
The Ambitious Bookkeeper Podcast
The Ambitious Bookkeeper podcast is for bookkeepers & accountants who are growing or aspiring to start their own business. Our mission is to elevate the bookkeeping profession by providing support and resources for new and experienced firm owners.
We share actionable tips on running a successful bookkeeping business, tools and resources, plus guest expert interviews that will help you elevate your business. Where you can find us:
Website: https://www.ambitiousbookkeeper.com
BBA: https://www.ambitiousbookkeeper.com/bba
Facebook: https://www.facebook.com/serenashoupcpa
LinkedIn: https://linkedin.com/in/serenashoup
Instagram: https://instagram.com/ambitiousbookkeeper
219 | Top Scams Happening to Bookkeepers in 2025 with Jock Wols
Cyber scams targeting bookkeepers are getting more sophisticated, and I'm sitting down with insurance expert Jock Wols to talk about what's happening in our industry right now. I even share my own recent experience being targeted through the Gusto partner directory—twice in one day! If you think it won't happen to you, think again. This conversation is packed with real stories, practical tips, and the insurance knowledge you need to protect your business in 2025.
In this episode you’ll hear:
- The most common scams hitting bookkeepers right now, including phishing attacks through trusted directories like Gusto and QuickBooks
- My personal story of almost falling victim to a payroll scam (and how one of those fake "clients" actually got to another bookkeeper)
- Why picking up the phone is your best defense against wire transfer fraud
- What cyber insurance actually covers (spoiler: not all policies are created equal) and the gaps you need to know about
Resources mentioned in this episode:
- Episode with Jock on Insurance Basics
- Behind the Scenes Newsletter (Past Volumes)
Watch the video version on YouTube
Meet Jock Wols
Jock is the Founder and CEO of RiskDesk, an insurance broker and technology company based out of Lexington, Kentucky. In partnership with Nationwide, he established the PT Pro platform (https://www.ptprocover.com) to serve small businesses' insurance needs. He has almost 20 years of experience helping professionals manage their risk by delivering market-leading E&O / Professional Liability and Cyber Liability insurance solutions. Before he established RiskDesk in 2017, Jock managed the professional liability portfolio at XL Catlin and was based in London, New York and Lexington. He graduated from Washington & Lee University with a BSc in 2004 and obtained his MBA from New York University in 2013.
Connect with Jock
Reach out directly to Jock at jock.wols@myriskdesk.com or (859) 327-5594.
Hey Jock, welcome back to the Ambitious Bookkeeper Podcast. I'm excited to have you on again. I think, I know I've had you on once before, but maybe even twice if I'm not mistaken.
Talked quite a lot, uh, in the past, but it's, it's definitely been once. So that's from my memory too. Yeah, of having me back. Course. Much appreciated.
Yeah. And a lot has, a lot has changed in our industry since I first had you on. And so I wanted to have you back on to kind of talk through things that people should be aware of when it comes to insurance and risk and all of that kind of stuff. But first, can you start by telling us who you are, how you help people, all that good stuff?
Yeah. Absolutely. And I, like I said, excited to be, uh, back on your podcast, Serena. My name's Jock Wols. I am an insurance professional, so I act as an insurance broker. And so I help clients like bookkeepers, accountants, other professionals, technology companies, with their insurance programs. So predominantly we focus on professional liability insurance, also known as E&O insurance, cyber insurance, and this other product, set of products, called management liability. I used to be on the underwriting side. I worked for an insurer for a long time in London and then New York, and then transitioned to the intermediary side, to the brokering, brokering side. And, uh, yeah, I forget exactly when we initially kind of connected, but it's, it's gotta be maybe 5, 5, 6 years ago. So it's been a while. And I like to think I'm pretty ingrained within the bookkeeping community, through, you know, partnerships like yours and, uh, and others. So we, we work with a lot of bookkeepers to help them with their insurance, but also their risk management requirements.
Yeah. I can't believe it's been that long. I do remember having you on the podcast in, in the very, you were one of, you know, the first, first 20 episodes.
Yeah. What, what, what's your, what's your episode number up to now?
We're in the two hundreds now, so, yeah.
That's crazy. Yeah, and we give a lap of honor to all the ones that were in the teens, right? So, or up into the teens? Yeah. Ones, yeah, for sure.
So you run a company called RiskDesk, and. Yes. Sorry, I forgot to. That's okay, I'm just gonna make sure people know, and we're gonna link all of your information in the show notes. I switched over to using you guys to help me with the insurance side of things several years ago. So walk through kind of, I guess briefly, what that looks like for the newer bookkeeper who is listening and they're like, do I need insurance?
Yeah, no, for sure. And, uh, so there's, you know, we tried to, uh, I should just, you know, start off with. Try to take an education-first approach. Obviously I monetize my relationship with prospective clients through the sale of an insurance policy, but we also wanna be seen as a subject matter expert or a resource to, especially, your audience, uh, and others within this, within this community. So from a, from, from an insurance perspective, the three products I get predominantly asked about are, one, professional liability, which is also called errors and omissions insurance. And that tends to be the number one priority by the community. Covers you for your main business risk, which stems from the services that you render to your clients. The second product we get interest in is cyber insurance. That has really skyrocketed in terms of the demand, in terms of the, the need, in response to what's happening with the, with small businesses over the last five, six years. And we, we will, we will get into that a little. Then the third product they get asked about is general liability insurance. That tends to be a pretty distant product priority, especially those in startup phase. So there's almost like an inflection point at, of when someone has interest in that product. And it's usually like, hey, they've got an office location.
