top of page

How scammers are weaponizing your CPA to steal from your customers

Beware of a new scam targeting your CPA or finance person. Scammers are using specialized accounting terminology against finance teams to obtain sensitive financial data with the intent of scamming your customers.

Here’s how the scam works. An aging report, or schedule of accounts receivable as it is also referred to, lists unpaid customer invoices and unused credit memos. It’s an essential tool for both accountants and management to maintain an overview of their credit and collection processes. In short, it’s a list of which customers owe you money. It’s these reports that bad actors have identified as premium intelligence material, containing all the information they need to intercept existing payment channels and target your customers.

Scammers are now trying to obtain a copy of this aging report by leveraging the identity of a criminals’ favorite persona: the CEO. Using free and temporary email accounts and employing display name deception, these scammers are making direct requests for an accounts receivable report from the CPA/CFO or other finance person.

Unlike other business email compromise (BEC) scams, these scammers don’t want the target to make a payment to a bank account or purchase gift cards, they just want the report. Here’s what the email looks like:

Armed with this intelligence—customer names, their outstanding balances, and contact information—the scammers’ next targets are your customers. With this information, they can create a credible-looking email account alias, assume the identity of an employee on your finance team, and request that they pay the outstanding balance referenced on the aging report.

The scammers will likely offer incentives for them to resolve their “debts” more quickly, such as reducing the amount they owe if they settle their outstanding balance immediately. The threat actor only then has to inform the payee that there has been a recent change of banking details and provide them with an updated account number they control and that money could potentially be gone forever.

The Takeaway

To protect your employees, organizations, and customers from becoming victims of this type of attack, we recommend taking a multilayered approach.

This scam and many others like it prays on poor email protection and a little common sense. If you don’t already have enhanced email protection, it’s a bit of a manual process. If an unusual request comes into your inbox from someone in your company, follow it up with a phone call. As a vendor double check suspicious or unusual  correspondence by phone and go the old fashioned way – paying by check and doing a phone call follow up.

If you believe you have fallen victim to any of these scams, you are encouraged to file a complaint with the Office of the Hawaii Attorney General or with the Federal Trade Commission. We have a complete list of resources, all in one place for you here:

Stay safe out there.


bottom of page