Bruce’s Note: Insulated by corporate policy and firewalls, it’s easy for Financial Advisors to forget that a majority of their clients don’t enjoy such protection when it comes to their personal online banking and investment accounts. Guest contributor Casey Cotten, Chief Technology Officer for San Diego-based Madison Avenue Securities, Inc., makes a strong case for why Financial Advisors should view protecting personal and financial information as part of their fiduciary responsibility to their clients. As a year-end value-added strategy, Financial Advisors may consider passing this article on to their clients in the hope that the Holiday Season is filled with cheer instead of fear, as Casey suggests.
The holidays are just around the corner, and unfortunately that means an increase in malware and viruses that demands extra vigilance. We need to make sure we remain cognizant of our basic fiduciary responsibility to our clients by helping them make informed decisions so as to protect their personal and financial information. So in order to keep such bad tidings at bay, let’s take a quick tour of the problems lurking out there.
Malware is software used to disrupt computer operations, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software.
Phishing is the act of attempting to acquire information such as usernames, passwords and credit card details, and sometimes even money, by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social websites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to deceive users, and it exploits the poor usability of current web security technologies.
These types of third party fraud are increasingly directed at the financial services industry. To keep them from making your holiday season (and thereafter) less than joyful, you need to be able to identify them and set a plan of correction so that the jingle doesn’t stop the bells from ringing in the good times.
How does a Phisher/Hacker look to compromise a client?
Phishers usually begin by creating a “mule” account by scamming a user to share their bank account information for transfers. It can be hard to believe that anyone falls for these “I have a gift for you” approaches, but they do.
How does a Phisher/Hacker look to compromise an advisor?
Common methods of compromise include password cracking, keylogging malware, and phishing links (the “friend or family member in trouble, please send money” email, the “your PayPal password has expired” notice, etc.). The compromise usually grants access to the user’s email box, and then the following happens. The Phisher scans the mailbox to determine its worth. He then locates all emails related to the financial advisor and the client’s accounts. The Phisher will then email the advisor to check status and amounts on accounts. These Phishers keep their hold on the mailbox by CREATING RULES TO HAVE ALL NEW MESSAGES from the advisor go to a trash bin or to a new address altogether. For example, a RULE is sometimes paired with a lookalike address that adds a number after the real one, so that it is easy to redirect who receives the message – the Client or the Phisher. The Phisher then gathers the financial review information he needs and emails the advisor to wire an amount that would not typically raise any red flags to the Phisher’s mule account. The Phisher can then move the money received onto a prepaid card, which can easily be exchanged, traded, or even carried out of the country without a trace. Remember that prepaid cards are not, and do not need to be, declared.
The net result is that an advisor thought he had received an email from the client, and as such acted upon it in what seemed a responsible manner. But then all or a portion of a client’s account is liquidated.
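The mailbox rules described above leave a footprint that a defender can audit for. The script below is an added example, not code from the original article or from Madison Avenue Securities; the rule export schema, the folder names, and all addresses are constructed for illustration. It flags three patterns from the text: rules that route the advisor’s mail to a trash or archive folder, rules that forward mail outside the mailbox’s own domain, and rules that forward to an address differing from a known contact only by inserted digits.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Folders where a redirected message is unlikely to be noticed by the mailbox owner.
HIDING_FOLDERS = {"deleted items", "trash", "junk email", "archive", "rss feeds"}


@dataclass
class MailRule:
    """One inbox rule as exported from a webmail or Exchange mailbox (schema is an assumption)."""
    name: str
    from_addresses: List[str]                       # senders the rule matches on ("*" = any)
    move_to_folder: str = ""                        # destination folder, if any
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False


def _strip_digits(addr: str) -> str:
    return re.sub(r"\d", "", addr.lower())


def lookalike_of(addr: str, known: List[str]) -> Optional[str]:
    """Return the known address that `addr` imitates by adding digits, else None."""
    for k in known:
        if addr.lower() != k.lower() and _strip_digits(addr) == _strip_digits(k):
            return k
    return None


def audit_rules(rules: List[MailRule], advisor_addresses: List[str],
                mailbox_domain: str, known_contacts: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule name, reason, detail) for each rule matching a pattern from the article."""
    findings = []
    advisors = {a.lower() for a in advisor_addresses}
    for rule in rules:
        senders = {s.lower() for s in rule.from_addresses}
        # Pattern 1: advisor's mail silently deleted or filed where it will not be read.
        if senders & advisors and (rule.delete or rule.move_to_folder.lower() in HIDING_FOLDERS):
            findings.append((rule.name, "hides mail from advisor",
                             "deleted" if rule.delete else rule.move_to_folder))
        for fwd in rule.forward_to:
            # Pattern 2: mail copied to an address outside the mailbox owner's own domain.
            if fwd.rsplit("@", 1)[-1].lower() != mailbox_domain.lower():
                findings.append((rule.name, "forwards to external domain", fwd))
            # Pattern 3: forward target is a digit-padded imitation of a known contact.
            imitated = lookalike_of(fwd, known_contacts)
            if imitated:
                findings.append((rule.name, f"forwards to lookalike of {imitated}", fwd))
    return findings


# Constructed sample: a client's personal mailbox after an attacker has added rules.
ADVISOR = "advisor@madisonave.example"   # constructed address
CLIENT = "j.doe@webmail.example"         # constructed address
SAMPLE_RULES = [
    MailRule("File newsletters", ["news@retailer.example"], move_to_folder="Newsletters"),
    MailRule("Cleanup", [ADVISOR], move_to_folder="Deleted Items"),
    MailRule("Backup copy", ["*"], forward_to=["j.doe1@webmail.example"]),
    MailRule("Sync", [ADVISOR], forward_to=["drop@elsewhere.example"]),
]


def audit_sample() -> List[Tuple[str, str, str]]:
    return audit_rules(SAMPLE_RULES, [ADVISOR], "webmail.example", [CLIENT, ADVISOR])


if __name__ == "__main__":
    for name, reason, detail in audit_sample():
        print(f"[{name}] {reason}: {detail}")
```

Only the newsletter rule passes; the other three are reported. The lookalike check fires even though `j.doe1@webmail.example` sits on the same domain as the victim, which is why it is kept separate from the external-domain check.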
Luckily for the client and the advisor, a good broker dealer has a careful process in place to verify all third party money transfers with the client. After talking to the client, it can be determined whether the request is fraudulent. Alerts can then be placed on all accounts held at the broker dealer, and the client can be advised to file a police report and put a fraud alert on accounts held away. We’re now in a digital age, but it is still important to have personal human contact with clients to ensure privacy and protection. The greater ease of doing business digitally comes with a real threat of potential fraud.
Ask yourself the following questions.
- What precautions should I take to protect my clients?
- Do I meet in public locations to go over accounts with my clients?
- How do I ensure that nobody is looking over my shoulder or listening in?
- Do I take advantage of free public wireless connections?
- Does my device have client data stored on it?
- Am I even aware of this?
- If I do have client information stored, is my device’s hard drive encrypted?
‘Tis the Season to be jolly, but folly is afoot too. Let’s make sure you do not put your clients or your business in harm’s way.
I have linked a few articles and resources below to help alleviate the stresses that Phishing/Hacking efforts may bring to the financial services industry. There is plenty of information available, but these will give you a good point of reference.
PHISHING ATTACKS: Obligations to Provide Security Against Attacks that Occur Elsewhere (Technology Executives Club)
“Phishing” and Other Online Identity Theft Scams: Don’t Take the Bait (Save and Invest)