They've got some, uh, employees or they, they want to also bundle it with some property kind of coverage. So, you know, the vast majority of those in startup phase kind of kick ignore that product. We often kind of recommend, hey, get all these insurance products, but it's not as simple as just, uh, you know, buying an insurance product. Also fourth product that comes up, which is called a workers' compensation insurance. You know, we don't specialize in that. Some states require that you carry that even if you are, it. Yes. A so even if you, you the only owner or employee of that business, but that comes up periodically too.
What you mentioned a moment ago was cyber insurance and, I've pretty much from the beginning, I'm pretty sure I've always had a cyber policy. But when I switched to working with you, you actually looked at my existing policies and helped me fill the gaps, uh, coverage, because I pretty much just clicked a button when I first started my business. Like, oh, this is what the AICPA recommends for an accounting business, and so I'm just gonna buy it. And that was one area I was really impressed with, how you work with people on really understanding their business. And then the fact that I have two businesses, essentially, with different needs. You were able to help me find policies that made sense for both. And so you, you sat down and understood my business, what my revenue is, where my risks are, and all these things. And my risk tolerance, which I'm sure you're gonna talk about. Yeah. Um. And helped me, helped me find the best program of insurance for what was in my budget.
Yeah. Totally. So, yeah, I, I was just gonna kind of jump in there and, cyber threats, cyber risk, grabs a lot of attention based on what's kind of going, going on, and, you know.
Most weeks, you can read something in the press about, hey, this business has suffered a cyber attack, or here's this ransomware, or this school district has suffered this ransomware attack, right? So we, we see it a lot. What's changed over the last 6, 7 years, maybe 2019, 2020 onwards, is who cyber criminals have been targeting. If you wind back to two, like 2010, 2015, it was predominantly midsize to large organizations. Organizations that had exposure through the industry that they were part of. So I think healthcare, financial services, or the volume of information that they had, which was attractive to cyber criminals. More recently, other threats have become very popular amongst cyber criminals. And they typically kind of fall under the social engineering fraud umbrella. So think of phishing, spear phishing, whaling. There's a couple different iterations of social engineering fraud and the objective by the cyber criminal. There's, there's, there's, there's a couple different ones, but they basically try to deceive you into take, into taking a certain action. And that can mean wiring money to a fraudulent account. Opening up a, a, a file that deploys, you know, ransomware or some other virus, getting you to log into a fake website that then gives up. You give up your user credentials or other sensitive information, and then they either, you know, with wire transfer fraud or ransomware, you know, once the money's gone or your system's locked, you know pretty much immediately that you've been compromised. But then also as a small business, and this is why it's attractive to, uh, cyber criminals targeting the small business community, your cybersecurity safeguards are a little lower. They're not as sophisticated as a mid-sized or large organization, but they can use you as a springboard to attack, think of your clients or vendors or others, to then commit the real scams. So, so there's, there's, there's quite a bit kind of going on there.
And so, the cyber insurance policies. And this is the situation that you as a buyer, as a first time buyer, you see this thing called insurance and it's this cyber on top of it and you're like, okay, great. I've got a cyber insurance policy. Unfortunately, the devil is in the details, and what's covered under these cyber insurance policies can vary dramatically from being basic. And I'm being kind there in terms of, uh, very limited cyber attacks would be covered under very basic, uh, kind of solution, to a market leading solution. So think, and, and, and really the kind of key giveaways are ransomware, wire transfer fraud, and social engineering fraud. If those three things aren't reflected in that policy, then it's, it's, it's an outdated solution. So, you know, in the eyes of the cyber insurance solution, a cyber attack isn't automatically covered. It has to be specifically referenced. Uh, and so that's, that's where, you know, if someone does get tripped up, that's where they can get, uh, kind of tripped up. And it's not, it's not necessarily the fault of the, of the buyer. They just, you just don't know what to look for. So our approach is we want to work with those insurers, and we work with plenty insurers, who offer market leading cyber insurance policies.
So you mentioned a couple different types of phishing, so I, I didn't know that there were so many different types of phishing until recently. When I, and I teased this before we hit record, I was like, I have a story. Yeah. So if anyone here is, is listening to the podcast and you are a subscriber to my email newsletter, I've been putting out a biweekly, kind of behind the scenes newsletter of just my pure thoughts and ideas that I feel like writing about, pure inspiration. One of the ones that I shared was, I was recently targeted through the Gusto partner directory by two different businesses within a day of each other requesting payroll services.
And they were like, we're really interested in all the services you have to offer, but first we need payroll set up. Our employees are like, you know, really demanding their pay or whatever. And so like that was red flag number one, is like the rush of it. And so I put them through my process of like getting to be a client, the proposal, engagement letter, all of that kind of stuff before starting to work with them. And in that process, because of their pushiness, I decided to go and make sure these companies really existed. So I searched them online 'cause they were both very, very similar and they only wanted to communicate via email. They didn't wanna hop on a call, which is another huge red flag. As a, an accountant or a bookkeeper, if someone isn't willing to get on a call with you, they are probably not actually looking to. They're not, they're not a valid client. Like think of yourself, would you actually hire someone you've never talked to to manage your money? No.
Yeah. Right. Yeah, totally.
