Q&A: The 2 most prevalent cyberthreats for CPA firms

Hosted by Jeff Drew

Sarah Ference, CPA, is a risk control director at CNA, the underwriter of the AICPA's Professional Liability Insurance Program. She also is a co-author for the Journal of Accountancy's monthly Professional Liability Spotlight column. In her current role, Ference advises firms of all sizes on how they can manage their professional liability risk.  

In this episode, a collaboration with the Small Firm Philosophy podcast, Ference talks with Jeff Drew about what to look for in email, the danger of clicking on unfamiliar links, and more.

What you'll learn from this episode:

  • An overview of two common cyberattacks.
  • What to look for in a potentially fraudulent wire transfer request.
  • The time of year that these attacks are most likely to occur.
  • The red flags that could signify a potential cyberattack.
  • Steps that CPAs can take with clients to lessen the likelihood of such attacks being successful.

Play the episode below or read the edited transcript:

— To comment on this episode or to suggest an idea for another episode, contact Neil Amato at

Edited transcript:

Neil Amato: Welcome to a special edition of the Journal of Accountancy podcast. This is your host, Neil Amato. This episode marks the fourth in a collaboration between the Journal of Accountancy and the Small Firm Philosophy podcast, which is produced by the AICPA's Firm Practice Management team, also known as the Private Companies Practice Section, or PCPS.

Today's episode features a discussion describing the most prevalent cyber scams currently targeting CPA firms. You'll hear that conversation right after this word from our sponsor.

Jeff Drew: Sarah Ference is a CPA who is a risk control director at CNA, the underwriter of the AICPA's professional liability insurance program. Sarah advises CPA firms of all sizes on how they can manage their professional liability risk. She has worked with the insurance program for 10 years and also has co-authored the popular Professional Liability Spotlight column in the Journal of Accountancy. Prior to joining CNA, she spent 15 years at a Big Four firm delivering audit and consulting services. Thank you, Sarah, for joining us today.

Sarah Ference: Thank you very much for having me, Jeff.

Drew: We will jump right in. What are the most common scams you are seeing affecting CPA firms in the Professional Liability Insurance Program?

Ference: Two scenarios we're seeing a bit more frequently than we have in years past are ransomware and fraudulent wire transfer requests. Unfortunately, both of these types of attacks are not only gaining in frequency, but they also can be really expensive for a firm.

Drew: Can you give an example of each of these scams?

Ference: Most of us are familiar with ransomware, where a bad actor, a hacker gains access to the firm's systems. This is accomplished usually through a successful social engineering attack where someone gets a fraudulent email and clicks on a malicious link or attachment. From there, malware is downloaded onto a firm system, and the bad actor can perpetrate a ransomware attack.

We've seen attacks come on March 13, say right before filing deadline. We've seen attacks that have deleted some of the firms backed-up data, making it difficult for the firm to restore operations from their backups. More recently, we've seen the attacker place increased pressure on firms to pay the ransom. They threatened to actually release the data they're holding and publicly harm the firm's reputation in doing so.

The wire transfer fraud schemes are a little different. Here it's the client's systems that are being compromised.The bad actor gets into the client system — usually via an email. They then watch and monitor email traffic for awhile, gaining understanding of the cadence and tone of messages. When they gain that familiarity, the bad actor poses as the client, sends an email to the firm, and requests a wire transfer or a bill payment. The firm, just assuming that the email request from the client is real, executes what the hacker is requesting.

In one recent claim I read about, actually just this week, a hacker sent several emails to a firm requesting payments of several large invoices. The firm was providing bill pay services to the client. The firm didn't recognize the vendors that were going to be paid and responded back to those emails, asking the client to verify that these invoices should be paid. Of course, the hacker is posing as the client and has access to the client's email, so the hacker responded back and said, "Yes, of course, pay these invoices." This resulted in a loss of several hundred thousand dollars.

Drew: What makes social engineering attacks such as spoofing so dangerous for CPA firms?

Ference: I think they're dangerous because they're designed to trick you. This is Halloween and so another trick that they play is they take advantage of their recipient's environment or situation or behavior characteristics. CPAs are client service-oriented. When we receive messages or requests from our clients, our initital response is to want to help and respond to whatever the client is asking us to do.

Hackers also know that we're really busy during certain times of the year, busier than normal, and our attention may not be as complete as it is during other times of the year. That's why we see more attacks during January through April. They take advantage of those kinds of characteristics.

The other reason why it's so dangerous is that the bad actors are getting really good at this. It used to be really easy to spot a phishing email, but they're becoming more sophisticated, more personalized. It's becoming very difficult to detect a fake message from a real one. With wire transfer fraud schemes, it's even harder because it's often the client's email that's compromised, making it extremely difficult for the CPA to distinguish between a legitimate request from their actual client or a request from someone pretending to be the client. That's why it's getting more dangerous for our firms.

Drew: I mentioned spoofing attacks in the previous question, and it occurs to me that our listeners may not know what spoofing is. Do you mind explaining that?

Ference: Spoofing is a kind of phishing attack. The bad actor who sends the message is posing as a trusted person known to the message recipient. That's the difference between a more general phishing attack and a spoofing attack. But usually the sender's email address in a spoofing attack might be just slightly off from the real one. Maybe it contains an extra letter or a number, an exclamation point instead of an L. But at a quick glance, especially in busy times, it looks valid. Again, it's designed to trick and deceive the recipients into doing something.

