Data breaches at Target and Neiman Marcus were certainly scary. Personal information
from tens of millions of people fell into the hands of cybercriminals.

But an equally threatening and perhaps more personal attack is a hacker getting
into your email and then using it to take money from your bank and brokerage
accounts.

It is a problem that is increasing at all wealth levels, from individuals with
small investment accounts to family offices that serve the wealthiest clients.
Naureen Hassan, senior vice president of client experience at Charles Schwab,
which is the largest custodian of independent advisers in the country, said the
firm had seen a fivefold increase in email-related fraud over the last two
years.

“The biggest type of fraud we see is the fraudster takes over the person’s
email, and emails the adviser asking for
urgent money,” Ms. Hassan said. “The other problem is related to clients
storing signed pieces of paper in their email, which allows fraudsters to forge
their signature.”

One of the better-known cases involved a client of GW & Wade, a Focus Financial
Partners firm in Wellesley, Mass., that manages about $4 billion. The firm,
which settled in October with the Securities and Exchange Commission, sent
$290,000 of a client’s money in three separate wires to a foreign bank, in
response to a hacker sending emails from the client’s account requesting the
transfers.

The S.E.C. accused GW & Wade of not having adequate safeguards to prevent the
thefts and fined it $250,000 for executing the transfers. In its censure of the
firm, the agency required it to take remedial steps to increase data security.

“When alerted to the situation, we took immediate action and ensured our client was
never at financial risk,” Neil Goldberg, a principal of the firm, said in a
statement. “Since then, we have put into place both new systems and procedures
to prevent any similar occurrence.”

While GW & Wade ended up being penalized financially and took a reputational hit,
its mistake served as a warning to other independent advisers eager to respond
to client requests.

A client of a Boston adviser said that he and his wife were traveling in Asia in
the fall when their account was hacked and emails were sent to everyone at the
adviser’s firm who had ever emailed him, asking for a wire transfer.

He said the adviser tried to contact him, unsuccessfully, and then reached out to
his son to let him know what was happening.

“They read my emails, and they mimicked my tone for requests for money,” said the
man, a retired financial services executive who requested anonymity. “The whole
system appeared to be more sophisticated than these notes from Nigeria.”

The Nigerian prince email swindle, in which a supposed royal offers riches in
exchange for a bank account number, is to today’s phishing scams what a Brother
word processor from the 1980s is to a MacBook.

A security executive at a trust company told of a hacker who got creative in
trying to fool the firm. The executive, who requested anonymity, said the firm
received an email from a client’s account asking that $137,000 be wired to
Italy to buy some art. He said this client was part of a large family that
traveled frequently, so the request was not odd on its face. But he said the
family had put a procedure in place in which no wires went out without a call
being made to the person requesting the money.

The executive said clients can be frustrated by this level of bureaucracy, until
someone they know gets hacked. “Once it’s happened to one of their family
members,” he said, “it’s amazing how they’re much more accommodating.”

This is where the solution to a sophisticated swindle can sometimes be the simple
action most people would take if a stranger knocked on their door at night:
They would not answer it.

“I called my wealth manager and said, ‘If I emailed you to wire $25,000 to a third
party or someone with the same last name as me, what do you do?’ ” said Ken Springer,
a former F.B.I. agent who is now president of Corporate Resolutions, an
investigations firm. “He said they would want to get a verbal confirmation, and
they’ll document what phone number I used. Most reputable firms require that.”

It wouldn’t hurt to ask the same question of your wealth manager. Where some
advisers slip up, though, is in thinking they have received several levels of
verification when they have not.

“An email with an attached, signed letter is not enough because it’s all the same
communication,” said Jeffrey R. Bedser, founder and chief executive of iThreat
Cyber Group. “That’s not two forms, that’s one communication. There should
always be a secondary verification.”

Beyond employing offline common sense, individuals need to be vigilant about how they
use technology and the systems their advisers have to prevent their accounts from being hacked, or, if
they are hacked, to keep their money from being transferred.

A common area where security breaches occur is an unsecured public wireless
network, say in a coffee shop or park. People who commit fraud set up fake hot
spots that will still give you access to the Internet but will capture
everything you do on the swindler’s computer.

Another mistake is using your email address as your login for any banking or investment
account. “You’re giving hackers half the battle,” said Bill Wyman, chief
executive of Summitas, a firm that builds encrypted communications portals for
financial services companies.