Um, so I ended up, one of them, I called the number that they had listed on their intake form and it was someone with very broken English and they were driving and they kind of like, I don't even know how to explain it, but they basically were like, oh, well I'm not at my desk. I'll have to get back to you later type of thing. And I was like, okay, this is suspicious. And then I looked up that company, and they were, the other thing too is that both of these companies had things that made them actual good viable potential clients for me. One of them was based in Arizona and the other one was actually in the industry that I work with in my niche. So I reached out to both of you.
Profile? Huh? Are those metrics, are those data points on, on your Gusto profile?
Yes. I. So I reached out to both of those companies directly from the information I found out about them online. One of them I found on Instagram, DM'd him. They were a, a musician, an online course creator.
And the other one was an insurance agency down in Phoenix, here in Arizona. And I called the insurance office, spoke to someone in the office, and I asked them like, did you guys request payroll services through Gusto? And they were like, no, we already have payroll set up. And I was like, is your, is the agent that you work under, do, do they have broken English? And they were like, absolutely not. She's very well spoken. And so I was like, okay, so someone has your information and is trying to use it in some regard. The other one that I ended up contacting on Instagram had not already had a Gusto account, and he had never even heard of Gusto. And then he reached back out to me a few days later saying that, he had, whatever that scammer was doing, they got to another bookkeeper or someone else and they were able to pull money out of his account. So they set up a fake payroll account with all of his information that they had somehow about his business, and were able to.
The musician's? Yes. What? Yeah.
So they had his business LLC information, his EIN number somehow, and were able to set up a fake payroll company through Gusto and actually. Or make it look like it was through Gusto. I'm not sure exactly what ended up happening on his end, but he had reached out to me and said they ended up getting me, if you have any information on them, I would love to have it. And I was like, yeah, you should report them to cyber crime.
Yeah, it's crazy. Yeah. Very.
The approach that they took, there were very subtle things that were red flags that I'm just a skeptical person to begin with, and that's kind of how we're trained as accountants. But I recognize not everybody in the bookkeeping industry has gone through fraud classes and training like that to become skeptical. And they are really just trying to help people. And they also are in it for, to get paid. And so someone could, obviously, someone easily was susceptible to this because it worked.
And so one of the things that we talked about before we hit record was there's risk management as far as mitigation and then risk management as far as insurance. So can you talk to the mitigation piece?
Yeah. Yeah, absolutely. I mean, it's, it's, and, and, and, and they're kind of related, right? So. Yeah. Of the, the insurance part, the risk transfer part is intended to not, not be a catchall, but yeah, they, they kind of work, uh, work together, uh, in a way. So, and insurers, they look at the risk mitigation in terms of evaluating your risk profile. So if you are thinking about, let's just use something very simple, as a professional, you have agreements, you provide a service to your clients. From a risk management perspective, to outline the agreement between what you're gonna provide and what the client's gonna accept, you're most likely gonna use an engagement letter, or that's kind of the accepted standard these days. Right? That engagement letter, you'll probably outline your payment terms, you're gonna outline the scope of services you will provide. Maybe you'll even outline the scope of services you don't provide. So that's the mitigation part of it, right? You that not only helps you the engagement letter and uh, not only helps you enter into an agreement with the client. It also outlines the parameters you're kind of working with. If there's some kind of miscommunication, if your client's like, well, I want you to provide investment advice, and you're saying, well, I'm not gonna be providing investment advice, it's clear in my engagement letter. Okay. If they have a misunderstanding, you capture it before you start working. Or if they sue you and say, you failed to provide investment advice, well, actually I wasn't hired to provide investment advice. So, so that's kind of the mitigation part that we talk about. And there's lots of processes and procedures that, in terms of, yep.
Timeframe, deadlines that you wanna make, use certain software to help you with that engagement, uh, letters. When it comes to cyber, cyber risk is, you know, and this is an evolving threat to businesses. And so what you were kind of talking about in terms of, I feel like these user profiles on Gusto and QuickBooks and, certain, and associations, that's a pretty, it's not uncommon. It's not the first time that I've kind of heard about that. Right. So for cyber criminals, they look at that as, oh, great, here's some data points that I can kind of lean into and sort of create my own kind of funnel. Then, you know, initiate, I mean, in a perverse kind of way, they, they've got their own kind of marketing funnel, right? And then they say, and, and each one, each tactic, each scam is a little, uh, a little different. But kind of going back to those directories, it provides 'em with some information and they say, okay. And then they try to pick on certain, you said, Arizona, your industry, they try to pick on certain things that lures you, small data points that lure you into, uh, a false sense of security when you get these things. And, and there's one other one that I've seen recently within these bookkeeping communities. Again, the link to these, linked to clients, uh, or the cyber criminals trying to initiate the scams. But developing and thinking critically around, okay, what is this prospective client asking me to do, is really important. And so it starts with education. Mentioning, you talking about, hey, Gusto scams are coming from there. Doesn't mean every, every referral is a scam, right? Uh, but you want to be sensitive to that. If you see that, you want to, your, your senses should be on high alert and say, okay, it's come from Gusto. Come from a directory. Okay. What are they asking me to do? Okay. They only want to communicate via email. Okay. Red flag. Doesn't mean it's a scam, right? But, okay, let me, I, I gotta be a little more sensitive.