Drew: What are some of the other common characteristics or red flags that CPAs should look out for?

Ference: Here are some tried-and-true red flags.

  • Any request that asks the CPA to supply credentials or divulge sensitive information, even if it looks like it's coming from someone trusted. Most people will never ask for that information over email or shouldn't ask for that information over email. It's not a secure way to communicate that.
  • Anything that's time-sensitive or urgent. Yes, our clients all have time-sensitive or urgent needs, but when it's combined with a request for payment, that should raise a red flag.
  • Maybe anything you weren't expecting to come. But also be careful of that because as I said, the client's email might be compromised so they might be a bad actor sending something to the firm from the client's email. Just again, be on the lookout for something like that.
  • Maybe anything that goes outside of the established communication protocols. Say you use a portal to gather information from your client. That's the established communication protocol, and the client sends you something instead via email, maybe an attachment of something you're looking for. But it doesn't follow those methodologies that have previously been agreed. That should raise a red flag.
  • Really anything with a different tone or different word choice than what you typically receive from a client. I spoke with one firm whose staff member had received an email from what looked like the managing partner. She knew something wasn't quite right because he signed the email "Fondly" or "Warmly" or something like that. She joked that wasn't his typical way of signing a message. Just be wary of those kinds of things.

Drew: In what ways are these attacks becoming more sophisticated?

Ference: They're really becoming harder to detect. It just takes more time to identify that there could be something wrong and probably requires an extra step to confirm the authenticity of the sender. Time is something that CPAs just don't have much of. We've never had much time, and now we have even less of it. Unfortunately, it takes time to properly scrutinize some of these messages to identify something that's fictitious. That's why they're just becoming more sophisticated and therefore harder to detect.

Drew: On the wire transfer fraud, when a bad actor has compromised a client and is in the email, the email address will appear to be coming from the client. But if you replied to it, the reply would go to the client's email address or is that where you would spot like an extra letter or a number in the address?

Ference: Since the client's email would be compromised, that reply would actually go back to the client's email, which has been taken over by the bad actor. The client would actually have no idea.

Drew: When you're looking for the little tells in the addresses, you should be looking at where you're sending the money?

Ference: Yes. It's where you're sending the money because it could be a new vendor or a change in account number or routing number. But it's really any request that's coming in to transfer money, even if it looks like it's coming from the client's email address. We recommend that it be verified in a different way other than email prior to actually executing the transfer.

Drew: What types of precautionary measures can CPA firms take in response to these attacks?

Ference: There are a lot of different things that firms can do. Unfortunately, due to the evolving nature of the risk and the schemes, it's not a one-and-done thing. There are things that the firm's IT provider can do, such as installing firewalls and anti-phishing tools and installing patches as soon as they're released. A lot of companies conduct phishing simulations to test the ability of their employees and partners to identify a phishing attack or a phishing email.

The firm itself can provide training to its staff about how to spot a phishing attack, just to be on the alert for it during critical times of year. They could provide a method for reporting suspected phishing emails. A lot of email programs have that now.

Really, everyone, regardless of who you are at a firm, should make sure you're aware and alert. Adopt that mindset of being skeptical at the beginning and confirm authenticity of a sender.

Don't click on links unless you are sure [they are safe]. A lot of times you can just open your browser and go to the website directly rather than clicking on the link in the email.

With wire transfer requests, I've mentioned that anytime the firm handles client money, whether it's executing investment transactions or paying bills, you're going to have a risk of this attack. A couple of things the firm can do is to establish the communication protocols with the client at the beginning of the engagement. Tell the client that you're going to call them and confirm their request prior to making payment. If the client balks at that, maybe that's not the best client because you can't care more about the security of their money than they do.

Make sure that you say to the client, "Here's our process, here's what we're all going to follow to make sure that we're mitigating this risk as much as possible." Then when you get a request from a client, call them at a phone number that you know. Do not email them back because you're should not assume that the person responding to the email is actually the client. Call them over the phone so, if you know their voice, you can confirm that they made that request. We understand this is challenging and time-consuming, but it really is the only way to prevent this sort of attack.

There is another thing I've been suggesting firms do. While this does not eliminate risk, it puts some of the responsibility on the client. Tell the client that it's their responsibility to protect the security of their email account or whatever method they are using to communicate with the firm. We're actually putting that in our sample engagement letters that we provide to our policyholders this year as part of one of the client responsibilities.

Drew: Is there anything else that I should have asked but didn't?

Ference: I think at the end of the day, even with all of these risk management protocols that a firm puts in place in training and awareness, you can never totally eliminate any risk. I'm not just saying this because I worked for an insurance company, but that's where insurance comes in. Cyber insurance is just now one of these essential coverages that all businesses should have. It's just part of doing business. A lot of professional liability policies, including our own in the AICPA member insurance program, provides cyber coverage as an endorsement to the professional liability policy.

I would strongly encourage anyone who doesn't have it to make sure they get that as part of their suite of insurance coverages. Other thing I would say is just that if I could put a plug-in for the member Insurance Program website, which is www.cpai.com. All of our risk management content and articles and information about the program is on that website, and there's some great information that`s ungated that anyone can use.

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.

This article provides information, rather than advice or opinion. It is accurate to the best of the author's knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, intended to constitute a contract, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.