There’s Nothing Magic about Preventing Cybercrime

by Kim Stone-Vilim, CPA | Aug 31, 2017
Pennsylvania CPA Journal
Insightful lessons can be learned by reviewing professional liability issues. With this in mind, Arthur J. Gallagher & Co. provides this column for your review. For more information about liability issues, contact Irene Walton at irene_walton@ajg.com.

Every little thing you do is magic, to paraphrase a song by The Police. Well, maybe not exactly magic, but the little things you do sure can save you headaches and maybe even a lawsuit.

Almost daily we hear news of computers and e-mails being hacked, credit card numbers and identities stolen, and all sorts of fraud. CPAs are generally more in tune with this news than perhaps some other professions, and usually take steps to protect themselves and their clients.

However, it’s often the little things that cause problems, as demonstrated by the following actual claim situation (though the names have been changed).

ABC Accounting had a long-term relationship with one of its clients, Junkers Ltd. As time went on, ABC took on more and more responsibilities for this client.

Junkers would often e-mail ABC Accounting and ask various questions about tax issues or other business-related questions. Junkers would send these questions to the owner of the firm and copy in one of the staff that also worked on its account. ABC prided itself on being responsive to client needs, and would provide timely responses.

One of Junkers’ e-mails requested that ABC Accounting pay bills for them since Junkers had really taken off and the staff didn’t have time to handle that part of the business. ABC agreed to handle the bill paying for Junkers, and made sure to put controls in place, such as having all bills preapproved by the client.

During a busy day in April, right in the midst of tax season, Junkers sent over a request to ABC Accounting to wire monies to a client in Singapore for the purchase of artwork. The staff accountant sent an e-mail back to Junkers and requested a copy of the invoice and the banking information so the money could be wired to Singapore. Junkers complied, the money was wired, and all was good. Or was it?

Two days later, ABC Accounting received a frantic call from the owner of Junkers. He was reviewing his bank account online and noticed a wire out of the account for over $200,000. 

ABC Accounting explained that its staff accountant had initiated the wire per Junkers’ e-mail request. ABC forwarded the e-mail and the preapproved invoice it had received back from Junkers.

Upon review, the client found that his e-mail account had been hacked. He had not requested the transfer of funds. By this time the funds had cleared his bank. The accounting firm and client made attempts to contact their bank, but they were not able to retrieve the funds. The FBI was contacted to assist with the investigation.

Ultimately, this situation was turned over to ABC Accounting’s malpractice carrier, and the client was reimbursed for the stolen funds.

The lessons learned by ABC Accounting were plentiful. At the top of the list, procedures that were in place needed fine-tuning. The firm did receive client approval on invoices, but stronger controls should be in place for larger invoices. Invoices above a certain threshold should require client signature and be followed up with a call to the client to verify it is a legitimate expense.

Also, the client had never before purchased any artwork for the business, so this should have been another question ABC Accounting posed to the client.

Furthermore, anytime a payment is being sent overseas a call should be made to the client to confirm. It is often not possible to recoup those funds once they are gone. Firms should be sure they speak directly with the client and do not accept a voice mail or text message as confirmation, as these avenues are often used by fraudsters when perpetrating a fraud. Technology cannot replace human interaction for verification.

Additional staff supervision would have been helpful too. It’s a good idea to have a supervisor approve any payments in excess of a certain amount. Another set of eyes to review and question items is always beneficial. Staff should also be encouraged to discuss any items that appear questionable with a supervisor.

Ongoing discussions with staff members about current topics affecting businesses is crucial. In this situation, there have been many articles and stories in the news about phishing e-mails and requests to send funds overseas. If the staff was aware of this trend, maybe questions would have been asked and this situation could have been prevented.

These might seem like little things, but these small steps could have prevented a bigger problem. And there is really nothing magical about them.



Kim Stone-Vilim, CPA, is accountants program manager at All Risks Ltd. in Geneva, Ill. She can be reached at kstone@allrisks.com.
Read It Your Way

digital edition

Read the latest edition of the Pennsylvania CPA Journal via the web, digital edition, or mobile app. 

Read Now
Member Benefit

The Pennsylvania CPA Journal is a PICPA member benefit.f Receive quarterly editions of the Journal delivered to your doorstep.

Join
JournalMobileApp_160x160
CPA Now