Hackers don’t just want your money. Financial advisors have access to valuable information, not to mention connections to other advisors with their own assets and information. Cybercriminals have a name for these lucrative targets: candy stores.
A guide published in July by Privide, a credit and identity monitoring and consulting provider, described what hackers are looking for at these “candy stores” and what their potential targets can do to protect them.
“I’ve been in the security business for 20 years and I didn’t hear the term candy store until probably six or seven months ago when a very notorious identity thief we were interviewing brought it up,” Neal O’Farrell, founder of Privide and creator of the guide, told ThinkAdvisor in July.
There are five characteristics of a “candy store,” O’Farrell said.
- High net worth. “They are individually well off and therefore worth targeting,” he said. That could mean they have higher net worth or better credit than the average consumer.
- Valuable information. “They have personal information that is just as valuable or more valuable than money,” O’Farrell said. That may be business dealings they don’t want exposed, emails or texts they don’t want a competitor or a spouse discovering, assets they don’t want people to know about, or charitable or political activities. “There’s a value to this information and there’s also the embarrassment; how much would this individual pay not to have this information exposed?”
- Access to other “candy stores.” “Successful people, wealthy people tend to connect to similar people. If you’re a doctor, you probably know a lot of doctors,” O’Farrell said.
- Access to “non-peer” information. Employee and client information is valuable as well.
- Multiple accounts with large balances. “There’s a lot of very sophisticated malware out there, particularly banking Trojans, that the only difficult thing that comes between them and your bank account is anti-virus software, and we know now that most of that doesn’t work.”
However, “You don’t have to meet all five criteria to be a lucrative target,” he added.
“Cybercrime is becoming an industry and like any other industry, it’s become fragmented,” O’Farrell said. “It’s become specialized.”
Some crooks go after state secrets, while others hunt high-profile victims like “the Targets and the eBays of the world.” Hackers who go after high-net-worth targets do so because “they’re the perfect target. They’re the biggest reward with the lowest risk.”
A hacker’s attack plan doesn’t start with a computer virus though, but much earlier with research, according to O’Farrell. It’s very easy to compile lists of financial managers or high-net-worth targets and to get their email addresses, he said.
Hackers rarely hit targets one at a time. “They can hit dozens or even hundreds at a time,” he noted. “In one case, one thief spent over 18 months developing a portfolio of clients. He called it his ‘rainy day file’ because they were his most lucrative targets that he knew he owned, and any time he felt he needed extra money, he’d hit one of these clients. He knew their passwords, he knew their habits.”
Once they’ve identified their targets and learned all they can about them is when they implement the malware that constitutes the actual attack. Malware is “the easiest way to get into the lives of a target,” O’Farrell said. “You can do it from the other side of the street or you can do it from the other side of the world.”
After purchasing the malware they’re going to use, whether it’s a keylogger or a banking Trojan, they run it through a crypting service, which tests the malware against all the known anti-virus products. O’Farrell said there are 40 to 50 products in use today. Norton and McAfee are familiar products, but there are smaller options too, like Panda, ESET or Kaspersky.
Criminals are “launching a piece of malware on the target whose only defense is probably anti-virus software, and they know the anti-virus software isn’t going to catch it. They own that client,” O’Farrell said.
He noted that with financial advisors there has been “a gradual dawning of awareness” about the threat of cyberattacks, but “they need to accelerate that. They have to move from the typical strategy, which is ‘check and forget,’ to ‘live and breathe.’”
O’Farrell stressed that “if you’re serious about protecting yourself — I know it’s a pain — but you have to be paranoid about security. After a while it’s not a chore; it’ll kick in.”
Advisors have to be especially on guard with email, which O’Farrell said is the easiest delivery method for malware. A common attack is a “spear phishing” email: An attacker researches who their target emails and gets email from and uses that information to send an innocuous-looking email with the malware.
“The email will come from a name and an email address you recognize,” O’Farrell said. “It’ll be a topic you’re used to. It might come from the IRS. It might come from a partner. It might come from your personal trainer. Your only defense against that is nonstop vigilance.”
Employees are another weakness in advisors’ line of defense. They’re the most common point of attack, according to O’Farrell. A recent attack on brokerage firm Benjamin Edwards in July, the Target breach last year, the eBay breach earlier this year all were initiated by an attack on an employee, O’Farrell said. “While you’re protecting yourself, you’ve also got to make sure your employees are absolutely vigilant. Vigilance means every time I see an email, I think of security.”
Finally, O’Farrell stressed the importance of encrypting data. “Encryption is the single best, cheapest, easiest way to provide that last line of defense if they get through all your other defenses. It also gets you off the hook in most states from data breach regulations.”
Not just your email, he said, but your phone calls and text messages too. “It’s all free so there’s no excuse.” Apps like Redphone and Wickr encrypt those messages for users and destroy them after a certain period of time, O’Farrell said.
While advisors can decide if they want to encrypt only sensitive data or all of the information they have access to, O’Farrell illustrated why the second route is more useful. First, they don’t have to make a judgment call about whether a piece of information is sensitive; and second, they may not recognize when it is sensitive in the first place. “Even a list of email addresses is highly sensitive. It’s enough for hackers to be able to socially engineer your clients or your employees.”
Ideally, advisors should be discussing this with their clients, O’Farrell said, not just to protect their business, but to strengthen their relationship. “It’s a great service to provide. You really are helping your relationship because you’re showing that you care, that you’re in touch and aware of the current risks.”
Correction: An earlier version of this article incorrectly described a thief who spent 80 months compiling a file of victims. The correct number is 18. This article has been updated.
Related on ThinkAdvisor: