Email scammers, fraudsters, and crooks only have to be right once to hit a payday. They can make numerous attempts using a variety of methods. They have nothing to lose. However, as financial advisers, we must be right 100% of the time—we have everything to lose.
We follow industry trends in cybersecurity technology, employ quality email filtering software, and train our staff to be on the lookout for fraud attempts. We train both client-facing staff and support staff to never click on links, to never download attachments they’re not expecting, and to spot phony “Click here to confirm your password” attempts.
Crooks are becoming more sophisticated and are increasingly willing to play the long game rather than hacking into an account to drain it. Most financial accounts are protected by industry-tested security standards, including AES-256 and triple DES encryption, HSTS, and a host of other protocols. This makes traditional hacking time-consuming and largely unprofitable.
What can be easy to hack is someone’s personal email. Think about all of the personal information you share in email—we’re not even talking big things like credit card or Social Security numbers—it’s innocuous stuff like pets’ names, children’s names, birthdays, anniversaries, etc. Should a thief gain access to your email account, they can then read through your saved, sent, and deleted emails, where they are likely to find information for many of the websites you use. Now, all a thief has to do is send your contacts, such as your financial adviser, an email that mimics your writing and contains random personal details. You can learn more about protecting your email here: Cybersecurity 101
As financial advisers and investment managers, we often have discretionary control over our clients’ managed assets. Still, it is not uncommon for a client to ask us to move some assets to a different account for a spending need. Consider this example:
“Good morning! Hope you had a great weekend. Betty and I had a great time at the reunion I was telling you about. Remind me to tell you what my cousin said about Bitcoin. I’d also like for you to transfer $50,000 to our new checking account. Junior is leaving for college in the fall. I’ve attached a deposit slip for the routing number.”
Not every fraud attempt comes with a huge red flag. Common phrases are used, and personal details are included. The attached deposit slip is a legitimate bank account number and even contains the client’s name.
In this industry case study, signatures were forged, and the forms even passed the custodian’s strict anti-fraud protocol. A few days later, the checking account was linked to the client’s financial accounts. It was now back to the adviser to process the withdrawal request.
Before $50,000 was transferred, the adviser called the client to confirm the request. Turns out the client had no knowledge of this withdrawal request. A 30-second phone call to confirm the email from a few days prior revealed that the client’s email had been hacked and he hadn’t requested a withdrawal. The custodian was immediately notified, account numbers were changed, and the client was able to put a fraud alert on other financial accounts like his bank accounts and credit cards.
The moral of the story is that everyone has a responsibility to safeguard their assets. Investors need to protect their email and computers. Advisers must maintain open communication with their clients, following protocols like a mandatory verbal confirmation for transactions, and not acting on financial requests left on voicemail. For advisers, much more than the client’s assets is at stake: so are their own reputation as a trusted expert and their compliance with regulatory agencies.
If you have questions regarding our security measures or the security protocols of your custodian, our Experts will be glad to help: