Safe Email

October 01, 2016
How to Avoid Being Reeled Into Scams

By Randy Werner
Cybercriminals continue to target and defraud CPA firms and their clients by deploying new phishing schemes to steal information and money. Damages resulting from the scams can range from several thousand to several hundred thousand dollars.

The lower end of the range of damages involves tax return schemes that target the large volumes of personal identifying information handled by tax preparers. The IRS recently warned tax return preparers about phishing schemes in which scammers send emails purporting to come from tax software companies, fooling tax preparers into clicking on a link to update the software, but which loads malware on their computers that permits cybercriminals to obtain remote control of a preparer’s computer system. Criminals then file client tax returns and redirect refunds to the fraudsters’ accounts. Similar email schemes have targeted individual taxpayers as well.

Lessons and Tips
Never click on unexpected links or open email attachments. Instead, use the software or other provider’s website to connect regarding updates. Tax professionals should also run a security “deep scan” to search for viruses and malware on computers.

Providing regular staff training will enhance awareness of the dangers of phishing scams, which can come in the form of emails, texts and phone calls from scammers posing as vendors or contract workers. Some experts recommend adding a data breach simulation to the training schedule at least once per year. Others will test awareness by “inoculation,” in which all users are sent benign phishing emails. Those who err are then educated on how to avoid the errors.

Strengthening passwords for computer and software access also is a good practice. Passwords should be at least eight characters long (longer is better) with a mix of numbers, letters and special characters. Or use a passphrase that is easy to remember, but change some of the letters to numbers, such as “E” to “3.” For instance, “ILoveCaliforniaSocietyofCPAs” is changed to “!L0Vc@Lif0rniaS0cietyofCP@s.”

Hackers Stealing Tax Refunds
Hackers also will send fraudulent emails to tax preparers with bank account numbers different from legitimate client account numbers in an attempt to divert tax refunds into their own accounts. Once the refund is sent to the wrong account, it’s immediately withdrawn. Taxing authorities have no responsibility once the refund has been sent to a banking account.

A common spoofing technique involves the hacker’s email address being one letter or digit off from the legitimate client email address (e.g., “” becomes “”)—enough to look like the client’s address and get the tax return preparer to change an account number. By hovering your mouse over a link, without clicking it, you can check the address or URL to ensure it’s legitimate. Tax preparers should verify with clients over the phone any changes in bank account numbers before filing. It’s also wise to have insurance coverage in case the fraudulent scheme is not detected in time.
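The one-character-off spoofing described above can be checked mechanically before anyone acts on an account change. The following is an added example, not code from the article or from CAMICO; the client list, the confusable-character table and the sample messages are constructed for illustration.

```python
# Added example (not from the article): flag a sender address that is one
# character off from a known client address, the spoofing pattern described
# above. Client list, confusable-character table and messages are constructed.
from typing import Iterable, Optional

KNOWN_CLIENTS = ["jane.doe@example-client.com", "accounts@acme-holdings.example"]

# Digits that read like letters on screen; folding them lets a digit-for-letter
# swap such as "d0e" for "doe" count as a near-miss too.
CONFUSABLE = {"0": "o", "1": "l", "3": "e", "5": "s"}

def normalize(addr: str) -> str:
    return "".join(CONFUSABLE.get(ch, ch) for ch in addr.strip().lower())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender: str, known: Iterable[str] = KNOWN_CLIENTS,
                 max_distance: int = 1) -> Optional[str]:
    """Return the client address `sender` imitates, or None if it is genuine
    (an exact, case-insensitive match) or simply unrelated."""
    sender = sender.strip().lower()
    known = [k.lower() for k in known]
    if sender in known:
        return None
    for legit in known:
        if edit_distance(normalize(sender), normalize(legit)) <= max_distance:
            return legit
    return None

def flagged(messages: Iterable[tuple]) -> list:
    """(sender, imitated client, subject) for each message that needs a phone call."""
    return [(s, t, subj) for s, subj in messages if (t := lookalike_of(s))]

SAMPLE_MESSAGES = [  # constructed
    ("jane.doe@example-client.com", "Q3 reconciliation"),
    ("jane.d0e@example-client.com", "Updated refund account number"),
    ("accounts@acme-holding.example", "Wire request, urgent"),
    ("vendor@unrelated.example", "Invoice"),
]
```

`flagged(SAMPLE_MESSAGES)` returns the two spoofed senders with the client each resembles; the genuine client address and the unrelated vendor are not flagged, so the list is exactly the set of messages to confirm by phone.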

Phishing schemes also target W-2 forms, employee Social Security numbers or credit card information, which can then be sold or used in attacks against the employees’ own computers, credit cards and other accounts.

Fraudulent Wire Transfers
At the upper end of the range of damages are claims involving firms with authority over client funds. Business management or bill-paying services are usually involved. Firms receive email requests that look like prior legitimate requests, but were actually emailed by a hacker who commandeered a client’s email account.

The CPA/recipient clicks a link in the initial fake email from the client, opens an attached document or enters a password, thus enabling the hacker to take control over the email account and messages. This is called a “man in the middle” attack. When the hacker is controlling both the CPA’s and the client’s email accounts, it can be difficult to figure out that communications are being manipulated.

The requested transfers are often made to a bank in a foreign country or through a U.S. bank to a foreign bank. When the fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are not always helpful in preventing fraudulent transfers, as laws limit their risk exposures and enable them to deny responsibility.

Red Flags
Be suspicious if asked to do anything out of the ordinary. Messages may contain broken English that is inconsistent with the client. A new bank account receiving the funds is often a red flag, especially if the account is in another country.

Beware of any wire transfer requests made via email and only proceed after verbally confirming the transfer with the client (this includes, but is not limited to, confirming the dollar amounts, the name of the financial institution and the bank account number).

Call senders to verify email or attachments before you open them, especially if they were unexpected. Also, you can verify transfers with a client by having them confirm information only they would be able to provide.

As CPA firms, tax professionals and clients continue to be victimized by cybercriminals, firms should redouble their vigilance with email and other cyber activity, and create policies to prevent such crimes. Preparing and educating your staff on cyber risk exposures will help deter criminals when they target your firm.
Randy Werner is a loss prevention executive with CAMICO.