War stories: voicemail-email fraud.

Author: Werner, Randy R.
Position: Tech Talk

The following is drawn from CAMICO claims files to illustrate dangers and pitfalls experienced by CPAs. All names have been changed.

Wealthy shipping magnate John Urich established a trust to care for his disabled wife in the event of his death. Urich's CPA, Greg Roberts, provided tax and investment advisory services to Urich, including directions to the trustee to make transfers. A commercial fiduciary bank provided the trustee services.

Recently, Roberts received an email from Urich requesting a transfer of approximately $200,000 to a foreign account. It was a fairly common request by Urich, though Roberts still left Urich a voicemail to verify the request. Minutes after leaving the voicemail, Roberts received a message from Urich's email account confirming the request. Roberts responded to Urich advising him to send an investment direction letter to the trustee at Commercial Fiduciary Bank. Roberts forwarded the firm's instructions to the trustee regarding the transfer of funds.

When the trustee received the investment direction letter with Urich's signature on it, he followed the instructions provided by Roberts and transferred the $200,000 into the designated foreign account. Shortly after the transfer, Roberts received a call from Urich stating that he had not authorized the transfer. Ultimately, Urich expected Roberts to replace the $200,000, claiming the phishing scheme theft was Roberts' fault for failing to have appropriate safeguards for verification of transfers.

What Went Wrong?

Roberts and his client were victims of a scammer who had hacked into Urich's email account through an earlier spear-phishing attack, which downloaded malware onto Urich's computer. This enabled the hacker to send and later delete fraudulent messages from Urich's legitimate email account, as well as the voicemail left by Roberts. Roberts was unaware that Urich's voice over internet provider voicemail messages were being delivered to his email account, allowing the hacker to listen to them and confirm the information requested by Roberts. The hacker copied an older investment direction letter found in Urich's email trash. The letter had been previously scanned, was unencrypted and contained Urich's signature.

Loss Prevention Tips

Never assume a response to your request for a confirmation of a transfer of funds by email is valid. Transfers of funds should always be verified through a secure method, such as a phone call to the client. The person verifying the request...
