Cybersecurity is by far the most popular topic when I’m speaking with advisors. And rightfully so. Most conversations revolve around important action steps and “what are you hearing?” type questions for best protecting an advisory firm.
Unfortunately, fraudsters continue to evolve their attack strategies, and “social engineering” attacks, also called “spear phishing,” are more frequent. In this attack, the fraudster uses information they know about the victim to gain trust, and then gains more information from the victim to ultimately execute the attack. Here is an example:
Your client’s email has been hacked, and the fraudster is monitoring all the activity in real time. They probably won’t send your firm a fraudulent email request, but they can see that your client frequently requests via email that you send money from their brokerage account to their ABC Bank account through the ACH system.
After the most recent ACH request, the fraudster calls your client posing as a representative from ABC Bank to verify the ACH transaction and to make sure that everything is in good order. Because the fraudster expects your client to be suspicious of the call, they say they will send a text message with an “authorization number” from the ABC Bank System.
The client believes this is legitimate and reads the authorization number to the fraudster. What the client doesn’t realize is that the fraudster actually used ABC Bank’s password reset process to send the text message, and now the fraudster has the authorization number needed to complete the password reset as if they were the client. They create a new password, giving them full access to the client’s ABC Bank account and essentially locking the client out of it at the same time.
Now more than ever, we have to be regularly warning, educating and training clients — and our colleagues — on what to do and not do. Here are some ideas: