This is one in a series of ongoing Under the Hood articles that provide insight into common issues faced by advisors and their clients.
Cyber-crime, once reserved for Hollywood thrillers, has now found its way to Main Street, and a number of identity theft organizations have emerged offering protection against this crime. Armed with new methods, though, cyber-criminals are scamming unsuspecting individuals out of billions of dollars annually before disappearing with barely a trace.
Ironically, in the past we worried about a thief stealing our material possessions. Today, we live in a world where criminals are stealing our identity. In fact, according to the Internet Crime Report 2012 from the U.S. Justice Dept., total losses attributed to identity theft in 2012 were $24.6 billion, compared to $13.9 billion for all property crimes. In addition, over 90% of identity theft victims didn't report the crime to police, for various reasons. The number of victims has risen from 10.2 million in 2010 to over 13 million in 2013.
Financial advisors are increasingly targeted by identity thieves. Therefore, it's more important than ever that advisors protect their clients’ assets and information. There are many reasons for this, not the least of which is the fact that FINRA and the SEC are cracking down on advisors who lack adequate cyber-security policies.
How One of My Clients Was Threatened
One of my clients was a near victim of cyber-crime recently.
A few months ago I received an email from a retired client asking me to transfer $15,000 from her retirement account. The sender’s email address matched the client’s so it seemed like a legitimate request. However, when this client has needed money from her account in the past, she would call. Although this was a relatively minor deviation in behavior, it was enough for me to call her.
When I did, I discovered she did not send the email. How could this happen? Obviously, someone had hacked her email account. How? The night prior to the email requesting the money, she received what appeared to be an email from her spouse and clicked on a link inside. That's all it took. At this point it was Hacker 1; Client 0.
How does this type of breach occur? According to computer expert Jason Blevins of Baton Rouge, Louisiana-based Compu-Tech of LA, when the client clicked on the link, her computer likely downloaded a sophisticated spyware program (known as a keystroke logger) which recorded her keystrokes. This would have allowed the hacker to get her password(s) and access her email account. Then, the hacker could have established any number of rules on her email account, including one to redirect email replies from selected sources to the hacker rather than the client.
In essence, the client would have been completely unaware that a problem even existed. However, if this is the case and the hacker uploaded such a program to her computer, simply changing her email address and password would not correct the problem. According to Blevins, your garden-variety malware-removal programs are probably not sufficient to identify and remove such sophisticated spyware. So the client took her computer to a professional to have the software removed.
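The hidden mail rule Blevins describes can be checked for directly. The following is an added example, not part of the original article: it reviews a list of mailbox rules and flags any that send mail to an outside address or single out financial senders. The rule fields, sample rules and domain names are constructed assumptions, not any mail provider's format.

```python
# Constructed sample of mailbox rules. The field names (name, from_contains,
# action, target) are hypothetical, not any mail provider's export format.
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": ["news@"], "action": "move", "target": "Reading"},
    {"name": ".", "from_contains": ["advisor-firm.example"], "action": "redirect", "target": "inbox77@mailer.example"},
    {"name": "Family", "from_contains": [], "action": "forward", "target": "spouse@client-home.example"},
    {"name": "x", "from_contains": ["bank", "advisor"], "action": "delete", "target": ""},
]

OWN_DOMAINS = {"client-home.example"}          # domains the mailbox owner controls
SENDS_AWAY = {"forward", "redirect"}           # actions that copy mail elsewhere
HIDES = {"delete", "move"}                     # actions that keep mail out of the inbox
FINANCIAL = ("advisor", "bank", "broker", "custodian")  # sender keywords to watch


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def review_rule(rule, own_domains=OWN_DOMAINS):
    """Return the reasons (possibly none) a rule needs a manual look."""
    reasons = []
    action = rule.get("action", "").lower()
    senders = [s.lower() for s in rule.get("from_contains", [])]
    financial = any(word in s for s in senders for word in FINANCIAL)
    if action in SENDS_AWAY and domain_of(rule.get("target", "")) not in own_domains:
        reasons.append(f"{action} to an address outside the owner's domains")
    if financial and action in SENDS_AWAY | HIDES:
        reasons.append(f"{action} applies only to financial senders")
    return reasons


def audit(rules, own_domains=OWN_DOMAINS):
    """Map rule name -> reasons, for every rule with at least one reason."""
    flagged = {}
    for rule in rules:
        reasons = review_rule(rule, own_domains)
        if reasons:
            flagged[rule["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"rule {name!r}: " + "; ".join(reasons))
```

A rule that is flagged is a prompt to ask the mailbox owner whether they created it, not proof of compromise.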
If you receive a phone call notifying you that you've won a free vacation or some other gift, be wary, especially if you are asked to pay the return postage or some other charge upfront. Never give personal information or money to someone you do not know personally. In this type of fraud you may hear comments such as: "You must act now or the offer won't be good!" or "You can't afford to miss this high-profit, no-risk offer!"
Even though such a phone call may cause suspicion, some individuals will go along with it anyway, only to find out later that it was a scam. Why would anyone proceed if they were suspicious? After all, "If it sounds too good to be true it probably is." While we've all heard this saying, there may still be times when the prospect of receiving something for nothing overrides our better judgment and causes us to make a poor decision. The desire to receive something for free can be a powerful enticement and identity thieves understand this very basic human desire.
Perhaps the best step we can take to combat this crime is to spread the news, revealing the tricks of the trade and the tactics of these criminals. However, the first step is to educate yourself. The FBI website has some great information on how to identify and protect yourself from fraud.
Additional Tips for Avoiding Identity Theft
Here are a few additional tips to help you avoid identity theft.
1) Never click on a link in an email, text, or other communication when the only thing in the body of the message is the link. It's a good practice to contact the person who sent it to verify its authenticity.
2) Don't let (snail) mail remain in your mailbox for long.
3) Report lost or stolen credit cards immediately.
4) Check your credit and debit card transaction information on a regular basis. Report any unauthorized activity immediately.
5) Shred paper statements, ATM receipts, bills, etc. before you throw them in the trash or recycling.
6) Don't write down your passwords, Social Security number, etc. and keep this information in your wallet. Limit the amount of sensitive information you carry.
7) Consider paying bills electronically and eliminating paper statements and other documents (go paperless).
8) Consider subscribing to a high-quality, reputable identity theft protection service. (Here’s a side-by-side comparison of the major service providers.)
Adopt and Follow a Security Policy
When identity thieves find a lucrative niche, they exploit it until it dries up. According to Bill Winterberg, technology expert and founder of FPPad, a technology consulting firm for advisors, identity thieves are specifically targeting financial advisors.
He recommends that advisors adopt a security policy which requires two methods of verification. This becomes more important as the size of the firm increases. For example, if client John Smith sends an email to his advisor requesting money from his account, and his advisor couldn't be contacted, can anyone else at the firm verify that the client is who he says he is? Does anyone else at the firm know Mr. Smith personally?
Winterberg also suggests keeping a list of security questions in your contact management system (CMS) for this type of event. He also recommends questions that cannot be easily answered by researching the Internet or other venues. For instance, he would not recommend questions such as: Mother's maiden name or Date of Birth. He does, however, recommend questions such as:
1) Name and type of animal of your first pet
2) Color, make and model of your first car.
The point is to use information known only by the client. This is more important with high-profile clients who may have online biographies that could be accessed by thieves. Winterberg recommends compiling a list of appropriate questions in your CMS. In addition, you might use a video phone system such as Skype, FaceTime or Google Hangouts. Then, you can see the client face-to-face, which is pretty hard to falsify.
Identity theft is one of the fastest growing crimes and anyone can fall prey to it. Hackers are not just targeting the wealthy. With the proliferation of online commerce, the desire to get something for nothing, and a generation that has grown up with computers, many criminals have turned to technology rather than weapons. Therefore, we need to be diligent in our quest to protect all sensitive information with which we have been entrusted. The Federal Trade Commission is an excellent resource for information on the latest scams and tips on how to avoid them. In addition, you can sign up for email alerts to keep you abreast of new developments.