You Aren’t Paranoid, Hackers Really Are Out to Get You

Here are five steps you can take now to protect you and your clients. Here are five steps you can take now to protect you and your clients.

Everybody’s talking about cybercrime, and the hacks and thefts at giant organizations. In all likelihood, you know someone who’s been affected by hacks at a major retailer, for instance. As an independent financial advisor, you may think you’re too small a fish to be a target. But that is far from the case: According to the 2016 Internet Security Threat Report, Symantec’s annual analysis of cybercrime, attacks against small businesses are rising rapidly, with 43% of attacks targeted at small firms [defined as fewer than 250 employees] in 2015.

Your firm touches a lot of incredibly valuable information, so you are a natural target of scammers great and small.

Are you thinking about cyber fraud as much as you should, or are you counting on your custodian to protect you? The truth is, custodians can only do so much. Everyone who has access to your clients’ finances must take precautions. And that includes you. It’s enough to make an advisor paranoid—and maybe that’s a good thing.

Perils of Cyberfraud

Here’s an example: An advisor we work with had a very active client—one who typically contacted him by email, and frequently used funds from his accounts to close business deals with a variety of partners. But then a fraudster expertly mimicked this client’s requests for funds and managed to steal a large amount of money, all in sums that were a shade under the $250,000 level that would bring on a full-bore federal investigation. The advisor is now working through an E&O situation.

Now you may be thinking, “I’d never fall for such a scam.” But to sit down and look at the emails, they seemed completely legitimate. They used the correct email address, with no indication that the emails (and funds) were being diverted elsewhere—not even after a forensic analysis. The language used in the emails was eerily similar to the client’s typical communications. In all likelihood, the fraudster had been monitoring the client’s emails for some time, and so was able to make the fraudulent communications seem “normal.”

As the asset manager who would be releasing the funds to a third party, our firm followed its Compliance Policies and Procedures and did what it was supposed to do: We called the advisor and confirmed that the transactions had been verified with the client. The advisor, who was accustomed to communicating with some clients by email, affirmed that they had. Everyone did what they were supposed to do—but still, the theft took place.

Think about a typical work day. You’re in the throes of your business, you’re busy, you get an email. Most of us aren’t taking the second look and asking about fraud. But today you must do so, especially if you’re working with clients who tend to move money around, whether for business needs or family distributions, such as tuition or travel. Even phone calls can get diverted to a third party—and if that person has the right answers to your identity questions, you could be deceived. 

What We’re Doing Differently

We all have to take a wider view of cybersecurity, identity theft and fraud. The SEC has been watching this for some time. Internet fraud is increasing, scams are getting more sophisticated. It’s hard to imagine that, with all the cautions you think you have in place, fraud could still bite you. But it can. Custodians do work with advisors but everyone has to do their part.

At my firm, Efficient Advisors, we have updated our compliance policy: we will not accept electronic communication as the only form of communication for any electronic transfer of funds or third-party distributions. That’s why we call the advisor and ask if they have spoken directly to the client. If the advisor says yes, our responsibility ends. Some custodians have gone farther. They mandate a call to the phone number of record and speak to the person who authorized the transaction. Even that, however, is not a perfect defense.

We’ve also come up with some recommendations for advisors. No matter how large or small your practice, these steps can help make your clients’ accounts a little more secure.

Step 1: Speak Directly With Clients
Do not accept electronic communication like email for any disbursement of funds from a client’s account. In an age where clients are used to moving money and paying bills with a swipe of their finger on a smart phone, this may seem burdensome. But taking the extra step of old-fashioned communication may help prevent you and your clients from being victimized.

Step 2: Train Your Staff
Create that culture of compliance and awareness of industry developments that exemplifies best practices. Everyone at the firm needs to follow that cliché of public safety, “If you see something, say something.” Because you will, most likely, have to deal with sketchy communications at some point. Look at every request, whether for information or funds, with a cynical eye.

Step 3: Review Your Operations Manual With a Fine-Tooth Comb at Least Annually
In today’s sensitive environment, all members of your firm—including you, as a leader—need to make sure you have the right procedures and systems in place to protect the firm. You also need to set the tone for the firm. Emphasize that it’s an important effort and obey the rules yourself. Setting the right example will help make sure you have a tight ship.

Step 4: Recommend to Your Clients That They Hire a Credit Monitoring Service
No, it’s not the complete answer, but it still helps.

Step 5: Don’t Rely on What You Think You Know About Technology 
Whatever you may know about information technology and security, fraudsters know more—this is their business.

Is it paranoia if everybody is really against you? That question used to be funny. In the era of cybercrime, though, a little paranoia can go a long way toward protecting your clients, your firm and your reputation.

Page 1 of 2
Single page view Reprints Discuss this story
We welcome your thoughts. Please allow time for your contribution to be approved and posted. Thank you.