TechTalk
by Randy Werner
Safe Email
How to Avoid Being Reeled Into Scams
Cybercriminals continue to target
and defraud CPA firms and their clients by
deploying new phishing schemes to steal
information and money. Damages resulting
from the scams can range from several
thousand to several hundred thousand dollars.
The lower end of the range of damages
involves tax return schemes that target
the large volumes of personal identifying
information handled by tax preparers. The
IRS recently warned tax return preparers
about phishing schemes in which scammers
send emails purporting to come from tax
software companies, fooling tax preparers
into clicking on a link to update the software,
but which loads malware on their computers
that permits cybercriminals to obtain remote
control of a preparer’s computer system.
Criminals then file client tax returns and
redirect refunds to the fraudsters’ accounts.
Similar email schemes have targeted
individual taxpayers as well.
Lessons and Tips
Never click on unexpected links or open
email attachments. Instead, use the software
or other provider’s website to connect
regarding updates. Tax professionals should
also run a security “deep scan” to search for
viruses and malware on computers.
Providing regular staff training will
enhance awareness of the dangers of phishing
scams, which can come in the form of emails,
texts and phone calls from scammers posing
as vendors or contract workers. Some experts
recommend adding a data breach simulation
to the training schedule at least once per year.
Others will test awareness by “inoculation,”
in which all users are sent benign phishing
emails. Those who err are then educated on
how to avoid the errors.
Strengthening passwords for computer
and software access also is a good practice.
Passwords should be at least eight digits
long (longer is better) with a mix of
numbers, letters and special characters.
Or use a passphrase that is easy to
remember, but change some of the letters to
numbers, such as “E” to “3.” For instance,
“ILoveCaliforniaSocietyofCPAs” is changed
to “!L0Vc@Lif0rniaS0cietyofCP@s.”
22 CALIFORNIA CPA OCTOBER 2016
Hackers Stealing Tax Refunds
Hackers also will send fraudulent emails to
tax preparers with bank account numbers
different from legitimate client account
numbers in an attempt to divert tax refunds
into their own accounts. Once the refund is
sent to the wrong account, it’s immediately
withdrawn. Taxing authorities have no
responsibility once the refund has been sent
to a banking account.
A common spoofing technique involves
the hacker’s email address being one letter
or digit off from the legitimate client email
address (e.g., “businessware.com” becomes
“businesware.com”)—enough to look like
the client’s address and get the tax return
preparer to change an account number.
By hovering your mouse over a link,
without clicking it, you can check the address
or URL to ensure it’s legitimate.
Tax preparers should verify with clients
over the phone any changes in bank account
numbers before filing. It’s also wise to have
insurance coverage in case the fraudulent
scheme is not detected in time.
Phishing schemes also target W-2 forms,
employee Social Security numbers or credit
card information, which can then be sold or
used in attacks against the employees’ own
computers, credit cards and other accounts.
Fraudulent Wire Transfers
At the upper end of the range of damages
are claims involving firms with authority over
client funds. Business management or bill-paying
services are usually involved. Firms
receive email requests that look like prior
legitimate requests, but were actually emailed
by a hacker who commandeered a client’s
email account.
The CPA/recipient clicks a link in the
initial fake email from the client, opens an
attached document or enters a password, thus
enabling the hacker to take control over the
email account and messages. This is called a
“man in the middle” attack. When the hacker
is controlling both the CPA’s and the client’s
email accounts, it can be difficult to figure out
that communications are being manipulated.
The requested transfers are often made
to a bank in a foreign country or through a
U.S. bank to a foreign bank. When the fraud
is discovered after the transfer, the funds are
usually not recoverable. Domestic banks are
not always helpful in preventing fraudulent
transfers, as laws limit their risk exposures and
enable them to deny responsibility.
Red Flags
Be suspicious if asked to do anything out of
the ordinary. Messages may contain broken
English that is inconsistent with the client.
A new bank account receiving the funds is
often a red flag, especially if the account is in
another country.
Beware of any wire transfer requests
made via email and only proceed after
verbally confirming the transfer with the client
(this includes, but is not limited to, confirming
the dollar amounts, the name of the financial
institution and bank account number).
Call senders to verify email or attachments
before you open them, especially if they were
unexpected. Also, you can verify transfers with
a client by having them confirm information
only they would be able to provide.
As CPA firms, tax professionals and
clients continue to be victimized by
cybercriminals, firms should redouble their
vigilance with email and other cyber activity,
and create policies to prevent such crimes.
Preparing and educating your staff on cyber
risk exposures will help deter criminals when
they target your firm.
Randy Werner is a loss prevention
executive with CAMICO
(www.camico.com). You can reach
her at rwerner@camico.com.
www.calcpa.org