They ask, they ask me to wire funds, gotta be sensitive around that, et cetera, et cetera. One other thing that I've, and this is, I haven't experienced it with any of my clients or seen it with any of my clients, but someone reaching out and saying, hey, I wanna schedule an appointment. Please download my Zoom link or whatever. Please use this video linking tool. And so they embed this link within the communication, the email communication, again, because, you know, as you want to have that video communication, that from a risk management perspective, that'll reduce your exposure. So they, they're kind of picking up on that and they say, hey, download this. And when you download it, downloads a virus onto your system and it locks you out, and then they gain entry into your system. It's something that's, that's starting that we've, that I've seen within the communities. A couple people kind of post about it over the last 3, 4, 5, 6 months. Yeah. Hit a big wave. But again, you know, you gotta think about what are my processes, what are my procedures, and what am I doing? And not deviating from them, because they will try to get you to deviate from your own processes and procedures that you are familiar with, that you trust in, in yourself, to take a certain action that lures you into that, we become a victim.
Yeah. I had another similar thing happen to me where someone had gotten a hold, probably gotten a hold of access into my trademark attorney's system and gotten access to her email list somehow. And they emailed out an email that looked very, very similar to the emails that she sends out when we have a document to review or whatever. So it all had like her branding, her colors, and it was like the subject was like, there's a correspondence from the trademark office. Click here to read it. So anyone who was on her list that has used her to file a trademark got that.
And I initially thought it was strange when I saw it and I was like, she usually will call us, she'll usually call me if she has a notice or put in the body of the email what the notice was about and then have it attached or whatever. There's usually something slightly different. Um, but my, my dumb ass clicked the button. Because everything looked so legitimate. It even looked like it came from her email. And that's another thing, that always hover over links before you click on them to make sure they're the link that you're expecting. You can inspect the link. There's different strategies. But this one, there was like maybe one letter off of her email address, right? And so it looked real. They'll go to great lengths. They will create an email domain or an alias that looks exactly like where you're expecting things to come from, and, clicked the link and then it prompted me to log in with Gmail and it looked like a whole, you know, that single sign on thing.
Yeah. Right.
But then it just kept looping and I was like, okay. I emailed her and I was like, was this legit? And then she was like, no, I have to send a mass email, 'cause I'm getting all sorts of emails from people about it. I immediately changed my passwords and everything. But yeah, it was.
So there is a, um, these phishing scams can vary in sophistication. So what you were talking about in terms of, hey, cyber criminal sets up a new domain name, the, the, got an additional L or additional I in the, you know, in that domain. Um. It's a mass marketed email to a certain audience. Where user lists or some kind of compromise or some, you know, information, Gusto information can help refine and help the cybercriminals target that audience. But there's also, uh, that's one type of scam, and that's been obviously around for decades. Right? Or, or a while.
The other more sophisticated scam is if that cyber criminal breaches a system, and basically with that attorney, and I'm not saying this is what happened, but this is what we've seen with some of our bookkeeping clients. Cyber criminal basically takes over the email or has access to that email and then actually launches the cyber attack from that email domain. So it is the actual legit email.
Okay, so maybe that is what happened.
Yes. And so, so there's a couple different, you know, I got something similar, this was earlier this year. Someone like, hey, Jock here. It was one of my bookkeeper clients. She sent this, hey, please open this Dropbox file. And I was like, hmm, that's a little strange. So called to within. Yeah, I was like, eh, it's, uh, good. Let's see what's going on there. So I, I called her, uh, within that morning, and she's like, yeah, something happened. Um, so we basically notified the cyber insurer and pretty quickly, you know, what happened was she gave up her user credentials somehow, cyber criminals got in there, and then they started, they slowly tried to take over the system in the environment that you operate in. And so that, that was resolved, fortunately, relatively quickly for her. But then also, another attack that we've, another scam that we've seen, similar kind of playbook where cybercriminal got into a bookkeeper's client's domain, email, and they sat in that email or in the, in the, in that environment for months or so, identified that the bookkeeper was one of the trusted partners. Understood that they processed funds on behalf of the client. Knew that the client, the business owner, predominantly emailed in terms of correspondence. So they basically set this thing up where they, they said, hey, here's, here's this vendor. We need to pay this vendor 50 grand, or whatever it was. And let's first pay the five grand. And they piggybacked off an existing email chain between the bookkeeper and the business owner.
Where, so again, it looks legit, it did come from the business owner's email. Wow. And they said, hey, our bank balance is X. You know, let's just first pay the five grand. And then once we have this incoming transaction, we'll send the remaining 45 grand or 40 grand, whatever it was. So again, came from the, came from the business owner. Cybercriminal, but from the business owner's email. Business owner predominantly communicated by email. They piggybacked off an existing email thread. They said, here's our bank balance. So it's low. So, so piggybacking all these like little data points that basically lure you into this false sense of security. Yeah, we got 50 grand, 50 grand outta that. So, you know, you just gotta be. With wire transfer fraud, there is one thing, if there's one takeaway of today's, uh, podcast, if you get tasked to wire funds, comes electronically, that should be your first sort of, senses should be on, on, on alert. But then if it's a new bank account, so it's a new vendor, you've never, the business has never wired funds to that. Or they say, hey, I've just, you know, I'm an employee. I, I switched my, I've got a new bank account. You gotta pick up the phone and call. Yeah. To pick up the phone and call. Yeah. There's, if that is the most effective, the effective way to kind of manage that risk.
