Security professionals warn us to look out for “tailgaters” — people who tag along behind authorized personnel in an attempt to enter secured locations without using or showing access credentials. Makes sense, right? You don’t know if that person should be there or what they might do once inside.
Still, when we see someone running our way yelling, “Please hold that door!” what happens? Invariably, most of us hold the door. Can you identify what transpires in your mind in those few seconds when you (1) assess that individual, (2) determine they pose no risk, and (3) let them in without validation? What is it about this interaction that compels you to act contrary to known guidance? Do you fear confronting strangers?
Let’s change the facts slightly. Instead of a secured door, what happens when you receive a panicky email asking you to wire client funds? Same questions: What transpires in your mind? What compels you to act against guidance?
These two situations have more in common than you think. In both cases, understanding your mental process — how your brain connects available and missing information to form a conclusion on which you then act — and understanding how bad actors actively manipulate your mental process are critical to understanding both why we make risky decisions and how we can avoid making them.
How risky? According to the FBI, estimated loss claims related to business email compromise (a type of fraud scheme targeting businesses that regularly do wire transfers of funds) soared from $360 million in 2016 to $2.4 billion in 2021. Similarly, CNA, the endorsed underwriter of the AICPA Professional Liability Insurance Program, has observed unfavorable trends in the severity and frequency of wire fraud claims.
The psychology of wire fraud
Let’s identify a classic wire fraud fact pattern.
- Your client contacts you with an “urgent” request. Urgent in this case meaning someone gives you the distinct impression they stand to be put to considerable inconvenience if you fail to act immediately. You internalize this pressure to act as real and personal.
- The request may be routine, out of the blue, or for larger-than-customary amounts. Regardless, it comes with a plausible enough explanation. You know of facts that somewhat corroborate the email or dissuade you from probing further (or both) despite any initial hesitations you have.
Like the stranger and the door, you assess and act. Swiftly. Questionably. Now, let’s break down this basic interaction and examine not only how your mental process is actually a key element in the fraudster’s plan, but also why known recommended guidance can fail.
Wire fraud works against CPAs specifically because of their well-honed sense of client service. Although a hallmark of the profession, in a fraudster’s hands client service can be a professional liability risk. Client service serves the client; wire fraud effectively serves a complete stranger as if they were the client. Those who perpetrate wire fraud are really good at tricking your client-service brain (the one that operates without your conscious awareness) into concluding that your client is on the other side of that email. Once you reach this conclusion, it doesn’t take much to get you moving toward your utopia — making the client happy. But the fraudster wants you to move, and they purposefully injected fake fear into your mental process knowing your response to this fear might push your movement toward their utopia — you making a complete stranger happy.
In this scenario, two stimuli that resonate with CPAs operate in concert to convince you that your internal GPS is accurate. The first primes you to act by targeting your natural desire to solve client problems. The second creates an emotional minefield because you fear a future where your inaction turned a client’s potential loss into an actual harm. In that moment, it is your client-service brain that unconsciously leads you astray. “What response both removes the mental discomfort and makes me feel good?” Solve this client’s problem. How? If you said, “Doing what they ask,” you took the bait and fell into the trap, just as the bad actor planned.
In wire fraud claims, a CPA typically becomes aware of the existence of fraud well after the money is gone. When the client cannot recoup those funds, they look to the CPA for recourse and recompense. Therefore, protecting against wire fraud requires you to do something you may not be predisposed to do: shut the door and ask the stranger to prove their identity.
Trust but verify
Confirming that a request to transfer funds is from your actual client before funds are transferred is paramount. The simplest and generally most effective way to do this is to pick up the phone and call the client at a number you know to be correct, not at a number associated with the email request. Calling your client and asking, “Do you really want me to send $25,003.48 to Radio Shack?” can be remarkably efficient. Verbal verification via phone works well in conjunction with a prearranged system to address nonroutine or large-dollar-amount (or both) requests. Setting up an advance verification system can help create a strong line of defense against wire fraud attacks. The system should establish both accepted and prohibited methods of communication, delineate dollar-amount thresholds that require more stringent confirmation, and create identity-confirming codes or passwords.
However, verification processes won’t work unless you deploy them consistently. The challenge is that you and your client, over time, default to a state of mental cruise control. In periods of high volume, high stress, or distraction, this cruise control, coupled with ingrained habits (i.e., that client-service brain), can hijack your mental process.
Use your brain to fight your brain
There is no easy way to override the potent combination of urgency and fear when it clouds your mind. But when you are cognizant of what’s occurring (fraudsters using your mental process against you), you can short-circuit your client-service brain and activate your risk-management brain. What should you look for and how should you respond?
- Look for: A sense of urgency.
- How to respond: Pause intentionally. Ask yourself, “In the grand scheme, will the client be disadvantaged if I do this a few minutes from now instead of right now?” The answer is almost always no. Use those extra minutes to apply your verification process.
- Look for: The creation of fear.
- How to respond: Reflect on a greater fear. If you erroneously wire a client’s funds, they will probably blame you and ask that you make them whole. Ask yourself: How certain are you that the costs incurred to address wire fraud are less than the time incurred to verify? Are you including in “costs” your time and professional reputation? Once the fraudster-created fear is no longer the dominant fear, turn on your risk-management brain and protect your firm. Use your professional skepticism. If you receive increasingly insistent emails but cannot reach your client independently, what can you infer?
Remember — bad actors prey on your client-service primacy by design. They know that satisfying clients is part of who you are. They are betting that with a carefully tailored manipulation, you will respond before you or your client-service brain realize what happened. You can circumvent those tactics by understanding how your mental process works (and how it can be manipulated) and by creating new habits.
The wrong growth trend
$2.4 billion: the estimated claimed losses from business email compromise schemes in 2021, up from $360 million in 2016. Source: 2022 FBI Report on BEC and Real Estate Wire Fraud.