National Cybersecurity Awareness Month (NCSAM) is observed each October. Part of being more secure online is being aware of incidents in which fraudsters achieved their goal. Here are some examples of the types of fraud attacks that have directly impacted people in our profession.
Case #1
Your firm has been working with a client to facilitate a wire transfer, a process that has been planned for more than a month. The client provides you with the receiving account details, and your firm completes the wire form and sends it back to the client for a signature. The client signs the wire form and emails the document back to your firm.
Your firm has a policy to verbally confirm all wire requests, so the lead advisor calls the client and leaves a voicemail message for the client to call back and confirm the instruction. The call is returned 30 minutes later when the lead advisor is out of the office. The details of the request are logged in your CRM and another staff member confirms the wire request with the client when they return the phone call. The wire is sent.
A day later it is determined that the request is fraudulent and the money went to the wrong bank account. How could that happen?
What no one knew was that the client’s email box had been compromised for months, and a fraudster had been waiting to execute the attack. The crook changed the wire instructions so the money went not to an account for the client’s benefit but to a completely unrelated account number, and the bank didn’t stop the transaction even though the beneficiary information didn’t match the title on the receiving bank account.
Furthermore, because any voicemail left for the client is also conveniently emailed to the client’s email box, the fraudster received the voice message via email and was able to react quickly. The fraudster, not the client, then called your office and was lucky enough to reach an associate who didn’t know the client’s voice, and so was able to confirm all the false details regarding the wire request.
Case #2
A client emails your staff member and mentions that he expects to receive a year-end bonus. Your staff member continues the conversation both by email and over the phone. In January, the client has the funds and emails the staffer requesting the wire instructions for sending the money to his managed account. Your client receives a swift return email with the wire instructions, but the instructions route the money to the fraudster’s account.