From the December 2012 issue of Investment Advisor

Email Fraud—Protect Your Clients and Your Firm

Apathy regarding security can make it easy for thieves

Unfortunately, the number of attempts by thieves to steal your clients’ money is increasing every day. Every firm in our profession—advisors, broker-dealers, custodians and banks—is directly affected by this troubling trend. Part of the challenge is how comfortable everyone, especially your clients, has become using technology to share confidential information, often without using a secure method of transmission. Of course, there is also the “it won’t happen to me” mentality that keeps people from worrying about it. The reality is that you need to be worried and, ultimately, change your behavior.

Here is one scenario that is all too common: A thief impersonates one of your clients, using the client’s own email address to request account changes or to send money to another account. First, the thief obtains your client’s email login credentials, generally by infecting the client’s computer with malicious software. Once they have access to the account, thieves monitor your client’s activity and learn how, and with whom, he communicates. This monitoring gives them what they need so that when they attempt the actual fraud, the message looks very similar, if not identical, to previous messages. This is not the obvious fraud email full of grammatical errors and misspellings, which makes it very challenging for the recipient to recognize it as fraud.

Given this scenario, there are several steps you should take to protect your clients and your firm. First, you and your clients need to be vigilant in protecting your email login credentials. Make sure you have antivirus software installed on your computer, only use devices that you control, and change your password frequently, using a mix of letters, numbers and special characters. Furthermore, be sure to activate any extra levels of security and verification offered by your email provider. For example, many of your clients may use Gmail for their personal email. If so, make sure they activate Gmail’s two-step verification. This extra level of security requires you to enter a code, texted to your phone by Gmail, when you log in. That adds another barrier when someone tries to log in to your account—particularly when the attempt comes from an unrecognized computer.

To have a fighting chance at preventing fraud, your staff needs to be trained and actively looking for attempts by thieves. The challenge is that everyone is very busy, and a fraud attempt is not necessarily easy to catch. With hundreds of emails during the week, your staff is striving to provide great service and work efficiently through the list of requests and tasks. One of the best policies to have in place is to speak directly with clients to confirm an email request, especially if they are asking you to do something that is not consistent with past behavior: for example, a client sends an email requesting, for the first time, a wire of money to another account. Also, it is important not to use email to confirm a client’s instructions. If it is a fraud attempt, the thief will respond as the client, since he or she already has access to the email account.

It is critical to review the operational tasks performed by your staff and develop procedures that make the most sense for your firm. Specifically, evaluate the potential risk of fraud with each process or task. Perhaps there are a number of requests that you would never accept via email, regardless of the client or dollar amount. Unfortunately, when email fraud attempts occur, you hear advisors say, “We were just trying to be responsive to our client’s request,” or “The email looked very similar to the one I received yesterday from the client.” Remove the guesswork, and provide your staff with appropriate guidelines and procedures to protect everyone involved.
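The two preceding paragraphs describe a procedure: call the client to confirm any emailed request that does not match past behavior, never confirm by replying to the email, and keep a list of request types the firm will not accept by email at all. The following is an added example (not from the article or the author) that encodes that policy as a small rule check over constructed sample requests. The request types, client identifiers and account identifiers are all hypothetical placeholders; a real firm would substitute its own categories. The design point it illustrates is that the client’s “past behavior” baseline must be built only from requests that were verbally confirmed, otherwise the thief’s first fraudulent email becomes the precedent for the next one.

```python
from dataclasses import dataclass, field

# Hypothetical policy list: request types the firm never accepts by email,
# regardless of client or amount (the article suggests having such a list).
NEVER_BY_EMAIL = {"change_email_address", "change_phone_number"}


@dataclass
class Request:
    """A client instruction as it arrived in the inbox (constructed data)."""
    client_id: str
    kind: str                 # e.g. "wire", "address_change"
    amount: float = 0.0
    destination: str = ""     # e.g. receiving account for a wire
    channel: str = "email"    # this check only concerns email-originated requests


@dataclass
class ClientHistory:
    """Baseline of what this client has done before, built ONLY from
    requests that were confirmed with the client by phone."""
    past_kinds: set = field(default_factory=set)
    known_destinations: set = field(default_factory=set)


def required_action(req: Request, history: ClientHistory) -> tuple:
    """Decide how staff must handle an emailed request.

    Returns (action, reason), where action is one of:
      "reject"            - never accepted by email, ask the client to call in
      "call_required"     - inconsistent with verified history; phone the client
                            at a number already on file before doing anything
      "call_recommended"  - consistent with history, but a call is still the
                            safest confirmation (never confirm by replying)
    """
    if req.channel != "email":
        raise ValueError("this check is for email-originated requests only")
    if req.kind in NEVER_BY_EMAIL:
        return ("reject", f"{req.kind} is never accepted by email")
    if req.kind not in history.past_kinds:
        return ("call_required", f"first {req.kind} request from this client")
    if req.kind == "wire" and req.destination not in history.known_destinations:
        return ("call_required", "wire to a destination never confirmed by phone")
    return ("call_recommended", "consistent with previously verified activity")


def record_verified(history: ClientHistory, req: Request) -> None:
    """Update the baseline only after the client confirmed the request by phone.
    Calling this for an unverified request would poison the baseline."""
    history.past_kinds.add(req.kind)
    if req.kind == "wire" and req.destination:
        history.known_destinations.add(req.destination)


def triage(requests, histories) -> list:
    """Run the check over a batch of inbox requests; returns one
    (client_id, action, reason) tuple per request."""
    results = []
    for req in requests:
        hist = histories.setdefault(req.client_id, ClientHistory())
        action, reason = required_action(req, hist)
        results.append((req.client_id, action, reason))
    return results


if __name__ == "__main__":
    # Constructed sample inbox: a first-ever wire, a repeat wire to the same
    # account after verbal confirmation, a wire to a new account, and a
    # request type the firm never takes by email.
    histories = {"client-A": ClientHistory()}
    first_wire = Request("client-A", "wire", 25000.0, "acct-placeholder-1")
    print(required_action(first_wire, histories["client-A"]))
    record_verified(histories["client-A"], first_wire)   # after the phone call
    batch = [
        Request("client-A", "wire", 5000.0, "acct-placeholder-1"),
        Request("client-A", "wire", 5000.0, "acct-placeholder-2"),
        Request("client-A", "change_email_address"),
    ]
    for row in triage(batch, histories):
        print(row)
```

The `history` dictionary stands in for whatever system of record the firm keeps; what matters is that `record_verified` is the only path into it, and that it runs after the phone call, not after the email arrives.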

Not too long ago, it was extremely rare for advisors to experience an email fraud attempt on one of their client accounts. Unfortunately, times have changed. We must keep raising the bar on security and maintain an appropriate level of caution in order to respond to this situation as well as possible.
