CPA took the bait — hook, line, and sinker.
Cybercrimes have exploded in recent years. If the U.S. government or major U.S. companies can be infiltrated, so can a CPA firm. Not only do CPA firms possess valuable, confidential client and employee information, but they also often have authority to access and distribute client funds.
Fortunately, data security protocols can be created that may help reduce the risk of a cyber incident when such protocols are implemented and followed consistently. Let's review the protocols.
TRAIN ALL STAFF TO IDENTIFY PHISHING EMAILS
Many cyber incidents begin with a phishing email, an operation initiated by a bad actor, where the recipient is duped into revealing personal or confidential information that is then used for illicit purposes. Phishing emails contain many common characteristics, including:
- Urgency: Improper requests frequently occur on Friday afternoons or near filing deadlines.
- Slight differences in important information: The bad actor may have a similar email address but use a different extension or include a different character in the address. A text message may be sent from one type of device when the purported sender uses a different device, or a phone number may be one digit off.
- Request for action: To spy on your computer, many phishing emails contain links or attachments that activate malware by clicking on the link or opening the attachment. Alternatively, the bad actor may pose as a client requesting you to make an unauthorized disbursement.
- Poor spelling and grammar: Phishing emails often contain spelling and grammatical errors, even if such mistakes are not as prevalent as in years past.
Train firm members how to spot and respond to potential phishing emails. After completion of training, consider testing all firm members by sending simulated phishing emails to demonstrate whether they are applying knowledge learned.
USE CAUTION WHEN WORKING REMOTELY ON A WIRELESS NETWORK
Bad actors may infiltrate the wireless internet when firm members are working remotely. Mitigate this risk by using a virtual private network (VPN). VPNs create a secure tunnel between the remote user and the CPA firm across the internet. Data traveling within the tunnel is encrypted and, if intercepted, is generally indecipherable.
ENCRYPT EMAILS CONTAINING CONFIDENTIAL INFORMATION
To further reduce the risk of an email being intercepted, use encrypted email for confidential information sent outside the firm's network. Email encryption helps protect data confidentiality by transforming emails sent and received into an unreadable format for unauthorized users. However, if the bad actor has access to the CPA's or client's email account and password from a prior phishing scheme, they will be able to view the encrypted emails.
CLIENT PORTAL USAGE
More effective than email encryption, use of a portal is one of the most secure ways for CPAs and clients to share information. Portal recipients receive an email when an item is awaiting review. The recipient can then click on a link, enter their login information, and access the content.
PRACTICE GOOD INFORMATION TECHNOLOGY HYGIENE
Use antivirus and anti-malware solutions. Install updates and security patches to software on a timely basis, as they are often deployed to address known security issues. Follow the U.S. Department of Commerce's latest guidance on passwords, found in the National Institute of Standards and Technology's NIST Special Publication 800-63B,
Digital Identity Guidelines, which is available at
nvlpubs.nist.gov.
VET VENDORS
CPAs use third parties for many services such as seasonal help, tax preparation software, cloud storage, portals, or payroll platforms for employees and clients. Paragraph .02 of ET Section 1.700.040,
Disclosing Information to a Third-Party Service Provider, of the AICPA
Code of Professional Conduct requires one of the following before the CPA firm discloses confidential client information to a third-party service provider:
- Enter into a contractual agreement with the third-party service provider to maintain the confidentiality of information received and provide reasonable assurance that the third-party service provider has appropriate procedures in place to prevent the unauthorized release of confidential information to others; or
- Obtain specific consent from the client before disclosing confidential client information to the third-party service provider.
Do your homework before using a third party, ensuring that its data security practices are, at a minimum, as comprehensive as yours. Consider including language in your third-party service agreements requiring the provider to maintain cyber insurance and to agree to defend and indemnify you for any breach caused by them.
INSURE PROPERLY
Consult your agent or broker to understand how the CPA firm's various insurance policies respond to a data security event. Discuss ransomware, which has become a trending cybersecurity threat. Inquire as to how coverage would apply if a payment was improperly disbursed on behalf of the client or firm.
ADDITIONAL TIPS FOR CASH DISBURSEMENTS
Remember our restaurant bill-pay client in need of an urgent disbursement on a Friday afternoon? Unfortunately, many CPAs have fallen prey to similar schemes. To help avoid becoming the next victim of a fraudulent act, CPAs providing services that require the distribution of client funds should consider, among others, the following:
- Establish disbursement parameters with the client. Transaction types, disbursement limits, and bank accounts to be used should be documented before services commence.
- Use multiple methods of communication if a change from the established disbursement parameters is requested. For example, if an outside-the-norm disbursement was received via email, confirm the request via a phone call to a phone number known to be valid and from a CPA firm employee who will recognize the client's voice. Video calls where you can physically see and confirm the identity of the person authorizing the urgent distribution are likewise effective. Document who made and received the call and the number used.
- Require advance notice for changes to disbursement parameters. As the engagement progresses, changes may be required. Ensure sufficient time is provided for the CPA firm to confirm and implement the changes.
- Establish written protocols for unusual or out-of-the-ordinary transactions. These protocols should provide that the client examine and verify the transaction before it is processed. If the authorization is oral, document the client's approval as described above.
- Use the firm's client database to confirm information. Do not use the email reply function or a phone number on the email to respond to clients. Instead, telephone numbers and email addresses from the CPA firm's database should be used. Include the information used in documentation of the client's approval.
- Use security questions. Predetermine a method for verifying the client's identity before services commence. For example, agree to security questions that require a subjective response. Use the security questions if communication is suspect or any doubt as to validity exists.
In summary, verify twice and distribute once. Always take the cautious approach. You are not only helping to protect the client's money but also the firm's liability.
FINAL THOUGHT
The schemes orchestrated by bad actors cast a wide net, and those bad actors are regularly changing their schemes. Phishing attacks are not limited to email. Text messages, voicemails, and other mobile devices also are phishing vectors. So, the next time you receive an unusual request or message, proceed with caution and ... don't take the bait.
Deborah K. Rood, CPA, is a risk control consulting director at CNA. For more information about this article, contact specialtyriskcontrol@cna.com.