Financial advisors are more likely to be victims of cyberattacks than those in other industries, largely because financial data is extremely valuable to cybercriminals and small businesses tend to have less sophisticated cybersecurity systems in place.

In 2016, 20% of financial firms were affected by data breaches. This increased to 25% in 2017. With the average data breach costing $7 million, protecting personal and financial data must be prioritized in the industry.

While cyberattacks are becoming more frequent and sophisticated, many cybercriminals use simple phishing tactics to take advantage of human errors rather than planning complex attacks. As an advisor, you need to be aware of the most common phishing tactics used, understand how these scams are becoming more complex, and know how to protect your clients’ data.

What Do Common Phishing Scams Look Like?

Cybercriminals know how to disguise phishing attacks as messages that appear to be normal and legitimate. Emails are often used, but some phishing scams involve the use of text messages, IMs and even phone calls. Messages are carefully crafted to look like they come from a legitimate source, and some cybercriminals know how to spoof a phone number or hack an email address to send a message from a known or familiar source.

The purpose of a phishing scam is to trick you into sharing personal or financial information. You might, for instance, be redirected to a page with a form that collects data that could be used to steal a client’s identity or be prompted to use login credentials for a client’s account.

Here are a few examples of phishing emails you might receive:

  • Emails that ask you to follow a link to a page where you are prompted to enter login credentials.
  • Emails that ask you to fill out an online form.
  • Emails that redirect you to a page that mimics the login page of a legitimate financial institution, such as Fidelity, Schwab, TD Bank, JPMorgan Chase or Bank of America.
  • Emails that alert you of a fax you have just received to trick you into opening a malicious attachment.

These unpleasant emails are sometimes easy to identify. Pay attention to the spelling and grammar and to the sender’s email address, including the domain name. If an email creates a sense of urgency to download an attached file or visit a link, you should immediately be suspicious. Financial institutions will never send emails that ask you to log in to your account right away or to verify information immediately. A legitimate financial institution will call you to obtain this information.

If an email asks you to follow a link, check the URL and compare it with the official URL of the financial institution mentioned in the email.

Advanced Phishing Methods

Some cybercriminals have developed more sophisticated techniques to steal valuable data. There are keystroke viruses that can infect a computer and record everything you type, including login credentials for online banking and other financial websites.

Once a machine is infected, it can send this sensitive information to a cybercriminal who will then be able to use these credentials to access online accounts. You can avoid being affected by one of these viruses by being wary of the links and attached files you receive via email. Make sure the devices you use to manage clients’ accounts have antivirus software.

Cybercriminals can also impersonate a client by hacking their email address or stealing their phone. They might claim that they need access to their funds right away because of an emergency. This type of scam can be difficult to recognize since the message will come from a trusted source and might look legitimate.

The best way to protect yourself from these scams is to establish best practices for certain actions such as releasing funds and meeting face-to-face with a client before performing these actions. Always verify written requests for distributions by calling the client. You should also communicate with clients regularly via phone calls and establish ID verification questions in advance; confirm the client’s identity at the beginning of the call using the established ID verifications.

Your Role as a Financial Advisor

You need to be aware of the most common phishing tactics and other ill-intentioned techniques used by cybercriminals. Provide training to every firm employee to ensure everyone who has access to sensitive information is aware of these techniques. An employee accidentally opening a malicious file can infect an entire network. Also, encourage employees to take their time conducting thorough and careful email reviews to prevent inadvertent, careless mistakes that can easily be avoided.

You should also look into creating an educational program to help your clients recognize these scams. Your clients might not be aware of how complex these hazardous attempts are, how prevalent they are becoming, or how to identify an investment scam. Use your humanity and the personal relationships you have cultivated to your advantage; communicate this as an added value to your clients.

Lastly, you should develop procedures that you can follow to verify a client’s identity before performing actions like withdrawing funds for a client. Communicating via regular phone calls and face-to-face meetings instead of entirely relying on emails will help you build stronger relationships with clients and make it difficult for cybercriminals to successfully impersonate them.


Andrea McGrew is chief compliance/chief legal officer at USA Financial, a comprehensive financial services institution, focused on providing advisors with the tools required to make solid recommendations and to empower clients to make educated and informed financial decisions. For more information, go to www.usafinancial.com.