Which is just our personality type as bookkeepers. A lot of us are introverted and we love that everything happens virtually and that we don't have to be on the phone and everything is asynchronous. I, I like, my body tightens up when my phone rings. I do not like answering the phone. I don't like making calls. I don't even like calling my dentist to reschedule an appointment. So it's, this is, they really prey on our personality type here.
Well, okay, so here, here's the value in picking up the phone and calling the pros your client in terms of saying, hey, I, I just wanna verify this.
You actually elevate your level of trust with that client so you get something in re, or you should get something in return. In terms like, hey, they, they were looking out for in my be. Yeah. Even if they confirm that, hey, it's legitimate, go ahead. Yeah. Know that you're looking out for their best interest. So there is a value to you in terms of like just doing that extroverted action of picking up the phone and, uh, yeah, calling the, calling the client, and the client can then say. And, and if it's, and if it's not, then they, they're like, well, you got, you got our back. You know, you know what you're doing. And so that is either you can prevent something from happening or you can reassure them that you are the, you're the right professional to, to work for them. So, so there is value in, in that, that, you know, you can't really attach, you're not getting paid for that. But, uh, but, but you get. There's an, there's an inferred kind of reward towards that. So think of it from that perspective.
Absolutely. And, and it, it not only protects your you, but it also protects your clients. So what if somebody is victim to something like this? I know all of our listeners are now gonna be very high on alert. With every little thing you're gonna be picking up the phone and calling your clients, yeah, all the things and not clicking on any links unless you asked for the link. But what is someone supposed to do if something like this happens and they do have a cyber insurance policy, or maybe they don't even, but like what are the steps someone should take?
So when it comes to cyber threats, speed to respond, it matters a lot. And so with that, that breach that I was talking, I, where with that Dropbox file that I, or that request that I got, had a very similar situation. A couple months later, similar kind of playbook, system got taken over. And unfortunately that particular individual just took longer to respond.
Initially, they tried to handle it themselves, with someone, an IT connection that they had locally. They thought they resolved, it didn't get resolved a month, and, and then they had a cyber insurance policy. Uh, a, yeah, I think it was four, four or five weeks later, maybe even six weeks later, they reached out to me and said, hey, I've got this issue. And that thing has been dragging on for almost four months now, it's finally getting to this point where it's getting resolved. So if you would've taken action immediately, either with your insurer or with a qualified IT professional, can, I mean, you can, you can resolve it and, and contain it much more. You know, along those four months, she lost most of her clients. She basically has to restart from scratch. It, it's very difficult kind of situation. And by default we kind of recommend get a cyber insurance policy, right? But there's also other things beyond the insurance policy, you know, from a risk management perspective, processes and procedures, you know, what, what you're clicking on. Education is really helpful. Sitting in listening to podcasts like this. Any, around cyber threats, cyber risk, uh, can be helpful. If you know that, hey, Gusto, Gusto's great, but if I get a referral from, from the directory, I'll think a little more critical. Or hopefully you'll think a little more critically, critically now around that because you heard it on your podcast, right? And so, so learning from others in the community is, can be really helpful. When it comes to wire transfer fraud, number one thing you wanna do is have that verification process in place. No exceptions, zero exceptions. I've seen things where someone's made an exception and smart individual, they just get nailed. Yeah. So don't make any exceptions. Don't bend your own rules.
And if the client doesn't like it, you know, either try to explain it to them or just, in a way that you're looking out for their best interests, because you know what the exposure is to your business. In a way, it's an exposure to their business too. And then maybe they're just not a good client. So, the client selection does in quality of clients, as we all know, you know, you have good, good clients. If you've got bad clients and, uh, some, it depends also where you are with your business. Sometimes you just have to take on those bad clients. But if you can let someone go, if they're not a good fit for you, then sometimes you have to make that difficult decision. Let me just talk about wire transfer fraud because right now in the cyber insurance market, there is a, a delineation and it's, of what is covered under the funds transfer fraud coverage part. And so the best way to kind of think about it is you will be covered for the loss of your own funds. You will not be covered for the loss of funds beyond your control. So it's a problem for professionals like bookkeepers, lawyers, tax professionals, accountants, real estate agents where you trade, you're part of your client's environment, and you may be privy to those transactions that are flowing through a particular deal, or through your client's, uh, accounts. If you get tricked into wiring your client's funds to a fraudulent account, the insurer's gonna say, that's not us. Should be the other party's insurance policy that needs to respond. So effectively we want our clients to also have cyber insurance. Yeah, potentially. So I mean, that's, that, that's one part of it. So, and also maybe don't manage client funds if you can avoid that. Like we don't do AP or anything, we don't manage any client. We only have view-only access to bank accounts. So that's probably the best way you can protect yourself. But I do understand that some bookkeepers are very embedded in their clients.
