As financial advisors, we follow industry trends in cybersecurity technology, employ quality email filtering software, and train our staff to be on the lookout for fraud attempts. We train both client-facing staff and support staff to never click on links, to never download attachments they’re not expecting, and to spot phony “click here to confirm your password” attempts.
The reality is that crooks are becoming more sophisticated and are increasingly willing to play the long game, rather than hack into an account to drain it. Most financial accounts are protected by industry-tested encryption and transport-security standards, including AES-256, HSTS, triple DES, and a host of other protocols. This makes traditional hacking time-consuming and largely unprofitable.
What can be easy to hack is someone’s personal email. Think about all of the personal information you share in email — I’m not even talking big things like credit card or Social Security numbers — it’s innocuous stuff like pets’ names, children’s names, birthdays, anniversaries, etc. Should a thief gain access to your email account, they can then read through your saved, sent, and deleted emails, where they are likely to find information for many of the websites you use. Now, all a thief needs to do is send an email that mimics your writing and contains random personal details to your contacts — like your financial advisor.
Financial advisors and investment managers often have discretionary control over their clients’ managed assets. Still, it is not uncommon for a client to ask us to move some assets to a different account for a spending need. Consider this example:
“Good morning! Hope you had a great weekend. Betty and I had a great time at the reunion I was telling you about. Remind me to tell you what my cousin said about Bitcoin. I’d also like for you to transfer $50,000 to our new checking account. Junior is leaving for college in the fall. I’ve attached a deposit slip for the routing number.”
Not every fraud attempt comes with a huge red flag. Common phrases were used, and personal details were included. The attached deposit slip showed a legitimate bank account number and contained the client’s name and address. In this industry case study, signatures were forged, and the forms even passed the custodian’s strict anti-fraud protocol. A few days later, the checking account was linked to the client’s financial accounts. It was now back in the advisor’s hands to process the withdrawal request.
Before $50,000 was transferred, the advisor called the client to confirm the request. Turns out the client had no knowledge of this withdrawal request. A 30-second phone call to confirm an email from a few days prior revealed that the client’s email had been hacked, and he hadn’t requested a withdrawal. The custodian was immediately notified, account numbers were changed, and the client was able to put a fraud alert on his bank accounts and credit cards, just in case.
The moral of the story is that everyone has a responsibility to safeguard their assets. Investors need to protect their email and computers. Advisors must maintain open communication with their clients, following protocols like a mandatory verbal confirmation for transactions, and not acting on financial requests left on voicemail. A thief only has to be right once to hit a payday. The financial advisor must be perfect 100 percent of the time to prevent fraud.