
Fraudulent Transfer Scams Plaguing CPAs & Advisors

Posted by Alison Simons on Fri, Aug 21, 2015 @ 08:56 AM

Be very wary of emails requesting transfers of funds from hacked accounts.

We've recently seen two phishing scams that have resulted in fraudulent client fund transfers. While the amounts are typically not large (under $50,000), in both cases there were multiple transfers. The losses are different but the claims are essentially identical.

Each of our insureds received an email requesting transfer of funds, and in both cases the email requested that monies be wire transferred from their accounts to a Wells Fargo account. These fraudulent emails included significant identifiable personal details and signatures on faked transfer forms. Signatures were verified against signatures from other valid transfers and determined to be authentic -- so they thought.

In one case the bank asked for a phone number to verify the transfer as the transfer form was slightly hard to read (red flag). An email was sent to the hacked account requesting a cell number to verify the transfer. In an email response the sender asked if they could call the bank to verify, and this was allowed as the caller had the correct banking information, social security number and other personal identifying information details to convince the bank to move forward and transfer the funds.

Both of our insureds' clients have been asked to be made whole, and we are in the process of determining the liability associated with each claim.

With one of these claims, the bank clearly has some liability as it did not follow proper protocol and allowed a deviation of standards by accepting a “call in” as opposed to the “bank calling out.”

(Side note: both of these clients are longstanding, very profitable accounts, and our insureds are trying to mitigate damages to maintain the relationship.)

OK, now that you have read the claim summary what’s next? Your office needs to take steps to reduce your liability while protecting and safeguarding your clients’ bank accounts.

Here are several steps that you should incorporate into your due diligence internal controls:

  1. Email requests must be verified by a second means of verification. In many cases a text message to a cell phone can ensure some protection. The theory is that hacked email accounts are usually compromised from afar (Russia, China, West Africa), and the hackers would not be in possession of the cell phone. Additionally, the text message could include a request for an additional identification password that may not be known to hackers (for example, we frequently see questions like the name of their dog or the name of their high school). Also, emails have often been hacked weeks before the owner becomes aware, and the hacker waits to gather information to be used fraudulently. On the other hand, if your cell phone is missing for more than four hours you start to panic and take steps to prevent misuse.

  2. Be suspicious and examine emails closely, looking for ‘red flags’ such as misspelled words, forms that appear to be scanned and are slightly illegible, and salutations that are not consistent with other email correspondence. In some cases a word seems out of place or used incorrectly. In other cases our insureds received numerous follow-up emails asking for details on exactly when the transfer was completed, which showed a level of desperation.

  3. Include internal protocol procedures stipulating that your employees have a second person review and sign off. If possible include the key person in the office who has the relationship with the client, as they may have more personal knowledge of the client and sense a fraudulent request.

  4. For larger transfers, elevate the due diligence, requiring absolute second live verification before transfer of funds.

  5. Consider adding language to the engagement letter that states you will make every effort to verify transfers, and in cases where you are unable to verify the validity of the transfer you will refuse until satisfied that it is an authentic request.


By incorporating these preventative measures, you could thwart criminal fraud, and you are building your defense should the fraud occur.

Tags: accountants, CPA Alert, Information Security, liability

Cyber tip: How often to change passwords

Posted by Alison Simons on Thu, Aug 06, 2015 @ 03:10 PM

As an insurance agent we deal with applications every single day, yet when I have to fill one out I have the same reaction as my insureds: “I hate applications”.

However there are times when an application is a good thing, like a cyber-application.

The cyber application is designed to ask risk management questions that hopefully provide some insight on cyber exposures.

For example: How often do you change passwords?

The majority of applicants answer anywhere from 90 days to once a year.

So what is the best answer? Monthly

We all get careless with passwords, and we are never sure if they have fallen into the wrong hands.

Changing passwords monthly ensures a better risk management landscape; it also makes employees responsible for managing their passwords rather than treating them as an afterthought.

The main reasons for not changing passwords are “I have so many” and “I can never remember them”; in reality, however, this is more consistent with passwords that you may only use once in a while. To help safeguard your business network, passwords should be used every time you log on. One common error when choosing passwords is that the employee uses the same login as their personal bank account or Amazon account.

This puts the business at risk when any of their personal accounts is hacked and the hacker goes phishing for other easy computer systems connected to that individual.

Let’s look at a recent case of password hacking. Employee Alice’s Facebook account was taken over without her knowledge, and the attackers used this information to gain access to her Amazon account, where her credit card information was stored. Alice’s Gmail account was the next hacking opportunity: using personal information, they were able to guess her password from a combination of personal details and her birth date.

Alice had several work e-mails in her personal account, so they then went after her work e-mail. The first password tried on her employer’s system was her Gmail account password, and instantly they were in the company’s server.

Hackers know that people re-use one password for many applications (log-ins). With Alice’s work e-mail account accessible, a series of e-mails was sent pretending to be Alice in order to capture additional confidential information. Think about a co-worker sending an e-mail requesting information that appears legitimate; most of us would respond. In this case human resources was sent an e-mail asking for her personal banking information, explaining that her direct deposit account had been hacked and she needed to change the account prior to the next pay period.

Fortunately there was no theft of funds: the HR person called Alice and the jig was up. However, that was not the end of the story for Alice’s company. The company was concerned that its data may have been compromised and brought in an outside forensic IT company to ascertain any data breaches. Calls were also made to its attorney to review whether this was a reportable event to state regulatory agencies.

All company passwords were changed and remote access from outside employees was shut off. It was several long days before the business was back to normal. Although the company escaped any real threat, there were still significant costs incurred not including lost employee time and production.

Alice was able to notify all her credit card and banking relationships and re-establish her social media accounts. Hundreds of fake e-mails had been sent posing as her to friends and family, and several months later she is still monitoring all of her accounts closely.

The moral of the story: employers need to carefully monitor passwords. Passwords should have all of the following attributes:*

  • At least 10 characters long

  • A mix of lower case, upper case, and non-alphabetic characters and numbers

  • No words found in the dictionary (English or a foreign language)

  • No more than two consecutive characters

  • No common names, terms

  • No simple pattern
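
One way to turn the attributes above into an automated check, as an added example that is not from the handbook or from NAPLIA: the word and name lists are small constructed stand-ins for real dictionaries, “no more than two consecutive characters” is interpreted as no run of three identical characters, and “no simple pattern” as no three-character ascending or descending sequence (both interpretations are assumptions).

```python
import re
import string
from typing import List, Optional, Set

# Constructed stand-in word lists (assumption: a real checker would load
# full dictionary and common-name files instead of these few entries).
DICTIONARY_WORDS = {"password", "summer", "welcome", "secret", "bonjour", "letmein"}
COMMON_NAMES = {"alice", "bob", "john", "mary", "naplia"}


def has_repeated_run(pw: str, limit: int = 2) -> bool:
    """True if any character repeats more than `limit` times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % limit, pw) is not None


def has_sequence(pw: str, length: int = 3) -> bool:
    """True if `length` consecutive characters step up or down by one (abc, 321)."""
    for i in range(len(pw) - length + 1):
        codes = [ord(c) for c in pw[i:i + length]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_listed_word(pw: str, words: Set[str], min_len: int = 4) -> Optional[str]:
    """Return the first listed word (case-insensitive) found inside the password."""
    low = pw.lower()
    for w in sorted(words):
        if len(w) >= min_len and w in low:
            return w
    return None


def check_password(pw: str) -> List[str]:
    """Return the policy rules the password violates; an empty list means compliant."""
    failures = []
    if len(pw) < 10:
        failures.append("shorter than 10 characters")
    # "Mix of lower case, upper case, and non-alphabetic characters and numbers"
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw)):
        failures.append("needs lower, upper, digit and non-alphabetic characters")
    word = contains_listed_word(pw, DICTIONARY_WORDS)
    if word:
        failures.append(f"contains dictionary word '{word}'")
    name = contains_listed_word(pw, COMMON_NAMES, min_len=3)
    if name:
        failures.append(f"contains common name '{name}'")
    if has_repeated_run(pw):
        failures.append("more than two identical consecutive characters")
    if has_sequence(pw):
        failures.append("simple sequential pattern (e.g. abc or 321)")
    return failures
```

A password such as `Summer2015!` passes the length and character-mix rules but is still rejected for the embedded dictionary word, which is the kind of “looks strong” choice the list is meant to catch.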


In conclusion: changing passwords every 30 days helps mitigate potential unauthorized access. Company rules should strictly prohibit employees from using work passwords for personal accounts. Training employees to protect and secure passwords is one way to try to avoid hacking incidents. So when the cyber application asks how often you change passwords and your first answer is 30 days, consider reflecting on the answer from a risk perspective.


*Taken from the Cyber and Data Security Handbook, written by Eric Hess in July 2015 for NAPLIA

Tags: Data Breach, NAPLIA, Information Security, identity theft, cyber, records

Active Response to Cyber Attacks Has High Risk

Posted by Alexandra Swan on Wed, Apr 10, 2013 @ 12:38 PM

With an increase in Cyber exposures and cyber claims against CPA firms, CPAs need to be aware of the strategies to minimize these risks and ensure that the strategies are legal. There are both national and international laws governing the ways in which firms combat cyber exposures. The article below explains the added exposures that may result from not knowing the laws. 

http://www.forbes.com/sites/jodywestby/2012/11/29/caution-active-response-to-cyber-attacks-has-high-risk 

Tags: Data Breach, employee dishonesty, fraud, Information Security, identity theft

The incalculable cost of Identity Theft to your firm

Posted by Tom Henell on Tue, Jul 10, 2012 @ 01:50 PM

The Computer Crime and Security Institute has estimated that as many as 43% of US businesses experience some level of cyber security incident.  The cost of a cyber incident to your firm can be calculated in claims and lost wages.  In addition, with more than 46 states having State Security Breach Laws, client notification costs can be significant ($5 - $10 per client).

What can't be measured is the cost to your brand. According to the Ponemon Institute's 2010 global cost of a data breach study, the value of brand and reputation can decline 17% - 31% after a breach. In addition, it can take over a year for an organization to recover its corporate image.

Having a formal security breach plan in place can assist you in informing your clients of the steps you have taken to protect their data in the event of a loss.

For more information download our White Paper on Information Security & Cyber Liability: Essential Steps to Protecting your Firm

Tags: accountants, Data Breach, Information Security

What is the cost of a Data Breach ?

Posted by Tom Henell on Thu, Oct 27, 2011 @ 09:02 AM

When evaluating the potential cost of a data breach we have previously referenced the direct first party costs incurred by a firm as $5 to $50 per client.

Further information provided by the Ponemon Institute estimates this cost to likely be closer to $214 per record. The Ponemon Institute conducts independent research on privacy, data protection and information security policy.


Their research estimates direct costs of $73 per record.  Direct costs may include forensic, notification, call center, credit monitoring, victim assistance, legal defense costs, and breach consulting.

However, they further consider the indirect costs of diminished customer trust as approximately $141 per record. This creates a total potential cost for a data breach of approximately $214 per record, not factoring in any potential Errors & Omissions claims related to the breach.

Tags: accountants, Data Breach, Information Security

Emerging Cyber Threats; You can’t hide your head in the sand

Posted by Tom Henell on Thu, Oct 20, 2011 @ 11:08 AM

According to a recent report by the Georgia Tech Information Security Center, Emerging Cyber Threats Report 2012, cyber threats against personal information [data] continue to evolve. We will see advances in the sophistication and implementation of attacks in the near future.

As a professional who maintains personally identifiable information (PII) of your clients it is essential to be aware of these new and emerging threats, and take possible steps to safeguard your data.

Some of the areas cited in the report include:

  • Mobile Phones / browsers

There are currently four billion mobile phones in use around the world, and mobile Internet is expected to outpace desktop Internet usage by 2014 (http://www.digitalbuzzblog.com/2011-mobile-statistics-stats-facts-marketing-infographic/ ). Characteristics of mobile browsers create a new platform to introduce threats to data, as well as potentially bypass existing firewalls and other security measures.

  • Botnets

Botnets have been around for a long time but they continue to evolve.  PII is big business and this means increasingly sophisticated processes to access information.  Botnets have gone from targeting small pieces of data to creating complex demographic models that can potentially be sold into legitimate markets.

  • Online Information

We live in the digital world and more business and personal interaction is transacted online than ever before.  Marketers continue to expand the way our personal information is utilized to “control” our online experiences.  In addition, attackers are now capitalizing on search engine optimization (SEO) to increase rankings and, therefore, credibility.

  • Technology Advances

Advances in technology that enhance the way we conduct business also increase our potential exposure.  Cloud computing creates new exposures that were previously addressed through physical servers.  However, human error, education, and weak passwords continue to create the most vulnerability.

You can read the whole report here.  It is not necessarily possible to understand all of the exposures created through enhancements in technology.  However, broader education creates awareness to avoid potential disasters.

If you have not already, download NAPLIA’s recent White Paper on Information Security: Essential Steps to Protecting your Practice.

Tags: accountants, Data Breach, cpas, Information Security

Insurance claims for data theft worldwide jumped 56% last year

Posted by Tom Henell on Tue, Aug 16, 2011 @ 08:57 AM

According to a recent newsletter from Willis, data production is growing at an exponential rate (currently compound annual 60%) and that claims for data theft worldwide jumped 56% last year.  

In our experience, questions regarding insurance coverage for data security and identity theft are increasing daily.  Professional liability policies are intended to cover errors or omission in the delivery of professional services.  The question that often arises is, if data is lost or stolen outside the office (i.e. theft of a laptop computer) is there a connection to the delivery of professional services?

In addition, first-party expenses often triggered by state security breach laws are generally not covered under a professional liability policy.  This is the direct cost of client notification and credit monitoring that can run between $5 - $50 per client.

Download NAPLIA's White Paper on Information Security & Cyber Liability to learn more about essential steps to protecting your firm.

Tags: accountants, Data Breach, Information Security

Laptop Security – Important Steps to Mitigating Risk

Posted by Tom Henell on Wed, Jun 08, 2011 @ 03:00 PM

Modern technology allows us to enjoy a more mobile workforce. With laptops, tablet computers, smart phones, and other devices we are able to access work from virtually any location. However, these devices also expose companies to new risks previously not experienced by a desk-bound workforce.

Here are several simple steps to consider to protect your mobile computers, and mitigate your personal, and professional exposure.

  1. Identify your potential exposures.  The first step is to simply acknowledge that you may have weaknesses in your network security and take the time to identify them.  This process will require some research on your part, but is well worth the time.  For more information, download our recent White Paper: Information Security & Cyber Liability: Essential Steps to Protecting your Firm
  2. Use visible locks on laptops in your office.  A number of cable style locks are available to secure laptops to a desk when in your office.  These will not prevent a determined burglar, but a high percentage of laptop thefts are snatch & grab and can be prevented with a simple lock.
  3. Treat your laptop like a wallet or purse.  You would not leave your wallet sitting on your desk when you leave for the night, nor would you leave it sitting in the backseat of your car.  Laptops are prime targets for theft and simply keeping them out of sight will remove the temptation.  Lock them in your desk, and put them in your trunk if necessary.
  4. Do not store client data, passwords, or other important information on your laptop.  Only use laptops to access a server; never store personal or confidential information locally.  Instead, use the laptop as a portal to see, but not store, information.
  5. Keep your anti-virus software and firewalls updated.  In addition, make sure that laptops are encrypted to prevent access and that they have encrypted hard drives.
  6. Consider laptop tracking & recovery software.  There are several programs now available that can track, locate, and remotely delete files from stolen or lost laptops.

Not convinced? Read an actual claim scenario from one of our clients.

Tags: accountants, Data Breach, Information Security

Liability Insights for Accounting Firms - Free Seminar

Posted by Tom Henell on Fri, May 20, 2011 @ 09:53 AM

Gary Sutherland, CEO of NAPLIA will be speaking on Cyber Liability and Information Security at an upcoming seminar in Massachusetts, hosted by LeClairRyan.


Technology, government reform and new case law all play critical roles in new pitfalls for even the most well-seasoned accounting professional. A solid knowledge base can help guide you where there's no real treasure map. Where do the risk factors lie? How can emerging technologies create potential security problems? What are the audit concerns with the SEC? Feeling a little foreign to the Foreign Corrupt Practices Act or Dodd-Frank? New regulations on the ADAAA were published by the EEOC - as an employer, do you need to know more? Join LeClairRyan for this free event to better hone your strategies to manage risk.

Learn more, and Reserve your space

Tags: accountants, Data Breach, cpas, Information Security

Information Security & Cyber Liability: Essential Steps to Protection

Posted by Tom Henell on Fri, Apr 01, 2011 @ 09:50 AM

These days, it is almost impossible to be in business and not collect or hold personally identifying information (PII) about your customers, employees, or business partners. If this information falls into the wrong hands, it could put these individuals at risk for identity theft.  More than 9 million Americans have identities stolen each year, and the impact to your business from a data breach could be significant. 

At least 46 states have enacted legislation requiring notification of security breaches involving personal information.

See State Security Breach Notification Laws by State

It is essential for your business to understand your potential exposure and take specific steps to mitigate your risk.  


NAPLIA's Information Security & Cyber Liability White Paper will assist you with:

  • Identifying the potential exposures faced by your firm
  • The development of an Information Security policy
  • Understanding the insurance options available to you

Download NAPLIA's White Paper on Information Security & Cyber Liability Now.

Tags: Data Breach, Information Security