Everybody’s talking about cybercrime, and the hacks and thefts at giant organizations. In all likelihood, you know someone who’s been affected by hacks at a major retailer, for instance. As an independent financial advisor, you may think you’re too small a fish to be a target. But that is far from the case: According to the 2016 Internet Security Threat Report, Symantec’s annual analysis of cybercrime, attacks against small businesses are rising rapidly, with 43% of attacks targeted at small firms [defined as fewer than 250 employees] in 2015.
Your firm touches a lot of incredibly valuable information, so you are a natural target of scammers great and small.
Are you thinking about cyber fraud as much as you should, or are you counting on your custodian to protect you? The truth is, custodians can only do so much. Everyone who has access to your clients’ finances must take precautions. And that includes you. It’s enough to make an advisor paranoid—and maybe that’s a good thing.
Perils of Cyberfraud
Here’s an example: An advisor we work with had a very active client—one who typically contacted him by email, and frequently used funds from his accounts to close business deals with a variety of partners. But then a fraudster expertly mimicked this client’s requests for funds and managed to steal a large amount of money, all in sums that were a shade under the $250,000 level that would bring on a full-bore federal investigation. The advisor is now working through an E&O situation.
Now you may be thinking, “I’d never fall for such a scam.” But to anyone who sat down and looked at the emails, they seemed completely legitimate. They used the correct email address, with no indication that the emails (and funds) were being diverted elsewhere—not even after a forensic analysis. The language used in the emails was eerily similar to the client’s typical communications. In all likelihood, the fraudster had been monitoring the client’s emails for some time, and so was able to make the fraudulent communications seem “normal.”
As the asset manager who would be releasing the funds to a third party, our firm followed its Compliance Policies and Procedures and did what it was supposed to do: We called the advisor and confirmed that the transactions had been verified with the client. The advisor, who was accustomed to communicating with some clients by email, affirmed that they had. Everyone did what they were supposed to do—but still, the theft took place.
Think about a typical work day. You’re in the throes of your business, you’re busy, you get an email. Most of us aren’t taking the second look and asking about fraud. But today you must do so, especially if you’re working with clients who tend to move money around, whether for business needs or family distributions, such as tuition or travel. Even phone calls can get diverted to a third party—and if that person has the right answers to your identity questions, you could be deceived.
What We’re Doing Differently