Like it or not, financial advisers are now on the front lines in the war against cybercrime.
In the past few years, there has been an extraordinary increase in the level of sophistication among cybercriminals, said Philip J. Blank, managing director of security, risk and fraud at Javelin Strategy & Research.
That, combined with the relative ease of creating sophisticated databases, is making it far easier to carry out multistage schemes that prey on financial firms and their clients, he said.
So worried is the Financial Industry Regulatory Authority Inc. about the rise in e-mail-related fraud and theft that it sent out twin alerts Jan. 27 about the problem, one to investors and one to advisers.
Finra thinks that your firm and your clients are potential targets, particularly of crooks who gain illicit access to an investor's e-mail account, which then would allow them to send a legitimate-looking e-mail to the client's brokerage or custodian with instructions to transfer money out of the account.
With this and other scams becoming more widespread, the experts with whom I have spoken said that advisers should take the lead in keeping their customers out of harm's way.
“When it comes to their financial lives, clients are going to see advisers as the quarterback of their relationship with investment firms,” said Joanna Belbey, a social-media and compliance specialist with Actiance Inc.
That means that advisers must be well-versed in their firm's security policies — or, in the case of independent advisers, establish their own security policies. All advisers should be up-to-date on the latest cyberscams, frauds and schemes.
Here are some major cybersecurity do's and don'ts of which you and your clients should be aware, and suggestions for staying out of trouble:
• Never respond to e-mail correspondence from one of your investment providers by clicking on a link and entering a password. Legitimate requests for sensitive information won't arrive this way.
• Never access a website that opens from such an e-mail. Open a fresh web browser session and type in the correct address from a reliable source.
• Don't provide your Social Security number for anything, if at all possible. Ask your providers for alternatives (some have come up with them, but only if you ask). Don't share personal details that can be used as unique identifiers on your social-media pages, especially your date of birth.
• Never give any personal information to someone who sends you a message through a social-media site. As a result of the widespread use of social media, cybercriminals now can trick people into giving up personal information because there is a perceived level of trust once you have linked, friended or are following someone, Ms. Belbey said.
Even something as innocuous as a Facebook friend or a Tweet asking for your birthday could give a criminal the information he or she needs to break into an account.
A SCRIPT TO USE
Ms. Belbey suggests incorporating this don't-share-information policy into your client meetings, especially with older clients who might be less aware of cybercrime. She even offers a script you can follow: “Since we're meeting to talk about your goals, we should also talk about keeping yourself secure online. Let me remind you of a few things that have happened of late and that your bank is never going to send you an e-mail requesting your password or PIN, etc.”
• Make sure that all your computer operating systems are up-to-date, security patches are applied, antivirus software is current, and that you have man-in-the-browser protection in place.
Although unfamiliar to many advisers, man-in-the-browser attacks are becoming increasingly common.
These occur when someone, usually without realizing it, downloads a seemingly legitimate application that has been compromised with a piece of malicious code. That code infects the user's web browser and can make it capable of sharing information with a cybercrook.
Such information can take the form of your password when you next log in to your bank account, for example.
All the large commercial providers of antivirus or security software can provide man-in-the-browser protection.
• Check your firewalls. Not only do the commercial-grade network firewalls that businesses should be using keep many unwanted bits of software out, they also can be set to prohibit certain types of data from exiting the network — or at the very least trigger an alert if sensitive data leaves your system or an attempt is made to extract it.
Some of these also provide host-based intrusion prevention systems, which can be updated to counter new types of threats.
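As an added illustration of the egress alerting this bullet describes (example code written for this page, not from any firewall vendor or from the experts quoted), here is a small Python scanner that flags outbound messages carrying a plausibly formatted Social Security number, the identifier the article singles out as one to protect. The traffic records it scans are constructed samples.

```python
import re

# Constructed sample of outbound records (source host, destination, body) as an
# egress proxy or mail gateway might log them. Not real client data.
SAMPLE_EGRESS = [
    ("10.0.0.12", "mail.example.net", "Hi, attached is the quarterly review. Call me."),
    ("10.0.0.15", "198.51.100.7", "client ssn 123-45-6789 acct 44412"),
    ("10.0.0.15", "198.51.100.7", "ref 000-12-3456 is not a valid SSN"),
    ("10.0.0.20", "cdn.example.org", "order 987654321 confirmed"),
]

# Dashed SSN layout: area-group-serial.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues (area 000, 666, 900-999; group 00;
    serial 0000) so that reference numbers do not trigger false alerts."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text):
    """Return every plausible SSN found in a message body."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_egress(records):
    """Return one alert per record that carries a plausible SSN.
    Only the last four digits are kept in the alert so the log itself
    does not become another copy of the sensitive value."""
    alerts = []
    for src, dst, body in records:
        hits = find_ssns(body)
        if hits:
            masked = ["***-**-" + s[-4:] for s in hits]
            alerts.append({"src": src, "dst": dst, "ssns": masked})
    return alerts


if __name__ == "__main__":
    for a in scan_egress(SAMPLE_EGRESS):
        print(f"ALERT: {a['src']} -> {a['dst']} carried SSN(s) {a['ssns']}")
```

In practice the same check would sit on the firewall or proxy's outbound content inspection, and a hit would either block the transfer or raise the alert the bullet mentions.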
• Keep your office or home wireless network as secure as possible. If it uses the obsolete Wired Equivalent Privacy (WEP) protocol for security, throw it out and buy a new model that employs at least WPA2.
• Recognize that open WiFi hot spots (those that don't require you to enter a security key to access them) provide little or no protection for the data that you send over them.
• If it has been more than a year since your firm has had a security audit by a qualified professional, start thinking about having one.