It’s never been more important to establish proactive routines to protect client information. Because at the end of the day, if an advisor has a contract indemnifying trades and actually does process a fraudulent trade—even if it came from a client with a compromised email—the advisor is likely on the hook.
Phishing emails sent to investors are the common way for fraudsters to gain access to client information, Daniel Skiles of the Shareholders Service Group told attendees at a breakout during the MarketCounsel Summit. And Yahoo is one of the more common email domains that he sees data security threats from, Skiles added. Once they get email access, cybercriminals then go on to impersonate clients and seek wire transfers from unsuspecting advisors.
“Fraudsters are good at this,” says Daniel Skiles of the Shareholders Service Group. But common sense and watching for red flags such as odd dollar amount requests, requests to send money to unfamiliar or foreign banks and incorrect client signatures can help advisors stay ahead. “Use common sense; if it’s not how a client normally acts, your ‘spidey sense’ should tingle,” says Tom Embrogno of Docupace.
Advisors should be aware of low-tech threats as well, Embrogno says, noting that these attacks are not always highly sophisticated. Recently, a group of fraudsters posed as janitorial staff, buying up several companies that service major Wall Street firms. Over several months, the criminals replaced existing staff with fraudsters, sending them in at night to access and copy confidential client documents. “Fraudsters are very patient,” Embrogno says. And the scheme, while rather low-tech, was extremely damaging.
For advisors in smaller practices, it’s important to follow basic protocols that protect both advisors and clients. The most basic safeguard: require advisors or staff to have direct conversations with a client before the money can go out. “I’d rather miss a deadline than send a fraudulent order,” Skiles says.
It’s much easier to safeguard against fraud than to try to repair the damage after it’s occurred. Once a fraudulent money transfer has been sent, it’s very hard to get those funds back. It happens, says Skiles, but rarely, because the money leaves the dummy account pretty quickly through rapid transfers to multiple other accounts.
“You have to respond to it quickly,” says Bill French of Fidelity Investments. Once fraud has occurred, the first step is to lock down the account. If the advisor is handling the recovery, reach out to the client’s bank and let them know a fraudulent wire occurred and ask them not to release the funds if they haven’t already.
And while 60 percent of wire fraud is routed through domestic banks, once there, there’s only a short window of time before that money leaves the country through secondary transfers, French says.
On the client end of the recovery, French says the best practice is to change all of the account numbers, as well as all login credentials. But do this only after the client has double-checked that their home or office computer (or any other device that was compromised) is free of viruses and malware; otherwise the client could be re-compromised.