Or if you're an in-house bookkeeper for a company and you're actually cutting checks and you have control over the bank account. Yeah. And, and again, you know, my role is not yet to tell you how to run your business or what you should or shouldn't be doing. Everyone makes you make business decisions, but this is like a data point that you can kind of consider. So if you think you're covered by a cyber insurance policy, you won't be. The cyber insurance market is, you know, it took a U-turn or 180 in 2021, '22. Cyber insurance market was underwater. So that was one of the responses by cyber insurers that remained in the marketplace where they said, hey, we've gotta draw a line in the sand. Which in a way is like, well, if it's such a problematic area, then obviously clients or policy holders need that coverage part, right? So that's, and the flip side, we're getting to a point where it's softening up a little. So cyber insurers are starting to make money again. We want our insurers to be profitable because that means the, the policies will be broader, hopefully, also cheaper. So that's, that's what we wanna see from our cyber insurance. But we're seeing certain, you know, with, with lawyers for example, they've, of our preferred insurers have said, hey, funds in escrow will be deemed as funds under your control. Right? Not necessarily your client's bank accounts, but if, if there's funds in escrow, okay, that's that, that's covered under these policies. So, so we're slowly moving back towards that piece. For those businesses that in general, it's like, almost like an inflection point, half a million to, million in revenues. Those practices start looking at commercial crime policies, which predominantly cover a business for employee theft or dishonesty. They also have this, a broad commercial crime policy also has this social engineering fraud coverage part, which does extend beyond, uh, for funds beyond your control.
So, you know, depending, again, depending where you are with your business and what your risk tolerance is, that is, that is something that a growing business or a business of a certain size can consider too. Perfect. That's good to know because at wherever we can help our clients do a little better in their business, a lot of, a lot of our clients, I know for myself, I mean, we do the bookkeeping, so I see the transactions that come in for our clients, and a lot of our clients don't have cyber insurance, so they don't think they need it, I guess, even though they're, you know, they're doing consulting or course creation and they don't, Yeah. is not like a connection made. So, similar how I say I'm not an IT consultant, I can't, I don't weigh in on like telling you, hey, these are your best practices from an IT perspective. But what I do do is try to point certain things that we learn from our insurers where they say, hey, you need to pick up the phone, right? Or you back up your information because no, it doesn't prevent a cyber attack, but it can help put you in a better position if you do suffer a cyber attack, right? All that stuff. So we similar how we kind of point that out, you know? You're a trusted professional amongst your clients. They will listen to you. And if you've, if you make observations and, you're obviously not gonna recommend, you need to do this with your business or you need to, unless you're, unless you're hired to provide some consulting advice. But you also, you know, you can, you can point them in the right direction too. Again, drawing from what you know with, overall, kind of all your clients, you can say, hey, you know, I see this and this with certain clients, you know, you may want to consider, uh, look into this and that. Right.
So, yeah, that reminds me, you said something about backing up information, and I know this, this is one of those areas where when cloud computing was starting to become a thing, this was very concerning for a lot of people moving to the cloud. And I feel like we've adopted the cloud so well that I don't know that people are necessarily thinking about this as a risk, but, um, anymore, just being focused on different things. But one of the things that I carry the burden and the cost of for our clients when they work with us is I pay for a backup service to pull all the data from Xero where we're doing their bookkeeping and back it up on a weekly basis. And sometimes I look at that expense that hits every month, and I'm just like, uh, Yeah. Is it necessary? Can I cut the... but at the same time, like that peace of mind, whether my client cares or not, if something were to happen and someone were to enter our accounting system through one of me or my team and shut everything down, take over our Xero account, I, I at least know I have all the work that we've already done backed up. If we have to recreate it, yes, we have PDF bank statements as well, but I would rather not recreate years and years worth of bookkeeping information from a PDF. Yeah. What, what, what IT professionals kind of recommend is this sort of like 3-2-1 backup strategy, which means, hey, have three sources of your, sources of your data in two different formats. One of them is, uh, offline. Sounds sort of great, I guess, but at the same time it's like, well, the resource involved with that? And is it practical for me as my business, as a solo bookkeeper just starting out? So you gotta, I think about how you can reinvent the backup strategy in terms of saying, okay, where's my, where's, where's information? Where's my own information? Where's my client's information? Okay. If it's all in the hard of my hard drive. Okay. You know, if the computer's gone, forget a cyber attack. If it's gone.
What do I do next? Right? Oh, I've got a bit of a problem. Okay, great. I'll put it in the cloud. I'll use Dropbox or Google Suite or Google Docs, whatever it is. QuickBooks or the Keep app or whatever it is. I'll, I'll, I'll put it up there. Okay, great. It's, it's in this, if my hardware's gone, I can just reconnect it. Okay. Well what if, what if QuickBooks just all of a sudden shuts, shuts down? Then you say, okay, well, where can I get the information from? Yeah, sure. QuickBooks will probably have it backed up, but what's, what's the speed to kind of get that information? Or what if Dropbox gets compromised and held in a hostage by a cyber criminal? Right. Like your Dropbox account, then okay. If you've got it backed up, a different kinda, backed up from, from those software tools. Okay, great. Then you've got options, right? And again, it's that res, that initial kind of resource involved to, for you to kind of establish that strategy and put this and pay a fee to get that stuff up with the hardware. The external hard drive. But then when it comes to that breaking point or when you are faced with that decision, I mean the cost of having to go back a month or two months or whatever it is, is gonna be probably far outweigh what your monthly expenses on that backup solution. So, so think about it from that perspective. Hey, and, and you sort of stress test that. Again, cyber insurers aren't saying you have to have this 3-2-1 backup strategy, but you just, you do what's best for you and your business. Yeah. Back in the day, when I worked at a CPA firm where we were starting to go, we were moving everything to paperless, so digital, but still on a local network. We, someone was responsible for taking that backup disc off of the site every weekend. Yeah, like that. God, um, yeah. So kind of like think of what is your strategy for managing things as you have it now?
