Cybersecurity is by far the most popular topic when I’m speaking with advisors. And rightfully so. Most conversations revolve around important action steps and “what are you hearing?” type questions for best protecting an advisory firm.
Unfortunately, fraudsters continue to evolve their attack strategies, and “social engineering” attacks, also called “spear phishing,” are more frequent. In this attack, the fraudster uses information they know about the victim to gain trust, and then gains more information from the victim to ultimately execute the attack. Here is an example:
Your client’s email has been hacked, and the fraudster is monitoring all the activity in real time. They probably won’t send your firm a fraudulent email request, but they can see that your client frequently requests via email that you send money from their brokerage account to their ABC Bank account through the ACH system.
After the most recent ACH request, the fraudster calls your client posing as a representative from ABC Bank to verify the ACH transaction and to make sure that everything is in good order. Because the fraudster expects your client to be suspicious of the call, they say they will send a text message with an “authorization number” from the ABC Bank System.
The client believes this is legitimate and reads the authorization number to the fraudster. What the client doesn’t realize is that the fraudster actually used ABC Bank’s password reset process for sending the text message and now the fraudster has the authorization number to complete the password reset process as if they were the client. They create a new password giving them full access to the client’s ABC Bank account and essentially locking the client out of it at the same time.
Now more than ever, we have to be regularly warning, educating and training clients — and our colleagues — on what to do and not do. Here are some ideas:
Clients should always be suspicious with “different” and “odd” requests that involve their financial affairs. In fact, your year-end communications with clients is a good time to include critical cybersecurity guidance.
Provide clients a list of actions your firm would never do as it relates to money movement and other requests vulnerable to cyber fraud attacks. Include that your firm would never provide money movement instructions (either deposits or withdrawals) via email without requiring a verbal confirmation of the specific details. Also add that your firm would never email your client instructions and/or paperwork for opening a new account without any prior conversation or discussion.
Many advisors still include a standard disclaimer as part of their general voicemail greeting that says, “Trading instructions will not be executed if left on voicemail.” Advisors should consider including money movement requests as part of this message as well. Maybe even consider adding such a statement in your email auto signature. Even a general statement like: “Don’t be a victim of financial fraud. Be suspicious and verbally confirm all money movement requests,” can have an influence and help clients understand their role in preventing a cyber fraud attack.
Share examples and stories of how the cybersecurity fraudsters execute attacks to educate clients. Start by using the example above. Even as fraudsters continue to evolve their cyber fraud attack strategies, there are common themes that can be identified. From obscure email instructions, to trying to fill in gaps of information with odd questions, to the heightened tone of urgency in the request all can be clues that something isn’t right. Hopefully, this will cause the client to stop engagement with the fraudster.
Holidays and vacations can be a fertile season for the fraudsters to conduct their attacks. They know that when our lives get busy with both internal and external distractions, it can become easier for all of us (clients, staff, and advisors) to fall prey to their attacks. Maintain heightened scrutiny, and don’t cut any corners with following your procedures.
Dan Skiles is the president of Shareholders Service Group in San Diego. He can be reached at [email protected].