Like when I think through our process, my issue is that like actually nothing is on our desktops. Everything is on the cloud. We use Google Drive or... Okay. Workspace, business version. So all of our client files are digital. There we have Xero and we have Hubdoc. So we have multiple places where all the receipts are saved. We back up Hubdoc onto Google Drive, but then that other piece is the Xero file, and that's where it's important to have that third party. It's actually fairly affordable, even though I was like, oh, this expense, it's like a hundred dollars a month for all of our clients. The per client fee is hardly anything in comparison to the peace of mind that it gives us. But to the, to what you're saying is like, I get an email every month, I think of like a reminder of like, your subscription is renewed. You can go in and download your backups. But like, I've only ever downloaded a backup from there like once. Yeah. I had a client close her business and I was removing her Xero file, I just saved all the backup files and canceled her subscription, 'cause that's also something we have to do. When you cancel your Xero subscription, you lose access completely. It's a little different than, than QuickBooks. They don't keep it for a year or whatever. That's a hole in my process of like, okay, so maybe once a month we should go in and, and download, at the very least, download all those backup files to an external hard drive perhaps. Yeah. And again, you know, the, the risks, the likelihood of the Xero being compromised or something happens to your and, and the, the backup provider having an issue, it's read the likelihood that both events would happen at the same time. It's probably, uh, low. So that third piece is, I'm, I'm not saying I'm, like I said, I'm not an IT consultant, but you know, you think about it, okay, what, what's the cost? What's the process? And then you manage the, like, each one of these.
Risk mitigation strategies or these processes and procedures provide value, but they also, they're not a resource drain, but they, there's resource involved with that, that you have to kind of give up, right? Uh, and so again, you make a decision that's best for you and your business, and often it's also function of size and scale. At what size are you at? What scale are you? You have employees? You know, there's, you know, kind of going back to the cyber insurance, the exposure piece. If you're a startup bookkeeper, about to sign your first client, points of exposure are relatively low. Meaning you've got your, you've got your hard, you've got your, your, your, your laptop, you've got, you maybe use one or two, uh, software packages. Got one client, maybe two clients, one email address, no employees, right? As you kind of grow, every additional client, every additional employee, every additional, you know, software tool you use represents an opportunity for cyber criminal to kind of launch their attack, right? So, that increases. And so as you kind of grow, the, the exposure increases. And so you try to think about, okay, well at what point am I with my business and what do I need to address? I, you know, I like to say, part of the insurance process, the application process, revisit your cyber. Risk management isn't gonna be your number one priority. Servicing your clients and winning new clients is gonna be your number one priority, right? But keep it as an ongoing initiative and that insurance application process, even if you don't buy cyber insurance, you know, think about it, okay, what have I done up, this last year? What's changed? What do I need? You know, what should I, okay, I heard about backing up information. I've got everything in my hard drive. Okay. Maybe now's the time to kind of start thinking about it. You know, just keep that as an ongoing initiative.
And if, especially if you, if you're plugged into the bookkeeping community, you listen to The Ambitious Bookkeeper and you hear people talk about certain things, certain what, what the guests are articulating, keep that going. Like I said, it's, it doesn't, you don't have to do everything now, but keep it in the back of your mind. Yeah. If you could give people like a couple really simple ways that they can mitigate risk, whether or not they have the insurance policy. What would you say are the top couple things that someone should be doing? I. Call when you get a request to transfer funds. I mean, I, every month I get a call from someone, an existing client or new prospect who said, I've got this issue. And it is just not slowing down. So, like I said, if there's one takeaway from this discussion is like if you get a request to transfer funds, and I know most of you will say, hey, I'm not doing AP or anything like that, but even any kind or any changes to bank account information and a payroll system or whatever, if it's a new bank account, pick up the phone and call. The other thing in terms of mitigating risk, from an E&O perspective, from a professional liability perspective, talked about engagement letters, but that is, you know, when a claim does get notified to the insurance company, and one of my clients comes to me and says, hey, we messed this up. I need help. You know, we notify the insurer. Thing that claims adjuster, uh, like, hey, let me, let me take some information. Let me understand what the agreement was between, business and your client and what are the allegations made against you? Right. And so they kind of, because that will form a strong part of the defense. Like I said, if someone accuses you of, usually plaintiff attorneys like to chuck a lot of things in there, and if they kind of try to open it up beyond just bookkeeping and say, hey, financial advice, you should have acted as an accountant.
And, and you're pretty in your engagement with a client that you're only providing bookkeeping or only certain scope of services, forms strong basis of, uh, uh, strong, uh, strong defense. That's, that's kind of the foundation of what, uh, the claims adjuster and the outside counsel, the hired attorney, will formulate their, uh, defense around. And then the other thing, which you sort of, kind of touched upon is good clients from bad clients. It's not a risk management strategy, but it's, you know, I think, was it, someone once, uh, I forget his name. The General Electric manager, ah, but he basically said, hey, we need to cull the bottom 10% of all employees, all clients, every single year, basically, meaning that the bottom 10%, the resource drain on that business was, outweighed what top 90%, uh, kind of created. And so you sort of, kind of go through and usually the bad clients fall within that bottom 10%. So if you are in a position to sort of think about, hey, who are my good clients? Who are my bad clients? Who are my problematic clients? Uh, and if you can get rid of some of the problematic clients, you know, and sometimes they pay more. But it's a function of putting yourself, you ask about processes and procedures. If you think about it and you say, hey, okay, this is a bad client, but I'm getting compensated well and it's worth my time, then okay, great. If you feel like it's, it's not, then you can sort of work towards, you know, just make it, make more of a deliberate decision in servicing those bad clients. Wonderful. Well, thank you so much for sharing. I mean, like, I could probably go on all day and, and ask you more and more questions. A couple of my tips would be, make sure you're using two factor authentication in case your passwords are compromised and make sure your team is also using it. After this, I'm gonna go and double check my Xero file to make sure all of my team has 2FA turned on. Yeah. Um, and, um, yeah, so much. Yeah.
And just to continue to stay aware of the tactics that are happening and really evaluate all of your systems and where your risks might be. I know a lot of bookkeepers come to me and they're more stressed about doing something wrong and messing up with a client than any of these other things, so I, I think the risk is higher with cyber crime than it is that you're gonna mess up something with your clients unless you accidentally do wire fraud. Yeah. Yeah. You know, if you have a good heart, and you have your engagement letter in place. That was one question I was gonna ask is have you come across anyone where they'd had it delineated, outlined in their engagement letter that they were specifically not providing a certain service, but they did, and then something fell apart because they went outside of what they actually agreed upon. Yes. I mean, scope creep does happen. Mm-hmm. I mean, I'm sure often. I dunno how, how to, how it is with your clients, uh, Serena. But you know, I do see communication the, in the groups where someone's like, oh, they're trying to get me to do this and that. So, that kind of goes beyond the engagement letter. So I mean, again, it's, you know, if you provide a service and, and, the insure, the E&O policies, good E&O policies, they won't have an exclusion relating or requiring you to use an engagement letter. So we want that to be absent and that's deliberate and it's not a bad thing. So we, use of engagement letters should be viewed as a risk management function, and there should be a credit as part of the pricing application, pricing, uh, process applied rather than an exclusion in the policy. So meaning that, hey, if you use engagement letters, you get a, a premium discount, or it's part of the pricing calculation. If you don't, you get kind of ding for that. And so that's, that, that should be the difference versus, hey, if you don't use one, you don't get covered, right?
We still want the client or the policy holder to be covered for that. So if there's scope creep, again, it, it sort of has to fall within the definition of professional services, that those services are covered under that policy. Um, and if it's a broad policy, shouldn't be an issue with that. Again, you know, if you're starting, if you deviate from bookkeeping to legal services, that's a problem. Right? But if you provide some advisory type of services, and it's a broader policy, an accountant's professional liability policy, that won't necess, I'm not providing coverage interpretation, but that should be fine. Right. So yeah. I mean, but you also wanna think, yeah. Well, what have I initially kind of agreed to with my client? Why, why they're asking this? Am I comfortable doing that? And then, you know, again, it becomes a, it becomes a business decision. Uh, yeah. Yeah. The thing that comes to mind with that is I very clearly don't offer tax or tax advice or anything like that, but I always have clients that are like, should I, is it better to do this versus that tax wise? And it's like, uh, I hate to always default to talk to your tax preparer, but like, Yeah. this is your excuse if you're one of those people listening to. Ha to say that. So you can say, well, if it were me, I would do this, but you need to talk to your tax provider or whatever. Or don't even give what you would do personally. It's because if you don't wanna cross that line of giving tax advice, you can just keep your mouth shut and say, you need to talk to your tax provider. Yeah. I mean, I would, if, if you do provide tax advice you have a broader policy that covers, so, and, we can talk more about this, but so similar how you have an engagement letter that outlines the scope of services that you provide to your clients. Insurance policy works in a same kind of way where it says, hey, you will be covered for these and these services.
And so an accountant's professional liability policy is broader because it would cover you for any accounting related services. So if it's a broad policy form with a broad definition of professional services, if you do provide tax, you should be covered under that broader policy, right? And so if someone comes back and said, well, you of made, you said I would do this and I did that and I didn't check with my tax professional, you know, then you still want that policy, to be covered, Okay. to cover you for legal expenses, right? And then you can fight it or the lawyers can kind of fight it out. Um, if it's a more restricted policy, and then the insurer says, well, you should have told us that you providing tax advice, then it can become more problematic. But yeah, I mean, you, your, your point's also like, hey, what are my boundaries and what are, what are, what are I providing to the clients? So again, like I said, it becomes a business decision. You just need to think about what your, what your exposures are, your risks are, and yeah, we'll bend the rules a little here, there. So, and that's, it just happens. That makes sense. Okay. You know what? We didn't even talk about AI. I know. I just realized that. For another, another time. Um. Yeah, exactly. So yeah. Thank you so much for coming on here again to chat about all this. If someone is shopping for insurance or they already have insurance and they're not sure they have the right coverage, where can they get ahold of you to have you help them? Yeah, so thanks for having me, Serena. Much appreciated. Hopefully it's been a pretty fun discussion, as fun as insurance can be. Uh, but uh, yeah, they can reach out to me at, probably the best is email, Jock, which is J-O-C-K dot Wols, W-O-L-S, at my risk desk.com. Perfect, and we'll have that in the show notes. All right, cool. Yeah, and, and I can, you know, if, if you want, we can also plug my calendar invites in there, if that's helpful. I don't know.
I, I can't, I mean, how many calls do you want? Well, the calendar hopefully will manage that a little. So, alright. Well, thank you again so much for coming on here and we'll talk to you soon. Awesome. Thanks, Serena. Yeah.